
routing question

Posted: Wed Sep 22, 2004 1:18 pm
by RobClem
I have been running my MikroTik with a Bridge setup - basically I have my LAN and WAN interfaces added to the Bridge and then bind my private and public addresses to the Bridge. This works fine - EXCEPT that any broadcast storms on my network bring it to a standstill.

I would prefer to have a NAT rule (which I know how to configure) for my private addresses to NAT to a single public address.

What I need to know is how to route public addresses from the LAN side of the router to the WAN side and back the other way as well. Is this possible and if so can anyone offer any advice?



Posted: Wed Sep 22, 2004 3:19 pm
by advantz
You can start here : ... to.content

use dst-nat and src-nat to link public to local ones

Posted: Wed Sep 22, 2004 3:56 pm
by RobClem
I know how to do this bit, but I want to let public IPs flow through the router without NATting them. I do this with a bridge at the moment but ideally don't want to use a bridge.

Posted: Wed Sep 22, 2004 4:25 pm
by mag
Sorry, but I guess this is not possible that easily. (A router is actually defined by at least two different interfaces with two different subnets.)
Let's suppose a subnet of public IP addresses is bound to the LAN interface; then there are three options for the WAN side:
- unnumbered point-to-point link
- transfer net (usually a small subnet, e.g. a /30, of public IP addresses)
- NAT (the WAN interface responds to all public IP addresses)

The last case needs one-to-one NAT, usually done with a pair of IP-range-dependent src- and dst-nat rules.

There's also a good packet flow picture in the manual's IP firewall section.

I hope this helps a bit.


Posted: Wed Sep 22, 2004 8:31 pm
by RobClem
What do you do to route public IPs through a MikroTik? This must be a very common request.

Posted: Wed Sep 22, 2004 8:34 pm
by RobClem
I understand point 3. Can you explain points 1 and 2 a little bit more?



Posted: Wed Sep 22, 2004 8:48 pm
by mag
2: usually a small transfer net, i.e. an IP subnet with 4 addresses (/30).

For example: with .1 being the remote WAN interface on the upstream ISP and the default gateway too, and .2 bound to the local WAN interface.
If the LAN interface has an IP address from a different subnet, routing occurs automatically.

1: only for point-to-point links and often used on Cisco routers; I haven't tried that on MikroTik ROS. The point-to-point interface gets the IP address of the LAN interface with the unnumbered command.
Example is here:

Posted: Thu Sep 23, 2004 10:56 am
by RobClem
just to clarify -

my upstream ISP has a router with a /26 address range GW - xx.xx.xx.65
WAN side of my Router - xx.xx.xx.66 /30
LAN side of my router - xx.xx.xx.67 /26

Customers - xx.xx.xx.70-128 /26 with xx.xx.xx.65 as Gateway

Will the above work or have I got my subnets wrong?

thanks for the help


Posted: Thu Sep 23, 2004 11:22 am
by pbailly
Customers - xx.xx.xx.70-128 /26 with xx.xx.xx.65 as Gateway
70-128: no can do, and the gateway should be in the range.

WAN side of my Router - xx.xx.xx.66 /30
That /30 uses addresses 64 to 67 included (network and broadcast), so the next usable ranges are:
a /30 (68-71)
a /29 (72-79)
a /28 (80-95)
a /27 (96-127)
1 IP per range for the MikroTik, and use this IP as gateway.
1 IP is the network address and 1 IP is the broadcast address.

It seems just strange to me that your ISP put his router on your IPs; I imagine you mean the router they installed at your location has the x.x.x.65 IP.

In that case I suggest you decrease the range on the ISP router at your place (a /30), a /30 on the MT also, then use RIP2 on your LAN so the router can learn the routes from the MT and vice versa.

a drawing of your setup could help a lot


Posted: Thu Sep 23, 2004 2:06 pm
by mag
Will the above work or have I got my subnets wrong?
Same subnet on both interfaces -> no routing.

It would be possible (as explained in pbailly's posting) to use
x.y.z.66/30 for the WAN, and a default route to .65 on the MT.

and then for example

x.y.z.68/30 set aside for another WAN interface

x.y.z.73/29 for LAN (leaves 5 more IPs for e.g. network equipment); default gw is .73 for them.

Anything else depends on the network scenario.
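The subnet arithmetic in pbailly's and mag's posts above (a /30 at the bottom of the /26 leaving a /30, /29, /28 and /27; WAN and LAN needing different subnets; customers and their gateway fitting inside the LAN block) can be checked mechanically. The following is an added example, not code from the original posts or from MikroTik; the thread's xx.xx.xx prefix is replaced by 198.51.100 (an RFC 5737 documentation range, used here as a constructed stand-in), and the function names are my own.

```python
"""Address-plan checks for the routed (transfer-net) setup discussed above.

Added example, not code from the original posts or from MikroTik. The
thread's xx.xx.xx prefix is replaced by 198.51.100 (RFC 5737 documentation
range, a constructed stand-in) so the arithmetic runs offline.
"""
import ipaddress
from typing import List


def free_blocks(parent: str, used: str) -> List[str]:
    """Aligned blocks left in `parent` once `used` is carved out of it.

    This reproduces pbailly's list: a /30 at the bottom of a /26 leaves a
    /30, a /29, a /28 and a /27 (68-71, 72-79, 80-95, 96-127).
    """
    p = ipaddress.ip_network(parent)
    u = ipaddress.ip_network(used)
    return [str(n) for n in sorted(p.address_exclude(u))]


def check_plan(wan_if: str, upstream_gw: str, lan_if: str, lan_gw: str,
               first_customer: str, last_customer: str) -> List[str]:
    """Return the problems with a plan; an empty list means it is routable.

    wan_if / lan_if: the router's interface addresses with prefix length.
    upstream_gw: the ISP's next hop. lan_gw: gateway handed to customers.
    first/last_customer: the customer address range.
    """
    problems: List[str] = []
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    gw = ipaddress.ip_address(upstream_gw)
    cgw = ipaddress.ip_address(lan_gw)
    lo = ipaddress.ip_address(first_customer)
    hi = ipaddress.ip_address(last_customer)

    # A router needs two different subnets: if the WAN and LAN networks
    # overlap, both interfaces claim the same destinations and nothing is
    # routed between them ("same subnet on both interfaces -> no routing").
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} overlaps LAN {lan.network}")

    # Interface addresses must be usable hosts, not the network or
    # broadcast address of their subnet.
    for name, iface in (("WAN", wan), ("LAN", lan)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} address {iface.ip} is network/broadcast of {net}")

    # The ISP next hop must sit on the transfer net, and customers must use
    # the router's own LAN address as their gateway.
    if gw not in wan.network:
        problems.append(f"upstream gateway {gw} is not inside WAN net {wan.network}")
    if cgw != lan.ip:
        problems.append(f"customer gateway {cgw} is not the LAN interface {lan.ip}")

    # Customers must fit inside the usable host range of the LAN subnet.
    first_host = lan.network.network_address + 1
    last_host = lan.network.broadcast_address - 1
    if lo > hi or lo < first_host or hi > last_host:
        problems.append(f"customer range {lo}-{hi} outside usable hosts "
                        f"{first_host}-{last_host} of {lan.network}")
    return problems


if __name__ == "__main__":
    print(free_blocks("198.51.100.64/26", "198.51.100.64/30"))
    # RobClem's plan: the /30 and the /26 share one block, customers run to .128
    for p in check_plan("198.51.100.66/30", "198.51.100.65",
                        "198.51.100.67/26", "198.51.100.65",
                        "198.51.100.70", "198.51.100.128"):
        print("Rob's plan:", p)
    # mag's plan: .66/30 on the WAN, .73/29 on the LAN
    print("mag's plan:", check_plan("198.51.100.66/30", "198.51.100.65",
                                    "198.51.100.73/29", "198.51.100.73",
                                    "198.51.100.74", "198.51.100.78"))
```

Run against RobClem's plan it reports the overlap of the /30 with the /26, the customer gateway not being the router's LAN address, and the customer range running past the last usable host (.126); mag's plan comes back clean.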

Posted: Sat Sep 25, 2004 6:39 pm
by GJS
How about proxy arp? This is what I use.

Basically, you set proxy arp on the WAN interface, which will make your router respond with an arp reply to any address which is in its routing table.

Then add a static route for the public IP with your LAN interface as the gateway. Then set the public address on the client (or assign by static DHCP lease) and you should be good to go.

I combine this with arp reply-only on the LAN interface so that each client can only use one IP address according to their MAC address.

'Hope that helps, Rob.


Posted: Sat Sep 25, 2004 7:40 pm
by pbailly
Proxy arp will work only if the matching that occurs in the MT machine hits the LAN route before the WAN route: the packet matches the LAN route and is thus forwarded there, but imagine it matches the WAN route first? It is then sent back where it came from.

Easily checked when you have only 2 choices (2 network cards): turn the router around and use the LAN card as WAN and the WAN card as LAN and it'll work, but imagine an MT machine with 5 or 6 network adapters: things won't work then.

MT 2.5 seemed to use a different kind of match (smallest matching network perhaps) because what you suggest did work with MT 2.5 but didn't after the upgrade to 2.8.

And then one day you'll decide to connect a second MT to your router, perhaps as a future replacement; using proxy-arp for this one will really screw your network, as you'll have to have the routes from your first MT (at a high cost) and then some TCP packets will be taken by one router ... and some by the other one (both have the same routes, the cost is just different). Go figure!

But using a small network (/29) for the router and the MT, and using RIP on the router and the 2 MTs, will allow you to use ARP-ENABLED instead and to add that extra MT in there and do a very painless switchover from one MT to the other, or allow the use of both MTs simultaneously.


Posted: Sun Sep 26, 2004 3:03 am
by GJS
Hmm... not sure that I understand, Patrick. I'm running 2.8.13 without any problems, though I do only have two interfaces on the router. Why would the packet match the LAN route?

The route has the interface that the host machine is connected to as its gateway:
1 S X.X.X.1/32 r 1 private

If it were connected to a different interface I would just use the IP address of this interface. On the host, the gateway is the same interface ( in this case).

I believe that it's possible to route a public IP address across any number of routers, provided you have proxy arp enabled on both the relevant interfaces. See the posts by mp3turbo in this thread for details: ... highlight=
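GJS's proxy-arp setup (a /32 host route pointing at the LAN interface, alongside the ISP's connected /26 on the WAN side) and pbailly's objection (which route "hits first") both come down to how the router picks a route when more than one matches. The following is an added example, not code from the original posts or from RouterOS; it models a table like GJS's with the documentation range 198.51.100.0/24 as a constructed stand-in, and the interface names ether1/ether2, the function names and the table contents are assumptions. The order-dependent `first_match` is included only to make the failure pbailly describes concrete; it is not a claim about what any RouterOS version does.

```python
"""Route selection and the proxy-ARP decision behind the /32-route trick.

Added example, not code from the original posts or from RouterOS. It models
GJS's table (a connected /26 on the WAN side, a /32 host route pointing at
the LAN interface) with the documentation range 198.51.100.0/24 as a
constructed stand-in; interface names ether1/ether2 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    iface: str                                       # egress interface
    gateway: Optional[ipaddress.IPv4Address] = None  # None: directly connected


def route(dst: str, iface: str, gateway: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(dst), iface,
                 ipaddress.ip_address(gateway) if gateway else None)


# Constructed table, in the order a route print might list it.
TABLE = [
    route("198.51.100.64/26", "ether1"),            # connected ISP net on the WAN
    route("198.51.100.70/32", "ether2"),            # GJS-style host route to the LAN
    route("0.0.0.0/0", "ether1", "198.51.100.65"),  # default via the ISP router
]


def first_match(table: List[Route], dst: str) -> Optional[Route]:
    """Order-dependent lookup: whichever listed route matches first wins.

    This is the failure pbailly describes: with the /26 listed before the
    /32, a packet for .70 is sent back out the WAN it arrived on.
    """
    ip = ipaddress.ip_address(dst)
    for r in table:
        if ip in r.dst:
            return r
    return None


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins,
    whatever its position in the table."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        if ip in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def proxy_arp_replies(table: List[Route], in_iface: str, target: str) -> bool:
    """Would a proxy-arp interface answer an ARP request for `target`?

    It replies when the router's best route to the target leaves through a
    different interface than the one the request came in on; the ISP router
    then hands us the frame and we forward it to the LAN. A request on
    ether1 for an address that is itself reached via ether1 gets no reply.
    """
    r = lookup(table, target)
    return r is not None and r.iface != in_iface


if __name__ == "__main__":
    for dst in ("198.51.100.70", "198.51.100.80", "203.0.113.9"):
        print(dst, "first-match ->", first_match(TABLE, dst).iface,
              "| longest-prefix ->", lookup(TABLE, dst).iface)
    print("ARP on ether1 for .70:", proxy_arp_replies(TABLE, "ether1", "198.51.100.70"))
    print("ARP on ether1 for .80:", proxy_arp_replies(TABLE, "ether1", "198.51.100.80"))
```

With longest-prefix selection the /32 toward the LAN beats the connected /26 for .70 no matter how the table is ordered, so the ISP's ARP request for .70 on the WAN gets a proxy reply and the packet is forwarded to the LAN, while an ARP request for an address that is only covered by the /26 (here .80) gets no reply. Under the first-match behaviour the same packet matches the /26 first and is sent back out the WAN, which is exactly the symptom pbailly describes.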


Posted: Sun Sep 26, 2004 10:51 am
by pbailly
I was talking about routing a /26 of official IP addresses where the LAN part actually has the official addresses and the WAN part is connected to an ADSL router or leased line router.

Of course, masquerading private address space is no problem with proxy-arp.