tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

2 IP addresses on 2 ports

Sat Jun 18, 2022 6:53 pm

Good day,

I have a VPS with Mikrotik CHR version 7.

I am paying for 2 public IP addresses from the VPS provider, which are on 2 interfaces (2 virtual ports - ether1 and ether2). I need to set the IP address for both ports, but I need all the traffic to go through the first (main) IP address (on port 1), and IP 2 (on port 2) should only be for port forwarding.



How do I set this up, please?

Thank you in advance for all the answers.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 IP addresses on 2 ports

Sat Jun 18, 2022 7:49 pm

I suppose you realize that the responses to the port-forwarded requests must be sent from the public IP attached to ether2, but that's something the connection tracking in firewall takes care of automatically. But if you need that these responses are actually sent from ether2, it may be more complicated. Do you have a DHCP client attached to both etherX interfaces? Are the two public addresses from the same subnet, thus with the same address of a gateway, or from different ones?
 
tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

Re: 2 IP addresses on 2 ports

Sat Jun 18, 2022 8:11 pm

The main thing is that if I set one public IP to port 1 and the other to port 2, then I can't connect to CHR even through one public IP or it works for a while through one of them. It is not via DHCP, but static IP, both are in the same subnet and have the same gateway.

I also have two public IPs on another device, but on one port, both are set here and it works fine, the router can be reached via both IP addresses, but the router's clients communicate to the Internet via only one.

The only difference between the other router is that it is on two ports, not one.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 IP addresses on 2 ports

Sat Jun 18, 2022 8:15 pm

> The main thing is that if I set one public IP to port 1 and the other to port 2, then I can't connect to CHR even through one public IP or it works for a while through one of them. It is not via DHCP, but static IP, both are in the same subnet and have the same gateway.

That sounds odd, can you post the configuration that is used while this happens? Substitute the first three bytes of the public IP everywhere they occur before posting. Export to file when the setting you use when it behaves weird, then disable one of the addresses so that you could download the file.
 
tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

Re: 2 IP addresses on 2 ports

Sat Jun 18, 2022 8:31 pm

> > The main thing is that if I set one public IP to port 1 and the other to port 2, then I can't connect to CHR even through one public IP or it works for a while through one of them. It is not via DHCP, but static IP, both are in the same subnet and have the same gateway.
>
> That sounds odd, can you post the configuration that is used while this happens? Substitute the first three bytes of the public IP everywhere they occur before posting. Export to file when the setting you use when it behaves weird, then disable one of the addresses so that you could download the file.

```
/interface bridge
add name=lanbr
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-ip1
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no name=ether3-ip2
set [ find default-name=ether4 ] disable-running-check=no
/ip address
add address=X.X.X.49/24 interface=ether1-ip1 network=X.X.X.0
add address=10.10.10.1/24 interface=lanbr network=10.10.10.0
add address=X.X.X.141/24 disabled=yes interface=ether3-ip2 network=\
    X.X.X.0
/ip dns
set servers=8.8.8.8
/ip route
add dst-address=0.0.0.0/0 gateway=X.X.X.1
```

I am sending configuration, it is just a basic, because I haven't set anything up yet because it stopped working after adding a second IP, but I think everything is important there.

IP1 is on ether1
IP2 is on ether3

on ether2 and ether4 is nothing

X.X.X.X is public IP

As you said, I disabled the second IP address via local to be able to export the configuration, otherwise it was enabled.

Thank you very much.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 IP addresses on 2 ports

Sat Jun 18, 2022 8:48 pm

Try setting the gateway of the default route to X.X.X.1%ether1-ip1 and see whether it resolves the issue (i.e. if you won't lose access via IP address when you enable the other address).
 
tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

Re: 2 IP addresses on 2 ports

Sat Jun 18, 2022 11:34 pm

> Try setting the gateway of the default route to X.X.X.1%ether1-ip1 and see whether it resolves the issue (i.e. if you won't lose access via IP address when you enable the other address).

I tried it. If I set it this way, only X.X.X.49 works. If I set the same for the second IP address, both work, but unstable - pinging problems, I tried to create a PPTP server here and it does not work at all when there are both IPs, sometimes one of them does not work or none.

It's weird. You don't know what could happen to that, maybe I don't need to set anything else?

Thank you for your answer.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 IP addresses on 2 ports

Sun Jun 19, 2022 12:10 am

Do you have to use two interfaces, can't you just put both addresses on one? Assuming that gateway is actually same machine, it would make everything much simpler.
 
tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

Re: 2 IP addresses on 2 ports

Sun Jun 19, 2022 12:23 am

> Do you have to use two interfaces, can't you just put both addresses on one? Assuming that gateway is actually same machine, it would make everything much simpler.

That would be the best. The problem is that, as I said, this is a CHR that runs on my VPS. When I purchased another public IP address from my VPS provider, another port appeared on my Mikrotik and I received information from the VPS provider that I was assigned another IP address X.X.X.141 for Port 3. But the gateway should be the same ...
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 IP addresses on 2 ports  [SOLVED]

Sun Jun 19, 2022 12:24 am

So you confirm that if you add the interface name to the gateway of a single default route, you can enable both IP addresses, and access to the one attached to ether1 works without any issues. That was what I wanted to prove. By adding the other route with the same (default) distance value of 1 you have broken it again, but that is not surprising.

The next step is to add a separate routing table and use mangle rules to make the router respond via the same interface through which the request has arrived.
```
/routing/table/add name=via-ether3 fib
/ip/route/add routing-table=via-ether3 gateway=X.X.X.1%ether3-ip2
/ip/firewall/mangle
add chain=prerouting in-interface=ether3-ip2 connection-mark=no-mark action=mark-connection new-connection-mark=via-ether3
add chain=prerouting in-interface=!ether3-ip2 connection-mark=via-ether3 action=mark-routing new-routing-mark=via-ether3
add chain=output connection-mark=via-ether3 action=mark-routing new-routing-mark=via-ether3
```
 
tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

Re: 2 IP addresses on 2 ports

Sun Jun 19, 2022 2:15 pm

> So you confirm that if you add the interface name to the gateway of a single default route, you can enable both IP addresses, and access to the one attached to ether1 works without any issues. That was what I wanted to prove. By adding the other route with the same (default) distance value of 1 you have broken it again, but that is not surprising.
>
> The next step is to add a separate routing table and use mangle rules to make the router respond via the same interface through which the request has arrived.
>
> /routing/table/add name=via-ether3 fib
> /ip/route/add routing-table=via-ether3 gateway=X.X.X.1%ether3-ip2
> /ip/firewall/mangle
> add chain=prerouting in-interface=ether3-ip2 connection-mark=no-mark action=mark-connection new-connection-mark=via-ether3
> add chain=prerouting in-interface=!ether3-ip2 connection-mark=via-ether3 action=mark-routing new-routing-mark=via-ether3
> add chain=output connection-mark=via-ether3 action=mark-routing new-routing-mark=via-ether3

Thank you very much, it looks like it's working fine now.

Just out of curiosity, I'd like to ask, would the same configuration work even if there was a different gateway on port 3 than on port 1?

Thank you in advance for your answer.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 IP addresses on 2 ports

Sun Jun 19, 2022 2:32 pm

> would the same configuration work even if there was a different gateway on port 3 than on port 1?

Yes, it would. The reason why it required this extra effort although the gateway IP is the same for both interfaces seems to be that the datacenter filters traffic whose source IP address is not associated, according to their data, to the interface from which it comes. That's not bad actually, as it means that no one can rent a VM at that DC and use it to send tons of DoS traffic from forged source addresses.

The mangle rules I've suggested are sufficient to route responses to port forwarded traffic via the proper interface. If you eventually change your mind in future, and decide you need some outgoing traffic (i.e. initiated by clients at LAN side towards servers in the internet) to be NATed to IP2, you'll need to add some more mangle rules and modify the existing ones.
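
The following is an added example, not part of the original post and not RouterOS code: a small Python model of why replies to requests arriving on ether3-ip2 are lost without the three mangle rules, assuming the provider filters by source address per port as the reply above suggests. The class and function names are hypothetical, and 203.0.113.0/24 is a constructed stand-in for the masked X.X.X.0/24.

```python
# Constructed model of the thread's setup. 203.0.113.0/24 (documentation range)
# stands in for the masked X.X.X.0/24; this is not RouterOS code.
PROVIDER_BINDING = {"ether1-ip1": "203.0.113.49", "ether3-ip2": "203.0.113.141"}
DEFAULT_ROUTE = {"main": "ether1-ip1", "via-ether3": "ether3-ip2"}  # out-interface per table


class Router:
    def __init__(self, policy_routing):
        self.policy_routing = policy_routing  # True once the three mangle rules exist
        self.conn_marks = {}                  # connection id -> connection mark

    def request_in(self, conn, in_interface):
        # Rule 1 (prerouting): unmarked connection arriving on ether3-ip2 gets marked.
        if self.policy_routing and in_interface == "ether3-ip2":
            self.conn_marks.setdefault(conn, "via-ether3")

    def reply_out(self, conn, in_interface=None):
        # in_interface=None: reply generated by the router itself (rule 3, output).
        # Otherwise the reply comes back from a forwarded host (rule 2, prerouting,
        # which only applies when in-interface is not ether3-ip2).
        table = "main"
        if self.conn_marks.get(conn) == "via-ether3" and in_interface != "ether3-ip2":
            table = "via-ether3"
        return DEFAULT_ROUTE[table]


def provider_accepts(out_interface, src_ip):
    # The filter as described in the reply: source must match the port's address.
    return PROVIDER_BINDING[out_interface] == src_ip


def reply_delivered(policy_routing, request_interface, reply_from=None):
    """Does the reply to a request that arrived on request_interface reach the client?"""
    router = Router(policy_routing)
    router.request_in("conn-1", request_interface)
    out_interface = router.reply_out("conn-1", reply_from)
    # Connection tracking restores the address the client originally contacted.
    src_ip = PROVIDER_BINDING[request_interface]
    return provider_accepts(out_interface, src_ip)


if __name__ == "__main__":
    for rules in (False, True):
        for port in PROVIDER_BINDING:
            print(f"mangle rules={rules} request on {port}: delivered={reply_delivered(rules, port)}")
```

The model covers only the single-default-route case with and without the mangle rules; it does not reproduce the unstable behaviour seen with two default routes of equal distance.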
 
tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

Re: 2 IP addresses on 2 ports

Sat Jun 25, 2022 1:22 am

> > would the same configuration work even if there was a different gateway on port 3 than on port 1?
>
> Yes, it would. The reason why it required this extra effort although the gateway IP is the same for both interfaces seems to be that the datacenter filters traffic whose source IP address is not associated, according to their data, to the interface from which it comes. That's not bad actually, as it means that no one can rent a VM at that DC and use it to send tons of DoS traffic from forged source addresses.
>
> The mangle rules I've suggested are sufficient to route responses to port forwarded traffic via the proper interface. If you eventually change your mind in future, and decide you need some outgoing traffic (i.e. initiated by clients at LAN side towards servers in the internet) to be NATed to IP2, you'll need to add some more mangle rules and modify the existing ones.

Sorry for the late reply. Anyway, thank you very much.
