Wed Aug 31, 2022 6:31 pm
Good. First, maybe you want to edit the configuration file to hide the public prefix?
Before starting, set up the forward chain of the firewall filter so that it won't forward anything coming from WAN (ether1) except packets belonging to established, related, or untracked connections, and except icmp - that's the very goal of the exercise, isn't it? Later on, you'll permit forwarding (without dst-nat) of the chosen ports to the.pub.lic.85.
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward protocol=icmp action=accept
add chain=forward in-interface=ether1 action=drop
Next, to have the public IP up directly on eth0 of the server while not wasting another three public IPs for broadcast, network address, and gateway, you have to use the point-to-point Ethernet setup, where the local address is a /32 one and the remote address is, well, another /32 one. I don't know how to configure that using the NetworkManager, but using the plain ip command, you set it the following way:
ip address add the.pub.lic.85/32 peer 10.20.30.40 dev eth0
ip route add default via 10.20.30.40
The corresponding setting at the Mikrotik end of the cable is
/ip address add interface=ether4 address=10.20.30.40/32 network=the.pub.lic.85
(of course you first remove ether4 from the bridge connecting it with ether3).
This way, Mikrotik will add a route to the.pub.lic.85 via ether4:
[me@MyTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
...
17 ADC the.pub.lic.85/32 10.20.30.40 ether4 0
...
A smaller subnet (longer prefix) always wins so if RouterOS receives a packet for the.pub.lic.85 from anywhere, it will send it via ether4, although the.pub.lic.85 also fits into the the.pub.lic.80/29 subnet attached to ether1.
The dst-nat to a private address and back would be just a workaround if you weren't able to find how to set this point-to-point configuration up in the startup configuration of Ubuntu.
Next, you have to tell the Mikrotik to respond to ARP requests arriving on the main WAN and asking about the.pub.lic.85 with its own MAC address; to do that, you use
/ip arp add interface=ether1 address=the.pub.lic.85 published=yes
That's it.
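As an added illustration (my own model, not code from the post or from RouterOS): a small Python simulation of the forward chain above and of the longest-prefix route selection, using RFC 5737 placeholder addresses in place of the.pub.lic.80/29 and the.pub.lic.85. It also shows why a later port-specific accept rule has to sit above the ether1 drop rule.

```python
import ipaddress

# Constructed model of the post's forward chain (not RouterOS code): first match wins,
# and a packet that matches no rule falls through to the chain's default, which is accept.
FORWARD_CHAIN = [
    {"connection_state": {"established", "related", "untracked"}, "action": "accept"},
    {"protocol": "icmp", "action": "accept"},
    {"in_interface": "ether1", "action": "drop"},
]

def forward_verdict(pkt, rules=FORWARD_CHAIN):
    """Return the chain's verdict for one packet (dict of matcher -> value)."""
    for rule in rules:
        if "connection_state" in rule and pkt["state"] not in rule["connection_state"]:
            continue
        for key in ("protocol", "in_interface", "dst_address", "dst_port"):
            if key in rule and pkt.get(key) != rule[key]:
                break  # this matcher fails, try the next rule
        else:
            return rule["action"]  # every matcher in the rule fits this packet
    return "accept"

def permit_port(rules, dst_address, protocol, dst_port):
    """Open one port to the server by inserting an accept *above* the WAN drop rule.
    Placed after the drop, the accept would never be reached (see the test below)."""
    drop_index = next(i for i, r in enumerate(rules) if r["action"] == "drop")
    new_rule = {"in_interface": "ether1", "protocol": protocol, "dst_address": dst_address,
                "dst_port": dst_port, "action": "accept"}
    return rules[:drop_index] + [new_rule] + rules[drop_index:]

# Placeholder routes (RFC 5737 addresses) standing in for the.pub.lic.80/29 on ether1
# and the /32 connected route to the.pub.lic.85 that the point-to-point address creates.
ROUTES = [("203.0.113.80/29", "ether1"), ("203.0.113.85/32", "ether4")]

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: the /32 connected route beats the /29 WAN subnet."""
    best = None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else None
```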