A couple of questions, if I may. How does a router determine which public IP is used for masquerading when there is a choice? Also, I'm not fully understanding the new bridge concept, as it isn't working on the firewall side of the router.
"Interface WAN" = single Ethernet port #2 on router
# RouterOS 6.42.7
# model = CRS326-24G-2S+
/ip address
add address=10.100.100.206/26 comment="PUBLIC-EMAIL" interface="Interface WAN" network=10.100.100.192
add address=10.100.100.207/26 comment="PUBLIC-WEB" interface="Interface WAN" network=10.100.100.192
add address=10.100.100.208/26 comment="PUBLIC-SECURE" interface="Interface WAN" network=10.100.100.192
add address=192.168.1.254/24 comment="Local LAN" interface="LAN Bridge" network=192.168.1.0
add address=192.168.0.254/24 comment="Local EMAIL" interface="EMAIL Bridge" network=192.168.0.0
add address=192.168.2.254/24 comment="Local IOT" interface="IOT Bridge" network=192.168.2.0
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade outbound IP to Public" out-interface="Interface WAN"
/ip route
add distance=1 gateway=10.100.100.193
"LAN Bridge" = Bridge of Ethernet ports #1, #3, #5, #7 (192.168.1.254/24)
"EMAIL Bridge" = Bridge of Ethernet ports #10, #12, #14, #16 (192.168.0.254/24)
"IOT Bridge" = Bridge of Ethernet ports #9, #11, #13, #15 (192.168.2.254/24)
Three separate internal networks, all isolated. None of my inbounds are DMZs; all are port-routed NATs. The inbound ports seem to work, i.e. port 25 for email has PAT to 192.168.0.100, and that server is connected to router Ethernet port #10. The problem is, I'd like ALL public traffic from each of the various networks to use its own public IP. From the email server (192.168.0.100), a web browser asking for 'What is my IP' returns 10.100.100.206, which is the public IP for the LAN users.
I tried to use mangle and connection/route marking to force the local LAN to use a designated IP for outbound. I thought I might need several masquerade settings (one for each LAN), but I'm not sure how to do that when everything is using the same outbound Ethernet and gateway. I tried to set up another bridge of Ethernet ports #2, #4, #6, #8 and assign Ethernet #2 IP 10.100.100.206, Ethernet #4 IP 10.100.100.207, and Ethernet #6 IP 10.100.100.208; but then the bridge caused all sorts of other issues within the firewall.
Not sure how to proceed. Originally I had three 750 routers doing this job, but I thought I'd combine them into one rack mountable router.
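An added example, not from the original post: the standard RouterOS way to pin each internal network to its own public address is one src-nat rule per source subnet (action=src-nat with to-addresses) placed above the catch-all masquerade, rather than several masquerade rules or mangle marks. The subnet-to-address mapping below is an assumption except for EMAIL, which the post's address comments tie to .206; interface names and addresses are taken from the post.

```routeros
# Added example (not the poster's config). Why masquerade alone cannot do this:
# action=masquerade borrows the source address the routing decision chooses for
# the outgoing route (its preferred source), so with three addresses on one port
# every internal network ends up behind whichever address wins, here .206.
# action=src-nat lets each rule name its own public address instead.
#
# Assumed mapping (only EMAIL -> .206 is implied by the post's comments):
#   EMAIL  192.168.0.0/24 -> 10.100.100.206  (PUBLIC-EMAIL)
#   LAN    192.168.1.0/24 -> 10.100.100.207  (PUBLIC-WEB)
#   IOT    192.168.2.0/24 -> 10.100.100.208  (PUBLIC-SECURE)
#
# srcnat is evaluated top-down and stops at the first match, so each specific
# rule is inserted before the existing masquerade rule, which stays as a
# fallback for anything not covered (e.g. traffic sourced by the router itself).
/ip firewall nat
add chain=srcnat action=src-nat src-address=192.168.0.0/24 \
    out-interface="Interface WAN" to-addresses=10.100.100.206 \
    comment="EMAIL -> PUBLIC-EMAIL" place-before=[find action=masquerade]
add chain=srcnat action=src-nat src-address=192.168.1.0/24 \
    out-interface="Interface WAN" to-addresses=10.100.100.207 \
    comment="LAN -> PUBLIC-WEB" place-before=[find action=masquerade]
add chain=srcnat action=src-nat src-address=192.168.2.0/24 \
    out-interface="Interface WAN" to-addresses=10.100.100.208 \
    comment="IOT -> PUBLIC-SECURE" place-before=[find action=masquerade]

# Check the resulting order: the three src-nat rules must print above masquerade.
/ip firewall nat print

# NAT is stateful: connections opened before the rules were added keep their old
# translation until they expire, so flush the tracking table once when testing.
/ip firewall connection remove [find]
```

After flushing, a 'What is my IP' check from a host on each bridge should return that network's own address; the existing dst-nat (port 25 to 192.168.0.100) is unaffected, since replies to inbound connections follow the connection-tracking entry rather than srcnat.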