dcikac (topic author)

Configuring two public IPs on different subnets

Mon Mar 28, 2022 12:20 pm

Hi ppl.

So I hit a bit of a wall. To keep things kind of simple, I will refer to these addresses: ISP1: 130.130.130.146/29, ISP2: 120.120.120.49/29 and local 192.168.1.0.

I have been using ISP1 as my default connection and populated all related public IP addresses with web services, VPN and so on, and asked my ISP for more public IP addresses; they gave me another pool, but in a different range, configured on the same port as the ISP1 addresses. Now on interface ether1-gateway I have the ISP1 and ISP2 addresses. My MikroTik CRS125-24G-1S-2HnD was kind enough to spot that in IP --> Routes and I got a 0.0.0.0 default gateway connection to 120.120.120.49/29 --> reachable ether1-gateway, but it was blue, so I added 120.120.120.49/29 in IP --> Addresses; it figured that the BC address is the 120.120.120.48 network on ether1-gateway, and after adding a different routing mark "second" the connection was marked as AS and probably working.

In the firewall settings I added the standard rules that work with my other servers:
chain=input action=accept protocol=tcp dst-address=120.120.120.49 in-interface=ether1-gateway dst-port=80

NAT rule:
chain=dstnat action=dst-nat protocol=tcp dst-address=120.120.120.49 dst-port=80 to-addresses=192.168.1.34 to-ports=80 (192.168.1.34 is the server address)

(masquerade, of course)

These rules work when I'm using the ISP1 addresses; I just copied them and used the IPs and ports I needed, and on the other side there is nginx listening on port 80 for HTTP. It all works locally because I made rules that use in-interface=bridge-local, so I can access my server locally, but not from other locations over the public ISP2 address.

When I try to go from the public ISP2 IP I don't even get traffic in my NAT and firewall counters, so my conclusion is that I missed something in the routing tables, routing rules or IP address config to say: when a packet comes from 120.120.120.49 (or some other address in that pool), do a bridge-local and use the "main" routing table. In the drop-down menu for my ISP1 default configuration I don't have any routing mark selected, it's blank; maybe if I select "main" and in the routing rules make a rule something like dst-address=120.120.120.0/29 src-address=192.168.1.0/24 routing-mark=second interface=ether1-gateway action=lookup table=main.

Sorry, I know this is all confusing and my English is not great, but maybe someone has a clue what I'm missing, or whether I have made too many steps and MT gets confused. Anyway, thanks for reading; I will give more info when asked.
 
MikroTokkie

Re: Configuring two public IPs on different subnets

Mon Mar 28, 2022 8:47 pm

Needs more info from the ISP. I suppose the second subnet is routed to ONE of the addresses in the first subnet. But you'll have to check with your ISP.
 
dcikac (topic author)

Re: Configuring two public IPs on different subnets

Tue Mar 29, 2022 9:35 am

It is not routed to the first ISP1 range, but it's configured on the same port.

My ISP gave me a Cisco router that has eth1 for their FTTH optics, and its eth2 is my WAN, and on Cisco eth2 I have the ISP1 and ISP2 public IP addresses. I would be happier if they gave me the ISP2 range on eth3; probably easier to configure when I can say my MT eth5 is the gateway for the ISP2 IP range.

So the ISP1 and ISP2 ranges are on Cisco eth2 that goes to MT ether1-gateway, and even when I added a route:
/ip route
add dst-address=120.120.120.0/29 gateway=ether1-gateway

it is marked reachable, so MT is hooked to those addresses, but somehow I need to get them to my local bridge and NAT; a routing rule maybe to redirect routing mark "second" to use bridge-local, or a mangle rule for prerouting.
 
Sob (Forum Guru)

Re: Configuring two public IPs on different subnets

Tue Mar 29, 2022 8:32 pm

If the ISP put both subnets on the same interface of their router, i.e. if it was RouterOS, their config would be:
/ip address
add interface=to-dcikac address=130.130.130.x/29
add interface=to-dcikac address=120.120.120.y/29
Then if so far you had on your router:
/ip address
add interface=WAN address=130.130.130.a/29
add interface=WAN address=130.130.130.b/29
...
/ip route
add dst-address=0.0.0.0/0 gateway=130.130.130.x
then all you need is to add the new addresses:
/ip address
add interface=WAN address=120.120.120.g/29
add interface=WAN address=120.120.120.h/29
...
and it should work. You may add a route too:
/ip route
add dst-address=0.0.0.0/0 gateway=120.120.120.y
But if the gateway is the same device, then both 130.130.130.x and 120.120.120.y probably have the same MAC address, so it's not really needed. Only if they did it in a way that they don't have the same MAC address would you need to treat it as regular dual WAN.
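
The same-port case Sob describes, written out against the thread's addresses as an added example: this is not Sob's or dcikac's configuration and it is not quoted from MikroTik documentation. Assumed for illustration only, since neither value appears in the thread: the ISP gateway on the ISP1 /29 is 130.130.130.145 and on the ISP2 /29 it is 120.120.120.54; substitute the real ones. The last three commands are the check that decides which case you are in.

```routeros
# Added example for the same-port case; not the thread's or MikroTik's own config.
# Assumed (not in the thread): ISP gateways 130.130.130.145 and 120.120.120.54.
/ip address
add interface=ether1-gateway address=130.130.130.146/29 comment="ISP1 range (existing)"
add interface=ether1-gateway address=120.120.120.49/29 comment="ISP2 range, same port"
add interface=ether1-gateway address=120.120.120.50/29 comment="ISP2, published web server"

# One default route is enough when both /29s hang off the same ISP device;
# 120.120.120.48/29 is directly connected, so replies to it need no extra route.
/ip route
add dst-address=0.0.0.0/0 gateway=130.130.130.145

# Check which case you are in: ping both gateways so ARP resolves them,
# then compare the MAC addresses RouterOS learned on the WAN port.
/ping 130.130.130.145 count=2
/ping 120.120.120.54 count=2
/ip arp print where interface=ether1-gateway
```

If the two gateway entries show the same MAC address, stop here and add NAT rules for the new addresses. If they differ, or if 120.120.120.54 does not answer at all, the ISP has put the second range behind a different device or port and you are in the dual-WAN case Sob mentions: each range then needs its own default route plus connection and routing marks, which this example deliberately does not attempt.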
 
dcikac (topic author)

Re: Configuring two public IPs on different subnets

Wed Mar 30, 2022 2:12 pm

First of all, thanks to @MikroTokkie and @Sob for your help.

Second, the forum and wiki helped me a lot in learning about MT, and the issue was resolved, literally.

@Sob

After getting your confirmation that my config is fine, and from other sources, I took the other advice and started from the source, and by that I mean traceroute: when I was last testing it was fine and got to my ISP2 address, and now it got stuck on a private IP address.

I got on the phone with the ISP, and the problem was that I HAD a Cisco router, and they switched it for an MT when I had a speed upgrade on my FTTH, and it was not configured on their internal part and got stuck on their forward to my WAN…

After they did their part all was working, because I had all of the firewall and NAT rules in place; just the public IP was not resolving to the ISP router that is connected to my WAN interface.

Thanks guys, in the end it was over-configuration and not looking at the basics; all I needed was:

/ip address
add interface=ether1-gateway address=120.120.120.49/29 (and the same for every other public IP in the range that I will use)

and then

/ip firewall filter
add chain=input action=accept protocol=tcp dst-address=120.120.120.50 in-interface=ether1-gateway dst-port=80

/ip firewall nat

add chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=80 protocol=tcp dst-address=120.120.120.50 in-interface=ether1-gateway dst-port=80
(HTTP for outside access)

add chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=80 protocol=tcp dst-address=120.120.120.50 in-interface=bridge-local dst-port=80
(HTTP for local access)


I did it for other ports and it works. @MikroTokkie, I was lacking the experience to conclude that maybe the ISP was at fault; it had been working for some time, I just didn't need the extra IPs. Thanks to both for the shove in the right direction, to go back to basics and go to the ISP, and for confirming I was doing the right thing and it's not a me problem; you have a Beerware license from me.
 
Sob (Forum Guru)

Re: Configuring two public IPs on different subnets

Wed Mar 30, 2022 11:22 pm

A few things:

- You don't need the input rule; that would be if you wanted to connect to the router itself, but dstnat won't let it go there.
- You don't need two dstnat rules; just get rid of in-interface and one will be enough.
- When the port number in to-ports is the same as the number in dst-port, you can omit to-ports entirely.
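
The published-service rules with Sob's three simplifications applied, as an added example; this is not dcikac's posted configuration and not Sob's. Taken from the thread: the public address 120.120.120.50 is already on ether1-gateway, the web server is 192.168.1.15, and the LAN behind bridge-local is 192.168.1.0/24. Two things here are my own additions, not stated in the thread: the forward-chain accept that replaces the input rule, and the hairpin masquerade. With a single dst-nat rule and no in-interface, a LAN client that connects to the public address does reach the server, but the server answers that client directly on the LAN from its private address, so the client sees a reply from the wrong peer and the TCP handshake fails; masquerading that one LAN-to-LAN dst-natted flow is the standard RouterOS fix.

```routeros
# Added example; not the thread's own config. Addresses are the thread's,
# the forward-chain rule and the hairpin rule are assumptions explained above.
/ip firewall nat
# One dst-nat rule: no in-interface, and no to-ports because the port is unchanged.
# It matches the connection whether it arrives from the WAN or from bridge-local.
add chain=dstnat action=dst-nat protocol=tcp dst-address=120.120.120.50 dst-port=80 to-addresses=192.168.1.15 comment="http -> 192.168.1.15"
# Outbound masquerade for the LAN (the thread's "masquerade, of course").
add chain=srcnat action=masquerade out-interface=ether1-gateway comment="LAN -> internet"
# Hairpin NAT (assumption, not in the thread): LAN clients using the public address
# would otherwise get the server's reply straight from 192.168.1.15 and drop it.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.15 protocol=tcp dst-port=80 comment="hairpin for LAN clients using 120.120.120.50"

/ip firewall filter
# No input rule: after dst-nat the packet is forwarded, not delivered to the router,
# so the accept belongs in the forward chain. Matching connection-nat-state=dstnat
# admits only what a dst-nat rule explicitly published, not arbitrary WAN ports.
# Place this above any drop rule in the forward chain.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1-gateway comment="accept port-forwarded connections from WAN"

# Check: after a test connection from outside, the dstnat rule's counters move
# and the connection table lists the flow to the public address.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"^120.120.120.50"
```

The forward-chain rule assumes the usual accept for established and related connections already exists in that chain, as in the RouterOS default firewall; it only admits the first packet of a newly dst-natted connection. If the counters on the dstnat rule stay at zero during a test from outside, the packet never reached the router, which is exactly the symptom this thread turned out to have upstream at the ISP.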
