Hello,

this should be very simple, but I'm so uneducted in this topic, that I'm facing issues

Scenario:

WAN <-> MikroTik <-> LAN + RoutedDirectIP

What I mean, is that MikroTik serves WAN access to LAN using NAT. And, also has one server directly connected to it, which has external IP address.

MikroTik: 85.1.1.1
LAN: 10.1.1.255
Server1: 85.1.2.1

if Server1 would have IP close to MikroTiks, I could use subnet mask to let it know that it's directly connected. But its not.... so I thought I could add static route, but it requires a gateway address..

Whats the proper way to do this?

Thanks!

I don't know about the proper way, but I have some ideas how to make it work.

First, are you sure that only single address is routed to you? It is possible, just seems a little unusual to me.

Lets say it is correct. Then:

a) use point-to-point addresses

- on Server1 add 85.1.1.1 and set the other address to x.x.x.x (any non-public address you like).
- on Server1 add default route via x.x.x.x
- on Mikrotik add x.x.x.x and set the other address to 85.1.1.1.

How exactly to do it:
- on Mikrotik add new address x.x.x.x/32 and set network address to y.y.y.y (other address)
- on Linux use e.g. ifconfig ethX x.x.x.x pointopoint y.y.y.y
- on Windows I have no idea

b) use another private network to connect Mikrotik and Server1

- on Mikrotik add 10.1.2.1/24
- on Server1 add 10.1.2.2/24
- on Server1 add 85.1.2.1/32
- on Server1 add default route via 10.1.2.1
- on Mikrotik add route to 85.1.2.1 via 10.1.2.2

If Server1 is running Windows, it won't like 85.1.2.1/32 (= mask 255.255.255.255). But it seems that it can be changed later manually in registry.

For now I've done it adding a simple route to 85.1.2.1 using 85.1.2.1 as the gateway. It seems to work, though I'm not sure if it might have any consequences?

If the public ip srcnat/dstnat to the private ip is correct, you should be able to use a local masquerade. Mine works.

/ip firewall nat
add chain=srcnat action=masquerade src-address=10.1.1.0/24

If it is not a private ip, how do you have it routed, and what interface is assigned that public ip subnet?

thats the issue - it's public IP, and it's only one IP that our ISP has given to us (in addition to our router IP). So how to route it IS my question For now I have it working like this:

85.1.1.1 is public IP for our router [well, I've changed it, but lets assume its like that]
85.1.2.1 is public IP for our internal server

I've added a new route to 85.1.2.1 255.255.255.255 on 85.1.1.1 using 85.1.2.1 as a gateway. It seems to work. But is it proper?

If you have only one public ip, where did you get the other public ip? Unless your ISP routes that second ip to your router, it will not work outside your localnet.

ADD: My bad! You have two public ips assigned; one at the router, and the second is routed into a server on the localnet, correct? And your localnet is on the same interface as the server?

Add the second ip address/netmask (85.1.2.1/24?) to your WAN interface.
Set the internal server to a localnet address. (like 10.1.1.2/24)

/ip firewall nat
add chain=srcnat action=src-nat src-address=10.1.1.2 to-addresses=85.1.2.1 place-before=0
add chain=dstnat action=dst-nat dst-address=85.1.2.1 to-addresses=10.1.1.2 place-before=0

If the two ips are on separate subnets, you may need a routing-mark to select the correct gateway in "/ip route".

For now I've done it adding a simple route to 85.1.2.1 using 85.1.2.1 as the gateway. It seems to work,...

I don't get it. It basically tells the router that route to 85.1.2.1 is via it's own address. But how can router know where it is? It can't work. But if it does, I'm obviously misinterpreting something.

@Sob: I don't think you are missing anything. If the ip/subnet is not assigned to the WAN interface, only conntrack will know where it is. Only locally in the router. From the internet, it will dead-end into the MT router's WAN interface. Without the second ip address/subnet assigned there, the router will not respond.

I think I forgot to tell something - the server is connected directly to the router via a switch. So there is no path anymore, the packet just has to be delivered to the recipient

I think I forgot to tell something - the server is connected directly to the router via a switch. So there is no path anymore, the packet just has to be delivered to the recipient

Connected directly to which interface? WAN or LAN?

lan

What ip/subnet is assigned to your lan interface? Show me:
/ip address print
with changes to protect your public ip, of course!

I've actually changed all the IPs in question, so I'm not even sure what to show Routers external IP is 85.1.1.1, LAN IP is 10.1.1.1, subnet mask is 10.1.1.255. Internal servers lan IP is 10.1.1.200. It also has a second interface, which has a 85.1.2.1 IP assigned. And I added a new route to 8.1.2.1 VIA 8.1.2.1 to router.

Seems to work..

If I understand it correctly, you have this:



Routes are (MikroTik style):

- at Server:
/ip route add dst-address=0.0.0.0/0 gateway=10.1.1.1

- at ISP
/ip route add dst-address=85.1.2.1 gateway=85.1.1.1

And now the part I don't understand. It sounds that on the Router you added:

/ip route add dst-address=85.1.2.1 gateway=85.1.2.1

This simply can't work, because Router doesn't have any idea where 85.1.2.1 might be.

I'd understand if the route on Router was:

/ip route add dst-address=85.1.2.1 gateway=10.1.1.200

That would work just fine.

It is exactly as you described, precisely.

And it works!

Adding route did not work, until I explicitely specified interface. When I did that, it started working. My guess, is that it sends arp request and the server responds to it, so they know they are connected directly. Could this be true?

So I was wondering how it's possible to specify interface. And finally found that it's possible to do:

/ip route add dst-address=85.1.2.1 gateway=name_of_interface

Is this what you did?

Frankly, I'm so new to mikrotik, that I'm using WinBox interface, and not even sure of the command lines..

Anyway, my way doesnt really work It worked when 8.1.2.1 was on same adapter which also had an internal IP address. When we put in a new adapter, it no longer works.. I have to look into your suggestions..

And now the part I don't understand. It sounds that on the Router you added:
/ip route add dst-address=85.1.2.1 gateway=85.1.2.1

I don't think that route is correct. It should be
/ip route add dst-address=85.1.2.1 gateway=10.1.1.200

Insure to exclude this address from any srcnats or masquerades.

Ok, I've tried it "additional private network" way. And it works just fine for incoming connections - they find their way to the public IP just fine. However, that does not work at all for outgoing connections via that network. If I don't add anything, they just dont go through. If I add a masquarade rule, they appear to come from router's IP address

Ok, so current configuration:

Router - 85.1.2.1
Router additional network - 10.1.2.1/24
Router route to 85.1.2.2 via 10.1.2.2

Server - 85.1.2.2 AND 10.1.2.2

This works for incoming connections. Outgoing connections from server fail.

If I add a masquarade, outgoing connections appear to come from 85.1.2.1

If I add a src-nat for 10.1.2.2 to 85.1.2.2, it works, but I thought I could avoid NAT completely?

I apparently misunderstand the ip address assignments on the router and server. Best to show
/ip address print
/ip route print
/ip firewall nat print
That will help us see what is happening.

What ip/subnet and gateway was issued by your ISP on the public ip you are trying to route?

I think I see where the problem is. If application on server doesn't explicitly bind to 85.1.2.2 for outgoing connections, then it probably uses 10.1.2.2 as source address. So we need some way to prefer the public address. I'll think about that.

One more thing, what OS does your server use?

ISP assigned configuration: 8.1.2.1, 255.255.255.255, gateway 8.1.1.1

I can't paste you actual configuration because microtik has a complex additional network, nat, firewall configuration, and the IPs I show here are also diffferent..

I think you might be right that windows does not bind to the public IP, instead binds to 10.1.2.2.. but I'm not sure how to force it. Actually, I'm pretty sure there isn't a way..

server OS is Windows 2008.

I see now. I think you might need to assign that ip/subnet to the router wan interface, then srcnat/dsnat to the server localnet ip.

Thats how I had it in the first place. But I don't want that! I can't believe it's not possible to just tell the router that, hey, this IP is connected to you! I've tried manually adding ARP address to ARP table, and while ARP ping works fine, normal ping doesn't get through..

Well, it is possible to just tell the router that, hey, this IP is connected to you! The only trouble here is that you need to tell the same to Windows and you can't.

I see few options:

1) Tell your ISP to route some usable subnet to you, instead of single address. /30 would be enough. That way you can set up standard subnet between router and server using public addresses.

2) Use NAT as SurferTim suggests. Generally speaking NAT sucks, but if you do not require anything "special" like IPSec, it will work.

3) Find a way how to make it work with single routed address. I believe that only clean reliable solution is using point-to-point addresses. The problem is, Windows doesn't seem to support them. With one exception - tunnels. So if you establish e.g. PPPoE tunnel between server and router, then you can have 85.1.2.2 on server's side, anything else on the router's side and it will work. But there's another trouble - I wasn't able to find a way how to auto-start such tunnel on Windows boot. Major trouble for server use..

4) This is a dirty trick, but it would work too. Just pretend that you have /30 subnet that contains 85.1.2.2 and use it between router and server. The bad thing is, that you will make two or three more addresses look as local, so you won't be ever able to communicate with them. But you will break it only for yourself and there's a chance that you won't need to communicate with them anyway, so it may be usable. But still it's not ok, so it should be the least prefered solution.

Actually, I was thinking about 4) - i don't really care about other ISP addresses in that range, there's nothing interesting for us there

But I would rather do it proper way.. NAT doesn't seem "proper" - I can have it NAT way using private IPs only, but I would like to separate private vs public traffic completely..

I could ask ISP to address us more IPs, but somehow I thought telling "I'm connecting" was much easier than it appears now

Do you have any idea why adding ARP address does not work?

As for windows, adding a route to IP with same gateway address as IP tells it it's "on-link", so that should work...

As for windows, adding a route to IP with same gateway address as IP tells it it's "on-link", so that should work...

I was doing my previous testing with XP and it didn't work. But then I tried Win7 and it seems that it will actually work there. Window 2008 is Vista based, but hopefully it will work there too. I'm just about to try a proper test and I'll let you know.

Thank you very much. I'm really hoping I can solve this with real IP assigment on Windows box, and without resorting to additional networks / nats / other hacks.

Btw, just to remind - it worked fine when this public IP was on the same interface as other, NATed, private IP. So I think it's only a matterof ARP lookup to know this IP is onlink..

Here it is, tested and working on Windows 7:

Server public interface:
Address: 85.1.2.2
Mask: 255.255.255.255 (yes, 4 x 255)
Gateway: 85.1.2.1

If you want server to be also part of internal network, then best is to add another network adapter and connect it there. But don't set default gateway on that interface.

Router interface dedicated to server:
/ip address add address=85.1.2.1/32 interface=to-server-iface
/ip route add dst-address=85.1.2.2/32 gateway=to-server-iface

I'm not exactly sure if it's a problem that this way 85.1.2.1 is on both interfaces on router. But it works. You can also put there anything else (e.g. 10.10.10.10, as gw on server and ip on router) and it will work too.

I will try it out tomorrow, thanks!

If server interface is eth1, and I add a public IP I do not own to this interface, it won't cause problems on WAN interface, or will it?

If you mean that eth1 is interface on router where server is connected to, then you can put any address you want there. But if it's address owned by someone else, you won't be able to access the real one. And I don't see any reason why to do it this way.

I have to assign IP on same subnet as 8.1.2.1 [my server's given IP], but it doesn't belong to me

Ok, so you're saying that the last example that works for me on Win7 does not work on your Win2008?

No, no, it does! It's just that I have to enter 8.1.2.1 on the router, which does not belong to me

actually, I see where I confused you (and myself). It's by scrambling these adresses!

Problem is, I own two IPs from different subnets - 8.1.1.1 [router] and 8.1.2.1 [server].

Sorry for mistaking you..

INHO it still doesn't change anything. The point of this last setup is to not require any other public addresses except those two you got from your isp.

So if we leave out the numbers, you have PublicIPForRouter and PublicIPForServer.
PublicIPForRouter is assigned to router, on interface connected to ISP.
PublicIPForServer is assigned to server, on interface connected to router.
The only missing thing is address you need tu put on router, on interface connected to server.
And because we're using point-to-point, it can be *anything*.
Even duplicated PublicIPForRouter will work (there will be two PublicIPForRouter address on router, each on different interface).
Or you can use any non-public address like 10.10.10.10. It does not have to be close to PublicIPForServer. This is the whole idea of point-to-point addressing.

Oh... you are right! It works just fine! I KNEW there was a easy way out! Thanks for showing it to me! [happy]