Thank you guys for your comments.
At first I would like to explain why I need to NAT these IPs instead of assigning them directly to the servers.
I have a locally hosted website consisting of three servers on my LAN, and because a high-speed internet connection is very expensive in my country, I thought about subscribing to 4 different internet connections, each with a pool of public IPs, so that I can take 3 IPs from every WAN connection, assign them to my 3 servers, and use BIND (Linux DNS server) to round-robin them (just like big websites which have different IPs responding to each request).
Correct me if I am wrong in these thoughts.
- I have used my ISP modem in bridge mode and noticed that the WAN IP is the IP assigned to the PPPoE interface dynamically by my ISP.
- I added to the same PPPoE interface the 5 IP addresses I got from my ISP with /29 on each, then MikroTik automatically figures that the network address is the MATRIX LAN IP. Should I change the network IP to the GATEWAY IP?
- I added a src-nat rule to translate a public IP to a local one, e.g.:
chain=srcnat action=src-nat to-addresses=1.1.1.2 src-address=192.168.0.1
Now I can access my servers from outside my network, but if I try to access the server from inside my network using the public IP, I can't.
I think I need to do hairpin NAT, but I don't know how.
First of all: when you connect to your ISP with PPPoE, you'll have only a /32 IP address, because it's a point-to-point network design over Ethernet. When you get a /29 network from your ISP, he just adds a static route on his BRAS saying that your /29 network is reachable through your PPPoE IP. Your gateway to the world (0.0.0.0/0) will be the one through your PPPoE connection.
Now about NAT. If you want to translate a public IP into a local one, you will need a destination NAT rule, not a source one, because you want to control your LAN, not src-NAT the whole world. The rule will look like this, depending on your interface name:
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=pppoe1 dst-address=1.1.1.2 to-addresses=192.168.0.1
You can also choose the protocol type and port.
If you want to access your local server through the router by the public IP which you are NATting, you should use hairpin NAT:
After you dst-nat from global to LAN, add these 2 rules:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address="your global IP" dst-port=80 in-interface="LAN interface for your web server" protocol=tcp src-address=192.168.0.0/24 to-addresses=192.168.0.1 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.0.1 dst-port=80 out-interface="LAN interface for your web server" protocol=tcp src-address=192.168.0.0/24
If I misconfigured something, just adjust it to your idea.
General info about H-NAT:
https://wiki.mikrotik.com/wiki/Hairpin_NAT
P.S.: if you can't figure out why the wiki manipulates 2 rules but I use 3, it is because I am specifying the exact interface.
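
Added example, not part of either post: a small Python model of the hairpin case above, showing why the dst-nat rule alone fails for a LAN client and what the masquerade rule changes. The router LAN address 192.168.0.254 and the client address 192.168.0.10 are assumed; 1.1.1.2, 192.168.0.1 and 192.168.0.0/24 are the thread's example values.

```python
import ipaddress
from typing import NamedTuple

# PUBLIC, SERVER and LAN are the thread's examples; ROUTER_LAN and CLIENT are assumed.
LAN = ipaddress.ip_network("192.168.0.0/24")
PUBLIC, SERVER = "1.1.1.2", "192.168.0.1"
ROUTER_LAN, CLIENT = "192.168.0.254", "192.168.0.10"


class Packet(NamedTuple):
    src: str
    dst: str


def router_forward(pkt, masquerade):
    """Apply the dstnat rule, then optionally the hairpin srcnat masquerade rule."""
    original = pkt
    if pkt.dst == PUBLIC:                                   # chain=dstnat action=dst-nat
        pkt = pkt._replace(dst=SERVER)
    if (masquerade and pkt.dst == SERVER
            and ipaddress.ip_address(pkt.src) in LAN):      # chain=srcnat action=masquerade
        pkt = pkt._replace(src=ROUTER_LAN)
    return pkt, (original, pkt)                             # second item models the conntrack entry


def router_reply(reply, conntrack):
    """Undo both translations for a reply that matches the tracked connection."""
    original, translated = conntrack
    if reply == Packet(translated.dst, translated.src):
        return Packet(original.dst, original.src)
    return reply


def lan_client_request(masquerade):
    """Return (source address the server sees, reply seen by the client, accepted?)."""
    request = Packet(CLIENT, PUBLIC)
    at_server, conntrack = router_forward(request, masquerade)
    reply = Packet(SERVER, at_server.src)
    if reply.dst == ROUTER_LAN:
        reply = router_reply(reply, conntrack)              # reply travels back via the router
    # Otherwise client and server share the subnet and the reply bypasses the router.
    accepted = reply == Packet(request.dst, request.src)    # client expects a reply from PUBLIC
    return at_server.src, reply, accepted


if __name__ == "__main__":
    for masq in (False, True):
        print("masquerade" if masq else "dst-nat only", lan_client_request(masq))
```

With the masquerade rule in place, the server sees every LAN client that uses the public IP as the router's LAN address, so per-client access logs and IP-based rate limits on the server no longer distinguish those clients.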