adovi
just joined
Topic Author
Posts: 4
Joined: Wed Feb 01, 2017 10:28 pm

Public subnet routed through public ip

Thu Feb 02, 2017 1:40 am

Hello,

I am using an RB3011UiAS router and I have had a static IP for some time now from my internet provider: X.X.159.139/22. I created an address in the router, associated with interface eth8-rds.

Last week I requested a subnet with 8 IPs from the network provider and they gave me one, routed through the static IP that I already had (I don't understand what that means). The subnet is Y.Y.47.240/29.

I created a second address in the router for this subnet, Y.Y.47.241/29, associated with interface eth9-sub.

The two interfaces are in no relation: not bridged, and neither is master for the other.

I understood that I can use only 5 public IPs from the subnet for computers connected to the router: Y.Y.78.242 - Y.Y.78.246

I was told to disable NAT (the masquerade entry in ip firewall nat) and to add a static route from the subnet (Y.Y.47.240/29) through the gateway of the public IP (X.X.156.1) to the internet.

If I run /ip route print from the router terminal, I get:

 #      DST-ADDRESS        PREF-SRC       GATEWAY       DISTANCE
 0 A S  0.0.0.0/0                         X.X.156.1            1
 1 ADC  X.X.156.0/22       X.X.159.139    eth8-rds             0
 2 ADC  Y.Y.47.240/29      Y.Y.47.241     eth8-rds             0
 3   S  Y.Y.47.240/29                     X.X.156.1            1

The last static route was added according to the ISP's instructions; it appears blue in Winbox (not active).

When I connect a computer (static IP Y.Y.47.242, mask 255.255.255.248, gw: Y.Y.47.241) to eth9-sub and try to ping Google DNS (8.8.8.8) from it, it does not work.

Also, from outside, if I ping X.X.159.139 it works, but if I ping Y.Y.78.242 (or Y.Y.78.241) it does not.

Could anyone tell me what I am doing wrong, that I cannot make the IPs in the subnet visible to the internet?

Thank you.
Last edited by adovi on Thu Feb 02, 2017 8:39 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public subnet routed through public ip

Thu Feb 02, 2017 10:21 am

Routed subnet means that traffic for all those IP addresses is sent to your router and it's up to you what you do with it.

It's not exactly true that you can use only five addresses; it depends on how exactly you use them. E.g. if you assigned all of them to the router (it doesn't really matter to which interface), you could use all eight (with NAT or for services on the router). Or you can route individual addresses (with a /32 netmask) anywhere inside your network and also use all eight. Five is the limit when you assign the whole subnet to an internal interface like you did. It's probably also the most common way, so it's not like you did anything wrong. And even when doing this, there is still a way to use more, because even though .240 and .247 are wasted on the internal interface as network address and broadcast, when someone from the internet tries to connect to them, you can catch that traffic using dstnat and forward it elsewhere. And the other way around, you can also use these addresses for srcnat.

You don't need to add any static route, your current default route will be used automatically.

What you need to make sure about is that you allow traffic through firewall in both directions:
/ip firewall filter
add action=accept chain=forward dst-address=x.x.47.240/29 in-interface=eth8-rds out-interface=eth9-sub
add action=accept chain=forward in-interface=eth9-sub out-interface=eth8-rds src-address=x.x.47.240/29
You may limit some things in future if you want, but let's start with everything allowed. You also need to skip NAT for these addresses. Assuming you already have some internal subnet which uses NAT (srcnat or masquerade), you need to add an exception for your new public addresses. Put this before the current srcnat rule(s):
/ip firewall nat
add action=accept chain=srcnat src-address=x.x.47.240/29
Edit: According to this:
 2 ADC  Y.Y.47.240/29      Y.Y.47.241     eth8-rds             0
You put your /29 subnet on eth8-rds and not on eth9-sub as you wrote. That's another reason why it can't work.
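The full configuration that Sob's answer describes, written out as an added example (it is not from the thread or from anyone in it). It keeps the interface names from the first post (eth8-rds is the WAN, eth9-sub carries the routed /29) and assumes, purely for illustration, a private LAN 192.168.88.0/24 on a third interface named eth2-lan that keeps using masquerade, and an internal host 192.168.88.10 behind the otherwise unusable .247 address. It also adds two things a practitioner would want that the thread only hints at: a stateful accept for return traffic, and an anti-spoofing drop so that a machine on the public segment cannot send with a source address it does not own.

```routeros
# Added example; interface names eth2-lan and the 192.168.88.x hosts are assumptions.
/ip address
add address=X.X.159.139/22 interface=eth8-rds comment="WAN address from the ISP"
add address=Y.Y.47.241/29 interface=eth9-sub comment="gateway of the routed /29, hosts use .242-.246"
add address=192.168.88.1/24 interface=eth2-lan comment="assumed private LAN"

# Nothing is added under /ip route: the ISP already routes Y.Y.47.240/29 to
# X.X.159.139, and this router has a connected route for the /29 plus its
# default route via X.X.156.1. The static route the ISP suggested is not needed.

/ip firewall filter
# Return traffic of anything already allowed, for both segments.
add chain=forward connection-state=established,related action=accept
# Anti-spoofing: a host on eth9-sub may only send from an address in the /29.
add chain=forward in-interface=eth9-sub src-address=!Y.Y.47.240/29 action=drop \
    comment="drop spoofed sources from the public segment"
# Internet -> public hosts. Sob's rule: fully open to start with; once it works,
# replace it with per-host/per-port accepts and a final drop.
add chain=forward in-interface=eth8-rds out-interface=eth9-sub dst-address=Y.Y.47.240/29 \
    action=accept
# Public hosts -> internet.
add chain=forward in-interface=eth9-sub out-interface=eth8-rds src-address=Y.Y.47.240/29 \
    action=accept
# The public segment is reachable from the whole internet; keep it away from the
# private LAN unless a specific flow is wanted.
add chain=forward in-interface=eth9-sub out-interface=eth2-lan action=drop

/ip firewall nat
# Order matters: the exception must be above the masquerade rule, otherwise
# packets from the /29 leave with X.X.159.139 as source and the replies never
# reach the public hosts. On an existing router, add it and then move it above
# the masquerade rule.
add chain=srcnat src-address=Y.Y.47.240/29 action=accept \
    comment="never NAT the routed public subnet"
# Sob's .247 trick: the router still receives packets addressed to the network
# and broadcast addresses of the /29, so dstnat can hand them to an internal host
# and srcnat can let that host answer from the same address.
add chain=dstnat dst-address=Y.Y.47.247 protocol=tcp dst-port=443 action=dst-nat \
    to-addresses=192.168.88.10 comment="assumed internal host reachable on .247"
add chain=srcnat src-address=192.168.88.10 out-interface=eth8-rds action=src-nat \
    to-addresses=Y.Y.47.247
# Private LAN keeps using the WAN address.
add chain=srcnat out-interface=eth8-rds src-address=192.168.88.0/24 action=masquerade
```

Before touching any of the firewall rules, confirm the ISP really forwards the block to you, which turned out to be the actual fault in this thread: run `/tool torch interface=eth8-rds ip-protocol=icmp` (the CLI form of Winbox Tools->Torch) while pinging Y.Y.47.242 from outside. If no packets for the /29 show up on the WAN, nothing on the router can fix it and the call has to go to the provider.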
 
adovi
just joined
Topic Author
Posts: 4
Joined: Wed Feb 01, 2017 10:28 pm

Re: Public subnet routed through public ip

Thu Feb 02, 2017 8:30 pm

Thank you for the answer.
I removed the static route and I ran the three commands.
I forgot to mention that eth8-rds and eth9-sub are in the same switch group (the router has two switch groups)
Ping is still not working from the PC connected to eth9-sub, I also cannot ping y.y.78.242 from outside.
Could there be something else missing from the configuration?
Is there a way to test whether the ISP set up the subnet correctly, so that all traffic will be sent to the public IP x.x.159.139?
Would traceroute from the router console help me investigate the problem?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public subnet routed through public ip

Thu Feb 02, 2017 9:27 pm

I don't know what you're trying to tell me by:
I forgot to mention that eth8-rds and eth9-sub are in the same switch group (the router has two switch groups)
In your first post, you wrote:
I created a second address inthe router, for this subnet Y.Y.47.241/29, associated to interface eth9-sub.

The two interfaces are in no relation, not bridged, none is master for the other.
So eth9-sub should be a completely independent interface with address Y.Y.47.241/29 assigned to it. That would be correct. But the output from "/ip route print" shows that it's not there; instead it's on the WAN interface eth8-rds, and that's wrong. It won't work until you move the address to eth9-sub. If you feel that would be wrong because you're trying to do something that I didn't see in your description, try to explain it better.

Anyway, you can easily verify whether the subnet is routed to you. Run Tools->Torch on the WAN interface and then try to access any address from the routed subnet from outside; you should see incoming packets.
 
adovi
just joined
Topic Author
Posts: 4
Joined: Wed Feb 01, 2017 10:28 pm

Re: Public subnet routed through public ip

Fri Feb 03, 2017 3:17 pm

About eth8-rds and eth9-sub being in the same switch group on the router (that router has 10 Ethernet ports divided into two switch groups of 5 ports each): I thought that if they were not, they would not communicate even with forwarding rules. So far I have not been able to make them communicate when the two are in different switch groups, for example eth1 and eth6.

I wrongly copied the output of /ip route print the first time, the subnet was associated with eth9-sub from the beginning. Sorry I did not mention that in the second post.

After using the Torch tool from Winbox on the eth8-rds port, on protocol ICMP, and trying to ping any of the subnet IPs from outside, it turned out that no packets were coming to the router, so I immediately called the network provider, who fixed the problem this morning.

The problems are solved, but I could have struggled much more with this issue without your help.
Thank you very much for the useful information.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public subnet routed through public ip

Fri Feb 03, 2017 7:28 pm

So far I could not make them communicate if the two are on different switch groups, for example eth1 and eth6.
The router tries to route anything it knows how to, and everything is enabled by default. If there are properly configured addresses, subnets and routes, and no firewall rules blocking the traffic, it must work.
 
adovi
just joined
Topic Author
Posts: 4
Joined: Wed Feb 01, 2017 10:28 pm

Re: Public subnet routed through public ip

Mon Feb 06, 2017 11:28 am

Thank you for that information.

You assumed correctly in a previous post that I would also use an internal subnet and you said:

"You also need to skip NAT for these addresses. Assuming you already have some internal subnet which uses NAT (srcnat or masquerade), you need to add exception for your new public addresses."

It seems that the srcnat rule is not enough if I also have some dstnat rules for that internal subnet. Would the following rule skip them for my public addresses?

/ip firewall nat add action=accept chain=dstnat dst-address=Y.Y.47.240/29 in-interface=ether8-rds

I have a server with two Ethernet ports: one IP of the internal subnet goes to one Ethernet port and the public IPs from the public subnet go to the second port (using one interface for the first IP and virtual interfaces for the rest of the IPs). If I look at the traffic on the server, I see that all incoming traffic goes through the first port and all outgoing traffic goes through the second port.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public subnet routed through public ip

Mon Feb 06, 2017 6:40 pm

You don't need dstnat for this.

Normally dstnat is used with private addresses. A connection from the internet has the router's public address as destination, and you need to change it into 192.168.x.x or so. That's what dstnat does: it changes the destination address (or port).

But if you have public addresses in your internal network, packets from the internet already have the correct destination. The router sees that they are for a connected subnet and sends them there automatically. The only thing you need is to allow them in the forward chain. Other dstnat rules can't interfere, as long as they are correct. Which is often not true. A very popular style for dstnat rules is:
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=443 in-interface=WAN \
    action=dst-nat to-addresses=192.168.1.100 to-ports=1443
The problem with rules like this is that they take packets to *any* destination address, as long as they come via the WAN interface. Most people will never notice, because they have just one public address (and for many even that means they're lucky, because many other people don't have any). But in your case, this rule would catch traffic to all your addresses.

The solution is to not use in-interface=WAN. Instead use dst-address=<specific IP address> if it's static. If it's not, use dst-address-type=local (= all addresses assigned to the router, which does not include the whole subnet), and to prevent it from redirecting traffic which you really want for the router itself (e.g. web administration from LAN), also add dst-address=!<router's LAN address>.
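The over-broad port-forward Sob describes, next to the two scoped forms he recommends, as an added example that is not part of the thread. It reuses the first post's interface name eth8-rds for the WAN and assumes a router LAN address of 192.168.88.1 and a private web server 192.168.88.100 (both assumptions). The weak rule is kept with disabled=yes so that it can be read side by side without being live; the failure it causes is that a client connecting to Y.Y.47.242:443 on the routed /29 is silently redirected to the private server instead, because dstnat runs before the routing decision and in-interface is the only thing it checks.

```routeros
# Added example; 192.168.88.1 (router LAN address) and 192.168.88.100 are assumed.
/ip firewall nat

# WEAK: matches every TCP/443 packet entering via the WAN, whatever its
# destination. Traffic for Y.Y.47.242:443 (a host on the routed /29) is
# rewritten to 192.168.88.100:1443 before routing sees it, so the public host
# loses its HTTPS traffic to the private server. Left disabled on purpose.
add chain=dstnat in-interface=eth8-rds protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=1443 disabled=yes \
    comment="WEAK: hijacks port 443 for every address routed to this router"

# FIXED, static WAN address: only the router's own public address is redirected.
add chain=dstnat dst-address=X.X.159.139 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=1443 \
    comment="port-forward only the router's WAN address"

# FIXED, dynamic WAN address: dst-address-type=local matches addresses assigned
# to the router itself, not the connected /29, and the LAN address is excluded
# so that https://192.168.88.1 still reaches the router's own management UI.
add chain=dstnat dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=1443 disabled=yes \
    comment="same, for a dynamic WAN address (enable instead of the static rule)"

# Matching forward-chain accept, tied to the translated destination so it opens
# nothing beyond the port-forward itself.
/ip firewall filter
add chain=forward connection-nat-state=dstnat protocol=tcp dst-address=192.168.88.100 \
    dst-port=1443 action=accept comment="allow the dstnat'ed HTTPS flow"
```

One caveat for this particular thread: Y.Y.47.241 on eth9-sub is also a router-assigned address, so the dst-address-type=local form would redirect connections made to it as well. If the router is meant to answer on that address itself, put the addresses that must not be forwarded into an address list and match dst-address-list=!<that list> instead of the single dst-address exclusion.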
 
nzjimmy
Frequent Visitor
Posts: 55
Joined: Tue Oct 03, 2017 11:47 pm

Re: Public subnet routed through public ip

Sat Jun 23, 2018 2:20 am

Hello,

I have an additional /30 public subnet routed through an existing /30 connection to ISP in the same way and wonder if you can help me also?
My goal is to have a second router public facing, with a WAN IP from the new subnet. I have this working by adding the new subnet to an interface on R1 and handing out the one available address via DHCP to R2, then a srcnat rule.

My questions;

- Is it possible to set up R2 in a way that R1 does not process the traffic for R2? Like a WAN bridge or similar. I cannot see how this could be possible but maybe I am missing something.
- How would /32 public addressing allow 3 additional routers to have a public IP each from the new /30 subnet? What would the gateway be? What would this look like config wise?

Thank you
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public subnet routed through public ip

Sat Jun 23, 2018 5:51 am

If you have the main /30 for the link (e.g. 1.1.1.1/30 is on the ISP's router and serves as your default gateway, and your router has 1.1.1.2/30 on WAN), and another /30 (e.g. 2.2.2.0/30) is routed to you, it means that on the ISP's router there's:
/ip route
add dst-address=2.2.2.0/30 gateway=1.1.1.2
So all four addresses (2.2.2.0-2.2.2.3) are routed to you, and it's up to you what you do with them.

If you just add 2.2.2.1/30 on some internal interface, you can have one server (2.2.2.2/30).

Even with this config, you can still use the other three addresses with NAT; e.g. things like this will work:
/ip firewall nat
add chain=dstnat dst-address=2.2.2.0 dst-port=80 action=dst-nat to-addresses=192.168.10.10
add chain=srcnat src-address=192.168.1.0/24 out-interface=wan to-addresses=2.2.2.1
add chain=srcnat src-address=192.168.2.0/24 out-interface=wan to-addresses=2.2.2.3
Or you can give all four addresses to individual servers. You can route them to their existing internal addresses:
/ip route
add dst-address=2.2.2.0 gateway=192.168.1.10
add dst-address=2.2.2.1 gateway=192.168.1.11
On the servers, these addresses would be assigned either to some loopback interface, or just as another address on the same interface as 192.168.1.x. If it would be mainly for incoming connections, the service could bind to this specific public address and it will work correctly. There can be trouble with outgoing connections that might want to use 192.168.1.x as the default source address. It really depends on the exact server (what OS and config it has).

Or you can skip existing private addresses and use point to point addressing with public ones. So on router you'd add:
/ip address
add address=x.x.x.x network=2.2.2.0 interface=to_servers
add address=x.x.x.x network=2.2.2.1 interface=to_servers
add address=x.x.x.x network=2.2.2.2 interface=to_servers
add address=x.x.x.x network=2.2.2.3 interface=to_servers
And then on servers it again depends on OS. If the server (router) is RouterOS, it's the opposite:
/ip address
add address=2.2.2.0 network=x.x.x.x interface=<wan>
Linux:
ip addr add 2.2.2.1 peer x.x.x.x dev <ethx>
Windows:
address = 2.2.2.2
mask = 255.255.255.255
gateway = x.x.x.x
The x.x.x.x is some unique address (same for all), any random private address will do (it doesn't have to be from 2.2.2.0/30).
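The point-to-point /32 variant from Sob's answer carried through with concrete values, both sides included, as an added example that is not from the thread. Documentation ranges stand in for his 1.1.1.x and 2.2.2.x: the ISP link is 203.0.113.0/30 (ISP .1, R1 .2), the routed block is 198.51.100.0/30, and 10.255.255.1 is the arbitrary private address used as the shared peer on every /32 link. Interface names (wan, to_servers, ether1) are assumptions. R2 is shown as a RouterOS device so the whole thing stays in one syntax; the Linux and Windows equivalents are the ones Sob lists above, plus a default route via the same peer address.

```routeros
# Added example, not from the thread. All addresses are documentation ranges or
# assumptions standing in for the 1.1.1.x / 2.2.2.x values used above.

# ---------- R1: the router the ISP routes 198.51.100.0/30 to ----------
/ip address
add address=203.0.113.2/30 interface=wan comment="ISP link, gateway is 203.0.113.1"
# One /32 per downstream device, all sharing the same peer address. Each line
# installs a connected route 198.51.100.N/32 via to_servers; no static routes.
add address=10.255.255.1 network=198.51.100.0 interface=to_servers
add address=10.255.255.1 network=198.51.100.1 interface=to_servers comment="R2"
add address=10.255.255.1 network=198.51.100.2 interface=to_servers
add address=10.255.255.1 network=198.51.100.3 interface=to_servers
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1
/ip firewall filter
add chain=forward connection-state=established,related action=accept
# A downstream device may only send from the /32 it was given; with several
# devices on one segment this is what stops one of them impersonating another.
add chain=forward in-interface=to_servers src-address=!198.51.100.0/30 action=drop \
    comment="anti-spoofing for the routed block"
add chain=forward in-interface=wan out-interface=to_servers dst-address=198.51.100.0/30 \
    action=accept
add chain=forward in-interface=to_servers out-interface=wan src-address=198.51.100.0/30 \
    action=accept
/ip firewall nat
# No NAT for the routed block. Keep this above any masquerade rule for private LANs.
add chain=srcnat src-address=198.51.100.0/30 action=accept

# ---------- R2: RouterOS device owning 198.51.100.1, ether1 cabled to R1 ----------
/ip address
# The "opposite" form: the public /32 is the address, the shared peer is the network.
add address=198.51.100.1 network=10.255.255.1 interface=ether1 comment="public /32, peer is R1"
/ip route
# The connected route 10.255.255.1/32 via ether1 makes this gateway resolvable.
add dst-address=0.0.0.0/0 gateway=10.255.255.1
```

Two things worth knowing when testing this. First, devices that share the to_servers segment cannot reach each other directly: each only knows 10.255.255.1 as a neighbour, so traffic between them goes through R1, where the filter above applies. Second, the network address 198.51.100.0 and the top address 198.51.100.3 are perfectly ordinary hosts here, which is the point of the /32 approach; nothing in the routed block is lost to network or broadcast addresses.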
 
nzjimmy
Frequent Visitor
Posts: 55
Joined: Tue Oct 03, 2017 11:47 pm

Re: Public subnet routed through public ip

Sun Jun 24, 2018 1:57 am

Thank you Sob, very helpful.

I do, however, lose understanding with the point-to-point addressing; I have not done addressing where the network ID is in a different subnet from the IP address. I need to understand why it works, and why any random IP works as the gateway for all. All private addresses are /32 and the gateway is /32 and they're all random, so long as they match on R1 and R2 as your example shows?

Am I right in saying there is no way to give R2 a public IP without R1 routing its traffic? If the ISP has /route add dst-address=2.2.2.0/30 gateway=1.1.1.2, then all traffic for 2.2.2.0/30 must come from 1.1.1.2? i.e. there is no gateway for 2.2.2.1 at the ISP, I assume? Info the ISP provided: your new subnet is 2.2.2.0/30 and is routed via 1.1.1.2.

If all traffic for R2 must traverse R1, is the best way to reduce CPU to add firewall accept rules? I.e. accept all traffic coming in on WAN for 2.2.2.1 and going to eth2, and accept all traffic from 2.2.2.1 coming from eth2 and going out WAN?

Thanks again
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Public subnet routed through public ip

Sun Jun 24, 2018 3:21 am

With /32 addresses, the mask covers exactly one address, so there's no way the gateway could be from the same subnet; it has to be something else. And how it works... it simply does. The device sends an ARP request for the other address, it answers, the same happens in the other direction, and they can talk to each other.

The x.x.x.x in my example can be just one address, and can be reused for all four links.

You can't avoid traffic going through R1. If that were the requirement, you'd need the second subnet done the same way as the first one, i.e. with the ISP's router being the gateway. Then you could just put in a dumb switch and connect the WANs of both routers to it, and they would not depend on each other. But with a /30, it would give you only one usable address. If you needed more, you'd need a /29 (five usable addresses with this kind of config).

The best way to have the least impact on CPU usage of R1 is probably to make traffic to/from 2.2.2.0/30 untracked in the raw table, and then just accept untracked packets in the firewall filter.
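The raw-table bypass Sob suggests, written out as an added example that is not part of the thread. It assumes the 2.2.2.0/30 block from his earlier post, a WAN interface named wan and the R2-facing interface named eth2 (the names nzjimmy used), all assumptions. The security trade-off is stated in the comments: packets marked notrack never create a connection entry, so they skip NAT and the stateful matchers entirely, and R1 no longer provides any connection-state protection for R2, which must therefore run its own firewall.

```routeros
# Added example; interface names wan and eth2 are assumptions.
/ip firewall raw
# Both directions must be marked, otherwise whichever packet arrives first
# still creates a conntrack entry and the other direction is matched against it.
add chain=prerouting src-address=2.2.2.0/30 action=notrack \
    comment="R2 block: no connection tracking (also bypasses NAT)"
add chain=prerouting dst-address=2.2.2.0/30 action=notrack

/ip firewall filter
# Untracked packets are neither 'established' nor 'new'. These accepts have to
# sit ABOVE any 'connection-state=invalid action=drop' or catch-all drop rule,
# or the bypassed traffic is silently discarded; on an existing router add them
# and then move them to the top of the forward chain.
add chain=forward connection-state=untracked in-interface=wan out-interface=eth2 \
    dst-address=2.2.2.0/30 action=accept comment="internet -> R2, untracked"
add chain=forward connection-state=untracked in-interface=eth2 out-interface=wan \
    src-address=2.2.2.0/30 action=accept comment="R2 -> internet, untracked"
# Anti-spoofing is still cheap and still worth it: this is a plain address match.
add chain=forward in-interface=eth2 src-address=!2.2.2.0/30 action=drop
```

Because nothing in this path is tracked, the earlier `chain=srcnat src-address=2.2.2.0/30 action=accept` exception becomes redundant for this block (NAT only ever acts on tracked connections), but it does no harm to leave it. If the stateful protection on R1 is wanted after all, the lighter alternative to full tracking is to keep conntrack and add `action=fasttrack-connection` for established,related traffic of the block, which moves the forwarding of tracked flows off the slow path while still letting the firewall see new connections.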
 
nzjimmy
Frequent Visitor
Posts: 55
Joined: Tue Oct 03, 2017 11:47 pm

Re: Public subnet routed through public ip

Sun Jun 24, 2018 11:49 am

Thanks Sob, I will do some testing to see it working, then it will make sense.

I do have another site set up with a second router with a public IP as you describe: a /29 with a WAN bridge on R1 for R2 and the gateway for both at the ISP. This current site had to be done this way as the ISP accidentally provided much more throughput than expected, and if I asked for the main subnet to be changed from /30 to /29 they would see their error, so routed it is. I just need to suss out a way to minimise CPU load on R1 for R2 traffic; a speedtest had R1 (AH1100x2) CPU hitting 90% even with firewall rules to accept at the top. I'm not familiar with untracking, but will suss it out.

Thanks again for the advice.