I understand how to set up a Mikrotik router in an office environment where there's one public IP on the WAN port and there's a route such as "0.0.0.0/" with the Gateway IP address to the ISP's gateway router, and then using NAT in the router.

But now I'm trying to learn how to set up a MikroTik router where the ISP is providing a block of public IP addresses such that I can route these public IP addresses to individual 'devices' on a network.

(Obviously, I've changed the IP addresses from the 'real ones' to something else, for privacy reasons).

For example, the ISP has provided 38.1.2.128/29 for the 'interface' IP addresses. They stated that 38.1.2.133 to 38.1.2.135 are for 'customer' (me) and that I should use 38.1.2.133 on my WAN port and 38.1.2.131 as my 'gateway'.

They've provided 198.7.8.9/29 as the public IP address block, to be assigned to 'devices' on the network.

So, would I set up my WAN port with 38.1.2.133 and then a 'default route' with 0.0.0.0/0 and the Gateway address as 38.1.2.131?

Then, would I set one of the 198.7.8.x addresses (such as 198.7.8.128) as the LAN IP address on my router (which would then be the Gateway IP address in the 'devices' on the network?

And then would I set up routes from my router to each 'device' on the network, to route the public IP addresses to these 'devices'?

Or am I completely misunderstanding this?

John

So, would I set up my WAN port with 38.1.2.133 and then a 'default route' with 0.0.0.0/0 and the Gateway address as 38.1.2.131?

Yes

Then, would I set one of the 198.7.8.x addresses (such as 198.7.8.128) as the LAN IP address on my router (which would then be the Gateway IP address in the 'devices' on the network?

Yes

And then would I set up routes from my router to each 'device' on the network, to route the public IP addresses to these 'devices'?

No, you would change the IP of the device(s) on the network that you want to have public IPs to 198.7.8.x addresses. So they would have 198.7.8.x addresses and would no longer have private IP addresses.

I understand that each 'device' on the network would be programmed with it's own public IP address. I realize that I didn't mention that I understood that.

Would I still have to have routes to reach each device from the 'outside world'?

John

Would I still have to have routes to reach each device from the 'outside world'?

Not "each device", but one route for the subnet, yes. However, since you are adding an IP on that subnet onto your router, your router will automatically have a "connected" route to that subnet, so you do not need to add anything. Your provider will have to add a route for that subnet, but I'm assuming they have already done that since they told you what IP to assign to the WAN port of your router.

Ok. Now let's expand this a bit.

If the 'device' is another route that's on the other side of another router, like this:

Edge Router --> Router 1 --> Client Router

Then, I would need a route (static or use something like OSPF) in the Edge Router, to route a public IP to the Client Router, since the Client Router is not directly connected to the Edge Router. Is that correct?

John

Ok. Now let's expand this a bit.

If the 'device' is another route that's on the other side of another router, like this:

Edge Router --> Router 1 --> Client Router

Then, I would need a route (static or use something like OSPF) in the Edge Router, to route a public IP to the Client Router, since the Client Router is not directly connected to the Edge Router. Is that correct?

John

That depends - keep in mind that if you have a router there are probably networks on both sides, so if this is shown for the client router, your diagram would actually look like this:

Edge Router <-- network A --> Router 1 <-- Network B --> Client Router <-- Network C -->

So in this case, for Network B, the edge router will need a route to network B, but Router 1 and the Client Router will already have a route because they both have IP addresses on that network.

For Network C, both the Edge Router and Router 1 will need routes to Network C in order to reach it, but the client router doesn't because it is directly connected. This is only the case if you are not doing NAT on the client router of course.

You may also need routes in the other direction, but in many cases this will be taken care of by a chain of default routes (assuming the default route path is going from right to left in the above diagram).

One problem that I think I'm having is that I don't think in terms of 'networks'. I think in terms of 'devices'. I do think of a point-to-point 'network' as a 'path', but I think of it as a 'path' between two 'devices'. And one 'device' doesn't communicate with a 'network', but communications with another 'device'.

This likely coming from over 40 years of working at a component level with commercial radio communications systems where 'devices' communicate with each other. A 'system' is a simply a group of 'devices' that communicate with each other.

So, I have to re-think this and teach my brain to think in terms of 'networks', rather than just 'devices'.

Meanwhile, thinking in terms of 'devices'...

The Edge Router needs a route in place to get incoming traffic to the Client Router, because there's another Router (Router 1) between the Edge Router and the Client Router. Correct?

The Edge Router already knows how to reach Router 1, because they're directly connected (so the route is automatically set up). Correct?

And Router 1 already knows how to connect to the Client Router, because they're directly connected (so the route is automatically set up). Correct?

John

There's a lot of public IP addresses in that plan going to waste.
Many years ago an Australian ISP would give you a WAN IP like 203.173.50.133/22, Gateway 203.173.48.1 via DHCP.
Then you would have your IP addresses 198.7.8.9/29 . Using your router you would be able to allocate all 8 addresses by setting them as /32 to the devices directly connected to your router ports.
So port 1 WAN 203.173.50.133/22, Gateway 203.173.48.1
Port 2 LAN 10.0.0.1/24
Port 3 10.0.11.9/32 GW 198.7.8.9 1st server. Server connected to this port would have IP address 198.7.8.9/32 gateway 10.0.11.9
Port 4 10.0.11.10/32 GW 198.7.8.10 2nd server etc.
If needed these could be assigned to VLAN interfaces and then the servers attached to a managed switch.

These IP addresses will definitely not be 'going to waste'. This is a network for a new WISP network, not a private network.

John

The Edge Router needs a route in place to get incoming traffic to the Client Router, because there's another Router (Router 1) between the Edge Router and the Client Router. Correct?

The Edge Router already knows how to reach Router 1, because they're directly connected (so the route is automatically set up). Correct?

And Router 1 already knows how to connect to the Client Router, because they're directly connected (so the route is automatically set up). Correct?

Yes, what you say is correct, and that would allow the client router itself to get online, but only the client router itself - any devices behind the client router would not get connectivity because they would be on a network that the other devices do not have routes for.

Your scenario is therefore very artificial. You would not give a client a router with the intention to give connectivity to the router but to nothing behind it. Connecting routers together is not the point of the internet - connecting computers together is, and routers are just a tool in facilitating that. As someone who works for an ISP, if I told a customer that the Internet service that we gave them would allow their router to get online, but their computers and phones etc could not go on the internet through it, they would rightly ask what the point was.

These IP addresses will definitely not be 'going to waste'. This is a network for a new WISP network, not a private network.

John

..
No I'm not saying your requirement is wasting IP addresses I'm saying the method could use more of the public addresses in a more effective way.

mducharme, I think I understand what you're saying. I think this again goes back to my background in communications. I'm definitely going to have to 'reshape' my thinking.

And there's obviously going to have to be routes in the Client Router to reach the internet, correct?

Jebz, I see what you mean now. Right now I'm working with the IP addresses that the upstream provider gave me. Those may likely change.

John

mducharme, I think I understand what you're saying. I think this again goes back to my background in communications. I'm definitely going to have to 'reshape' my thinking.

And there's obviously going to have to be routes in the Client Router to reach the internet, correct?

Yes, obviously, but that direction can be taken care of with default routes in this simple scenario.

Going back to this *altered* diagram:

Edge Router <-- network A --> Router 1 <-- Network B --> Client Router <-- Network C --> Client computers/printers/servers/etc.

Each router has an address on both networks. Ignoring things such as firewalls that are external to routing, it is a rule that if a device has a route to a network (and there is a return path back), it will be able to reach all devices on the network. In the above example, Network C is the network the client computers/printers/servers/etc are on.

In the above example, each router will have an IP on each network it is connected to. The client router for instance will have an IP address on Network B and and IP address on Network C.

Router 1 could ping the Client Router's address on Network B and get a reply without having to configure anything, but not the edge router. If you manually added a route for Network B onto "Edge Router" and you had routes (ex. default route) to carry the traffic the other way, then the Edge Router can ping the IP address the client router has on Network B, but could not ping the IP the client router has on Network C. As a result, you could say the Client Router is kindof half-reachable - it can be reached only on one of its two IP addresses. This is the problem with thinking in terms of "devices" instead of "networks", because with a device like a router, it is possible to have "partial connectivity" where you can reach one interface on a router but not others. The customer devices on Network C would also not be reachable from the edge router.

On the other hand, when you are creating routes, you are making routes for networks, not for devices. When you have the ability to reach a network, you have the ability to reach the devices on that network (again, excluding things like firewalls that are external to routing). If you were to add routes for Network C onto the Edge Router and Router 1 (and the routes were present for the return traffic), you could then reach Network C from those two routers, which means you could ping both the Client Router's address on Network C and other devices on Network C, like computers, servers, etc.

I sure appreciate all of this help. I need to 'digest it', but this is the kind of help that I need.

Thank you both!

John

Let me set up this scenario (which is real).

Here's how it's physically set up. The IP addresses shown for each Router are the WAN port IP addresses (Gateways for the 'next' network).

Edge Router-->Network 1-->Site Router 1-->Network 2-->Client Router-->Network 3-->Client PC
::::::::::::::::::10.0.247.0/24 : 10.0.247.101/24 : 10.1.1.0/24 : 10.1.1.1/24 : 192.168.1.0/24 : 192.168.1.1/24

From Site Router 1, I can ping the Client Router. If I understand correctly, this is because there is a route automatically set up in Site Router 1, since the Client Router is directly connected to Site Router 1. Is this correct?

From the Edge Router, I can not ping the Client Router, as I don't have a Route set up in the Edge Router to reach the Client Router through Site Router 1.

At this point, I don't want to reach the 192.168.1.0 network (the Client PC, for example), just want to reach the WAN port of the Client Router (10.1.1.1/24).

So, I then set up a Route in the Edge Router, 10.1.1.0/24 with a Gateway of 10.0.247.101/24, that should let me reach the Client Router's WAN port on 10.1.1.1/24.

But I still can't ping 10.1.1.1 from the Edge Router.

What am I doing wrong?

John

From Site Router 1, I can ping the Client Router. If I understand correctly, this is because there is a route automatically set up in Site Router 1, since the Client Router is directly connected to Site Router 1. Is this correct?

Yes

But I still can't ping 10.1.1.1 from the Edge Router.

What am I doing wrong?

Most likely you are missing the return path in routing. Either you need routes to the specific networks going back in the other direction, or the default gateways need to be set up to carry the traffic in a chain (Client router will have the site router as a default gateway, site router will have the edge router as a default gateway).

They are set up as a chain.

Client Router has 0.0.0.0/24 with Gateway as 10.1.1.254 (which is one of the LAN IP addresses on the Site Router).
Site Router has 0.0.0.0/24 with Gateway as 10.0.247.254 (which is one of the LAN IP addresses on the Edge Router).

Client routers have internet access just fine, so I know that the outbound routes are working.

John

They are set up as a chain.

Client Router has 0.0.0.0/24 with Gateway as 10.1.1.254 (which is one of the LAN IP addresses on the Site Router).
Site Router has 0.0.0.0/24 with Gateway as 10.0.247.254 (which is one of the LAN IP addresses on the Edge Router).

Client routers have internet access just fine, so I know that the outbound routes are working.

John

You mean 0.0.0.0/0 don't you? it shouldn't be 0.0.0.0/24. That might be your issue.

I've typed /24 too many times. Yes, it's 0.0.0.0/0 on all routers.

John

I've typed /24 too many times. Yes, it's 0.0.0.0/0 on all routers.

John

Add two firewall rules to allow all ICMP on input and forward chains and move them to the top of the list on all three routers, then try the ping again.

That makes sense. ICMP is enabled with Input, but not forward. That's going to stop it from passing -through- the router to the next router.

And yes, it worked.

So, other 'regular' traffic should pass then, correct? Unless it's specifically blocked in the firewall of one of the routers. Correct?

I really do appreciate your help. Now that I'm better understanding how this works, it doesn't seem to complicated.

John

So, other 'regular' traffic should pass then, correct? Unless it's specifically blocked in the firewall of one of the routers. Correct?

Yes, exactly. Also as an ISP it makes sense to allow most (if not all) ICMP - it makes troubleshooting much easier.

So now I would like to go a step further, now that I -think- I understand the routing aspects of this.

I've used port forwarding a lot to get outside connections into specific machines in networks.

But the routing public IP addresses to Clients' networks is not clear to me. Currently, I have one public IP on the WAN port of the Edge Router and a 0.0.0.0/0 route set to access the upstream provider. Now we're going to switch over to 'routed' public IP addresses so that I can assign public IP addresses to multiple customers. Not all need them, but some will.

The upstream provider to this network has provided the following information (I have changed the IP addresses somewhat, for privacy, but this should give the idea of what they've provided).

38.1.2.128/29

I've been told to use 38.1.2.133 for my WAN port on the Edge Router and use 38.1.2.131 as the default Gateway address (so, 0.0.0.0/0 with Gateway=38.1.2.131).

This seems simple enough and really no different than what I have now, other than just different addresses to use.

I've been given a /29 block of public IP addresses to route to customers. Such as 198.1.2.128/29. This allows me to use 198.1.2.129 to 192.1.2.190 for customers.

And here's where I'm kind of lost. How do I set up the MikroTik Edge Router to route these IP addresses to a particular customer? I'm assuming that I will set up routes in the other routers just like I would with private IP addresses, but using one of these public IP addresses, and assign that public IP address to the Client Router. Correct?

But, how do I set up the Edge Router with these public IP addresses? Do I put this entire range in the router, with the interface set to the WAN port (for example, Eth1)?

John

But, how do I set up the Edge Router with these public IP addresses? Do I put this entire range in the router, with the interface set to the WAN port (for example, Eth1)?

You don't configure edge router with the addresses, you only configure it with routes.

Consider this: your ISP delivers IP packet at ER (your edge router) WAN port. Now ER takes a look at it (and let's put possible firewall aside for now):

1. Oh, my, here's a new packet. Where on network is it destined?
   Router looks at dst-address of a packet.
2. Is it my own address? Nope.
3. Jolly good. Do I knkw where to push it so it's not my problem any more?
   Router now consults its routing table. Lets assume you don't run any routing protocol like BGP or OSPF, makes example easier ... but the ptocess is the same never the less, only routing table(s) is much larger.
4. Good, my admin configured a X.Y.Z.W/30 route, which matches this packet's dst-address the best and says it shoukd go via interface etherX (or pppoe-inX or VPNxy or whatever)

And that interface mentioned in the last step could be actually a hop inside your routed backbone (e.g. end point of some wireless PtP link or some such).

In the story above the last point might actually be "Oh, look, the best matching route is 0.0.0.0/0, let's push packet back to the interface it arrived at" ... which can happen in some misconfigured cases (routing loops, misroutes, ...).

As you can notice, router only cares about dst-address. Firewall, on the other hand, may care also about src-address and all other meta information available about the packet (NAT is usually function of firewall).

I think I've got it! That actually sounds pretty simple.

So I just need to set up incoming routes to get traffic to the correct Client Router/Network.

You mention the firewall and NAT.

Even with the routes, this incoming traffic will still be going through the firewall/NAT, correct? So I might need to open ports through the firewall for each customer that is using a public IP address, depending upon what they're doing with incoming traffic, correct?

I tend to like to keep ports closed, if I don't have to have them open for a specific reason. I don't have a problem with opening ports for a client (as long as they're not abusing the service), but I like to try to stay a little bit ahead of the hackers.

John

I think I've got it! That actually sounds pretty simple.

So I just need to set up incoming routes to get traffic to the correct Client Router/Network.

I assume you are trying trying to use the IPs on that 38.1.2.128/29 subnet to assign to various client routers on their WAN ports (one for each)?

Edge Router-->Network 1-->Site Router 1-->Network 2-->Client Router-->Network 3-->Client PC

So really what ends up happening here is 38.1.2.128/29 would be used in the "Network 2" part of the above diagram, and you will have a bunch of other client routers also on Network 2 using the other IPs. Then you just need the static route on the edge router so that the edge router knows how to reach Network 2.

Even with the routes, this incoming traffic will still be going through the firewall/NAT, correct? So I might need to open ports through the firewall for each customer that is using a public IP address, depending upon what they're doing with incoming traffic, correct?

I tend to like to keep ports closed, if I don't have to have them open for a specific reason. I don't have a problem with opening ports for a client (as long as they're not abusing the service), but I like to try to stay a little bit ahead of the hackers.

It is highly unusual to do port blocking (except for certain often abused ports) for public IP addresses that are directly assigned to customer routers. Especially if a customer is paying extra for a public IP (or even more for a static public IP) they would probably not expect or appreciate ports being firewalled off before it even gets to their IP. Otherwise they end up losing most of the benefits of the public IP in the first place. If you need to, firewall off NetBIOS (SMB/CIFS) ports and possibly SMTP port tcp/25, but I wouldn't do more than that, and even those may not be necessary.

No, the 38.1.2.128/29 range is provided by the upstream provider as a 'transport' only. The client 'block is the 198.1.2.128/29 range.

Something else that others, with whom I've spoken to about this subject, had mentioned was the necessity to break the 198.1.2.128/29 block into smaller blocks to assign to each Site Router/area/network.

If all I have to do is set up one route in the Edge Router and set the Client Router's WAN port to the desired public IP address, then I don't understand why I would have to break the /29 block into smaller blocks and 'pre-assign' the smaller blocks to the Site Routers/areas/networks. It looks like I can just assign public IP addresses to each client, as needed, and not have 'reserved' public IP addresses on networks where I might never actually need them.

I see what you mean about the port blocking. Open all ports to those Clients who have their own public IP addresses and let the Client Router deal with firewall/NAT/ports.

John

No, the 38.1.2.128/29 range is provided by the upstream provider as a 'transport' only. The client 'block is the 198.1.2.128/29 range.

Right, sorry, misread your last post. I meant 198.1.2.128/29

Something else that others, with whom I've spoken to about this subject, had mentioned was the necessity to break the 198.1.2.128/29 block into smaller blocks to assign to each Site Router/area/network.

You would generally do that if you needed to split up the IP addresses across multiple site routers (i.e. having some clients at one site, some at another, etc.). If all of the clients who needed to use those addresses are on the same site router you could simply put the entire /29 on the site router on "Network 2". However, a /29 is rather small (only giving you 5 usable public IPs for clients) so you would practically only be able to split it over two sites and set up one client at each site. Therefore with a subnet of that size I would avoid having to split it up any further.

If all I have to do is set up one route in the Edge Router and set the Client Router's WAN port to the desired public IP address, then I don't understand why I would have to break the /29 block into smaller blocks and 'pre-assign' the smaller blocks to the Site Routers/areas/networks. It looks like I can just assign public IP addresses to each client, as needed, and not have 'reserved' public IP addresses on networks where I might never actually need them.

There are three ways you could split up the /29: you could either use it as a full /29 and put it on one site router, allowing you to connect 5 clients to that site router. Or, you could use it as a /30 and put each /30 on one site router, allowing you to connect one client on each. Or you could split it into 8 /32 networks which you could then assign to client routers wherever they go.

I sounds like you are speaking of splitting into 8 /32 networks when you say "it looks like I can just assign public IP addresses to each client, as needed, and not have 'reserved' public IP addresses on networks where I might never actually need them". Keep in mind that this can work, but the approach is not typical and can be confusing. To get this to work, you would have a private IP on the client's WAN port, and would add a "loopback" bridge to the client router with no ports and assign the public /32 IP to this bridge, then you will need to reconfigure the pref. src on the client router's default route to send packets from the public IP, otherwise the traffic will come from the private IP on their WAN port. This configuration does not work on most simple routers for home and small business so unless all of your client routers are MikroTik routers or better this will not work.

A slight alternative to the approach in the last paragraph is using point to point addressing to connect the client router to the site router. This addressing setup sortof mimics a PPP setup like PPPoE, without actually using PPPoE. However, this setup can be more confusing in other ways, although it does prevent you from needing to set pref. src or create the loopback bridge. The point to point addressing setup is most likely to only work with MikroTik routers and possibly a handful of others.

And I made a mistake. It's 198.1.2.128/26, not /29.

Let me back up here a bit.

Edge Router-->Network 1-->Site Router 1-->Network 2-->Client Router-->Network 3-->Client PC

So, on the Edge Router, I set up a route to Network 2:

Destination Address: 198.1.2.131 Gateway: 10.0.247.101 where 198.1.2.131 is public IP and 10.0.247.101 is Site Router IP.

Then the Client Router WAN port is set to 198.1.2.131.

Will this not work?

John

And I made a mistake. It's 198.1.2.128/26, not /29.

John

If it is a /26, then you can do it the normal way and split that up across multiple site routers - as long as you only have a few "sites", the trade-off is not bad. The advantage is this will work with any router and is the normal way so it is less likely to confuse people. The other options are still available but as I said can be confusing or work only with MikroTik.

Or would this be more correct:

Edge Router route:

Destination Address: 198.1.2.128/29 Gateway Address: 10.0.247.101 where 198.1.2.128/29 sets up 6 usable IP addresses and routes those to the Network 2 (which is the first Site Router network)
Destination Address: 198.1.2.136/29 Gateway Address: 10.0.247.102 where 198.1.2.136/29 sets up 6 usable IP addresses and routes those to the Site Router 2 Network.
And so on.

Then, in each Client Router would be set with the WAN port to the desired public IP address. No routes would be needed in the Site Router, because it would be connected directly to the Client Router and the Edge Router.

Is this correct?

John

Or would this be more correct:

Edge Router route:

Destination Address: 198.1.2.128/29 Gateway Address: 10.0.247.101 where 198.1.2.128/29 sets up 6 usable IP addresses and routes those to the Network 2 (which is the first Site Router network)
Destination Address: 198.1.2.136/29 Gateway Address: 10.0.247.102 where 198.1.2.136/29 sets up 6 usable IP addresses and routes those to the Site Router 2 Network.
And so on.

Then, in each Client Router would be set with the WAN port to the desired public IP address. No routes would be needed in the Site Router, because it would be connected directly to the Client Router and the Edge Router.

Is this correct?

John

Yes, that is correct, but also keep in mind that you will have to assign the first usable ip of those 6 usable ips to the site router on the interface connected to “network 2” in your diagram from before. This would be used as the default gateway ip for the client routers on the other 5 ips in the subnet.

Ah, yes. I had forgotten about needing the gateway ip for the 198.1.2.x network up addresses, in each site router.

John

So, here's what I'll do:

Edge Router -
Route: 198.1.2.128/27 Gateway: 10.0.247.101 'This gives me 30 usable IP addresses through Site Router 1.
Route: 198.1.2.160/29 Gateway: 10.0.247.102 'This gives me 6 usable IP addresses through Site Router 2.
Route: 198.1.2.168/29 Gateway: 10.0.247.104 'This gives me 6 usable IP addresses through Site Router 4.
Route: 198.1.2.176/29 Gateway: 10.0.247.107 'This gives me 6 usable IP addresses through Site Router 7.
Route: 198.1.2.184/29 Gateway: 10.0.247.108 'This gives me 6 usable IP addresses through Site Router 8.

I"m not going to route any public IP addresses to Sites 3, 5 or 6.

Then on each Site Router:

198.1.2.129 Assigned to LAN Bridge of Site Router 1
198.1.2.161 Assigned to LAN Bridge of Site Router 2
198.1.2.169 Assigned to LAN Bridge of Site Router 4
198.1.2.177 Assigned to LAN Bridge of Site Router 7
198.1.2.185 Assigned to LAN Bridge of Site Router 8

Then for a Client Router that needs a public IP address:

198.1.2.xxx Assigned to Eth1, where xxx = the appropriate public IP address for the Site Router to which this Client will connect.
198.1.2.xxx Assigned to Gateway in Client Router where xxx=the appropriate Gateway IP address for the Site Router to which this Client will connect.

Does this look right?
John

Does this look right?
John

Yes, that looks good to me, and correct. Should work fine.

So, this does work to give internet access from a Client Router/Network/Device.

But, the IP address that always shows as the public IP, such as when I browse to ipchicken.com, is my Edge Router's WAN IP address (the 'default' IP address for my network), and not the public IP address that is set in the Client Router (on its WAN port).

So, how do I get the public IP address that is assigned to the Client Router to show up as the public IP address for this Client?

John

By fixing your srcnat/masquerade rule(s), you need to exclude routed public subnet from that.

I did find information on how to set a NAT rule to correct the problem of clients not showing the correct public ip address. That works fine now.

I also found that I needed a couple of filters in the firewall rules to allow inbound and outbound traffic that's using the public ip addresses.

I also found that I can use a combination of NAT rules along with the public ip address routing to achieve some interesting (and needed, in some cases) results.

I sure like MikroTik routers.

All is working well now.

John

I did find information on how to set a NAT rule to correct the problem of clients not showing the correct public ip address. That works fine now.

I also found that I needed a couple of filters in the firewall rules to allow inbound and outbound traffic that's using the public ip addresses.

I also found that I can use a combination of NAT rules along with the public ip address routing to achieve some interesting (and needed, in some cases) results.

I sure like MikroTik routers.

All is working well now.

John

Well a couple of things need to be taken into consideration

1- in order to pass a block o public ips forward without going trought NAT firewall system (that means no block port type is applied on public ips forwared to clients, its up to the client to protect himself with the block of public ips) you need to create a firewall nat rule on the mikrotik devices we use the following details

/ip firewall nat
add action=accept chain=srcnat comment="DON´T DO NAT ON THE FOLLOWING PUBLIC IP BLOCK" src-address=public-ip/29

this rule right on top of all your firewall rules (it will state that all incoming connections to the following dst-ip public-ip/29 will be accepted without blocking ports or any kind of filters.


2- in order to make incoming IPs from outside on your mikrotik logs.. example IP 123.456.789.010 src-ip incomming connection to public-ip.101 you need to change in your main WAN internet ISP link the following SRC-NAT masquerade rules.. to SRC-NAT to-addresses and also set ouput-interface on your WAN interface on the firewall NAT rule.. otherwise if you leave it masquerade which was created for dinamic-public ips.. it will overwrite your SRC-ADDRESS ips from incomming connections with your public IP gatway from your WAN port.. and instead of knowing which public ip from external connection is trying to connect to your clients public ips, you will only see your own public ip gateway connecting to your clients public-ip on incomming connection logs.