Is it possible to install Router OS on a windows host machine when that machine has no Internal IP address, but only an external one?

Any virtualization platform I know for Windows does address also networking. So as soon as you install/activate it, a virtual Ethernet interface will be added to the Windows system, and you'll be able to add more manually. And you will also be able to specify how to use them.

So if there is just a single physical network interface on the Windows, you have the following possibilities:

• activate "windows connection sharing" on the physical interface, which will ask you at which other interfaces you want to "share internet", so you choose the virtual one as a sharing interface; what actually happens is that Windows attach an IP address to the sharing interface, runs a DHCP server there, and NATs the traffic from this subnet to the shared interface's address as it leaves through there
• vice versa, assign the physical interface to the CHR, and let the CHR provide connectivity to the Windows via the virtual interface (making it CHR's LAN, with src-nat or masquerade of traffic leaving via the physical interface)
• let the Windows and the CHR share the physical interface, which actually creates a bridge with the physical interface and the virtual interface as member ports. So the Windows can use one IP address and the CHR can use another one if the network allows that. With Hyper-V in particular, this is even possible with wireless interfaces, but it terribly slows down sending through that interface.

Any virtualization platform I know for Windows does address also networking. So as soon as you install/activate it, a virtual Ethernet interface will be added to the Windows system, and you'll be able to add more manually. And you will also be able to specify how to use them.

Yes, I am using Hyper-V and choose the "external network" and I see "vEthernet (new virtual switch)" adapter next to my NIC addapter.

So if there is just a single physical network interface on the Windows

Yes, only one NIC card.

Regarding the 3 options you suggest:

I created a virtual switch as described above but have no Internet connectivity on the CHR, which makes sense as there is no DHCP server running on neither Windows Host nor the virtual switch.

If understood it correctly, I should either create a private or internal network (which of the two?) on that virtual switch, run a DHCP server on the CHR or the virtual switch (I do not know how to do the latter) and then Bridge on the Windows machine, the physical NIC adapter with the virtual switch? Is this correct?

Does the fact I have a second static external address, from the provider, help anywhere in the process? It is a X.X.X.X/32 IP linked with that server, but is on a different subnet from the 1st static .

A private network on the virtual switch is accessible to the virtual machines alone, not to the host, so it is useless for connection of the CHR to the internet.

If you create an internal network, a corresponding virtual interface is created in the host Windows, which you can use to share internet with the CHR connected to the corresponding virtual network.

If you create an external network for the only physical adapter available, the bridge is created in Windows as you've already noticed; if you deassign the non-/32 public IP on Windows and assign it to the CHR interface attached to that external network, the CHR will have internet access (of course don't forget about mask, default route etc.). And you can use the internal network to let Windows access the internet via the CHR. It depends on you whether you configure the IPs statically or set up a DHCP server at the CHR, but static configuration seems simpler to me.

If the second public IP is routed via the first one, you can't use it for the CHR if the basic one is assigned to Windows, but you can use it for Windows if the basic one is assigned to CHR.

If you keep the Windows on a private address, the CHR must act as a NAT for it; if you want to assign the second public IP to the Windows directly, the CHR must not act as a NAT.

To have the second public IP directly to Windows, use any non-conflicting private ip, let's say 10.10.10.10 for the purpose of the example; the /32 public one will be 22.22.22.22.

On the CHR, assuming that ether2 is connected to the internal network, you'll set the following:
/ip address add address=10.10.10.10/32 network=22.22.22.22 interface=ether2

On the Windows, you set the following IP configuration on the virtual Ethernet connected to the internal network:
IP address: 22.22.22.22
Subnet mask: 255.255.255.255
Default gateway: 10.10.10.10

It will ask you whether you really want to set up a default gateway outside the subnet of the own address, you confirm that. That's it.

Just disconnect the machine from the internet before you start doing this, and don't connect it back before setting up firewall rules on the CHR.

If you create an internal network, a corresponding virtual interface is created in the host Windows, which you can use to share internet with the CHR connected to the corresponding virtual network.

You mean to chose the physical connection and the "new" internal virtual connection, and click "bridge" to share Internet?

if you deassign the non-/32 public IP on Windows and assign it to the CHR interface attached to that external network, the CHR will have internet access

Both IPs are /32 ones , each one on different subnet. I cannot deassign the first one (unless you mean remove the static IP in windows IPV4 settings and chose "obtain an IP address automatically", but I have a feeling it will take again the same.

If the second public IP is routed via the first one, you can't use it for the CHR if the basic one is assigned to Windows,

Yes, this is how they 've done it

If you keep the Windows on a private address, the CHR must act as a NAT for it;

Got a little confused here...by private address you mean 192.x.x.x? If that's what you mean I understand : "...the CHR must act as a NAT for it; "

if you want to assign the second public IP to the Windows directly, the CHR must not act as a NAT.

There is an option in Windows to assign an additional public IP address to the same NIC (sharing the main gateway) . Is this what you mean here?

To have the second public IP directly to Windows, use any non-conflicting private ip, let's say 10.10.10.10 for the purpose of the example; the /32 public one will be 22.22.22.22.

I think I understand what you 're saying here, the Internal network in this case will be set to receive an IP address automatically ? Or set it up as :

IP address: 22.22.22.22
Subnet mask: 255.255.255.255
Default gateway: 10.10.10.10

It will ask you whether you really want to set up a default gateway outside the subnet of the own address, you confirm that. That's it.

I was under the impression that Windows do not allow setting a gateway outside the subnet, but can be wrong... In this last example do I need to bridge the Internal network with the physical network or not since it will have the public /32 address ? What about Ether1, where will it be connected?

It feels I am getting there with the above input! Thank you Sindy!

You mean to chose the physical connection and the "new" internal virtual connection, and click "bridge" to share Internet?

No, that's two different functionalities. When you select two or more network interfaces in Windows, you can bridge them together, but what I have in mind is another operation - right-click the interface holding the public IP, choose properties; in the window that opens, choose the "sharing" tab, check "allow other network users to share this connection", and choose the other interface from a drop-down menu (in your particular case, there may be only a single one, the virtual NIC belonging to the internal network. Once you confirm this, Windows start acting as a router with NAT: 192.168.137.1/24 gets assigned to the "LAN" interface chosen, a DHCP server assigning addresses from 192.168.137.0/24 gets spawned there, indicating 192.168.137.1 as the default gateway, and Windows start forwarding packets coming from this subnet via the "shared" (WAN) interface and src-nat them to its own IP address.

Both IPs are /32 ones , each one on different subnet. I cannot deassign the first one (unless you mean remove the static IP in windows IPV4 settings and chose "obtain an IP address automatically", but I have a feeling it will take again the same.

OK, of course any individual address is a /32 one; what I had in mind was that one of them (a "primary" one) is part of at least a /30 subnet, with another address from that subnet acting as the default gateway for the Windows, whereas the other one (an "additional" one) is routed to the Windows via the first one, meaning you never receive an ARP request for this other one. To use this additional address on the Windows themselves, you have to add it as a secondary one with /32 mask, haven't you?

If you keep the Windows on a private address, the CHR must act as a NAT for it;

Got a little confused here...by private address you mean 192.x.x.x? If that's what you mean I understand : "...the CHR must act as a NAT for it; "

What I had in mind was that

• if you assign the additional public IP you have to the virtual NIC of the Windows, you don't need any NAT rules for that address on the CHR, but you need that unusual setup where the gateway IP and the interface IP are not in the same subnet
• if you assign some private IP (such as 192.168.x.y) to the virtual NIC of the Windows, the CHR must provide some kind of dst-nat from the additional public IP to the 192.168.x.y one to allow access from the internet to services on the Windows (such as RDP), and also src-nat for outgoing traffic of the Windows, to either the primary public IP or to the additional one, whatever suits you better.

There is an option in Windows to assign an additional public IP address to the same NIC (sharing the main gateway) . Is this what you mean here?

No, this works when both the primary public address (the one with an other-than-/32 mask) and the secondary one are assigned to Windows themselves, so none of the two remains free for the CHR.

I think I understand what you 're saying here, the Internal network in this case will be set to receive an IP address automatically ? Or set it up as :

IP address: 22.22.22.22
Subnet mask: 255.255.255.255
Default gateway: 10.10.10.10

The latter. You must configure this manually in Windows and CHR. Maybe there is a way to use a DHCP server on the CHR for this but I've never tested this. In any case it takes more work to set up the DHCP server than to set the address manually on Windows.

I was under the impression that Windows do not allow setting a gateway outside the subnet, but can be wrong...

I've tested that before posting, that's why I wrote that there will be the warning window regarding out-of-subnet gateway.

In this last example do I need to bridge the Internal network with the physical network or not since it will have the public /32 address ? What about Ether1, where will it be connected?

In this last example, you connect CHR's ether1 to the only external network available, so effectively CHR's ether1 will be connected to the physical Ethernet cable. In Hyper-V's virtual switch management, you have to forbid Windows to connect to the physical interface at all (untick the checkbox saying "allow the host operating system to share this adapter" in the settings of the External network).

The internal network always creates a virtual NIC for Windows (as without it, it would be a private one), so you assign CHR's ether2 to this internal network, so both the virtual NIC in Windows and CHR's ether2 will see each other via the virtual switch.

In Hyper-V's virtual switch management, you have to forbid Windows to connect to the physical interface at all (untick the checkbox saying "allow the host operating system to share this adapter" in the settings of the External network).

If I do that, won't I lose remote connection to the server (won't I be locked out from accessing the dedicated server through remote desktop connection) ? Or you meant to install a windows OS on that VM give the second public IP to that VM and create another CHR VM (internal network) ?

Edit: The provider suggests to use the second IP in this way: https://adminforge.de/windows-allgemein ... n-windows/ had to translate it on google in English , they didn't give me an English version one , apologies.

Based on the attached what am I missing ? Haven't manage to ping 8.8.8.8 from MT

The provider suggests to use the second IP in this way: https://adminforge.de/windows-allgemein ... n-windows/ had to translate it on google in English , they didn't give me an English version one , apologies.

You wrote before that the additional IP address was routed via the first one; the slideshow suggests that it is in its own subnet, as it has a /24 mask.

So the first thing necessary is to find out how it is actually done, because the setup will differ accordingly.

• if the provider routes the 22.22.22.22 to you via the 23.23.23.90, it means that they determine your MAC address by sending an ARP request "who has 23.23.23.90", and then send to that MAC address a packet with destination IP address 22.22.22.22.
• if the 22.22.22.22 has an own subnet, or if they do it in some weird way similar to the one I've suggested for the interconnection of the Windows and the CHR via the internal virtual switch, they send ARP requests "who has 22.22.22.22".

So you need to find out whether you ever receive ARP requests asking for 22.22.22.22 or not. To do that, configure some other address than 22.22.22.22 on the internal interface, wait about 10 minutes to let any eventual ARP records at the provider side to time out, run Wireshark with capture filter arp or dst host 22.22.22.22 on the Realtek or on the virtual Ethernet connected to external, and ping 22.22.22.22 from the internet (or try to connect to http:22.22.22.22 using a web browser, so that a mobile phone was enough). As the 22.22.22.22 is not attached to the external interface of the Windows, either you will see IP packets coming to 22.22.22.22, or you will see ARP requests for 22.22.22.22, with no responses in either case. IP packets mean that the traffic to 22.22.22.22 is routed via 23.23.23.90, ARP packets mean it is not.

In Hyper-V's virtual switch management, you have to forbid Windows to connect to the physical interface at all (untick the checkbox saying "allow the host operating system to share this adapter" in the settings of the External network).

If I do that, won't I lose remote connection to the server (won't I be locked out from accessing the dedicated server through remote desktop connection) ? Or you meant to install a windows OS on that VM give the second public IP to that VM and create another CHR VM (internal network) ?

I don't know your environment - you haven't mentioned that it is a server in some datacenter. If you have no other access to the Windows machine than remotely via this interface, then definitely this is not the way to go, as you'd indeed lose the access. If you can set things up locally, while connected using a keyboard and a monitor, you will have RDP access via the CHR later on. But this is only relevant if they indeed route 22.22.22.22 to you via 23.23.23.90; if they send ARP requests for 22.22.22.22, the whole exercise is useless and you can have 23.23.23.90 on the Windows and 22.22.22.22 on the CHR while both are bridged with the Realtek NIC (external virtual switch).

Haven't manage to ping 8.8.8.8 from MT

Of course you cannot ping 8.8.8.8 from the CHR, as both the public IPs are attached to the Windows (and there is no default route on the CHR, only the route to 22.22.22.22).

So the first thing necessary is to find out how it is actually done, because the setup will differ accordingly.

I am attaching both results with ARP filter on External virtual card and Dst host to 22.22.22.22 (ping from laptop) . Didn't see any ARP requests for 22.22.22.22 when I run ping to it.

I don't know your environment - you haven't mentioned that it is a server in some datacenter.

Thought I mentioned in the beginning that it is a remote dedicated server (sorry if I didn't mention that I only have remote access through RDC and no other ways to connect)

if they send ARP requests for 22.22.22.22, the whole exercise is useless and you can have 23.23.23.90 on the Windows and 22.22.22.22 on the CHR while both are bridged with the Realtek NIC (external virtual switch).

You mean bridge the external virtual card with the Internal and enter 22.22.22.22 on the CHR? What IP should I enter on the internal virtual card? Or follow this (and just bridge the two virtual
cards?) :

IP address: 22.22.22.22
Subnet mask: 255.255.255.255
Default gateway: 10.10.10.10

I am attaching both results with ARP filter on External virtual card and Dst host to 22.22.22.22 (ping from laptop) . Didn't see any ARP requests for 22.22.22.22 when I run ping to it.

... but the ping requests did nevertheless arrive. So if you gave the ISP router enough time to forget the eventual ARP record before starting to ping, and if you first sniffed for ARP and only then for ICMP, it means that the ISP has configured a route to 22.22.22.22 via the primary IP as a gateway. But it's a public IP after all, so various bots may attack it... so to be bullet-proof about it, sniff for ARP for half an hour and then use a display filter arp.dst.proto_ipv4 == 22.22.22.22. If the packet list becomes empty once you apply this display filter, it's definitely the worst case.

So if this gets confirmed, then together with the fact that you cannot access the server in any other way than remotely via RDP, I can't see a way to make the additional public IP available at the CHR, because whilst the CHR would be able to use the primary address and forward traffic for 22.22.22.22 to the Windows, I'm not sure whether Windows can behave as a router with port forwarding, the only possibility I know about is the "internet connection sharing" where they act as a NAT, and the default Windows Firewall doesn't allow port forwarding to addresses in the private network.

So I cannot see a way to make use of the secondary IP except if you would e.g. run two processes, like web servers, on the Windows themselves, and would make each of them listen on only one address (so they could listen at the same standard port).

Setting the 22.22.22.22 up at the CHR while its ether1 is connected to the external switch together with the Windows makes no sense as packets for 22.22.22.22 arrive to the MAC address of the NIC which is held by the Windows, so the CHR will not get them.

So the maximum possible without physical keyboard&monitor connection to the server is to let the CHR connect somewhere else as a VPN client running on a private IP address and NATed to the public one of the Windows, but such a setup may be completely useless for your use case.

You mean bridge the external virtual card with the Internal and enter 22.22.22.22 on the CHR?

This is irrelevant as the ISP doesn't send ARP requests for 22.22.22.22. If they did, it would just mean to connect ether1 of CHR to the external virtual switch, keep the Windows be connected to it too, and at the CHR, set
/ip address
add interface=ether1 address=22.22.22.22/32 network=ip.of.the.gateway.used.by.Windows

Thank you Sindy ! All this is very interesting :-) !

use a display filter arp.dst.proto_ipv4 == 22.22.22.22. If the packet list becomes empty once you apply this display filter, it's definitely the worst case.

Yes, it did come back as empty :-( and after some back and forth with the provider they came back with this:

Dear Customer,
The additional IPs which we provided are forwarded through the main IP addresses which means that they need to be assigned to the server network settings.
Also, the additional IPs do not have their own gateway and MAC addresses.

arp.dst.proto_ipv4 == 22.22.22.22 , to see if I understand it correctly shows ARP requests to 22.22.22.22, if the list gets populated "Who has...Tell..." it shows that the provider sends requests to this public IP (when trying to access via ping) regardless of whether it is configured in Windows (Ethernet/properties/advanced). If nothing comes back it shows this IP is not "active" as it is routed through the first one , and because is not (in my case) configured in Windows there is no response . Am I correct in this ?

I installed Vmware (attached) and configured ICS to virtual ethernet 8 and I was able to ping 8.8.8.8 and perform a traceroute with a 100% loss on hop 2 (can you please tell me what that means?) I would expect public gateway 23.23.23.1 to be there (in that second hop) or for 23.23.23.90 to be there, however it shows on the third 23.23.23.1 (have Xed it out)... I didn't configure a masquerade rule as Windows does NAT (like you said in your previous post).

Windows firewall allows to open ports and vmware allows (attached) port forwarding to local addresses , does this change things?

Would all problems be solved if a provider offered e.g. /30 range of public addresses (obviously not routing number 2,3 etc via number 1) . In that case would I create a virtual adapter, enter second public IP 22.22.22.22 with subnet /30 and gateway? (you mention non conflicting 10.10.10.10 -would that be equivalent e.g. to 192.168.x.x ?) and then enter on CHR : that same IP 192.168.x.x and network 22.22.22.22? Or each one would have its own public address with gateway 22.22.22.1

If you have 3 public IP addresses in the same subnet 22.22.22.5-22.22.22.6-22.22.22.7 is it correct to assume that you can enter them on each card (physical,virtual, and ether1 of CHR) and thus have internet access on the CHR, through given 22.22.22.7?