abaldtech
just joined
Topic Author
Posts: 7
Joined: Tue Mar 01, 2016 9:29 pm

IP through router

Tue Mar 08, 2016 11:13 pm

I am hoping that maybe ZeroByte, or anyone else, can answer a couple more questions for me. Using the WinBox software, is it possible to assign more than one IP address to a MAC address? In other words, since we use WinBox to hand out public IP addresses, is it possible to assign a static IP address to a router, then allow a few more IP addresses to be handed to other devices behind the router? I have a client that has their router on 1.1.19.131, but they have access to 1.1.19.131 through 1.1.19.136. They have their router at 1.1.19.131 and they want to have their mail server and a couple of other devices behind the router, but use the 1.1.19.132 through 1.1.19.136 addresses. I am trying to figure out how to get all of this to work correctly using the WinBox. Any suggestions are greatly appreciated.
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: IP through router

Tue Mar 08, 2016 11:25 pm

Hi,
Yes, you can assign more than one IP to an interface.
I didn't exactly understand you, but I think you wanna redirect your packets which are targeting your public IP address to a private IP address behind your router. If I'm right, we call it NAT.


Here is an example of NAT port forwarding for remote desktop to a private IP address:

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.200.2 to-ports=3389 protocol=tcp dst-port=3389 log=yes log-prefix="************* Remote Desktop Attemp **************"

But there are many options you can use: input/output interface, src/dst IP address and ...
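
Added example, not part of the post above: the same port forward narrowed with the matchers the post mentions (input interface, source and destination address). The interface name ether1-wan, the address-list rdp-admins and the source 203.0.113.10 are assumptions, and 1.1.19.132 is the thread's made-up public address, assumed here to be configured on the router doing the NAT.

```routeros
# Constructed values: ether1-wan, rdp-admins and 203.0.113.10 are assumptions
# of this example; 1.1.19.132 is the made-up public address from the thread.

# Sources that are allowed to reach the forwarded Remote Desktop port.
/ip firewall address-list add list=rdp-admins address=203.0.113.10 comment="constructed admin source"

# Forward TCP/3389 only when the packet arrives on the WAN interface,
# targets the one public address meant for this host, and comes from
# a listed source. The client's source port is ephemeral, so it is not matched.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp \
    in-interface=ether1-wan dst-address=1.1.19.132 dst-port=3389 \
    src-address-list=rdp-admins \
    to-addresses=192.168.200.2 to-ports=3389 \
    log=yes log-prefix="rdp-fwd"
```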
 
abaldtech
just joined
Topic Author
Posts: 7
Joined: Tue Mar 01, 2016 9:29 pm

Re: IP through router

Wed Mar 09, 2016 9:37 pm

Thank you Shayan for the reply. I am familiar with one-to-one NAT and how it works, but my client wants to use public IP addresses on the back side of the router. There is a word for this....it seems like it is a Microsoft term....I have been racking my brain for a couple of days now trying to come up with the word. Anyway, I will try to do a better job of explaining what my client is attempting to accomplish and how I am trying to help them.

So my client has a business and they have purchased a public IP from my company. For ease of following my story, we are going to give them a public static IP address of 1.1.19.131 (not their real IP address, not even close, just made up.) Their Watchguard firewall has a MAC address of AA:BB:CC:DD:EE:FF which I have completed the process of 'Set as Static' on the WinBox. Therefore the firewall, with the above referenced MAC address, has an IP address of 1.1.19.131. Now, they have a mail server, I don't know the MAC yet, which they would like to set with an IP address of 1.1.19.132, as they purchased six static IP addresses from my company. They don't want to have to purchase a managed switch and set it up so the mail server, along with other devices, is facing the public Internet directly. They would like to place the mail server (1.1.19.132) behind the firewall, but still have it either pull the static IP address, or manually place the public static IP address on it. We did some testing where we put the public static IP address on the mail server, but pings and other traffic die out before they get there. They have set up the Watchguard firewall to forward all the mail traffic out to the public gateway (1.1.19.129 - which is my gateway on the WinBox). This is where I am stuck. Do we need to go back to one static public IP address, then have the firewall do port forwarding to the other devices, or would I be able to assign the five other static public IP addresses to the devices from the WinBox through the firewall? Or do I just need to explain to the client that they need to purchase a managed switch and just have all of their devices facing the public Internet so the WinBox can hit one of them directly?

I really do appreciate the assistance. Thank you.
 
ShayanFiroozi
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: IP through router

Wed Mar 09, 2016 10:47 pm

It's not so complicated, but I'm a wireless professional; it's something about routing, firewalling and NAT, and I'm not an expert on these subjects.
But every firewall has its own behavior over packets and you don't know how it has been configured; maybe somewhere it's dropping your packets. I'm sure you can add multiple IPs on your interface and easily NAT or route them, as I've done this many times without any problem.

It's better that an expert helps you, but in my opinion a visual diagram would be very useful, because reading a network situation and looking for its problem needs a very strong imagination ;)

Thank you.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IP through router

Thu Mar 10, 2016 12:44 am

If you want to give multiple IP addresses to the same client device, there are basically two ways to do it:

1: the customer's device should be aware that it has multiple IP addresses, and simply reply to ARP requests from your router for every IP it has configured on it - and no more. This is the most preferable because it's just "how things should work"

If the customer's device is a Cisco ASA, for instance, whenever a static NAT rule is created, there is an option to enable proxy-arp for this mapping, and that should be set to 'yes' - some devices just require that the administrator (your customer in this case) configure multiple IP addresses on the WAN interface.


2: statically map the extra IP address(es) to the customer's device

2a: (preferred mapping method): Create a /32 static route for the extra IP address with next-hop IP = the customer's primary IP.
e.g. /ip route add dst=1.1.19.132/32 gateway=1.1.19.131
If you want the customer to have all of the IPs in the range, then you'd need to do this for every single address.

2b: create static ARP entries with the customer's device's MAC address - this is less preferred because if the customer ever changes devices, or changes which interface of their device is connected to you, then they're going to suddenly be broken until you can update your static ARP entries.
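
Added example, not part of ZeroByte's post: options 2a and 2b written out as RouterOS commands for the thread's made-up range 1.1.19.132 through 1.1.19.136. The comment tags and the interface name ether2-customer are assumptions; AA:BB:CC:DD:EE:FF is the placeholder MAC from the earlier post.

```routeros
# Option 2a: one /32 route per extra address, next hop = customer's primary IP.
:for i from=132 to=136 do={
    :local tag ("cust-extra-1.1.19." . $i)
    # The comment tag (an assumption of this example) makes the loop re-runnable:
    # an address that already has its route is skipped instead of duplicated.
    :if ([:len [/ip route find where comment=$tag]] = 0) do={
        /ip route add dst-address=("1.1.19." . $i . "/32") gateway=1.1.19.131 comment=$tag
    }
}
# List the routes this script owns, to confirm all five are present.
/ip route print where comment~"^cust-extra-"

# Option 2b, for comparison: pin one extra address to the customer's MAC.
# The entry has to be updated by hand whenever the customer swaps devices or ports.
/ip arp add address=1.1.19.132 mac-address=AA:BB:CC:DD:EE:FF interface=ether2-customer comment="static ARP, option 2b"
```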
