smagumo
just joined
Topic Author
Posts: 17
Joined: Mon Dec 15, 2008 2:52 pm

Using a /32 bit mask

Mon Feb 15, 2010 2:52 pm

Good day,

I have a setup where I have my client on a static private IP address using a MikroTik CPE (say RouterA) on my routed wireless network with an internet gateway MikroTik router (RouterB). On the gateway router RouterB I have a /24 public IP assigned by my upstream provider and I would like to subnet this block to my clients.
In order to assign a public IP, currently I assign the client a /24 on the public interface on RouterB and then create two NAT rules, one src and another dst, attached to the client's static private IP (RouterB).

Now I would like to know: is there a problem if I assign a /32 IP instead of the current /24? I have tested it once and I could see RouterB from the internet, but I would like to know, is this good practice?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Using a /32 bit mask

Mon Feb 15, 2010 2:55 pm

There would be a challenge. Any other IP will not be localnet, including the gateway. The gateway must be localnet.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Using a /32 bit mask

Mon Feb 15, 2010 8:30 pm

Let's say your ISP's gw is 1.2.3.1/24, your router has 1.2.3.2/24 and you can use any other 1.2.3.x/24. Then if you add e.g. 1.2.3.10/32 to the public interface (same where 1.2.3.2 is), it will work without any problem. When the ISP's gw sends an ARP request for 1.2.3.10, it will reach the router and it can send the correct reply. From your side 1.2.3.10 can't reach 1.2.3.1 by itself. But 1.2.3.2 can reach it. So the router will learn the correct MAC address and even packets from 1.2.3.10 can use it. But I don't see any real difference between /24 and /32 here. No advantage, no disadvantage, nothing. IMHO both will work exactly the same.

But I see some other major flaw with your setup. If you really assign all public addresses to RouterB, and then just forward the packets to the client's internal address and masquerade the other direction, then the client doesn't really have a public address. It will work for many things. But what if the client thinks e.g. "hey, I got this cool public 1.2.3.10, and I'd like to create an IPSec tunnel to my other office at 4.3.2.1"? He can't do it, because he doesn't really have that address.
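
The two replies above disagree only about which addresses sit on the public interface, and this added example (not part of the thread or of RouterOS) models both cases with Python's `ipaddress` module. It uses the sample addresses from the reply above; the ARP check is a simplified assumption that a router answers for every address it owns.

```python
import ipaddress

# Constructed sample values, taken from the addresses used in the reply above.
GATEWAY = "1.2.3.1"
CLIENT_IP = "1.2.3.10"
SLASH24_PLUS_SLASH32 = ["1.2.3.2/24", "1.2.3.10/32"]  # the /32 added next to the /24
ONLY_SLASH32 = ["1.2.3.10/32"]                        # the /32 as the only address


def connected_networks(addresses):
    """Networks that become directly connected ("localnet") on the interface."""
    return [ipaddress.ip_interface(a).network for a in addresses]


def covering_address(addresses, gateway):
    """Return the interface address whose network contains the gateway, or None."""
    gw = ipaddress.ip_address(gateway)
    for a in addresses:
        if gw in ipaddress.ip_interface(a).network:
            return a
    return None


def gateway_on_link(addresses, gateway):
    """True if a default route via `gateway` can be resolved on this interface."""
    return covering_address(addresses, gateway) is not None


def answers_arp_for(addresses, target):
    """Simplified model: the router replies to ARP for every address it owns."""
    t = ipaddress.ip_address(target)
    return any(ipaddress.ip_interface(a).ip == t for a in addresses)


def report(addresses, gateway=GATEWAY, client_ip=CLIENT_IP):
    return {
        "connected": [str(n) for n in connected_networks(addresses)],
        "gateway_on_link": gateway_on_link(addresses, gateway),
        "gateway_reached_via": covering_address(addresses, gateway),
        "answers_arp_for_client_ip": answers_arp_for(addresses, client_ip),
    }


if __name__ == "__main__":
    for name, addrs in [("/24 + /32", SLASH24_PLUS_SLASH32), ("/32 only", ONLY_SLASH32)]:
        print(name, report(addrs))
```

In both cases the router answers ARP for 1.2.3.10, but only the set that keeps 1.2.3.2/24 leaves the gateway on a connected network.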
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Using a /32 bit mask

Tue Feb 16, 2010 12:02 am

In that case, you should set up a bridge, not a router. Or use arp-proxy.
 
smagumo
just joined
Topic Author
Posts: 17
Joined: Mon Dec 15, 2008 2:52 pm

Re: Using a /32 bit mask

Wed May 12, 2010 11:21 am

There would be a challenge. Any other IP will not be localnet, including the gateway. The gateway must be localnet.
I ran into this problem. I have long since reverted to my /24 setup.