Assigning public IP to internal (private) IP
Posted: Wed Jul 21, 2004 6:04 pm
by maris
Probably a very simple question, but I am not that familiar with the MT router and with routers in general. So, I have an outside network (ISP), let's say 10.0.0.0/28, and my private one, 192.168.0.0/24. All traffic going out from my local network is going out as one public IP address. That is working and configured exactly as in the Manual's "basic setup". And if I want to bring out to public some services (like a web server) I can do that by dest-nat, so that some port on a private IP is mapped to some port on my public IP.
But I have several PCs that are webservers and I want each of them to have a different real IP address. That is, they can have some local IP, but then it has to be mapped completely to some public address. Is it possible? How to do that in the MT router?
Thanks,
Maris
Posted: Wed Jul 21, 2004 10:11 pm
by maris
Seems I found the answer by myself:
I just assigned another IP address to the Public interface, and then in destination-NAT it is possible to specify an IP address without a port number, thus forwarding all traffic from the public address to the private one. Only I am not sure if this is the right way to do it, is it?
For some reason it was not obvious from the manual that it is possible to omit the port number this way, in fact bringing out all services on that IP.
Maybe some additional sample in Manual would help.
Posted: Thu Jul 22, 2004 10:05 am
by netcomp
I use it the same way, but I wouldn't recommend NATing all ports; use only those you need.
Posted: Thu Jul 22, 2004 10:13 am
by netcomp
Let me put another question (I don't want to make another topic, too many topics hehehe).
Our ISP gave us 32 public IPs, and I don't want to NAT to my local PCs; I want to put a public IP directly on the PC, but only on, let's say, 5 PCs. The rest would be in a private IP subnet, let's say 10.0.0.x. Also queues, NAT etc. would be nice for those PCs with public IPs, as they work with private ones.
Posted: Thu Jul 22, 2004 4:01 pm
by maris
Yes, if that would be possible without NAT this would be a good solution for me too.
One thing that I don't like (and I am not sure if it should be this way or I did something wrong) is that I can't access my local PCs' services that have been NATed to some real IP address by that real IP. That is, if I have a local PC with IP 192.168.0.1 that has a webserver on it and it is NATed to some outside IP x, then if I am outside my local network I can type IP x in a web browser and it shows my webpage, but within my local network x doesn't work; I have to use 192.168.0.1.
Is there some solution for this?
Posted: Thu Jul 22, 2004 4:27 pm
by netcomp
Don't know, it's the same at my side also, even sometimes I got the MikroTik router page :).
Posted: Thu Jul 22, 2004 8:57 pm
by lastguru
What is your dst-nat rule? It might be so that it specifies only outside interface as in-interface, and if you change it to "all", it will work OK.
Also about putting real addresses inside, there are two options (please read the manual to understand how they differ and which one better suits your needs): bridging (yes, you can do bridging, routing and NAT simultaneously!) and proxy-arp
Posted: Thu Jul 22, 2004 10:38 pm
by lastguru
What is your dst-nat rule? It might be so that it specifies only outside interface as in-interface, and if you change it to "all", it will work OK
Oh, no, I'm sorry, I just remembered that this solution may not work either... guess why?
If you are in one network with the web server, dst-nat will work (if your local interface is included in the "in-interface" of the rule) and redirect all the traffic to the web server. Now server finds out that somebody from its own network has sent a request to it, so it responds to the client directly without going through the router. In that case the connection would even not be possible...
Please put an src-nat rule to masquerade your internal clients going out through the same internal interface to your web server.
Posted: Fri Jul 23, 2004 4:23 pm
by maris
Thanks, it worked finally, but took some while to figure out. At the end it was really simple:
1. dest-nat rule should have in-interface set to all (as it was initially for me)
2. src-nat rule should have out-interface also set to "all" (initially it was set to Public, as I was following the manual's example when setting this up)
Only question: why is it recommended in the manual "MikroTik RouterOS™ V2.7 Basic Setup Guide", chapter Application examples, to set out-interface for the src-nat rule to "Public"? Is there any benefit to that? Or just a bug in the manual?
Thanks for the suggestions about bridging and arp-proxy - will read more and try later. Thank you
Posted: Fri Jul 23, 2004 4:26 pm
by normis
Yes, there is one thing - if you have an internal webserver, you will not be able to see the visitors' IP addresses, because they too will be masqueraded. This problem is solved by changing the out-interface to public.
Posted: Fri Jul 23, 2004 5:00 pm
by maris
You are right. All requests, even those from outside our network, were seen by the webserver with the router's IP. But I found a solution:
- we leave the original src-nat rule as it was before, with Public in-interface
- add a new rule where we set src.address to 192.168.0.0/24 and set in.interface to local.
Now outside requests keep their IP addresses! Okay, if we access the webpage from the local net by the real IP, then it is referenced as coming from the router, but that's okay, I think, as without this rule we couldn't access the webserver by the real IP anyway.
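The behaviour worked out in this thread, as an added example that is not part of the original posts: a small Python model of the dst-nat/src-nat path, comparing the three src-nat rule sets discussed for whether a client can reach the server by its public address and which source IP the web server ends up logging. The addresses 10.0.0.3, 10.0.0.9, 192.168.0.50 and 192.168.0.254 are constructed, and the rule fields are a simplified model, not RouterOS syntax.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")  # private network from the thread
WEB = "192.168.0.1"            # internal web server from the thread
PUBLIC_IP = "10.0.0.3"         # constructed: extra public address dst-nat'ed to WEB
ROUTER_LAN = "192.168.0.254"   # constructed: router's address on the local interface

# src-nat rule sets discussed in the thread; None means "match anything".
MANUAL = [{"src": None, "in": None, "out": "public"}]      # manual's example
ALL_IFACES = [{"src": None, "in": None, "out": None}]      # out-interface=all
FINAL = MANUAL + [{"src": LAN, "in": "local", "out": None}]  # last post's rules

def matches(rule, src, in_iface, out_iface):
    return ((rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and rule["in"] in (None, in_iface)
            and rule["out"] in (None, out_iface))

def connect(client, in_iface, srcnat_rules):
    """Client opens PUBLIC_IP; return (source the web server logs, works?)."""
    # dst-nat with in-interface=all rewrites the destination to WEB,
    # so the packet leaves the router on the local interface.
    src, out_iface = client, "local"
    if any(matches(r, src, in_iface, out_iface) for r in srcnat_rules):
        src = ROUTER_LAN  # masqueraded to the router's own address
    # The server answers whatever source it saw. A LAN source other than the
    # router is reached directly, so the reply skips the router, is never
    # un-NATed, and arrives from WEB instead of PUBLIC_IP: the client drops it.
    direct = ipaddress.ip_address(src) in LAN and src != ROUTER_LAN
    return src, not direct

def report():
    cases = {"lan": ("192.168.0.50", "local"), "outside": ("10.0.0.9", "public")}
    sets = {"manual": MANUAL, "all": ALL_IFACES, "final": FINAL}
    return {(s, c): connect(ip, iface, rules)
            for s, rules in sets.items() for c, (ip, iface) in cases.items()}

if __name__ == "__main__":
    for key, (seen, ok) in report().items():
        print(key, "server sees", seen, "works" if ok else "FAILS")
```

Only the last rule set keeps real visitor addresses in the web server's logs while still letting LAN clients use the public address; the masquerade-everything variant works but makes every request appear to come from the router.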