Two public IP on WAN interface

Posted: Fri Mar 21, 2014 12:10 pm
by tlamik
Hi,

I'm trying to set up two public IPs on one WAN interface (RB951G-2HnD), but only one works. I think there may be a problem with the GW or routing, because each IP is from a different subnet and each IP has its own GW.
I tried setting up two public IPs from the same range with the same GW and it worked great. I'm now struggling with this issue. Could someone help or kick me in the right direction?

Regards from the Czech Republic

Re: Two public IP on WAN interface

Posted: Fri Mar 21, 2014 2:47 pm
by troy
Based on what you describe, the GW devices are separate devices and you do not have any sort of a routing protocol set up or available. An odd setup for sure, but it should work with the addition of some routing marks:

ros code

/ip firewall mangle
  add action=mark-routing chain=prerouting comment="To GW1" new-routing-mark=GW1 src-address=1.1.1.11
  add action=mark-routing chain=prerouting comment="To GW2" new-routing-mark=GW2 src-address=2.2.2.22
/ip route
  add gateway=1.1.1.1 routing-mark=GW1
  add gateway=2.2.2.2 routing-mark=GW2
Of course, this is a router, so you probably have other subnets behind it. In which case, you'll want to create and use address lists so that traffic from your various subnets gets forwarded to the appropriate gateway. You'll also want to exclude internal traffic from getting marked:

ros code

/ip firewall mangle
  add action=mark-routing chain=prerouting comment="To GW1" new-routing-mark=GW1 \
    src-address-list=TO_GW1 dst-address-list=!INTERNAL
  add action=mark-routing chain=prerouting comment="To GW2" new-routing-mark=GW2 \
    src-address-list=TO_GW2 dst-address-list=!INTERNAL
Hope this helps!

Re: Two public IP on WAN interface

Posted: Fri Mar 21, 2014 3:42 pm
by tlamik
Thanks for reply.

It seems very complicated to me. I am not sure if there are separate devices or not. I get a UTP cable and these two public IPs from my provider; I don't know what is behind it.
I want to replace my old iptables Linux FW with this MT. I have one physical cable and two different public IPs on it: the old one and the new one, which isn't from the same subnet as the old one. I asked my provider for another IP, but the old pool was used up, so he gave me one from a new subnet pool. On my Linux FW, I don't need to set up anything else except the IP.
No second GW, no routing; everything works as soon as I add the new IP to my WAN interface. I thought it would be the same with MT, but I am unable to get it to work. I don't need load balancing or anything like that. I have a webserver behind the MT in a DMZ with two public IPs on it. All I need is for people from the Internet to be able to reach both IPs of my web server. So first I have to set up both IPs on the WAN interface and then set up forwarding rules on the MT. Where is the difference between MT and Linux in this case?

Regards

Re: Two public IP on WAN interface

Posted: Fri Mar 21, 2014 3:52 pm
by troy
Ok, if you can do this with straight iptables on Linux, you can do this with MT (which is still Linux). You just have to learn the abstraction layers that MT puts on top.

So, both IP addresses are from the same provider. You probably don't have to worry about the actual GW then. The provider already knows how to send traffic to either one of your IP addresses and how to deal with traffic FROM either of your IP addresses.

Unless your provider is doing something very wacky, this will work just fine:

ros code

/ip address
  add address=1.1.1.11/24 interface=ether1
  add address=2.2.2.22/24 interface=ether1
/ip route
  add gateway=1.1.1.1
Again, your provider already knows how to reach 2.2.2.22, so you don't need to worry about that. When you send traffic FROM 2.2.2.22, it really doesn't matter which GW IP you use, as the GW router will know how to handle it already. Once you have this in place, test it:

ros code

/ping 8.8.8.8 src-address=1.1.1.11
/ping 8.8.8.8 src-address=2.2.2.22
If this does not work, contact your provider for assistance.
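Added example, not from the thread or from either poster: the two-address WAN setup above extended with the port-forwards tlamik describes for the webserver in the DMZ, plus a temporary log rule to check whether traffic for the second address reaches the firewall at all. 1.1.1.11 / 2.2.2.22 are the placeholder addresses used in the thread; 192.168.10.10 (DMZ webserver), 192.168.10.0/24 and ether1/ether2 (WAN/DMZ interfaces) are assumptions.

```routeros
# Assumed: ether1 = WAN, ether2 = DMZ, 192.168.10.10 = DMZ webserver
/ip address
  add address=1.1.1.11/24 interface=ether1 comment="public IP 1 (old pool)"
  add address=2.2.2.22/24 interface=ether1 comment="public IP 2 (new pool)"
  add address=192.168.10.1/24 interface=ether2 comment="DMZ"
/ip route
  add dst-address=0.0.0.0/0 gateway=1.1.1.1 comment="single default route"

# Forward only the web ports, once per public address, to the DMZ host
/ip firewall nat
  add chain=dstnat in-interface=ether1 dst-address=1.1.1.11 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.10.10 comment="web via IP 1"
  add chain=dstnat in-interface=ether1 dst-address=2.2.2.22 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.10.10 comment="web via IP 2"
  add chain=srcnat out-interface=ether1 src-address=192.168.10.0/24 action=src-nat \
    to-addresses=1.1.1.11 comment="outbound from DMZ leaves as IP 1"

# Let only the dst-natted connections into the DMZ; drop everything else WAN->DMZ
/ip firewall filter
  add chain=forward in-interface=ether1 out-interface=ether2 connection-state=new \
    connection-nat-state=dstnat action=accept comment="forwarded web traffic"
  add chain=forward in-interface=ether1 out-interface=ether2 connection-state=new \
    action=drop comment="anything else from WAN to DMZ"

# Check 1: can each public address reach the Internet (as in the reply above)
/ping 8.8.8.8 src-address=1.1.1.11 count=3
/ping 8.8.8.8 src-address=2.2.2.22 count=3

# Check 2: do packets for the second address reach the firewall at all?
# Temporary log rule placed first in the input chain; inspect with /log print
/ip firewall filter
  add chain=input dst-address=2.2.2.22 protocol=icmp action=log \
    log-prefix="IP2-in" place-before=0 comment="temporary: remove after testing"
```

If a ping to 2.2.2.22 from outside shows up in Torch on ether1 but never produces an "IP2-in" log entry, the packets are arriving on the wire but not being accepted for the router's own address, which points at the address/interface configuration or the provider side rather than at the filter rules.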

Re: Two public IP on WAN interface

Posted: Mon Mar 24, 2014 1:05 pm
by tlamik
I think I have these settings, but no success. I have, let's say, the primary (old) IP with its default GW and a /24 mask. In the Linux environment someone told me that when adding a new IP on the same interface I have to add it with a /32 mask. So there should be only one /24 mask on the interface and the rest should be /32. That's the only difference I can see. However, I can try putting both IPs with a /24 mask.

Re: Two public IP on WAN interface

Posted: Wed Mar 26, 2014 5:49 pm
by troy
Yeah, when adding additional IP addresses in the same subnet, it's best practice to use a /32 mask. Addresses in multiple subnets should not require this.

It could be something funky with your ISP, but I couldn't tell you for sure.

Both of the obvious configurations are failing, not sure what else to try.

Good luck!

Re: Two public IP on WAN interface

Posted: Mon Apr 07, 2014 8:16 pm
by tlamik
I have some news. I am able to ping 8.8.8.8 from the router from both IPs. That's OK.
But nobody can ping my router's second public IP from the Internet.
When I launch Torch, I can see packets from other public IPs to my router, BUT I am unable to see any incoming packets in firewall input, NAT or mangle :( and I am pretty sure that I should see something there.