Techsystem
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Get Two public IP on the same interface

Fri Apr 26, 2024 5:45 pm

Hello to all..
From your experience, can you share how you can get two public IP addresses on the same interface..?
I mean the following:
I have an ONU device connected to the MikroTik on the ether1 interface.
On this interface ether1 my ISP assigns one public IP, and I create a masquerade and routing rule for it as normal (MikroTik 101).
(( so ether1 has -let's say- 156.55.55.2/24 and the routing rule is dst: 0.0.0.0, gateway: 156.55.55.1 ))

Now how can I get the other one..?
I tried to assign the other public IP to the same interface ether1 but that created a problem for me.
And by the way, when I assigned the other public IP to ether1 I created two src-nat rules as follows:
chain: srcnat, action: src-nat, to-addresses: 156.55.55.2
and the other rule is the same with the second public IP.

So any ideas..?
 
anav
Forum Guru
Posts: 19651
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 5:57 pm

config??
 
Techsystem
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 6:12 pm

Hey anav.. glad to have you here...!

Well, yes, I understand, but I really don't have one; I am far away from the router.
Maybe yesterday I can get one.
But to simplify the situation more:

Let's assume that 156.55.55.2 is the first public IP and 156.55.55.3 is the second, and by the way, in the real scenario the two public IPs differ from each other only in this 2 and 3.

1- Ignore the firewall
2- Ignore the WLAN interface
3- There is a bridge with two interfaces (ether2 and 3), and if you connect your PC to it you will get internet access with the first public IP.
4- I want to create another bridge with (ether4 and 5) so that if I connect any device to it, it has to access the internet with the second public IP.
5- The route rules are as follows; I didn't add any additional rule:
dst-address: 0.0.0.0
gateway: 156.55.55.1

6- As I said, the NAT rules are as above: I have two src-nat rules, the first for the first IP and the other for the second IP.
 
anav
Forum Guru
Posts: 19651
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 6:21 pm

The answer is not to make multiple bridges.
Do you want subnets to equally access the available WANs (like in PCC load balance)?
Do you want some subnets to go out WAN1 and some out WAN2?
Do you have remote users coming in to LAN servers, and if so over which WAN?
Do you have remote users coming in via VPN, and if so which WAN?
Do you have local users going out via a third-party VPN?

The real time you worry about having the same WAN gateway IP but different WAN IPs is in your IP routes.

/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=singleGatewayIP%ether1 routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=singleGatewayIP%ether2 routing-table=main


If you have some mangles or routing rules:
add dst-address=0.0.0.0/0 gateway=singleGatewayIP%ether1 routing-table=useWAN1
add dst-address=0.0.0.0/0 gateway=singleGatewayIP%ether2 routing-table=useWAN2
Last edited by anav on Fri Apr 26, 2024 6:29 pm, edited 1 time in total.
 
Techsystem
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 6:26 pm

The answer is not to make multiple bridges.
Do you want subnets to equally access the available WANs (like in PCC load balance)?
Do you want some subnets to go out WAN1 and some out WAN2?
Do you have remote users coming in to LAN servers, and if so over which WAN?
Do you have remote users coming in via VPN, and if so which WAN?
Do you have local users going out via a third-party VPN?
Yes, I want this one: "Do you want some subnets to go out WAN1 and some out WAN2"
 
anav
Forum Guru
Posts: 19651
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 6:35 pm

For whole subnets (probably VLANs) it may be easiest to use routing rules and tables.
The routes were already shown above.

/routing table
add fib name=useWAN1
add fib name=useWAN2


/routing rule
add action=lookup-in-table min-prefix=0 table=main comment="ensures local traffic is permitted"
add action=lookup src-address=subnetA table=useWAN1
add action=lookup src-address=subnetB table=useWAN2
 
Techsystem
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 6:48 pm

For whole subnets (probably VLANs) it may be easiest to use routing rules and tables.
The routes were already shown above.

/routing table
add fib name=useWAN1
add fib name=useWAN2


/routing rule
add action=lookup-in-table min-prefix=0 table=main comment="ensures local traffic is permitted"
add action=lookup src-address=subnetA table=useWAN1
add action=lookup src-address=subnetB table=useWAN2
I really was thinking about that, but the problem is that I have only one out interface, ether1.
So in this case, how will the routing rules be..?
I mean, I am comfortable with your scenario when I have two out (WAN) interfaces, but in my case I think it's different.
So if you didn't catch the idea, I can draw a Draw.io diagram for you.
Last edited by Techsystem on Fri Apr 26, 2024 6:52 pm, edited 1 time in total.
 
k6ccc
Forum Guru
Posts: 1510
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 6:52 pm

I did exactly what you are trying to do for years. Each LAN or VLAN used a different public IP on my DSL. This was ROS 5 and early 6, so Anav's information is far more current. Very easy and worked great.
 
Amm0
Forum Guru
Posts: 3606
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:20 pm

I really was thinking about that, but the problem is that I have only one out interface, ether1.
Perhaps the question is what's the purpose of using the 2nd public IP, if it's using the same physical upstream?

e.g.
1. Do you want different dst-nat rules based on IP? In this case, you just need to add a 2nd /ip/address on ether1 & dst-nat rules that match on the specific public dst-address in NAT.
2. Use multiple IPs for outbound connections. I believe you should be able to use PCC on the /ip/firewall/nat, e.g.
/ip/firewall/nat
add action=src-nat chain=srcnat out-interface=ether1 per-connection-classifier=both-addresses-and-ports:2/0 to-addresses=156.55.55.2
add action=src-nat chain=srcnat out-interface=ether1 per-connection-classifier=both-addresses-and-ports:2/1 to-addresses=156.55.55.3
 
k6ccc
Forum Guru
Posts: 1510
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:27 pm

In my case, originally I did it because I was running two instances of a ham radio linking system. Each had (at that time) to be on a separate public IP address. So one was on one LAN that used one of my public IP addresses and the other instance was on a different LAN that used one of the other public IPs.
 
anav
Forum Guru
Posts: 19651
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:32 pm

Ahh, single interface, now that's challenging..........
But how is this different from any group of public IPs coming from a single provider over a single interface.

Typically one uses one IP for the router and a second IP directly for a server for example.
What to do if one wants to use them both for the router, PCC or some subnets for A and some subnets for B...........
 
Amm0
Forum Guru
Posts: 3606
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:38 pm

Ahh, single interface, now that's challenging..........
I'm not sure what it gets you, if it's the same ISP... Normally ISPs do throttling/queues by the customer's link, not by specific public IP... but perhaps not.

Also, another approach that allows a config closer to the typical dual-WAN examples is using a MACVLAN interface for the 2nd public IP.
Last edited by Amm0 on Fri Apr 26, 2024 7:40 pm, edited 1 time in total.
 
Techsystem
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:39 pm

I really was thinking about that, but the problem is that I have only one out interface, ether1.
Perhaps the question is what's the purpose of using the 2nd public IP, if it's using the same physical upstream?

e.g.
1. Do you want different dst-nat rules based on IP? In this case, you just need to add a 2nd /ip/address on ether1 & dst-nat rules that match on the specific public dst-address in NAT.
2. Use multiple IPs for outbound connections. I believe you should be able to use PCC on the /ip/firewall/nat, e.g.
/ip/firewall/nat
add action=src-nat chain=srcnat out-interface=ether1 per-connection-classifier=both-addresses-and-ports:2/0 to-addresses=156.55.55.2
add action=src-nat chain=srcnat out-interface=ether1 per-connection-classifier=both-addresses-and-ports:2/1 to-addresses=156.55.55.3
Hey Amm0.. I applied exactly what you said, but as I mentioned earlier, I had some trouble with this implementation.
So if you have another method, it would be appreciated.
 
Amm0
Forum Guru
Posts: 3606
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:41 pm

Well, that should work. Maybe post the relevant config?

I suppose another approach that allows a config closer to the typical dual-WAN examples is using a MACVLAN interface for the 2nd public IP, and using that MACVLAN as the interface instead of something like ether2 in other examples.
 
Techsystem
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:42 pm

Ahh, single interface, now that's challenging..........
But how is this different from any group of public IPs coming from a single provider over a single interface.

Typically one uses one IP for the router and a second IP directly for a server for example.
What to do if one wants to use them both for the router, PCC or some subnets for A and some subnets for B...........
Well ok, I like this idea here: "Typically one uses one IP for the router and a second IP directly for a server for example." Actually, in the real situation this second IP is for the server, and maybe we can use it for other devices, but do you mean to put the public IP directly on the server..?
 
Amm0
Forum Guru
Posts: 3606
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:46 pm

Well ok, I like this idea here: "Typically one uses one IP for the router and a second IP directly for a server for example." Actually, in the real situation this second IP is for the server, and maybe we can use it for other devices, but do you mean to put the public IP directly on the server..?
If it's a server, then perhaps a netmap would be better, as this does a one-to-one NAT between the public IP and the LAN IP of the server:
/ip/firewall/nat add chain=dstnat action=netmap dst-address=55.5.5.3 to-addresses=<LAN-address-of-server>

This maps the entire public IP and all ports to the server's LAN address, so you'd still be able to restrict it via the firewall. And the 2nd public IP still needs to be added to /ip/address on the router.
 
Amm0
Forum Guru
Posts: 3606
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:48 pm

And with netmap, you'd need a src-nat rule too, but matching on src-address using the LAN address of the server and to-addresses=55.5.5.3.
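The one-to-one mapping Amm0 describes in the two posts above, written out in full as an added example (this is not code from the thread; the public IP 156.55.55.3, the server address 192.168.1.10, the ports and the admin prefix 203.0.113.0/24 are placeholders chosen for the example). The detail worth seeing is the forward-chain allow-list: once a netmap rule exists, every inbound connection to that public IP counts as dst-nat'ed, so the default "drop all from WAN not DSTNATed" rule no longer shields the server, and without explicit forward rules the mapping exposes every port on the host.

```routeros
# Added example, not the original poster's config or Amm0's text.
# Placeholders: public IP 156.55.55.3 (second ISP address), server at
# 192.168.1.10 behind bridge2, allowed services HTTPS for everyone and
# SSH only from an assumed admin prefix 203.0.113.0/24.

# The second public IP must exist on the router so it answers ARP for it
/ip address
add address=156.55.55.3/24 interface=ether1

/ip firewall nat
# inbound: everything addressed to the public IP is rewritten to the server
add chain=dstnat action=netmap dst-address=156.55.55.3 to-addresses=192.168.1.10 \
    comment="1:1 inbound 156.55.55.3 -> server"
# outbound: connections the server itself opens leave with the same public IP;
# this rule has to come BEFORE the general src-nat/masquerade rule for the LAN
add chain=srcnat action=src-nat src-address=192.168.1.10 to-addresses=156.55.55.3 \
    comment="1:1 outbound server -> 156.55.55.3"

/ip firewall filter
# The forward chain sees post-dstnat addresses, so match on the LAN address.
# These must sit ABOVE "defconf: drop all from WAN not DSTNATed", which no
# longer protects the server because netmapped connections are dstnat'ed.
add chain=forward action=accept in-interface-list=WAN dst-address=192.168.1.10 \
    protocol=tcp dst-port=443 connection-state=new comment="server: HTTPS from anywhere"
add chain=forward action=accept in-interface-list=WAN dst-address=192.168.1.10 \
    protocol=tcp dst-port=22 src-address=203.0.113.0/24 connection-state=new \
    comment="server: SSH from admin prefix only"
add chain=forward action=drop in-interface-list=WAN dst-address=192.168.1.10 \
    connection-state=new comment="server: drop every other new connection from WAN"
```

`/ip firewall filter add` appends at the end of the chain, so after adding the three rules move them (with `move` or `place-before=`) above the defconf "drop all from WAN not DSTNATed" rule; the drop rule at the end of the block is what turns the all-ports netmap back into a two-port exposure. The same ordering point applies in the NAT chain: if the server's src-nat rule sits below a catch-all src-nat or masquerade rule, the server's outbound connections leave with the router's primary public IP instead.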
 
Techsystem
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:49 pm

Well, that should work. Maybe post the relevant config?

I suppose another approach that allows a config closer to the typical dual-WAN examples is using a MACVLAN interface for the 2nd public IP, and using that MACVLAN as the interface instead of something like ether2 in other examples.
I totally forgot this MACVLAN feature, that's awesome. But before I upgrade my router to, I think, 7.12 or above, as I remember this MACVLAN is only available as a DHCP client. Is it..? And the ONU device in my case doesn't have DHCP.. correct me if I am wrong.
 
Amm0
Forum Guru
Posts: 3606
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:52 pm

You'd assign the MACVLAN the public IP address "manually" in /ip/address, instead of using /ip/dhcp-client. For intents in the firewall/routing, it's a different layer-2 interface, which means all examples that expect an ethernet interface name should work the same with MACVLAN.
Last edited by Amm0 on Fri Apr 26, 2024 7:55 pm, edited 3 times in total.
 
Techsystem
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Get Two public IP on the same interface

Fri Apr 26, 2024 7:52 pm

Well ok, I like this idea here: "Typically one uses one IP for the router and a second IP directly for a server for example." Actually, in the real situation this second IP is for the server, and maybe we can use it for other devices, but do you mean to put the public IP directly on the server..?
If it's a server, then perhaps a netmap would be better, as this does a one-to-one NAT between the public IP and the LAN IP of the server:
/ip/firewall/nat add chain=dstnat action=netmap dst-address=55.5.5.3 to-addresses=<LAN-address-of-server>

This maps the entire public IP and all ports to the server's LAN address, so you'd still be able to restrict it via the firewall. And the 2nd public IP still needs to be added to /ip/address on the router.
I think this is a good solution here, I will try it..
Thank you so much Mr. Amm0
 
Techsystem
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Get Two public IP on the same interface

Sat Apr 27, 2024 6:41 pm

You'd assign the MACVLAN the public IP address "manually" in /ip/address, instead of using /ip/dhcp-client. For intents in the firewall/routing, it's a different layer-2 interface, which means all examples that expect an ethernet interface name should work the same with MACVLAN.
Hello Mr. Amm0, hello to all..
Back to our discussion: I applied the MACVLAN setting today and that works well, so I assigned a static IP -(the second public IP)- and also created another routing rule -(I duplicated the already existing rule)- and also created a NAT rule, because I want src-address=192.168.1.1/24 to use the first IP and the other, 192.168.0.1/24, to use the second. But here is the -expected- issue:
I couldn't mark/route to a specific public IP; I mean now the traffic is routed sometimes from public 1 and sometimes from public 2, and that makes an issue with my dst-nat rules.
For more simplicity, here is my configuration.

Don't take this silly routing rule into account, because it doesn't make any sense here, but I was just trying.
# model = CCR2004-16G-2S+
# serial number = 
/interface bridge
add name=bridge1
add name=bridge2

/interface macvlan
add disabled=no interface=ether1 mac-address=                mode=private \
    name=macvlan1

/interface list
add name=LAN
add name=WAN

/ip pool
add name=dhcp_pool0 ranges=192.168.0.100-192.168.0.200
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.200

/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=3h name=dhcp1
add address-pool=dhcp_pool1 interface=bridge2 lease-time=3h name=dhcp2

/port
set 0 name=serial0
set 1 name=serial1

/routing table
add disabled=no fib name=85
add disabled=no fib name=WAN-84
add disabled=no fib name=WAN-85

/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge2 interface=ether10
add bridge=bridge2 interface=ether11
add bridge=bridge2 interface=ether12



/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=bridge2 list=LAN


/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
add address=xx.xx.55.84/24 interface=ether1 network=xx.xx.55.0


add address=xx.xx.55.85/24 disabled=no interface=macvlan1 network=\
    xx.xx.55.0
add address=192.168.1.1/24 interface=bridge2 network=192.168.1.0

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=xx.xx.xx.xx gateway=192.168.0.1
add address=192.168.1.0/24 gateway=192.168.1.1

/ip dns
set servers=8.8.8.8

/ip firewall filter
add action=accept chain=input comment=\
    "\"defconf: accept established, related, untracked\"" \
    connection-nat-state="" connection-state=established,related,untracked
add action=drop chain=input comment="\"defconf: drop invalid\"" \
    connection-state=invalid
add action=accept chain=input comment="defcon: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf:accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "\"defconf: drop all from WAN not DSTNATed\"" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/24 to-addresses=\
    xx.xx.55.84
add action=src-nat chain=srcnat src-address=192.168.1.0/24 to-addresses=\
    xx.xx.55.85

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.55.1 \
    pref-src="" routing-table=WAN-84 scope=30 suppress-hw-offload=no \
    target-scope=10

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.55.1 \
    pref-src="" routing-table=WAN-85 scope=30 suppress-hw-offload=no \
    target-scope=10

add disabled=no dst-address=0.0.0.0/0 gateway=185.24.62.1 routing-table=main \
    suppress-hw-offload=no

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/routing rule
add action=lookup disabled=yes src-address=192.168.0.1/24 table=WAN-84
add action=lookup disabled=yes src-address=192.168.1.1/24 table=WAN-85
Any ideas on how to solve this issue..?
Specifically, what I want is to make bridge1 use the first public IP and bridge2 use the second.
 
Amm0
Forum Guru
Posts: 3606
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Get Two public IP on the same interface

Sat Apr 27, 2024 9:23 pm

The first NAT rule should use src-nat, not masquerade. If action=masquerade, then to-addresses= is NOT used...

e.g.
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.0.0/24 to-addresses=xx.xx.55.84
==>
/ip firewall nat add action=src-nat chain=srcnat src-address=192.168.0.0/24 to-addresses=xx.xx.55.84
 
Techsystem
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Get Two public IP on the same interface

Sun Apr 28, 2024 5:11 am

The first NAT rule should use src-nat, not masquerade. If action=masquerade, then to-addresses= is NOT used...

e.g.
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.0.0/24 to-addresses=xx.xx.55.84
==>
/ip firewall nat add action=src-nat chain=srcnat src-address=192.168.0.0/24 to-addresses=xx.xx.55.84
Ok, so you think this will solve the problem..?
Also, do I have to change the route rules -(I mean I created two of the same rule, so the connections will be distributed across those two routes)- or is it enough to have one..?
 
Amm0
Forum Guru
Posts: 3606
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Get Two public IP on the same interface  [SOLVED]

Sun Apr 28, 2024 6:04 pm

Depends on the problem you're trying to solve. There are many ways to configure things.

As it stands, the NAT rules use one public IP for one subnet, 192.168.1.0, and the 2nd IP for 192.168.0.0.

To use rules and routing tables, the gateway needs to use an interface qualifier & additional NAT rules. Specifically,

1. You need to set the public IP to use based on the interface used, perhaps in addition to the IP-subnet ones above (and before those other NAT rules):
/ip/firewall/nat add action=src-nat chain=srcnat out-interface=macvlan1 to-addresses=xx.xx.55.85
/ip/firewall/nat add action=src-nat chain=srcnat out-interface=ether1 to-addresses=xx.xx.55.84

2. In the /ip/route tables for WAN-85 and WAN-84, make sure to use the qualifier in the route (which will then trigger the above NAT rules based on interface):
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.55.1%macvlan1 routing-table=WAN-85
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.55.1%ether1 routing-table=WAN-84

3. At this point, you can use rules. But note that using just two rules based on src-address=192.168.0.1/24 blocks inter-VLAN routing and router access. Two possible fixes: add a dst-address=<LAN> or min-prefix= rule BEFORE the custom rules that sends non-internet traffic to the "main" routing table. See @anav's comments above. But your current /routing/rule entries will essentially do as they say: use the WAN-84/85 tables for a subnet... those routing tables only have one route to your ISP & no other routes (the main routing table isn't used if a rule says to use a table, so if 192.168.0.x needed to connect to/from 192.168.1.x it won't work without some rule that sends it to main if src-address= is the matcher).

4. For completeness, you should add the macvlan1 interface to the WAN interface list too:
/interface list member add interface=macvlan1 list=WAN
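The pieces of the accepted answer (MACVLAN for the second address, per-address routing tables with an interface-qualified gateway, a main-table rule ahead of the per-subnet rules, src-nat keyed on the egress interface, both egress interfaces in the WAN list) collected into one configuration. This is an added example rather than the original poster's export or Amm0's text; it keeps the addresses from the posted config (xx.xx.55.84 on ether1, xx.xx.55.85 on macvlan1, ISP gateway xx.xx.55.1, bridge1 = 192.168.0.0/24, bridge2 = 192.168.1.0/24), and the routing-table and interface names are the poster's.

```routeros
# Added example: consolidated RouterOS v7 config for two public IPs on one
# physical uplink, each pinned to one LAN bridge. Addresses are the thread's
# placeholders (xx.xx.55.x), not real ones.

# 1. Second public IP on its own layer-2 interface (MACVLAN on ether1).
#    No mac-address= is given, so RouterOS generates one; the ISP side must
#    accept a second MAC on the port.
/interface macvlan
add interface=ether1 mode=private name=macvlan1

/ip address
add address=xx.xx.55.84/24 interface=ether1
add address=xx.xx.55.85/24 interface=macvlan1

# 2. Both egress interfaces in the WAN list, so the defconf
#    "drop all from WAN not DSTNATed" rule also covers macvlan1
/interface list member
add interface=ether1 list=WAN
add interface=macvlan1 list=WAN

# 3. One routing table per public IP. The gateway address is the same in
#    all three routes; the %interface qualifier is what selects the egress
#    interface, and therefore which src-nat rule below will match.
/routing table
add fib name=WAN-84
add fib name=WAN-85

/ip route
add dst-address=0.0.0.0/0 gateway=xx.xx.55.1%ether1   routing-table=main
add dst-address=0.0.0.0/0 gateway=xx.xx.55.1%ether1   routing-table=WAN-84
add dst-address=0.0.0.0/0 gateway=xx.xx.55.1%macvlan1 routing-table=WAN-85

# 4. Routing rules. The first rule consults main but, with min-prefix=0,
#    ignores the 0.0.0.0/0 route, so connected routes (the other bridge, the
#    router itself) still win and LAN-to-LAN traffic keeps working; anything
#    not matched there falls through to the per-subnet rules.
/routing rule
add action=lookup-in-table min-prefix=0 table=main comment="connected/local routes first"
add action=lookup src-address=192.168.0.0/24 table=WAN-84
add action=lookup src-address=192.168.1.0/24 table=WAN-85

# 5. src-nat keyed on the egress interface. action=src-nat, never masquerade:
#    masquerade ignores to-addresses= and would use the interface's primary IP.
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1   to-addresses=xx.xx.55.84
add action=src-nat chain=srcnat out-interface=macvlan1 to-addresses=xx.xx.55.85
```

Two things to check after applying it: `/ip route print where routing-table=WAN-85` should show its default route active with the `%macvlan1` qualifier (an inactive route there means the gateway is not reachable over the MACVLAN, usually because the upstream port does not accept the second MAC), and `/ip firewall connection print detail` for a connection from each bridge should show `reply-dst-address` equal to the public IP that bridge is supposed to use. Router-originated traffic matches none of the src-address rules and so falls through to the main table and leaves via ether1 with xx.xx.55.84.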
