Mikrotik
ruskella, 2014-01-13 22:37:30

Mikrotik setup: 1 provider issues 2 IPs that need to be divided into two networks / interfaces

Hello, please tell me how to configure Internet access on a Mikrotik 2011UiAS-2HnD router in the following way:
Two IPs are assigned statically on the optical port (sfp1); one IP must be given to one interface (or bridge / master-slave), the second IP to another interface.
The difficulty is this: I can get the first network working, i.e. I assign the first dedicated IP to the desired group of interfaces, write the rules in the firewall and in the routes, and everything works, no problems.
But now I need to connect the second address. I do the same as for the first one, and... the second network goes out through the first IP, which is not correct, and the rule in the routes is blue. I found on the Internet how to do it:
asp24.com.ua/blog/perenapravlenie-ip-adresov-na-vt...
that is, the routes of the first network must be marked with one mark and the second network with another, and in the routes you specify that the first network with mark 1 goes through the route that filters by mark 1. This seems fine and there should be no problems; I do this for both the first and the second network, and at first glance everything works, but now I cannot reach Mikrotik from outside, although it is allowed (I did not prohibit it anywhere).
I can connect from outside to the server behind Mikrotik (via port forwarding), and from there to Mikrotik via ssh (the server is Ubuntu Server, without shell/GUI).
So, how do I solve this last problem, or how should it be set up correctly?
UPD
Network setup:
the provider issues:
1) x3.xx.xx.x6/24 with gateway x3.xx.xx.1 - this is for network 192.168.1.0/24
2) x9.xx.xxx.xx8/24 with gateway x9.xx.xxx.1 - this is for network 192.168.4.0/24
Configs:
/ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=sfp1 

 1   chain=dstnat action=netmap to-addresses=192.168.1.230 to-ports=80 protocol=tcp dst-address=x3.xx.xx.x6 in-interface=sfp1 dst-port=81 

 2   chain=dstnat action=netmap to-addresses=192.168.1.230 to-ports=3000 protocol=tcp dst-address=x3.xx.xx.x6 in-interface=sfp1 dst-port=3000 

 3   chain=dstnat action=netmap to-addresses=192.168.1.230 to-ports=22 protocol=tcp dst-address=x3.xx.xx.x6 in-interface=sfp1 dst-port=2222 

 4   chain=dstnat action=netmap to-addresses=192.168.1.230 to-ports=2233 protocol=tcp dst-address=x3.xx.xx.x6 in-interface=sfp1 dst-port=2233 

 5   chain=srcnat action=masquerade src-address=192.168.4.0/24 out-interface=sfp1

/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=mark-routing new-routing-mark=233 passthrough=no src-address=192.168.4.0/24 

 1   chain=prerouting action=mark-routing new-routing-mark=231 passthrough=no src-address=192.168.1.0/24

/ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=x9.xx.xxx.1 gateway-status=x9.xx.xxx.1 reachable via  sfp1 check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=233 

 1 A S  dst-address=0.0.0.0/0 gateway=x3.xx.xx.1 gateway-status=x3.xx.xx.1 reachable via  sfp1 check-gateway=ping distance=1 scope=30 target-scope=10 

 2 X S  dst-address=0.0.0.0/0 gateway=WAN gateway-status=WAN inactive distance=1 scope=30 target-scope=10 

 3 ADC  dst-address=x3.xx.xx.0/24 pref-src=x3.xx.xx.x6 gateway=sfp1 gateway-status=sfp1 reachable distance=0 scope=10 

 4 ADC  dst-address=x9.xx.xxx.0/24 pref-src=x9.xx.xxx.xx8 gateway=sfp1 gateway-status=sfp1 reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=bridge1,bridge1 gateway-status=bridge1 reachable,bridge1 reachable distance=0 scope=10 

 6 X S  dst-address=192.168.1.0/24 gateway=sfp1 gateway-status=sfp1 inactive check-gateway=ping distance=1 scope=30 target-scope=10 

 7 ADC  dst-address=192.168.4.0/24 pref-src=192.168.4.1 gateway=ether6 gateway-status=ether6 reachable distance=0 scope=10

For 192.168.1.0/24 I removed the marking, because whoever has the gateway 192.168.1.1 configured gets no response from the DNS server (the router does not let it through).
Without marking 192.168.1.0/24, access via the web interface works (I did not try winbox).


3 answers

Smugo, 2014-01-13

Just today I read an article on this subject:
habrahabr.ru/post/186284

EvilMan, 2014-01-13

Show the config. According to the description, you are doing everything right, but if it does not work, then something is overlooked. Are the addresses from one subnet or from different ones? If from one, then no PBR is needed; simply NAT to the desired address by mark (use src-nat instead of masquerade). If the addresses issued by the provider are from different subnets (with different gateways), then you really do need PBR, but there it is simply done with a separate route with a mark for each gateway.

kodi, 2014-01-14

@ruskella
Incoming connections to the second IP must also be marked. You mark only outgoing traffic, and accordingly the responses to it pass normally. But if the connection is initiated from the incoming side, then it does not match your rule.
I wrote about connection marking, but it also applies to packets.
And you don't seem to use search. You are not the first and not the last: Several ip-addresses via ethernet on one Mikrotik interface
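A worked configuration for the situation described in the question and in the two answers above (two public IPs from different provider subnets on sfp1, one per LAN, with the router itself reachable on both). This is an added example, not configuration from the thread or from any of the posters. It reuses the redacted addresses from the question as placeholders (x3.xx.xx.x6 / x3.xx.xx.1 for the first IP and gateway, x9.xx.xxx.xx8 / x9.xx.xxx.1 for the second) and the routing marks 231 and 233 from the question; the connection-mark names and the "admin-hosts" address list are assumptions. RouterOS v6 syntax.

```routeros
# Added example, not from the thread. Placeholders (redacted values from the question):
#   x3.xx.xx.x6 / x3.xx.xx.1   = first public IP / its gateway   -> LAN 192.168.1.0/24
#   x9.xx.xxx.xx8 / x9.xx.xxx.1 = second public IP / its gateway -> LAN 192.168.4.0/24

/ip firewall mangle
# 1) Remember which public IP a connection from the Internet arrived on. A connection
#    mark lives for the whole connection and survives dstnat, so every reply packet,
#    whether forwarded from the LAN server or generated by the router itself, can be
#    sent back through the gateway the provider expects for that address.
add chain=prerouting in-interface=sfp1 connection-state=new dst-address=x3.xx.xx.x6 action=mark-connection new-connection-mark=via-gw1 passthrough=yes
add chain=prerouting in-interface=sfp1 connection-state=new dst-address=x9.xx.xxx.xx8 action=mark-connection new-connection-mark=via-gw2 passthrough=yes

# 2) Replies of forwarded connections coming back from the LAN: route by the
#    connection mark. These rules must sit above the per-LAN rules in step 3,
#    otherwise a reply from 192.168.1.230 to a connection that came in on the
#    second IP would be pushed out via the first gateway.
add chain=prerouting in-interface=!sfp1 connection-mark=via-gw1 action=mark-routing new-routing-mark=231 passthrough=no
add chain=prerouting in-interface=!sfp1 connection-mark=via-gw2 action=mark-routing new-routing-mark=233 passthrough=no

# 3) Traffic to the router itself and between the LANs must stay in the main table;
#    the marked tables contain only a default route, so marking it would send DNS
#    queries for 192.168.1.1 (the symptom in the UPD) to the provider gateway.
add chain=prerouting dst-address=192.168.0.0/16 action=accept
#    New outbound connections from each LAN: pick the uplink by source network.
add chain=prerouting src-address=192.168.1.0/24 action=mark-routing new-routing-mark=231 passthrough=no
add chain=prerouting src-address=192.168.4.0/24 action=mark-routing new-routing-mark=233 passthrough=no

# 4) Packets the router generates itself (ssh/web/winbox replies to the admin) never
#    pass prerouting; their routing mark is set in the output chain from the
#    connection mark. Without this, a session opened to the second IP is answered
#    via the first gateway with the "wrong" source address and the provider drops it.
add chain=output connection-mark=via-gw1 action=mark-routing new-routing-mark=231 passthrough=no
add chain=output connection-mark=via-gw2 action=mark-routing new-routing-mark=233 passthrough=no

/ip route
# One default route per routing table, plus an unmarked default for the router's
# own unmarked traffic (updates, NTP, DNS forwarding).
add dst-address=0.0.0.0/0 gateway=x3.xx.xx.1 routing-mark=231 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=x9.xx.xxx.1 routing-mark=233 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=x3.xx.xx.1 distance=1

/ip firewall nat
# src-nat to a fixed address instead of masquerade: each LAN leaves with exactly the
# public IP that belongs to its gateway, independent of which address is "first".
add chain=srcnat src-address=192.168.1.0/24 out-interface=sfp1 action=src-nat to-addresses=x3.xx.xx.x6
add chain=srcnat src-address=192.168.4.0/24 out-interface=sfp1 action=src-nat to-addresses=x9.xx.xxx.xx8

/ip firewall filter
# Once both public IPs answer, the router's management ports are exposed on both.
# Accept them only from a known address list (assumed name "admin-hosts") and drop
# everything else arriving on sfp1 that is not part of an existing connection.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=sfp1 src-address-list=admin-hosts protocol=tcp dst-port=22,80,8291 action=accept
add chain=input in-interface=sfp1 action=drop
```

Rule order inside each chain is what makes this work: connection marking first, reply routing by connection mark second, the local/inter-LAN accept third, and only then the per-source-network marks. To confirm the behaviour, open a session to the second public IP from outside and check that the connection shows connection-mark via-gw2 in /ip firewall connection print and that the reply packets leave with source x9.xx.xxx.xx8 in /tool sniffer or torch on sfp1.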
