I think that pretty much got it. As someone earlier pointed out.. I think I am merely overthinking all this. I was going to simply source nat all the traffic coming from the router but didn't know if it would continue to cause problems.
Sometimes all you need is that perspective from the outside.

Keith

-----Original Message-----
From: "Butch Evans" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <[email protected]>
Sent: 4/7/08 9:49 PM
Subject: Re: [Mikrotik] Multiple Address's on an Interface

On Mon, 7 Apr 2008, Keith Barber wrote:

>I was working over the weekend switching my routers over from being
>behind NAT to having full blown public ips. I was hoping to be
>able to "overlay" the public IPs, but all the traffic continued to
>say it was coming from the internal IPs.
>
>Is there a way in MT that you can say, this address is the primary
>one for this interface? If not, then my next move will probably be
>to start implementing vlans, so I get separate interfaces.

Take the following config for example:

/ip address
add interface=ether1 address=10.0.0.1/24
add interface=ether1 address=10.0.1.1/24
/ip route
add gateway=10.0.1.2

If you want to ping a device that is at 10.0.0.0/24, then that device will see a ping from 10.0.0.1. Likewise, if you ping a device on the 10.0.1.0/24 network, that device will see the source as 10.0.1.1. You can verify this with:

/ip route print

Note the "pref-source" column. Now, if you add the following config:

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

Traffic leaving the router that is natted by that rule will use the source address of 10.0.0.1. Why? Because that is the FIRST IP address on the ether1 interface. You can't see that in WINBOX, but doing "/ip address print" from a terminal will show you which was added first. If you need it to use 10.0.1.1 instead, you have 3 choices.

1. You can remove the 10.0.0.1 address, then add it again, leaving the 10.0.1.1 as the first IP on the interface.
2. You can set the pref-source parameter of the default route to be the 10.0.1.1 address (this is the easiest).
3. You can, instead of the masquerade rule above, src-nat as below:

/ip firewall nat
add chain=srcnat out-interface=ether1 action=src-nat \
    to-addresses=10.0.1.1

I don't know for sure if I understood the issue you were facing, but that is the short answer. ;-)

--
********************************************************************
* Butch Evans                   * Professional Network Consultation *
* Network Engineering           * MikroTik RouterOS                 *
* 573-276-2879                  * ImageStream                       *
* http://www.butchevans.com/    * StarOS and MORE                   *
* Mikrotik Certified Consultant * Wired or Wireless Networks        *
********************************************************************

