This guide is a simple outline for altering a default Mikrotik routerboard
configuration, in order to serve and route public IP addresses from a /29
allocation delivered over a PPPoE session.
The last usable IP of the subnet will be used by the router as the gateway (our
ISP returns this IP on PPPoE connection), and NAT for the private subnet
allocation.
This configuration serves the public IPs to devices over DHCP only after they have been set as static leases, so public addresses are never handed out by default.
There are no firewall rules that apply to devices which are assigned public IP addresses. Keep that in mind when configuring your device, as it will be fully exposed to the internet.
This configuration is based on the default router configuration from Mikrotik, therefore the following assumptions have been made:
- A network bridge exists for your private traffic, named `bridge`.
- A DHCP server exists on the bridge, named `defconf`.
- We're using the default interface groups, `WAN` and `LAN`.
- We can pass on traffic as the 2nd rule in the firewall (after the counter entry).
IP Address | Purpose |
---|---|
10.0.0.16 | Network address |
10.0.0.17 | Usable address for device |
10.0.0.18 | Usable address for device |
10.0.0.19 | Usable address for device |
10.0.0.20 | Usable address for device |
10.0.0.21 | Usable address for device |
10.0.0.22 | Gateway (router) |
10.0.0.23 | Broadcast address |
PPPoE Configuration
We need to create a PPPoE profile, plus a client.
You will need to set your own username and password (replace `myusername` and `mypassword`).
/ppp profile
add change-tcp-mss=yes name=ISP use-compression=no use-encryption=no use-ipv6=no use-mpls=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=isp-pppoe profile=ISP user=myusername password=mypassword
/interface list member
add interface=isp-pppoe list=WAN
IP Address Configuration
We need to set up our IP range in a few places:
- The router itself needs to be given the last address.
- The DHCP server needs to be aware of the range in order to know how to serve information such as the gateway and DNS server. We do not need to define a pool since we're not going to freely allocate these addresses.
- We need to create an IP list in the firewall for the usable subnet (excluding the router's IP itself) in order to tell the firewall to simply pass on traffic.
/ip address
add address=10.0.0.22/29 interface=bridge network=10.0.0.16
/ip dhcp-server network
add address=10.0.0.16/29 dns-server=10.0.0.22 gateway=10.0.0.22 netmask=29
/ip firewall address-list
add address=10.0.0.17-10.0.0.21 list=public-range
/ip firewall filter
add action=accept chain=forward comment="Allow all traffic to public IP range" dst-address-list=public-range place-before=*1
Allocate IP Addresses
Finally, we just need to tell the DHCP server how to map these IP addresses to local client devices.
Just replace the IP with one from the usable range and the MAC address with that of the local client device.
/ip dhcp-server lease
add address=10.0.0.20 mac-address=A0:B1:C2:D3:E4:F5 server=defconf
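
As an added example (not part of the original guide), this Python script generalizes the address steps above to any routed IPv4 prefix: it derives the gateway and device range the same way the guide does, and refuses a static lease on the network, gateway or broadcast address. The function names are hypothetical; the emitted RouterOS lines mirror the ones shown above.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def plan(prefix):
    """Return (network, first_device, last_device, gateway) for a routed prefix.

    Follows the guide's layout: the last usable IP belongs to the router.
    """
    # strict=True rejects a prefix with host bits set, e.g. 10.0.0.22/29
    net = ipaddress.IPv4Network(prefix, strict=True)
    if net.prefixlen > 30:
        raise ValueError("need room for a gateway and at least one device")
    gateway = net.broadcast_address - 1
    return net, net.network_address + 1, gateway - 1, gateway

def network_commands(prefix, bridge="bridge"):
    """RouterOS lines for the address, DHCP network and address-list entries."""
    net, first, last, gw = plan(prefix)
    # A /30 leaves a single device address, so emit it alone rather than a range
    span = str(first) if first == last else f"{first}-{last}"
    return [
        "/ip address",
        f"add address={gw}/{net.prefixlen} interface={bridge} network={net.network_address}",
        "/ip dhcp-server network",
        f"add address={net} dns-server={gw} gateway={gw} netmask={net.prefixlen}",
        "/ip firewall address-list",
        f"add address={span} list=public-range",
    ]

def lease_command(prefix, address, mac, server="defconf"):
    """Static lease line; only addresses inside the device range are accepted."""
    _, first, last, _ = plan(prefix)
    ip = ipaddress.IPv4Address(address)
    if not first <= ip <= last:
        raise ValueError(f"{ip} is not a device address in {prefix}")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"add address={ip} mac-address={mac.upper()} server={server}"

if __name__ == "__main__":
    # Constructed sample input: the prefix and MAC used in this guide
    print("\n".join(network_commands("10.0.0.16/29")))
    print("/ip dhcp-server lease")
    print(lease_command("10.0.0.16/29", "10.0.0.20", "A0:B1:C2:D3:E4:F5"))
```

The firewall filter rule is not generated because it references the `public-range` list by name and does not change with the prefix.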