Expert Telecommunications & Internet Solutions

How to Assign Public IP Subnet on Mikrotik Router without NAT

There are occasions when a device (eg a VoIP phone, a server or another router) that is connected to a LAN interface of a Mikrotik router requires a public IP address.

Ideally the Mikrotik router should be able to route connections from such devices without the inefficiencies of network address translation (NAT).

There are step-by-step guides for Draytek routers on how to assign public IP addresses to LAN interfaces without NAT, but I could not find anything similar for Mikrotik routers.

There are plenty forum topics on this subject, but as with many Mikrotik forums there is no straightforward guidance.

I recently had to figure this out for myself and managed to get it working.

Hopefully my pain is your gain with the step-by-step guide below:

Step1: Ask your ISP for a Subnet of Public IP Addresses

When requesting a subnet of publicly routable IP addresses from your ISP you should ask for one more usable IP address than you need for the devices that you want to connect.

For example, if you have three devices that need public IP addresses, then you should ask your ISP for four public IP addresses.

The reason for this is that one of the IP addresses is required for the LAN interface gateway on your Mikrotik router.

In my situation I only needed one IP address for a VoIP phone, so I asked for two public IP addresses.

My ISP gave me the subnet 87.XXX.YYY.228/30 which comprises:

  • 87.XXX.YYY.228 – Network Address
  • 87.XXX.YYY.229 – Usable Address
  • 87.XXX.YYY.230 – Usable Address
  • 87.XXX.YYY.231 – Broadcast Address
Step 2: Assign IP Addresses to Mikrotik Interface

The next step is to assign your public IP addresses to the interface to which your device will be connected.

This could be Bridge, LAN or VLAN depending on your particular set up.

In my case I required my VoIP phone to be on VLAN 100.

You also need to decide what IP address is to be assigned to your interface and what addresses are to be used for your device(s).

In my case 87.XXX.YYY.229 was assigned to the interface with 87.XXX.YYY.230  assigned to the VoIP phone.

The Mikrotik script for achieving this is:

/ip address

add address=87.XXX.YYY.229/30 interface=vlan1000 network=87.XXX.YYY.228

The /30 subnet mask is essential as I discovered after some trial and error.

This script automatically creates an IP route as follows:

  • Dst Address – 87.XXX.YYY.228/30
  • Gateway – vlan 100 reachable
  • Pref Source – 87.XXX.YYY.229
Step 3: Create Firewall Rule to Allow Connections from Subnet

You will probably have a firewall rule that allows connections from your private subnets to the internet and drops everything else.

You will therefore need to create a rule to allow connections from your public subnet.

This is the script that I used:

/ip firewall filter

add action=accept chain=forward connection-state=new out-interface=ether1 src-address=87.XXX.YYY.228/30

My WAN interface is ether1.

Step 4: Assign IP Address to Device

To assign the chosen public IP address(es) to your device you have the option of manually configuring the network settings in your device or you can configure your Mikrotik router to assign the address(es) by DHCP.

To assign the IP address manually you would enter the device IP (87.XXX.YYY.230), gateway IP (87.XXX.YYY.229) and DNS server (eg information into the device’s network settings.

To configure your Mikrotik router to assign the IP address by DHCP you would use the following scripts:

/ip pool

add name=pool_100 ranges=87.XXX.YYY.230

/ip dhcp-server

add address-pool=pool_100 authoritative=after-2sec-delay disabled=no interface=vlan100 name=dhcp_100

/ip dhcp-server network

add address=87.XXX.YYY.228/30  dns-server= gateway=87.XXX.YYY.229

If you had a large subnet you would increase the DHCP Pool range accordingly.

Step 5: Create Firewall Rule to Allow Connections to Subnet

You may want to allow connections from the outside world to one or more devices that have been assigned IP addresses in your public subnet.

This may be from specific external public IP addresses or it may be from all public IP addresses if your subnet device (eg a router) has its own firewall.

You will therefore need to create a rule to allow external connections to your public subnet.

This is the script that I used:

/ip firewall filter

add action=accept chain=forward dst-address=87.XXX.YYY.228/30 in-interface=ether1

The above script allows all external connections to all addresses in the public subnet, but this can be restricted to specific external IP addresses using the “src-address” field or specific subnet addresses in the “dst-address” field.

You may need one or more additional lines in the firewall filter to achieve the restrictions that are required.

Get In Touch

Click on the contact button to the left (or use our contact form) if you wish to discuss telecommunications or internet solutions for your home or office.

About Us

Premitel are an established telecommunications & internet solutions provider serving primarily Edinburgh, the Lothians & Scottish Borders, although we have a few clients throughout the UK and overseas.

Our customers are typically businesses, although that includes the increasing number of home workers.

We specialise in:

  • high quality VoIP solutions and services;
  • boosting & extending WiFi;
  • better & faster internet;
  • cordless phone systems; and
  • expense reduction.

Our advice is free for relatively straightforward requirements. For more complex projects, we offer a free initial no-obligation consultation.

Premitel in partnership with First City Communications also offer telephone & internet installation & support services for business & residential customers.