I bought 5 reserved (unused) public addresses (a /29) from my ISP, and I want to assign one of those addresses to a Windows server/client machine on my private LAN.
The goal is to reach the server/client machine from anywhere without port forwarding on my MikroTik router.
Is it possible to do this? If so, how?
Answer 1
Yes, you can; there are many examples online, both text-based and video, for MikroTik routers.
Note that assigning (and routing) a public IP address to a computer inside a private network turns that computer (located inside the private network) into a "public computer". If you do not address the risks involved in this configuration, potential security issues may arise.
Here is an example (source):
Step 1: Assign an IP address to the Mikrotik interface that your device will connect to.
This could be Bridge, LAN or VLAN depending on your particular set up.
In my case I required my VoIP phone to be on VLAN 100.
You also need to decide what IP address is to be assigned to your interface and what addresses are to be used for your device(s).
In my case 87.XXX.YYY.229 was assigned to the interface with 87.XXX.YYY.230 assigned to the VoIP phone.
The Mikrotik script for achieving this is:
/ip address
add address=87.XXX.YYY.229/30 interface=vlan100 network=87.XXX.YYY.228
The /30 subnet mask is essential as I discovered after some trial and error.
This script automatically creates an IP route as follows:
Dst Address – 87.XXX.YYY.228/30
Gateway – vlan 100 reachable
Pref Source – 87.XXX.YYY.229
Step 2: Create a firewall rule to allow connections from the subnet
You will probably have a firewall rule that allows connections from your private subnets to the internet and drops everything else.
You will therefore need to create a rule to allow connections from your public subnet.
This is the script that I used:
/ip firewall filter
add action=accept chain=forward connection-state=new out-interface=ether1 src-address=87.XXX.YYY.228/30
My WAN interface is ether1.
Step 3: Assign an IP address to the device
To assign the chosen public IP address(es) to your device you have the option of manually configuring the network settings in your device or you can configure your Mikrotik router to assign the address(es) by DHCP.
To assign the IP address manually you would enter the device IP (87.XXX.YYY.230), gateway IP (87.XXX.YYY.229) and DNS server (eg 8.8.8.8) information into the device’s network settings.
To configure your Mikrotik router to assign the IP address by DHCP you would use the following scripts:
/ip pool
add name=pool_100 ranges=87.XXX.YYY.230
/ip dhcp-server
add address-pool=pool_100 authoritative=after-2sec-delay disabled=no interface=vlan100 name=dhcp_100
/ip dhcp-server network
add address=87.XXX.YYY.228/30 dns-server=8.8.8.8 gateway=87.XXX.YYY.229
If you had a large subnet you would increase the DHCP Pool range accordingly.
Step 4: Create a firewall rule to allow connections to the subnet
You may want to allow connections from the outside world to one or more devices that have been assigned IP addresses in your public subnet.
This may be from specific external public IP addresses or it may be from all public IP addresses if your subnet device (eg a router) has its own firewall.
You will therefore need to create a rule to allow external connections to your public subnet.
This is the script that I used:
/ip firewall filter
add action=accept chain=forward dst-address=87.XXX.YYY.228/30 in-interface=ether1
The above script allows all external connections to all addresses in the public subnet, but this can be restricted to specific external IP addresses using the “src-address” field or specific subnet addresses in the “dst-address” field.
You may need one or more additional lines in the firewall filter to achieve the restrictions that are required.
I don't have a MikroTik router, so unfortunately I am unable to test this.
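The four steps of Answer 1 collected into one RouterOS script, as an added example that is not part of the answer or its source. The step-4 rule is narrowed so that only one service on the public host is reachable from the internet and everything else aimed at the public /30 is dropped, which is the restriction the answer mentions but does not show. The interface names (ether1, vlan100), the placeholder prefix 87.XXX.YYY.228/30, the host address .230 and TCP port 443 are assumptions; adjust them to your setup.

```routeros
# Added example, not the answer's own script. Assumptions: ether1 is the WAN
# interface, vlan100 faces the public host, 87.XXX.YYY.228/30 is a placeholder
# for the ISP-provided prefix, and the host only needs to serve TCP/443.

# Step 1: give the LAN-side VLAN interface the first usable address of the public /30
/ip address
add address=87.XXX.YYY.229/30 interface=vlan100 network=87.XXX.YYY.228

# Step 3: hand the remaining usable address (.230) to the device by DHCP
/ip pool
add name=pool_100 ranges=87.XXX.YYY.230
/ip dhcp-server
add address-pool=pool_100 authoritative=after-2sec-delay disabled=no interface=vlan100 name=dhcp_100
/ip dhcp-server network
add address=87.XXX.YYY.228/30 dns-server=8.8.8.8 gateway=87.XXX.YYY.229

# Steps 2 and 4: forward-chain rules. RouterOS evaluates filter rules top to
# bottom and the first match wins, so the order below matters.
/ip firewall filter
# replies to connections the public host itself started
add chain=forward connection-state=established,related action=accept comment="public /30: return traffic"
# step 2: let the public host reach the internet
add chain=forward connection-state=new src-address=87.XXX.YYY.228/30 out-interface=ether1 action=accept comment="public /30: outbound"
# step 4, narrowed: only TCP/443 on the one host, not every port on the whole subnet
add chain=forward connection-state=new in-interface=ether1 dst-address=87.XXX.YYY.230 protocol=tcp dst-port=443 action=accept comment="public /30: inbound HTTPS to server"
# anything else from the WAN side aimed at the public /30 is dropped and logged
add chain=forward in-interface=ether1 dst-address=87.XXX.YYY.228/30 action=drop log=yes log-prefix="pub30-drop" comment="public /30: default deny"
```

The final drop rule is scoped to the public /30 only, so whatever rules already protect the private subnets keep working unchanged; check the resulting order with `/ip firewall filter print` and move the new rules above any broad accept rule that would otherwise match first. The log prefix makes attempts against the exposed host easy to pick out in `/log print`.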
Answer 2
Technically, you cannot pass an IP address from the WAN side to the LAN side. The only way to achieve this is with the following options:
Option 1: This is the best option and needs no additional configuration; you can create 2 bridges:
1- Bridge-WAN: any interface that is a member of this bridge will have the IP addresses routed. The problem with this option is that you need to connect the server or the customer's router directly to a port that is a member of Bridge-WAN, rather than through a switch trunk port.
2- Bridge-LAN: any port or VLAN assigned to this bridge will be your LAN side and will go through your switch trunk port.
Option 2: For this option you need 2 subnets from the ISP; say you get a /30 for the router and a /29 for internal use, or, in my case, I have a /27. When the ISP provides both subnets, the second subnet, which they call the LAN one, can be routed to Bridge-LAN or Bridge-WAN just like any of your internal IP addresses. The only difference here is that the ISP routes the entire second subnet to the first subnet, so both are routable regardless of whether they come from the WAN port or the LAN port.
I hope this helps
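The two-bridge layout of Option 1 written out as a RouterOS script, as an added example that is not part of the answer. It assumes ether1 is the uplink to the ISP, ether2 is the port the public-addressed server plugs into, ether3 to ether5 are private LAN ports, and 87.XXX.YYY.229/29 is a placeholder for the router's own public address; all of these are assumptions.

```routeros
# Added example, not the answer's own configuration. Assumptions: ether1 = ISP
# uplink, ether2 = server that will carry a public address, ether3-ether5 =
# private LAN, 87.XXX.YYY.229/29 = placeholder for the router's public address.

# Bridge-WAN puts ether1 (ISP) and ether2 (server) on one layer-2 segment, so the
# server is configured with one of the ISP's public addresses and the ISP's
# gateway directly; the router does not route for it. Bridge-LAN carries the
# private ports and any VLANs that arrive over the switch trunk.
/interface bridge
add name=bridge-wan
add name=bridge-lan
/interface bridge port
add bridge=bridge-wan interface=ether1
add bridge=bridge-wan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5

# The router's own public address moves from ether1 onto the bridge interface,
# otherwise the router loses its WAN connectivity once ether1 becomes a bridge port.
/ip address
add address=87.XXX.YYY.229/29 interface=bridge-wan

# Frames switched between ether1 and ether2 never enter the IP firewall unless
# bridged traffic is handed to it. Without this setting the server's only
# protection is its own host firewall, which is the risk Answer 1 warns about.
/interface bridge settings
set use-ip-firewall=yes
```

With `use-ip-firewall=yes` the traffic for the server shows up in the forward chain with `in-interface=bridge-wan`, so the same narrowing and default-deny rules used for a routed subnet can be applied to it; without that setting, review the server's host firewall before plugging it into ether2.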