
    Document version: 2025-10-24
    Author: Maulik Bhuptani – Macro World Softwares


    🧭 Overview

    This configuration allows a single Airtel WAN line (port 1) with two static public IPs to serve two internal LAN subnets.
    Each LAN subnet decides which public IP to use purely by the gateway set on the PC; no VLANs or extra switches are required.


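    ⚙️ Network Summary

    | Role  | Internal Subnet | LAN Gateway | Public IP (NAT) | Public Gateway | WAN Port |
    |-------|-----------------|-------------|-----------------|----------------|----------|
    | LAN-1 | 192.168.4.0/24  | 192.168.4.1 | 122.170.9.12    | 122.170.9.1    | ether1   |
    | LAN-2 | 192.168.5.0/24  | 192.168.5.1 | 122.169.117.19  | 122.169.117.1  | ether1   |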

    🧩 Physical Layout

    | Port            | Function                  | Current Use             | Future Provision           |
    |-----------------|---------------------------|-------------------------|----------------------------|
    | ether1          | WAN – Airtel 1            | Active (two public IPs) | Primary Internet           |
    | ether2          | Reserved – Airtel 3       | -                       | Secondary (distance 2)     |
    | ether3          | Reserved – Airtel 2       | -                       | Tertiary (distance 3)      |
    | ether4          | Reserved – ACT            | -                       | Backup (distance 4)        |
    | ether5 – ether8 | LAN Bridge                | LAN Uplink → Switch     | Active                     |
    | ether7 + ether8 | Used for PCs / LAN uplink | Confirmed working       |                            |
    | USB             | -                         | -                       | Jio 4G Dongle (distance 5) |
    | sfp+1           | -                         | -                       | 10 GbE expansion           |

    🌐 Logical Diagram

    [Airtel ONT (Bridge)]
            │  (Public IPs 122.170.9.12 / 122.169.117.19)
         [RB5009]
            │ ether1  (WAN - Airtel)
            │
     ┌───────────────────────────────┐
     │ bridge-lan (ether5–8)         │
     ├──────────────┬────────────────┤
     │              │                │
    LAN-1:192.168.4.x→GW 192.168.4.1→122.170.9.12
    LAN-2:192.168.5.x→GW 192.168.5.1→122.169.117.19
    

    Behavior

    | PC Gateway  | Outgoing Public IP | Comment             |
    |-------------|--------------------|---------------------|
    | 192.168.4.1 | 122.170.9.12       | Primary Airtel IP   |
    | 192.168.5.1 | 122.169.117.19     | Secondary Airtel IP |

    Switching a PC between public IPs is as simple as changing the gateway between .4.1 and .5.1.


    📜 Core Configuration Summary

    RouterOS version: 7.x
    Device: MikroTik RB5009UG+S+

    1. Identity

    /system identity set name="RB5009-DualIP"
    

    2. WAN (Airtel)

    /interface ethernet set [find default-name=ether1] name=wan-airtel
    /ip address
    add address=122.170.9.12/24 interface=wan-airtel comment="Airtel Public #1"
    add address=122.169.117.19/32 interface=wan-airtel comment="Airtel Public #2"
    

    3. LAN Bridge

    /interface bridge add name=bridge-lan protocol-mode=rstp
    /interface bridge port
    add bridge=bridge-lan interface=ether5
    add bridge=bridge-lan interface=ether6
    add bridge=bridge-lan interface=ether7
    add bridge=bridge-lan interface=ether8
    /ip address
    add address=192.168.4.1/24 interface=bridge-lan comment="GW for 122.170.9.12"
    add address=192.168.5.1/24 interface=bridge-lan comment="GW for 122.169.117.19"
    

    4. Routing Tables + Routes

    /routing table
    add name=to-122-170-9-12 fib
    add name=to-122-169-117-19 fib
    
    /ip route
    add dst-address=0.0.0.0/0 gateway=122.170.9.1 routing-table=to-122-170-9-12
    add dst-address=0.0.0.0/0 gateway=122.169.117.1 routing-table=to-122-169-117-19
    

    5. Policy Routing (Mangle)

    /ip firewall mangle
    add chain=prerouting in-interface=bridge-lan src-address=192.168.4.0/24 \
        action=mark-routing new-routing-mark=to-122-170-9-12 passthrough=no
    add chain=prerouting in-interface=bridge-lan src-address=192.168.5.0/24 \
        action=mark-routing new-routing-mark=to-122-169-117-19 passthrough=no
    

    6. NAT (Source NAT)

    /ip firewall nat
    add chain=srcnat routing-mark=to-122-170-9-12 out-interface=wan-airtel \
        action=src-nat to-addresses=122.170.9.12
    add chain=srcnat routing-mark=to-122-169-117-19 out-interface=wan-airtel \
        action=src-nat to-addresses=122.169.117.19
    

    7. Basic Firewall

    /ip firewall filter
    add chain=input action=accept connection-state=established,related
    add chain=input action=drop connection-state=invalid
    add chain=input action=accept in-interface=bridge-lan comment="Allow LAN mgmt"
    add chain=input action=drop in-interface=wan-airtel comment="Drop all from WAN"
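
Section 7 filters only the input chain and binds its WAN drop rule to one interface name, so forwarded traffic is unfiltered and a second uplink would reach the router unprotected. The block below is an added example, not part of the original configuration, showing one way to close both gaps. It assumes the interface names from sections 2 and 3; the WAN and LAN interface lists are introduced here for illustration.

```routeros
# Added example, not from the original article. Interface names follow
# sections 2-3 (wan-airtel, bridge-lan); the WAN/LAN lists are an assumption
# introduced here so that ports added later inherit the same rules.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=wan-airtel
add list=LAN interface=bridge-lan

/ip firewall filter
# Input chain by list: a rule bound to in-interface=wan-airtel stops protecting
# the router (and its DNS cache, allow-remote-requests=yes) on any other uplink.
add chain=input action=drop in-interface-list=!LAN \
    comment="Drop everything not arriving from LAN"
# Forward chain: section 7 has no forward rules, so routed traffic is unfiltered.
add chain=forward action=accept connection-state=established,related \
    comment="Replies to LAN-initiated connections"
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="Drop unsolicited WAN traffic that is not port-forwarded"

# Layer-2 management is not covered by the IP firewall; keep it off the WAN side.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
```

These rules are appended after the four input rules of section 7, so rule order is preserved; verify the hit counters with `/ip firewall filter print stats` after applying.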
    

    8. DNS & NTP

    /ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
    /system clock set time-zone-name=Asia/Kolkata
    /system ntp client set enabled=yes servers=162.159.200.1,162.159.200.123
    

    Verification

    | Check               | Command                                         | Expected                   |
    |---------------------|-------------------------------------------------|----------------------------|
    | List default routes | /ip route print where dst-address=0.0.0.0/0     | Two routes (one per table) |
    | Test public IP      | From 192.168.4.x PC → ifconfig.me               | Shows 122.170.9.12         |
    |                     | From 192.168.5.x PC → ifconfig.me               | Shows 122.169.117.19       |
    | Router ping test    | /ping 8.8.8.8 routing-table=to-122-169-117-19   | Works via second GW        |

    🧱 Future Expansion Plan

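    | Stage   | Port   | ISP      | Role           | Distance | Notes                          |
    |---------|--------|----------|----------------|----------|--------------------------------|
    | Stage 2 | ether2 | Airtel 3 | Secondary link | 2        | Static 1 IP                    |
    | Stage 3 | ether3 | Airtel 2 | Tertiary link  | 3        | Two IPs (bridge later)         |
    | Stage 4 | ether4 | ACT      | Backup         | 4        | One static IP                  |
    | Stage 5 | USB    | Jio 4G   | Emergency      | 5        | USB tether                     |
    | Stage 6 | sfp+1  | -        | Optional 10G   | -        | LAN uplink or DC interconnect  |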

    Each new WAN will simply add:

    1. One /ip address entry.
    2. One /ip route with the desired distance.
    3. Optional NAT/health-check rules for failover.

    🧰 Maintenance Commands

    | Action             | Command                           |
    |--------------------|-----------------------------------|
    | Backup config      | /export file=dualip_backup        |
    | View backup file   | Files → dualip_backup.rsc         |
    | Restore            | /import dualip_backup.rsc         |
    | View NAT usage     | /ip firewall nat print stats      |
    | View routing marks | /ip firewall mangle print stats   |
    | Check route tables | /routing/route/print              |
    | Log identity       | /system identity print            |

    🧠 Key Takeaways

    • One Airtel physical line can host multiple public IPs.
    • Each internal subnet (192.168.4.x / 192.168.5.x) cleanly maps to a specific public IP.
    • Simple for troubleshooting: just change gateway on the PC.
    • Scales to multi-WAN by reusing the same design pattern.
    • RouterOS v7 policy-based routing ensures separation without VLANs or extra switches.

    Script

    # ===== Identity & housekeeping =====

    /system identity set name=RB5009-EDGE
    /user set admin password="CHANGE-ME-STRONG"

    # ===== Interface naming (optional, just for clarity) =====

    /interface ethernet set [ find default-name=ether1 ] name=wan1-airtel1
    /interface ethernet set [ find default-name=ether2 ] name=wan2-airtel3
    /interface ethernet set [ find default-name=ether3 ] name=wan3-airtel2
    /interface ethernet set [ find default-name=ether4 ] name=wan4-act
    /interface ethernet set [ find default-name=ether5 ] name=lan5
    /interface ethernet set [ find default-name=ether6 ] name=lan6
    /interface ethernet set [ find default-name=ether7 ] name=lan7
    /interface ethernet set [ find default-name=ether8 ] name=lan8

    # ===== LAN bridge on ports 5–8 =====

    /interface bridge add name=bridge-lan protocol-mode=rstp comment="LAN 192.168.4.0/24"
    /interface bridge port
    add bridge=bridge-lan interface=lan5
    add bridge=bridge-lan interface=lan6
    add bridge=bridge-lan interface=lan7
    add bridge=bridge-lan interface=lan8

    # Give the same bridge TWO gateway IPs (.1 and .2) as you requested

    /ip address
    add address=192.168.4.1/24 interface=bridge-lan comment="LAN GW #1"
    add address=192.168.4.2/24 interface=bridge-lan comment="LAN GW #2"

    # (Optional) DHCP for general PCs (avoid .101 and .102); disable if not needed

    /ip pool add name=pool_lan ranges=192.168.4.50-192.168.4.99,192.168.4.150-192.168.4.200
    /ip dhcp-server add name=dhcp_lan interface=bridge-lan address-pool=pool_lan lease-time=8h
    /ip dhcp-server network add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1

    # ===== DNS cache (so LAN can resolve) =====

    /ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

    # ===== WAN1: Airtel-1 (primary) with TWO public IPs =====

    # Replace mask/gateway with Airtel's exact details for 122.170.9.12

    /ip address add address=122.170.9.12/24 interface=wan1-airtel1 comment="Airtel-1 122.170.9.12"
    /ip route add dst-address=0.0.0.0/0 gateway=122.170.9.1 distance=1 check-gateway=ping comment="Default via Airtel-1-122.170.9.12"

    # Bind second Airtel public IP as /32 on the same interface (for SNAT usage)

    /ip address add address=122.169.117.19/32 interface=wan1-airtel1 comment="Airtel-1 122.169.117.19 (/32 for SNAT)"

    # ===== WAN slots prepared (future) with your distances =====
    # The placeholder routes below stay commented out until a gateway is filled in;
    # a route with an empty gateway= fails on import.

    # WAN2: Airtel-3 (bridge mode) – future static (distance 2). Placeholder. Add address/gateway later.

    # /ip route add dst-address=0.0.0.0/0 gateway= distance=2 check-gateway=ping comment="(Future) Default via Airtel-3"

    # WAN3: Airtel-2 (router mode -> bridge later) – future static (distance 3). Placeholder.

    # /ip route add dst-address=0.0.0.0/0 gateway= distance=3 check-gateway=ping comment="(Future) Default via Airtel-2"

    # WAN4: ACT (router mode -> bridge later) – future static (distance 4). For now likely 192.168.0.1.

    # /ip route add dst-address=0.0.0.0/0 gateway= distance=4 check-gateway=ping comment="(Future) Default via ACT"

    # WAN5: Jio 4G USB Tethering – distance 5. Will appear as lte1/ppp-out1 later.

    # /ip route add dst-address=0.0.0.0/0 gateway= distance=5 check-gateway=ping comment="(Future) Default via Jio 4G"

    # ===== Interface lists (defined before the NAT rule that references the WAN list) =====

    /interface list add name=WAN
    /interface list add name=LAN
    /interface list member add list=WAN interface=wan1-airtel1
    /interface list member add list=WAN interface=wan2-airtel3
    /interface list member add list=WAN interface=wan3-airtel2
    /interface list member add list=WAN interface=wan4-act
    /interface list member add list=LAN interface=bridge-lan

    # ===== NAT (very important order): specific hosts first, then general =====

    # Ensure .101 always uses 122.170.9.12

    /ip firewall nat add chain=srcnat src-address=192.168.4.101 out-interface=wan1-airtel1 action=src-nat to-addresses=122.170.9.12 comment="Server .101 -> 122.170.9.12"

    # Ensure .102 always uses 122.169.117.19

    /ip firewall nat add chain=srcnat src-address=192.168.4.102 out-interface=wan1-airtel1 action=src-nat to-addresses=122.169.117.19 comment="Server .102 -> 122.169.117.19"

    # General LAN internet via active default route (masquerade)

    /ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade comment="Masquerade others"

    # ===== Basic firewall =====

    /ip firewall filter
    add chain=input action=accept connection-state=established,related comment="Allow established/related"
    add chain=input action=drop connection-state=invalid
    add chain=input action=accept in-interface-list=LAN comment="Allow LAN to router (Winbox/DNS/DHCP)"
    add chain=input action=drop in-interface-list=WAN comment="Drop all from WAN to router"

    # ===== Time (for logs, future VPN, etc.) =====

    /system clock set time-zone-name=Asia/Kolkata
    # RouterOS 7.x takes the NTP servers as a single servers= list
    /system ntp client set enabled=yes servers=162.159.200.1,162.159.200.123
