Using Two Public IP Addresses from ISP DHCP
Using Two Public IP Addresses from ISP DHCP
Section titled “Using Two Public IP Addresses from ISP DHCP”Overview
Section titled “Overview”Some ISPs provide more than one usable public IP address on a single WAN connection. RouterOS supports two main delivery models:
- Routed subnet — ISP assigns one DHCP WAN address and routes an
additional public block (e.g. a
/29) to that address. You add the extra IPs as static addresses on the WAN interface. - Separate DHCP leases — ISP delivers each public IP as an independent DHCP lease, distinguished by L2 identity (VLAN or client-id/MAC). Each lease needs its own RouterOS DHCP client on a distinct interface.
This guide covers both models and shows how to use each public IP for outbound NAT and inbound destination-NAT.
Note: RouterOS supports only one
/ip dhcp-clientinstance per L2 interface. Two DHCP clients cannot share the same physical port without a separate virtual interface (VLAN or similar).
Prerequisites
Section titled “Prerequisites”- RouterOS v7.x (commands also work on v6.49+)
- WAN interface connected to ISP (example:
ether1) - ISP confirmed to supply two public IPv4 addresses on this connection
- LAN bridge already configured (example:
bridge-LAN,192.168.1.0/24)
Configuration
Section titled “Configuration”Scenario A — ISP routes an extra block via DHCP WAN
Section titled “Scenario A — ISP routes an extra block via DHCP WAN”The ISP gives your DHCP lease one primary WAN IP and separately routes
an additional block (or single /32) over that next-hop.
Step 1 — Configure the DHCP client
Section titled “Step 1 — Configure the DHCP client”/ip dhcp-clientadd interface=ether1 add-default-route=yes use-peer-dns=yes disabled=noStep 2 — Add the second public IP as a static address
Section titled “Step 2 — Add the second public IP as a static address”Replace 203.0.113.22 and the prefix length with the values your ISP
provides.
/ip addressadd interface=ether1 address=203.0.113.22/32 comment="2nd public IP"Use /30 or /29 if the ISP assigned you a small subnet rather than a
single host address.
Step 3 — NAT — map internal hosts to specific public IPs
Section titled “Step 3 — NAT — map internal hosts to specific public IPs”Order matters: more-specific rules must appear before the general masquerade rule.
/ip firewall nat
# Host A always leaves via the second public IPadd chain=srcnat src-address=192.168.1.10 out-interface=ether1 \ action=src-nat to-addresses=203.0.113.22 comment="host-A -> 2nd public"
# Everything else masquerades behind the primary DHCP-assigned IPadd chain=srcnat out-interface=ether1 action=masquerade \ comment="default masquerade"Step 4 — Publish inbound services on the second public IP (optional)
Section titled “Step 4 — Publish inbound services on the second public IP (optional)”/ip firewall natadd chain=dstnat dst-address=203.0.113.22 protocol=tcp dst-port=443 \ action=dst-nat to-addresses=192.168.1.10 to-ports=443 \ comment="HTTPS on 2nd public -> host-A"Scenario B — ISP delivers two leases on separate VLANs
Section titled “Scenario B — ISP delivers two leases on separate VLANs”The ISP tags each DHCP lease on a different VLAN (e.g. VLAN 10 for the first IP, VLAN 20 for the second).
Step 1 — Create VLAN interfaces on the WAN port
Section titled “Step 1 — Create VLAN interfaces on the WAN port”/interface vlanadd name=wan-vlan10 interface=ether1 vlan-id=10 comment="1st public VLAN"add name=wan-vlan20 interface=ether1 vlan-id=20 comment="2nd public VLAN"Step 2 — Add a DHCP client for each VLAN
Section titled “Step 2 — Add a DHCP client for each VLAN”/ip dhcp-clientadd interface=wan-vlan10 add-default-route=yes default-route-distance=1 \ use-peer-dns=yes disabled=no comment="primary WAN"add interface=wan-vlan20 add-default-route=yes default-route-distance=2 \ use-peer-dns=no disabled=no comment="2nd public WAN"Setting default-route-distance=2 on the second client makes the first
VLAN the preferred default gateway. Both default routes are installed;
traffic can be steered with policy routing (see Troubleshooting).
Step 3 — NAT per WAN interface
Section titled “Step 3 — NAT per WAN interface”/ip firewall natadd chain=srcnat src-address=192.168.1.10 out-interface=wan-vlan20 \ action=masquerade comment="host-A via 2nd public"
add chain=srcnat out-interface=wan-vlan10 action=masquerade \ comment="default via 1st public"Policy routing for deterministic outbound path (optional)
Section titled “Policy routing for deterministic outbound path (optional)”If you need specific internal hosts to always use a particular public IP regardless of NAT, add a routing table, mangle marks, and static routes.
# Create the policy routing table/routing tableadd name=via-wan2 fib
# Mark new connections from host-A, then steer them to the via-wan2 table/ip firewall mangleadd chain=prerouting src-address=192.168.1.10 connection-state=new \ action=mark-connection new-connection-mark=conn-wan2 passthrough=yes \ comment="host-A new conns via wan2"add chain=prerouting connection-mark=conn-wan2 action=mark-routing \ new-routing-mark=via-wan2 passthrough=no comment="steer conn-wan2 to table"
# Router-originated traffic (DNS queries, pings, etc.) also uses the tableadd chain=output connection-mark=conn-wan2 action=mark-routing \ new-routing-mark=via-wan2 passthrough=no
# Default route in the via-wan2 table/ip routeadd dst-address=0.0.0.0/0 gateway=wan-vlan20 routing-table=via-wan2 \ distance=1 check-gateway=pingVerification
Section titled “Verification”Confirm both addresses appear on the router and the DHCP client is bound:
/ip dhcp-client print detail/ip address print/ip route print detailCheck that NAT rules match traffic with non-zero packet counters:
/ip firewall nat print statsTest outbound source IP from a specific host:
# Run on the router itself (replace 203.0.113.22 with your 2nd public IP)/tool fetch url="https://ifconfig.me" src-address=203.0.113.22Trace active NAT translations:
/ip firewall connection print where src-address~"192.168.1.10"Troubleshooting
Section titled “Troubleshooting”Only one public IP is reachable inbound
Section titled “Only one public IP is reachable inbound”- Verify
/ip address printshows both public IPs on the interface. - Check that inbound
dstnatrules exist for the second IP. - Confirm the ISP is routing the second IP to your WAN next-hop, not to another subscriber.
Return traffic arrives on the wrong interface (Scenario B)
Section titled “Return traffic arrives on the wrong interface (Scenario B)”Asymmetric routing causes sessions to drop when replies leave via a different interface than the one that received the original packet. The connection-mark + routing-mark pattern in the Policy Routing section above handles this for LAN-initiated sessions. For inbound sessions (e.g. port-forwarded services), additionally mark connections entering on the second WAN and steer their replies:
/ip firewall mangleadd chain=input in-interface=wan-vlan20 action=mark-connection \ new-connection-mark=conn-wan2 passthrough=yes \ comment="inbound on 2nd WAN"add chain=output connection-mark=conn-wan2 action=mark-routing \ new-routing-mark=via-wan2 passthrough=no \ comment="replies exit via 2nd WAN"Ensure /routing table add name=via-wan2 fib and the corresponding
default route in that table are present (see Policy Routing above).
DHCP client shows searching indefinitely (Scenario B)
Section titled “DHCP client shows searching indefinitely (Scenario B)”- Confirm VLAN IDs match the ISP handoff configuration.
- Verify the physical port connects to an ISP CPE that tags those VLANs.
- Check ISP CPE allows the client-id or MAC of each VLAN interface.
Second public IP acquired but packets are dropped
Section titled “Second public IP acquired but packets are dropped”Ensure the firewall filter forward and input chains allow traffic
addressed to the second IP:
/ip firewall filteradd chain=input dst-address=203.0.113.22 action=accept \ comment="allow inbound on 2nd public" place-before=0