Mikrotik and NAT/Routing issue
You have to make decisions and design your network.
On ether1, which is connected to your ISP, you should define a smaller network, e.g. a /30 (to tell the truth it is much easier if you request one more small range from your ISP than splitting what you have now).
So on ether1 10.10.10.192/30 your gw is 10.10.10.193 and 10.10.10.194/30 is your IP (on the mikrotik - ether1). You then ask your ISP to route
- 10.10.10.196/30
- 10.10.10.200/29
- 10.10.10.208/28
to the address 10.10.10.194 and to set up the same /30 netmask on their side as you did on yours.
Then on ether2 you configure one (or more) of the address ranges seen above. On this interface you don't do any NAT. You set up the pool according to the address ranges configured on the interface.
On ether3 you configure private addresses as you wish. The examples you provided seem fine. Here you set up MASQUERADE, and this is the only place you have NAT.
And what was wrong with your original setup?
- You should not assign /32 networks the way you did.
- The ISP will address all as being on the same network however this is not the case.
- You do not do SNAT and DNAT at the same time on an interface. In this case you only do SNAT, which alters the source address. When the packets come back, the netfilter subsystem remembers what it did and will automatically do the reverse transformation. (MASQUERADE is a special case of SNAT.)
EDIT: If you do not want to involve your ISP in this, then you do the same and enable proxy-arp; this is well described here: http://wiki.mikrotik.com/wiki/Manual:IP/ARP#Proxy_ARP
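The answer's plan written out as RouterOS commands, added here as an example (it is not from the answer or from MikroTik); the interface names, which two of the routed ranges land on ether2, and the pool ranges are assumptions, and the DNS option for the DHCP networks is left out.

```routeros
# Added example (not from the original answer): the answer's address plan as
# RouterOS commands. Interface names and pool ranges are assumptions.

# ether1: only the /30 transit network; 10.10.10.193 is the ISP gateway.
/ip address add address=10.10.10.194/30 interface=ether1 comment="ISP transit /30"
/ip route add dst-address=0.0.0.0/0 gateway=10.10.10.193

# ether2: two of the ranges the ISP routes to 10.10.10.194, with no NAT at all.
# Both subnets live on the same interface; the router takes the first usable
# address of each and the DHCP pool hands out the rest.
/ip address add address=10.10.10.201/29 interface=ether2 comment="public /29"
/ip address add address=10.10.10.209/28 interface=ether2 comment="public /28"
/ip pool add name=public-pool ranges=10.10.10.202-10.10.10.206,10.10.10.210-10.10.10.222
/ip dhcp-server add name=public-dhcp interface=ether2 address-pool=public-pool lease-time=3d disabled=no
/ip dhcp-server network add address=10.10.10.200/29 gateway=10.10.10.201
/ip dhcp-server network add address=10.10.10.208/28 gateway=10.10.10.209

# ether3: private range; masquerade on the way out through ether1 is the only NAT.
/ip address add address=192.168.100.1/24 interface=ether3 comment="inner DHCP"
/ip pool add name=private-pool ranges=192.168.100.2-192.168.100.254
/ip dhcp-server add name=private-dhcp interface=ether3 address-pool=private-pool lease-time=3d disabled=no
/ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 out-interface=ether1 action=masquerade comment="ether3 -> internet"

# Variant without ISP involvement (the answer's EDIT): keep ether1 addressed with
# the full /27 as the ISP sees it, and let the router answer ARP on ether1 for the
# hosts that sit behind ether2.
# /ip address set [find interface=ether1] address=10.10.10.194/27
# /interface ethernet set ether1 arp=proxy-arp
```

Because the /29 and /28 on ether2 are more specific than the /27 on ether1, the connected routes already send replies to the right interface in the proxy-arp variant.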
arul
Updated on September 18, 2022

Comments
arul almost 2 years
I have basic NAT/Routing problem with Mikrotik RB750 that I've been unable to solve over the past days. From our ISP we have 26 IP addresses: 10.10.10.192/27, with 10.10.10.193 being the gateway and 10.10.10.194 the first available IP.
What I need is that everything connected to ether2 gets a public IP from the DHCP server, and everything connected to ether3 gets a local IP from another DHCP (192.168.100.0/24). All clients should have internet access (I'll figure out bandwidth throttling later) and optimally just 'see' each other (all boxes are Win7, I guess this can ultimately be handled with VPN).
Here is my setup: ether1 (10.10.10.194) is connected directly to ISP.
20 clients are connected to ether2 (10.10.10.195), and another 20 to ether3 (10.10.10.196) (both through the same 24-port switches).
This is my setup, which doesn't work: all 20 clients from ether2 can access the internet, though all communication seems to come from 10.10.10.194 (is this due to the masquerade on ether1?), and ether3 can't access the internet at all.
I think that I need to masquerade ether3, and SNAT/DNAT or NETMAP ether2, but that doesn't work either; I guess that I need to somehow 'wire' both ether2+3 to ether1.
Address list:
 #   ADDRESS             NETWORK         INTERFACE
 0   ;;; public
     10.10.10.194/32     10.10.10.192    ether1-gateway
 1   ;;; inner DHCP
     192.168.100.0/24    192.168.100.0   ether3-private
 2   ;;; public
     10.10.10.195/32     10.10.10.192    ether2-pub
 3   ;;; public
     10.10.10.196/32     10.10.10.192    ether3-private
NAT
 0   ;;; ether3 nat
     chain=srcnat action=src-nat to-addresses=10.10.10.196 src-address=192.168.100.0/24 out-interface=ether3-private
 1   ;;; ether3 nat
     chain=dstnat action=dst-nat to-addresses=192.168.100.0/24 in-interface=ether3-private
 2   ;;; ether1 masquerade
     chain=srcnat action=masquerade to-addresses=10.10.10.194 out-interface=ether1-gateway
Routes:
 #       DST-ADDRESS         PREF-SRC         GATEWAY          DISTANCE
 0 A S   0.0.0.0/0                            ether1-gateway   1
 2 A S   10.10.10.192/27     10.10.10.195     ether2-pub       1
 3 ADC   10.10.10.192/32     10.10.10.195     ether2-pub       0
                                              ether1-gateway
                                              ether3-private
 4 ADC   192.168.100.0/24    192.168.100.0    ether3-private   0
IP Pools:
 #   NAME            RANGES
 0   public-pool     10.10.10.201-10.10.10.220
 1   private-pool    192.168.100.2-192.168.100.254
DHCP configs:
 #   NAME            INTERFACE        RELAY   ADDRESS-POOL    LEASE-TIME   ADD-ARP
 0   public-dhcp     ether2-pub               public-pool     3d
 1   private-dhcp    ether3-private           private-pool    3d
Thanks!
user649102 over 11 years
Your question is not Mikrotik specific. I guess that you have basic networking questions. The fact that you change IP addresses to fake ones does not help at all.
TomTom over 11 years
His question IS Mikrotik specific because Mikrotik has its own shell and setup UI, and a lot of modifications. May I assume you have no clue what you are talking about, cstamas?
arul over 11 years
@cstamas No offense, but I think that noting the HW/SW I'm using is more relevant than exposing my IP range.
user649102 over 11 years
@arul I guess you want all of the public IPs behind the Mikrotik as a firewall, right?
arul over 11 years
@cstamas Yes, that's right.
user649102 over 11 years
@TomTom Yes, you may. You should also downvote my answer then. kthxbye
arul over 11 years
Thank you for your input, but I don't want to have the ISP involved more than I need, since the network may be subject to changes on a weekly basis; besides, I'm just curious how to do it.