
I have a basic NAT/routing problem with a Mikrotik RB750 that I've been unable to solve over the past few days. From our ISP we have 26 IP addresses: 10.10.10.192/27, with 10.10.10.193 being the gateway and 10.10.10.194 the first available IP.

What I need is that everything connected to ether2 gets a public IP from the DHCP server, and everything connected to ether3 gets a local IP from another DHCP (192.168.100.0/24). All clients should have internet access (I'll figure out bandwidth throttling later) and optimally just 'see' each other (all boxes are Win7, I guess this can ultimately be handled with VPN).

Here is my setup: ether1 (10.10.10.194) is connected directly to ISP.

20 clients are connected to ether2 (10.10.10.195), and another 20 to ether3 (10.10.10.196) (both through the same 24-port switches).

This is my setup, which doesn't work: all 20 clients from ether2 can access the internet, though all communication seems to come from 10.10.10.194 (is this due to the masquerade on ether1?), and ether3 can't access the internet at all.

I think that I need to masquerade ether3, and SNAT/DNAT or NETMAP ether2, but that doesn't work either; I guess that I need to somehow 'wire' both ether2 and ether3 to ether1.

Address list:

 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; public
     10.10.10.194/32    10.10.10.192    ether1-gateway
 1   ;;; inner DHCP
     192.168.100.0/24   192.168.100.0   ether3-private
 2   ;;; public
     10.10.10.195/32    10.10.10.192    ether2-pub
 3   ;;; public
     10.10.10.196/32    10.10.10.192    ether3-private

NAT

 0   ;;; ether3 nat
     chain=srcnat action=src-nat to-addresses=10.10.10.196 
     src-address=192.168.100.0/24 out-interface=ether3-private 

 1   ;;; ether3 nat
     chain=dstnat action=dst-nat to-addresses=192.168.100.0/24 
     in-interface=ether3-private 

 2   ;;; ether1 masquerade
     chain=srcnat action=masquerade to-addresses=10.10.10.194 
     out-interface=ether1-gateway 

Routes:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          ether1-gateway            1
 2 A S  10.10.10.192/27    10.10.10.195    ether2-pub                1
 3 ADC  10.10.10.192/32    10.10.10.195    ether2-pub                0
                                           ether1-gateway
                                           ether3-private
 4 ADC  192.168.100.0/24   192.168.100.0   ether3-private            0

IP Pools:

 # NAME             RANGES                         
 0 public-pool     10.10.10.201-10.10.10.220  
 1 private-pool    192.168.100.2-192.168.100.254

DHCP configs:

 #   NAME               INTERFACE              RELAY           ADDRESS-POOL              LEASE-TIME ADD-ARP
 0   public-dhcp        ether2-pub                             public-pool               3d        
 1   private-dhcp       ether3-private                         private-pool              3d

Thanks!

arul
  • Your question is not mikrotik specific. I guess that you have basic networking questions. The fact that you change IP addresses to fake ones does not help at all. – cstamas Dec 10 '12 at 08:03
  • His question IS Mikrotik specific because Mikrotik has its own shell and setup UI, and a lot of modifications. May I assume you have no clue what you talk about, cstamas? – TomTom Dec 10 '12 at 09:17
  • @cstamas No offense, but I think that noting the HW/SW I'm using is more relevant than exposing my IP range. – arul Dec 10 '12 at 10:34
  • @arul I guess you want all of the public IPs behind Mikrotik as a firewall, right? – cstamas Dec 10 '12 at 11:14
  • @cstamas Yes, that's right. – arul Dec 10 '12 at 11:37
  • @TomTom Yes, you may. You should also downvote my answer then. kthxbye – cstamas Dec 10 '12 at 16:24

3 Answers

You have to make decisions and design your network.

On ether1, which is connected to your ISP, you should define a smaller network, e.g. /30 (to tell the truth, it is much easier if you request one more, smaller range from your ISP than splitting what you have now).

So on ether1 10.10.10.192/30 your gw is 10.10.10.193 and 10.10.10.194/30 is your IP (on the Mikrotik, ether1). You then ask your ISP to route

  • 10.10.10.196/30
  • 10.10.10.200/29
  • 10.10.10.208/28

to the address 10.10.10.194 and to set up the same /30 netmask on their side as you did on yours.

Then on ether2 you configure one (or more) of the address ranges seen above. On this interface you don't do any NAT. You set up the pool according to the address ranges configured on the interface.

On ether3 you configure private addresses as you wish. The examples you provided seem fine. Here you set up MASQUERADE, and this is the only place you have NAT.

And what was wrong with your original setup?

  • You should not assign /32 networks the way you did.
  • The ISP will address all as being on the same network however this is not the case.
  • You do not do SNAT and DNAT at the same time on an interface. In this case you only do SNAT, which alters the source address. When the packets come back, the netfilter subsystem remembers what it did and will automatically do the reverse transformation. (MASQUERADE is a special case of SNAT.)

EDIT: If you do not want to involve your ISP in this, then you do the same and enable proxy-arp; this is well described here: http://wiki.mikrotik.com/wiki/Manual:IP/ARP#Proxy_ARP

cstamas
  • Thank you for your input, but I don't want to have the ISP involved more than I need, since the network may be subject to changes on a weekly basis - besides, I'm just curious how to do it. – arul Dec 11 '12 at 02:10
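The design from the answer above written out as RouterOS commands (an added example, not the answer's or MikroTik's own configuration): ether1 becomes a /30 towards the ISP, ether2 carries one of the ISP-routed ranges with no NAT at all, and only the 192.168.100.0/24 side on ether3 is masqueraded. It assumes the interface names from the question, that the ISP has moved to the /30 and routes 10.10.10.208/28 to 10.10.10.194, that the router takes 10.10.10.209 on ether2, and a placeholder DNS address.

```routeros
# Step 1: ether1 is a /30 point-to-point link to the ISP (gateway 10.10.10.193).
/ip address add address=10.10.10.194/30 interface=ether1-gateway comment="ISP link"
/ip route add dst-address=0.0.0.0/0 gateway=10.10.10.193 comment="default via ISP"

# Step 2: ether2 carries one of the ranges the ISP now routes to 10.10.10.194.
# 10.10.10.208/28 is used here (assumption): router takes .209, clients get .210-.222.
# No NAT rule touches this side, so clients keep their own public source address.
/ip address add address=10.10.10.209/28 interface=ether2-pub comment="public clients"
/ip pool add name=public-pool ranges=10.10.10.210-10.10.10.222
/ip dhcp-server add name=public-dhcp interface=ether2-pub address-pool=public-pool \
    lease-time=3d disabled=no
/ip dhcp-server network add address=10.10.10.208/28 gateway=10.10.10.209 \
    dns-server=192.0.2.53 comment="dns-server is a placeholder"

# Step 3: ether3 stays private and is the only place NAT is applied.
/ip address add address=192.168.100.1/24 interface=ether3-private comment="private clients"
/ip pool add name=private-pool ranges=192.168.100.2-192.168.100.254
/ip dhcp-server add name=private-dhcp interface=ether3-private address-pool=private-pool \
    lease-time=3d disabled=no
/ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1 \
    dns-server=192.0.2.53 comment="dns-server is a placeholder"

# Masquerade only the private subnet as it leaves towards the ISP. Restricting
# src-address is what stops the public /28 clients from being rewritten to
# 10.10.10.194, which is the symptom the question describes.
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 \
    out-interface=ether1-gateway action=masquerade

# Minimal stateful forward filter so both LANs sit behind the router as a firewall.
# Insert rules for services that must be reachable on the public /28 above the last one.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface=ether1-gateway connection-state=new \
    action=drop comment="no unsolicited inbound from the ISP side"
```

Afterwards "/ip route print" should show 10.10.10.208/28 and 192.168.100.0/24 as connected routes and a single default route via 10.10.10.193, and "/ip firewall nat print" should list exactly one srcnat rule.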

Why would you not simply configure the router to receive the ISP's IP on ether1, bridge ether2 and ether3, then apply the DHCP server for internal clients on the bridge? Granted, your internal IPs would need to change, but it is WAY simpler; you could even add your old gateways and ranges as static IPs bound to the bridge till you get everyone on DHCP. And if you ran an additional cable between your 24-port switches, that might also give you some redundancy for failover (you will need to review your switch docs to see what it supports). You would then masquerade the bridge to NAT out to the net; it would also keep your own traffic internal and allow you to do some firewalling, etc.

  1. You made an error setting the IP on ether3 with prefix 32; it must be 24.

  2. I don't understand what you mean by dst-nat everything from ether3? It looks like it blocks internet on ether3:

     1   ;;; ether3 nat
         chain=dstnat action=dst-nat to-addresses=192.168.100.0/24
         in-interface=ether3-private

  3. When you change an IP, usually leave the network field empty and let it be calculated automatically. For example: address=10.10.10.195/32 network=10.10.10.195 interface=ether2-pub

  4. You can try excluding your public net from the masquerade rule (src-address=!10.10.10.192/27) and enabling proxy-arp on ether1-public. Maybe it works. I'm not sure, because I never used such a 'strange' config.

PS. To me, it looks better to give out a private subnet on ether2 and set up 1-to-1 NAT (src-nat and dst-nat).

mmv-ru