NAT Routing back to original Router


I am considering trying to implement something similar to the diagram below and need to know how this would be possible. Networking is not my strong suit, so forgive any errors in my description.

I have a switch/router in place that is BGPing with an ISP. Connected to this are some wireless APs, and I have people connecting to these as stations. The stations have VLAN 100 set and a public IP, in this example. The gateway is set on the main router, and then a default route pushes that traffic to the ISP. The flow would be something like: connects to the AP (in bridge mode), traffic routes to the main switch gateway, the default route is then used to pass the traffic on, and the ISP then determines the routing from there for the public IP.

I want to start using NAT; the main aim is to dual stack and NAT IPv4 for services which are still unattainable on IPv6. I wish to use a MikroTik or similar to do the NATting for a small number of people, nothing too intensive. However, rather than physically connecting devices to the MikroTik, it seems much cleaner to route only the necessary traffic to the MikroTik, as not all people will be NATted.

If I use for example as the local range and set the CPE with: IP: Gateway:

Setting the MikroTik with Ideally traffic would then pass through the AP to the main router and then to the MikroTik, i.e. the local NAT range gateway; at this point it would be NATted to a public IP, i.e. , and then routed back to the main switch gateway of and finally out to the ISP like normal traffic.

Is the physical setup possible, and can someone give me an idea of the main points of consideration to achieve the following?


The Humble Rat

Posted 2019-07-17T09:04:09.873

Reputation: 153



Well, the first problem in your idea is: VLAN 100 cannot have two different IP ranges like on your drawing, so you need to choose whether VLAN 100 is 10.X.X.X or 1.X.X.X; it can't be both. So I suggest creating two VLANs: one for the green client station with private addressing using NAT, and another VLAN with public IP addressing.

Now you will need two sub-interfaces on the swp2 port. These will act as the default gateway for the two VLANs, so let's say the swp2.1 sub-interface will have address and swp2.2 will have IP address

Now on sub-interface swp2.2 you set (I don't know how it is on MikroTik, but on Cisco the command is "ip nat inside") so you are telling it that this is the inside of the network and you will be translating addresses from here (I'm skipping the ACL or public IP pool configuration), and you choose port swp50 as the "ip nat outside" port.

And now this should work; at least in my lab it worked: the client with a private IP address went through NAT translation, while the client with a public IP address skipped NAT.


Posted 2019-07-17T09:04:09.873

Reputation: 186
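The following is an added example, not code from either post, modelling the design the answer describes: one router with two VLAN sub-interfaces (swp2.1 public, swp2.2 private, as named in the answer), a default route out of swp50 towards the ISP, and a NAT inside/outside policy so that only traffic entering on swp2.2 and leaving on swp50 is translated. Every address is constructed from RFC 5737 / RFC 1918 documentation ranges because both posts elide theirs; the connection-state handling is deliberately simplified (keyed on the inside source only) to keep the routing decision visible.

```python
"""Toy model of policy NAT on a router with two VLAN sub-interfaces.

Added example for this thread; not the poster's or MikroTik/Cisco code.
Addresses below are constructed documentation ranges, not the original setup's.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_VLAN = ip_network("198.51.100.0/24")   # constructed: public-addressed stations (swp2.1)
PRIVATE_VLAN = ip_network("10.0.0.0/24")      # constructed: stations that get NATted (swp2.2)
NAT_POOL_IP = "203.0.113.1"                   # constructed: public address the inside VLAN is translated to
DEFAULT = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class PolicyNatRouter:
    """One router, two sub-interfaces, NAT applied only on inside -> outside."""

    def __init__(self):
        self.connected = {"swp2.1": PUBLIC_VLAN, "swp2.2": PRIVATE_VLAN}
        self.nat_inside = {"swp2.2"}      # the answer's "ip nat inside" sub-interface
        self.nat_outside = {"swp50"}      # the answer's "ip nat outside" port towards the ISP
        # Connected VLANs plus a default route; sorted for longest-prefix match.
        self.routes = sorted(
            [(PUBLIC_VLAN, "swp2.1"), (PRIVATE_VLAN, "swp2.2"), (DEFAULT, "swp50")],
            key=lambda r: r[0].prefixlen, reverse=True)
        self.next_port = 1024
        self.out_map = {}   # (inside src, sport) -> translated source port
        self.in_map = {}    # translated source port -> (inside src, sport)

    def ingress(self, pkt):
        """Interface the packet arrived on, inferred from its source address."""
        for name, net in self.connected.items():
            if ip_address(pkt.src) in net:
                return name
        return "swp50"

    def egress(self, dst):
        """Longest-prefix route lookup; the default route catches everything else."""
        for net, iface in self.routes:
            if ip_address(dst) in net:
                return iface
        raise LookupError(dst)

    def forward(self, pkt):
        """Return (egress interface, packet as it leaves), or (None, None) if dropped."""
        in_if = self.ingress(pkt)
        # Reply from the ISP side addressed to the NAT pool: undo the translation if state exists.
        if in_if in self.nat_outside and pkt.dst == NAT_POOL_IP:
            if pkt.dport not in self.in_map:
                return None, None          # no state: unsolicited traffic to the pool is dropped
            src, sport = self.in_map[pkt.dport]
            pkt = replace(pkt, dst=src, dport=sport)
        out_if = self.egress(pkt.dst)
        # Translate only inside -> outside; public-VLAN and inter-VLAN traffic is left untouched.
        if in_if in self.nat_inside and out_if in self.nat_outside:
            key = (pkt.src, pkt.sport)
            if key not in self.out_map:
                self.out_map[key] = self.next_port
                self.in_map[self.next_port] = key
                self.next_port += 1
            pkt = replace(pkt, src=NAT_POOL_IP, sport=self.out_map[key])
        return out_if, pkt


if __name__ == "__main__":
    router = PolicyNatRouter()
    for p in (Packet("10.0.0.10", "192.0.2.7", 40000, 443),       # private station -> Internet: NATted
              Packet("198.51.100.10", "192.0.2.7", 40000, 443),   # public station -> Internet: untouched
              Packet("192.0.2.7", "203.0.113.1", 443, 1024),      # reply to the pool: untranslated
              Packet("192.0.2.7", "203.0.113.1", 443, 5555)):     # unsolicited to the pool: dropped
        print(router.forward(p))
```

The inbound branch is the part that matters for the questioner's two-box variant (NAT on a separate MikroTik behind the main router): replies from the ISP are addressed to the NAT pool, so the pool must be routed to whichever device holds the translation state. With a separate NAT box that means the main router needs a route for the pool pointing at the MikroTik, and the ISP must deliver the pool to the main router in the first place; without both, the return path never reaches the state table and every translated flow stalls.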