I have a basic NAT/routing problem with a Mikrotik RB750 that I've been unable to solve over the past days. From our ISP we have 26 IP addresses: 10.10.10.192/27, with 10.10.10.193 being the gateway and 10.10.10.194 the first available IP.

What I need is that everything connected to ether2 gets a public IP from the DHCP server, and everything connected to ether3 gets a local IP from another DHCP (192.168.100.0/24). All clients should have internet access (I'll figure out bandwidth throttling later) and optimally just 'see' each other (all boxes are Win7, I guess this can ultimately be handled with VPN).

Here is my setup: ether1 (10.10.10.194) is connected directly to ISP.

20 clients are connected to ether2 (10.10.10.195), and another 20 to ether3 (10.10.10.196) (both through the same 24-port switches).

This is my setup, which doesn't work: all 20 clients from ether2 can access the internet, though all communication seems to come from 10.10.10.194 (is this due to the masquerade on ether1?), and ether3 can't access the internet at all.

I think that I need to masquerade ether3, and SNAT/DNAT or NETMAP ether2, but that doesn't work either, I guess that I need to somehow 'wire' both ether2+3 to ether1.

Address list:

     #   ADDRESS            NETWORK         INTERFACE
     0   ;;; public
         10.10.10.194/32    10.10.10.192    ether1-gateway
     1   ;;; inner DHCP
         192.168.100.0/24   192.168.100.0   ether3-private
     2   ;;; public
         10.10.10.195/32    10.10.10.192    ether2-pub
     3   ;;; public
         10.10.10.196/32    10.10.10.192    ether3-private

NAT

     0   ;;; ether3 nat
         chain=srcnat action=src-nat to-addresses=10.10.10.196 src-address=192.168.100.0/24 out-interface=ether3-private
     1   ;;; ether3 nat
         chain=dstnat action=dst-nat to-addresses=192.168.100.0/24 in-interface=ether3-private
     2   ;;; ether1 masquerade
         chain=srcnat action=masquerade to-addresses=10.10.10.194 out-interface=ether1-gateway

Routes:

     #      DST-ADDRESS        PREF-SRC        GATEWAY          DISTANCE
     0 A S  0.0.0.0/0                          ether1-gateway   1
     2 A S  10.10.10.192/27    10.10.10.195    ether2-pub       1
     3 ADC  10.10.10.192/32    10.10.10.195    ether2-pub       0
                                               ether1-gateway
                                               ether3-private
     4 ADC  192.168.100.0/24   192.168.100.0   ether3-private   0

IP Pools:

     #   NAME           RANGES
     0   public-pool    10.10.10.201-10.10.10.220
     1   private-pool   192.168.100.2-192.168.100.254

DHCP configs:

     #   NAME           INTERFACE        RELAY   ADDRESS-POOL   LEASE-TIME   ADD-ARP
     0   public-dhcp    ether2-pub               public-pool    3d
     1   private-dhcp   ether3-private           private-pool   3d

Thanks!

  • Your question is not mikrotik specific. I guess that you have basic networking questions. The fact that you change IP addresses to fake ones does not help at all. Commented Dec 10, 2012 at 8:03
  • His question IS mikrotik specific because Mikrotik has its own shell and setup UI. And a lot of modifications. May I assume you have no clue what you talk about, cstamas? Commented Dec 10, 2012 at 9:17
  • @cstamas No offense, but I think that noting the HW/SW I'm using is more relevant than exposing my IP range. Commented Dec 10, 2012 at 10:34
  • @arul I guess you want all of the public IPs behind Mikrotik as a firewall, right? Commented Dec 10, 2012 at 11:14
  • @cstamas Yes, that's right. Commented Dec 10, 2012 at 11:37

3 Answers

You have to make decisions and design your network.

On ether1, which is connected to your ISP, you should define a smaller network, e.g. a /30 (to tell the truth, it is much easier if you request one more smaller range from your ISP than splitting what you have now).

So on ether1 10.10.10.192/30 your gw is 10.10.10.193 and 10.10.10.194/30 is your IP (on the mikrotik - ether1). You then ask your ISP to route

  • 10.10.10.196/30
  • 10.10.10.200/29
  • 10.10.10.208/28

to the address 10.10.10.194 and to set up the same /30 netmask on their side as you did on yours.

Then on ether2 you configure one (or more) of the address ranges seen above. On this interface you don't do any NAT. You set up the pool according to the address ranges configured on the interface.

On ether3 you configure private addresses as you wish. The examples you provided seem fine. Here you set up MASQUERADE, and this is the only place you have NAT.

And what was wrong with your original setup?

  • You should not assign /32 networks the way you did.
  • The ISP will address all as being on the same network however this is not the case.
  • You do not do SNAT and DNAT at the same time on an interface. In this case you only do SNAT, which alters the source address. When the packets come back, the netfilter subsystem remembers what it did and will automatically do the reverse transformation. (MASQUERADE is a special case of SNAT.)

EDIT: If you do not want to involve your ISP in this, then you do the same and enable proxy-arp; this is well described here: http://wiki.mikrotik.com/wiki/Manual:IP/ARP#Proxy_ARP

  • Thank you for your input, but I don't want to have the ISP involved more than I need, since the network may be subject to changes on a weekly basis - besides, I'm just curious how to do it. Commented Dec 11, 2012 at 2:10
  1. You made an error in the setting on ether3: the IP has prefix 32; it must be 24.

  2. I don't understand what you mean by dst-nat for everything from ether3? It looks like it blocks internet on ether3:

         1   ;;; ether3 nat
             chain=dstnat action=dst-nat to-addresses=192.168.100.0/24 in-interface=ether3-private

  3. When you change the IP, usually clear the network field and let it be calculated automatically. For example, address=10.10.10.195/32 network=10.10.10.195 interface=ether2-pub

  4. You can try excluding your public net from the masquerade rule (src-address=!10.10.10.192/27) and enabling proxy-arp on ether1-public. Maybe it works. I'm not sure, because I never used such a 'strange' config.

PS. To me it looks better to give out a private subnet on ether2 and set up 1-to-1 NAT (src-nat and dst-nat).
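To make the first answer's address plan concrete, and the second answer's point about the network field, here is an added check script (not from either answerer, and not RouterOS code). It carves the /30 transit network off the asker's 10.10.10.192/27, lists the subnets the ISP would be asked to route, checks whether the asker's existing public-pool (10.10.10.201-10.10.10.220) still consists of usable host addresses once the block is split, and shows why a hand-typed network of 10.10.10.192 on a /32 address is inconsistent. Only Python's standard library is used.

```python
import ipaddress


def plan_public_block(isp_block: str, wan_prefixlen: int = 30):
    """Carve the WAN transit network off the start of the ISP block.
    Returns (wan_net, routed_subnets): routed_subnets is the minimal CIDR set
    covering the rest of the block, i.e. what the ISP is asked to route to the
    router's WAN address."""
    block = ipaddress.ip_network(isp_block, strict=True)
    wan = next(block.subnets(new_prefix=wan_prefixlen))
    routed = sorted(block.address_exclude(wan), key=lambda n: int(n.network_address))
    return wan, routed


def pool_problems(pool_first: str, pool_last: str, subnets):
    """Return the pool addresses that are NOT usable host addresses in any of the
    routed subnets (network/broadcast addresses of the carved subnets, or
    addresses outside them). A non-empty result means the DHCP pool must be
    split or shrunk to match the subnets actually configured on the interface."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    usable = set()
    for net in subnets:
        usable.update(net.hosts())   # hosts() skips network and broadcast addresses
    bad = []
    addr = first
    while addr <= last:
        if addr not in usable:
            bad.append(str(addr))
        addr += 1
    return bad


def network_field_matches(address_with_prefix: str, network: str) -> bool:
    """RouterOS derives the 'network' column from the address and prefix length.
    A /32 with a hand-typed network of 10.10.10.192 is exactly the mismatch the
    answers warn about; a /30 on the transit link is self-consistent."""
    iface = ipaddress.ip_interface(address_with_prefix)
    return iface.network.network_address == ipaddress.ip_address(network)


if __name__ == "__main__":
    wan, routed = plan_public_block("10.10.10.192/27")
    print("WAN transit:", wan, "-> ask ISP to route:", [str(n) for n in routed])
    # The asker's pool straddles the /29 broadcast (.207) and the /28 network (.208).
    print("pool addresses not usable:",
          pool_problems("10.10.10.201", "10.10.10.220", routed))
    print("10.10.10.195/32 with network=10.10.10.192 consistent?",
          network_field_matches("10.10.10.195/32", "10.10.10.192"))
```

Run as-is it reproduces the three routed subnets the answer lists and flags 10.10.10.207 and 10.10.10.208 as addresses the existing pool would hand out even though they are a broadcast and a network address under the split plan.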

Why would you not simply configure the router to receive the ISP's IP on ether1, bridge ether2 & ether3, then apply the DHCP server for internal clients on the bridge... granted, your internal IPs would need to change, but it is WAY simpler; you could even add your old gateways and ranges as static IPs bound to the bridge till you get everyone on DHCP... and if you ran an additional cable between your 24-port switches, that might also give you some redundancy for failover (you will need to review your switch docs to see what it supports). You would then masquerade the bridge to NAT out to the net; it also would keep your own traffic internal and allow you to do some firewalling, etc.
