1:1 NAT help when behind a NAT router.

I have this setup:

NAT router:
WAN IP: 66.15.99.192
1:1 NAT: 66.15.99.196 ↔ 192.168.0.70

MikroTik:
Bridge1 IP: 192.168.0.70/24 and 192.168.5.26/24
Wireless bridges are all on 192.168.5.x IP addresses.

Now I need to redirect that 1:1 NAT to 192.168.5.38. How would I do this?
Since it’s already behind a NAT router, we are not using firewalls at all in
the MikroTik server.

Well, it sounds like the traffic is being NATed from 66.15.99.xx > 192.168.0.0… there’s no route to the other network. You’d first have to set up a static route to 192.168.5.0 from 192.168.0.0; then you should be able to NAT to the 192.168.5.0 network. Are you using a MikroTik router as your edge routing device?

If the 192.168.5.0 network is for your wireless bridges, why not just set up a VPN tunnel to that network? I’m assuming this is just for management of the wireless bridges. A VPN would increase security and you wouldn’t have to open up ports on the router. Just a suggestion.

Actually, we have to give the customer a static IP for their billing server setup, so we have to 1:1 NAT that IP to the customer. I have learned, though, that the problem is another issue that we are looking into replacing: the PowerNOC BMU is blocking multi-DMZ and NATing from getting through. This is an issue that we are now trying to work with PowerNOC on getting resolved, and we are looking to replace the entire setup with a MikroTik router system and hope the 2.9 beta is stable enough for a router now, since we need load balancing between 2 WAN connections.

But once we get that problem resolved, then I need to know how I need to set up the NAT on the MikroTik wireless server that has a point-to-point bridge going to a single relay tower and then to the customer.

So since learning this I won’t have to use the 0.70 IP at all but just the 5.26, so our setup looks like:

router Xincom: 192.168.0.1
MikroTik server: 192.168.5.26
relay bridge: 192.168.5.36
customer bridge: 192.168.5.38
customer IP: 192.168.5.150

So I just need to know how to set up the 1:1 NAT or static route to forward traffic on the router Xincom as a 1:1 NAT from 66.15.99.196 to 192.168.5.26, since I don’t believe the router can see 192.168.5.150 at all unless it’s on the physical network. I could be wrong.

What exactly is router Xincom? And where is your public IP?

It sounds like you’re trying to NAT an already-NATed network.

This is what I got from your description.

Internet <---> 66.15.99.xxx <---> 192.168.0.0 <---> 192.168.5.0

Please confirm or give a more detailed description of the network. Start from your internet connection and work back to your customer devices.

OK… Xincom is a dual-WAN router with load balancing.

WAN1: 24.73.65.14/30
WAN2: 66.15.99.193 - 196/24
LAN: 192.168.0.1
BMU: 192.168.0.20 (bridged bandwidth unit with bridged IPs)
IP2: 192.168.15.1/24 (used for signup for hotspot)
IP3: 192.168.5.1/24 (infrastructure IP class)
IP4: 192.168.60.1/24 (customer IP class)

I set up a multi-DMZ in the Xincom router:
WAN IP2: 66.15.99.196 <---> MikroTik server: 192.168.5.26

Now it needs to know to direct all traffic going to 66.15.99.196 to CPE: 192.168.5.150

Unless you know of an easier method? We are working on a test unit to learn how to set up MikroTik as a load-balancing router to replace the Xincom, but that will be a little time yet before we’re comfortable enough with it to use it as our all-purpose router, AP, and wireless bridge. So in the meantime we need to forward external IP 66.15.99.196 to customer CPE switch: 192.168.5.150.

OK, so what does the routing table look like in the Xincom router?

Does it include routes to your interior networks (x.x.0.0, x.x.5.0, x.x.60.0 etc.)? Is the MT router doing any routing? If so, please print the routing table. Or is it a transparent bridge?

The Xincom router appears to be doing NAT, so that’s where the 1:1 NAT entry will be, but the Xincom router needs to know how to get to the other interior networks other than 192.168.0.0/24. Now if your MT router is actually routing, then you need to make sure the routes are set up correctly; you can define them statically or use a routing protocol. If you do static routing, make sure the Xincom router has the proper routes defined as well as the MT router.

Also, it’s good practice to use networks that aren’t used on millions of home broadband routers by default (192.168.0.0/16). :) You can also use 10.0.0.0/8 and 172.16.0.0/12.

Well, they call it a multi-DMZ actually in Xincom; just their name for it. I did a 66.15.99.196 <---> 192.168.5.150. The MT router is strictly a transparent bridge, no routing. I’m beginning to suspect the problem is the Xincom won’t see a different IP like 192.168.5.x even though it’s on a class B. So we are going to attempt to move it to the internal IP address.
And yeah, I agree on the 192.168.0.x, but it was already established when I got here and it would take quite a while and a good router to be able to change without bringing anyone down. Something to work on in the future as I learn more about MikroTik routing, since I plan to build a MikroTik router to experiment with.
I appreciate your assistance with this issue, and it was the questions you asked that made me think about possibilities with the router not liking anything not on the 192.168.0.x IP block.

I’m not sure I have this right, but it seems like you want to ‘carry’ a public IP address across your network to a customer. You might be better off using proxy-ARP instead of multiple 1:1 NATs, if it is supported by all your devices.

Hey GJS, can you expand on this? I’ve never used proxy-ARP and would like to understand more about how that works.

I too would like to know more about proxy-ARP. Thanks.

OK, I’m no expert but here are the basics. When you know how it works you realise there’s a surprising number of devices that use it.

As an example let’s take a PPP connection to an upstream provider. Let’s say that provider has allocated 1.1.1.0/24 address space to you. Any packet from the Internet addressed to one of your addresses is routed by your upstream provider to your PPP connection. On your network you may have many routers or other devices between your border router and the host which is to be assigned a particular address. On the local side of your border router, ARP is used to find the MAC address of the next hop onto your network. If the device at this next hop has proxy-ARP enabled, it will provide an ARP response for any address that is in its routing table. Take this example network where we want to assign a public address of 1.1.1.3 to a host behind an MT router:

PPP <---> border router (1.1.1.1) <---> (1.1.1.2) MT (10.0.0.1) <---> (1.1.1.3) host

Proxy-ARP needs to be enabled on the public interface of the MT (1.1.1.2) and there needs to be a routing table entry like this:

 #    DST-ADDRESS     GATEWAY      DISTANCE  INTERFACE
 1 S  1.1.1.3/32      10.0.0.1     1         private

Now, the MT will provide an ARP response when a packet arrives at the public interface with dst-addr of 1.1.1.3 and route it to the private interface (10.0.0.1). For packets to flow from the host to the PPP connection proxy-ARP and an appropriate route is also required on the private interface, though other modes can be used if the gateway on the host is set to 10.0.0.1.

This method can be used to “traverse” an address across any number of routers in the network provided each one is proxy-ARP capable.

Hope this sheds a little light.

Would you enable this on both WAN+LAN interfaces?

As above, this depends on what you want to achieve on the LAN side. If you have multiple hops you will need proxy-ARP on both interfaces. I use reply-only ARP on the LAN side (single hop) for added security, which works with some host devices. If there is no proxy-ARP on the LAN interface you need to use the private address as the gateway on the host. Windows doesn’t seem to have a problem having its gateway on a different network (IP 1.1.1.3, mask 255.255.255.0, GW 10.0.0.1, in the example above) while Linux, apparently, does.
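The two posts above describe the rule a proxy-ARP interface follows (answer for any target the router has a route for) and the reason reply-only is the safer LAN-side setting. The model below is an added example, not code from the thread or from MikroTik: it reproduces the example network (MT with 1.1.1.2/24 on the public side, 10.0.0.1/24 on the private side, a /32 route for host 1.1.1.3 out the private interface) and answers "would the MT reply to this ARP request on this interface?" The ARP mode names are RouterOS's; the decision rule is my own simplification (a proxy-ARP interface replies only when the target is routed out a *different* interface, reply-only and enabled reply only for the interface's own address), and the `thread_example` helper and its `default_route` flag are constructed for illustration. The flag shows the caveat a practitioner wants: once a default route exists, a proxy-ARP LAN interface claims every Internet address on that segment, which is exactly what reply-only avoids.

```python
"""Proxy-ARP reply decisions for the MT in the thread's example network.

Added example; not code from the post or from RouterOS. The rule modelled:
  disabled   -> never reply
  enabled    -> reply only for the interface's own address
  reply-only -> same as enabled for this purpose (static entries not modelled)
  proxy-arp  -> also reply for any target whose best route leaves via another interface
"""
import ipaddress
from dataclasses import dataclass, field

ENABLED, DISABLED, PROXY_ARP, REPLY_ONLY = "enabled", "disabled", "proxy-arp", "reply-only"


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface   # address/prefix configured on the port
    arp: str = ENABLED


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    interface: str                     # exit interface; the gateway address is irrelevant to ARP


@dataclass
class Router:
    interfaces: dict = field(default_factory=dict)
    routes: list = field(default_factory=list)

    def add_interface(self, name, address, arp=ENABLED):
        iface = Interface(name, ipaddress.IPv4Interface(address), arp)
        self.interfaces[name] = iface
        # the connected route a router installs automatically for each interface
        self.routes.append(Route(iface.address.network, name))
        return iface

    def add_route(self, dst, interface):
        self.routes.append(Route(ipaddress.IPv4Network(dst), interface))

    def lookup(self, ip):
        """Longest-prefix match over all routes; None if the target is unroutable."""
        best = None
        for r in self.routes:
            if ip in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
                best = r
        return best

    def answers_arp(self, on_iface, target):
        """Would the router send an ARP reply for `target` to a request seen on `on_iface`?"""
        iface = self.interfaces[on_iface]
        target = ipaddress.IPv4Address(target)
        if iface.arp == DISABLED:
            return False
        if target == iface.address.ip:          # own address: every non-disabled mode answers
            return True
        if iface.arp != PROXY_ARP:              # enabled / reply-only stop here
            return False
        route = self.lookup(target)
        # proxy-ARP: answer only if the packet would be forwarded out a different interface,
        # so the router never claims addresses that live on the segment it was asked on
        return route is not None and route.interface != on_iface


def thread_example(default_route=False, private_mode=PROXY_ARP):
    """The MT from the post (hypothetical helper): 1.1.1.2/24 toward the border router,
    10.0.0.1/24 toward the host, static 1.1.1.3/32 out the private side."""
    mt = Router()
    mt.add_interface("public", "1.1.1.2/24", PROXY_ARP)
    mt.add_interface("private", "10.0.0.1/24", private_mode)
    mt.add_route("1.1.1.3/32", "private")
    if default_route:
        mt.add_route("0.0.0.0/0", "public")   # the usual route toward the PPP uplink
    return mt


if __name__ == "__main__":
    for label, mt in (("no default route", thread_example()),
                      ("default route, private proxy-arp", thread_example(True)),
                      ("default route, private reply-only", thread_example(True, REPLY_ONLY))):
        print(label)
        for iface, tgt in (("public", "1.1.1.3"), ("public", "1.1.1.4"),
                           ("private", "1.1.1.1"), ("private", "8.8.8.8")):
            print(f"  ARP for {tgt:>8} on {iface:<7} -> {mt.answers_arp(iface, tgt)}")
```

Running it shows the border router's request for 1.1.1.3 on the public side is answered (the /32 points at the private interface), a request for 1.1.1.4 is not (its best route is the connected 1.1.1.0/24 on the same interface, so the MT does not hijack its neighbours), and the host can ARP for 1.1.1.1 on the private side. Adding the default route makes the proxy-ARP private interface answer for 8.8.8.8 and every other Internet address; switching that interface to reply-only stops it while the host can still reach 10.0.0.1 as its gateway.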

GJS, great post. So if I had two hops after the MikroTik router, one being a bridge, all I need to do is proxy-ARP enable the bridge, correct? This is exactly what I’ve been looking for, and it sounds much more efficient than doing a 1:1 NAT, giving the customer a true external IP. Thanks for the tutorial lesson :)

You’re welcome, marvin. Yes, this method does have the advantage that you get to put the actual IP on the customer’s device. Putting a private address on it, then trying to convince him that it’s really a public address, is not ideal.

If you have two hops after your MT you will need to enable proxy-ARP on both sides of the MT. Now, if your next hop is to a bridge and the next one to the customer’s host device e.g.

Internet <---> MT <---> bridge <---> Host (customer PC)

I don’t think you need anything else. I’m not very familiar with how bridges work but don’t they just work at the MAC layer so will be transparent as far as IP addressing is concerned? Hopefully someone can jump in here and correct me if I’m wrong.

A bridge isn’t considered a hop.