spaske84
just joined
Topic Author
Posts: 9
Joined: Fri Jul 01, 2016 3:56 pm

Mikrotik NAT-ing from one subnet to the other

Mon Aug 01, 2016 4:21 pm

Hi,

We have two subnets on our local network and a third separate subnet (172.28.4.0/24) for the VPN server (on a Mikrotik router). We have also set up a site-to-site VPN connection to our client. The client allowed access for those two subnets in his firewall, but won't allow us access from the third subnet (people working from home). Is there a possibility to route or NAT that subnet to the subnets which are currently allowed access?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Mikrotik NAT-ing from one subnet to the other

Mon Aug 01, 2016 4:28 pm

Do this:
/ip firewall nat
add chain=srcnat src-address=172.28.4.0/24 dst-address=x.x.x.x action=netmap to-addresses=y.y.y.y/24
add chain=dstnat dst-address=y.y.y.y/24 src-address=x.x.x.x action=netmap to-addresses=172.28.4.0/24
... where x.x.x.x = the IP block of the customer side of the VPN, and y.y.y.y/24 = one of your two blocks of IP addresses which the customer's router WILL allow through the VPN.

When doing a bulk range prefix translation like this, make sure that the prefix sizes match - i.e. if the "allowed" prefix (y.y.y.y) is something other than /24, then change your VPN pool 172.28.4.0/24 to use the same size IP block as y.y.y.y

x.x.x.x can (and must) be whatever size range the customer is using - it's in the rule to specify WHEN the NAT rule should apply.
Make sure these rules come before any other NAT rules you may be using so that they take precedence over your usual NAT policy.
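
The prefix-size advice in the reply above, as an added example that is not part of the original post: a Python model of a 1:1 prefix translation, showing the forward and reverse mapping and what happens when the two prefixes differ in size. It assumes netmap behaves as plain prefix replacement (host bits kept, network bits swapped); 192.168.88.0/24 is a constructed stand-in for y.y.y.y/24, and the function names are hypothetical.

```python
import ipaddress

VPN_POOL = "172.28.4.0/24"    # VPN subnet from the thread
ALLOWED = "192.168.88.0/24"   # constructed placeholder for y.y.y.y/24


def netmap(addr, from_net, to_net):
    """Model of a 1:1 prefix translation (assumption: keep the host bits
    under the target prefix's mask, replace the network bits)."""
    addr = ipaddress.ip_address(addr)
    from_net = ipaddress.ip_network(from_net)
    to_net = ipaddress.ip_network(to_net)
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(addr) & int(to_net.hostmask)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)


def collisions(from_net, to_net):
    """Map every host of from_net and return (first_host, second_host, mapped)
    for each pair of inside hosts that end up on the same translated address."""
    seen, clashes = {}, []
    for host in ipaddress.ip_network(from_net).hosts():
        mapped = netmap(host, from_net, to_net)
        if mapped in seen:
            clashes.append((seen[mapped], host, mapped))
        else:
            seen[mapped] = host
    return clashes


if __name__ == "__main__":
    # srcnat direction: home worker -> address the customer firewall allows
    out = netmap("172.28.4.37", VPN_POOL, ALLOWED)
    # dstnat direction: reply traffic -> back to the real VPN client
    back = netmap(out, ALLOWED, VPN_POOL)
    print(f"172.28.4.37 -> {out} -> {back}")

    # Matching prefix sizes: every VPN client gets its own translated address
    print("same size clashes:", len(collisions(VPN_POOL, ALLOWED)))

    # Mismatched sizes (/24 squeezed into a /25): distinct clients overlap,
    # so return traffic can no longer be mapped back unambiguously
    bad = collisions(VPN_POOL, "192.168.88.0/25")
    print("mismatched clashes:", len(bad), "first:", [str(x) for x in bad[0]])
```
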
 
spaske84
just joined
Topic Author
Posts: 9
Joined: Fri Jul 01, 2016 3:56 pm

Re: Mikrotik NAT-ing from one subnet to the other

Mon Aug 08, 2016 11:41 am

That worked like a charm. Thanks a lot man!
 
TTaufik
just joined
Posts: 4
Joined: Thu Sep 22, 2016 6:04 am

Re: Mikrotik NAT-ing from one subnet to the other

Thu Sep 22, 2016 7:02 am

Hello, I have a problem connecting my PC to my server in a different subnet.

0 10.10.10.67/24 10.10.10.0 ether1_WAN
1 192.168.1.1/24 192.168.1.0 ether3_server
2 192.168.2.1/24 192.168.2.0 ether4_client1
3 192.168.3.1/24 192.168.3.0 ether5_client2

How can I ping from a PC in client1 to a PC in server and client2, and vice versa?
Thank you.
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Mikrotik NAT-ing from one subnet to the other

Thu Sep 22, 2016 3:29 pm

Would you like to show us your configuration?
 
czolo
Member
Posts: 423
Joined: Fri Mar 04, 2005 9:49 am
Location: Poland (Warsaw)

Re: Mikrotik NAT-ing from one subnet to the other

Thu Sep 22, 2016 5:00 pm

Routing should do the job. If you set up gateways properly on your PCs and your server, it should work.
 
TTaufik
just joined
Posts: 4
Joined: Thu Sep 22, 2016 6:04 am

Re: Mikrotik NAT-ing from one subnet to the other

Thu Sep 22, 2016 5:38 pm

Would you like to show us your configuration?
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 XI ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough log=no log-prefix=""

1 ;;; WAN1
chain=srcnat action=masquerade src-address-list=client1 out-interface=ether1_WAN1 log=no log-prefix=""

2 ;;; WAN2
chain=srcnat action=masquerade src-address-list=client2 out-interface=ether2_WAN2 log=no log-prefix=""

ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=WAN1-route passthrough=yes src-address-list=client1 log=no log-prefix=""

1 chain=prerouting action=mark-routing new-routing-mark=WAN2-route passthrough=yes src-address-list=client2 log=no log-prefix=""

ip route print

# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 10.10.10.64 1
1 S 0.0.0.0/0 10.10.10.64 2
2 A S 0.0.0.0/0 10.20.20.1 1
3 S 0.0.0.0/0 10.20.20.1 2
4 A S 0.0.0.0/0 10.10.10.64 1
5 S 0.0.0.0/0 10.20.20.1 2
6 ADC 192.168.1.0/24 192.168.1.1 ether3_server 0
7 ADC 192.168.2.0/24 192.168.2.1 ether4_client1 0
8 DC 192.168.3.0/24 192.168.3.1 ether5_client2 0
9 ADC 10.20.20.0/24 10.20.20.20 ether2_WAN2 0
10 ADC 10.10.10.0/24 10.10.10.67 ether1_WAN1 0

I use 2 WANs. WAN1 for client1 and WAN2 for client2, and for failover if WAN1 or WAN2 has trouble (disconnect).
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Mikrotik NAT-ing from one subnet to the other

Fri Sep 23, 2016 8:34 am

I agree with czolo. Routing should do the job, you can allow ping.
 
TTaufik
just joined
Posts: 4
Joined: Thu Sep 22, 2016 6:04 am

Re: Mikrotik NAT-ing from one subnet to the other

Fri Sep 23, 2016 9:50 am

I agree with czolo. Routing should do the job, you can allow ping.
Can you give me an example?
 
czolo
Member
Posts: 423
Joined: Fri Mar 04, 2005 9:49 am
Location: Poland (Warsaw)

Re: Mikrotik NAT-ing from one subnet to the other

Fri Sep 23, 2016 10:47 am

There is no example for that :D You have a router in the middle, so if you have gateways set up on your clients and your server, the router should know the destination.
Show us your
/ip dhcp-server export
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Mikrotik NAT-ing from one subnet to the other

Fri Sep 23, 2016 11:48 am

 
mhtelb
just joined
Posts: 6
Joined: Mon Nov 28, 2016 9:29 am

Re: Mikrotik NAT-ing from one subnet to the other

Mon Apr 24, 2017 8:28 am

Hey
I have X86 mikrotik
WAN = 192.168.1.1
LAN = 10.20.20.1/22
so the users' IPs are in the subnet ( 10.20.20.2-10.20.23.254 )
My problem is:
How to make user ( 10.20.20.20 ) see and ping user ( 10.20.22.22 ),
although all of them are on the same interface
 
mhtelb
just joined
Posts: 6
Joined: Mon Nov 28, 2016 9:29 am

Re: Mikrotik NAT-ing from one subnet to the other

Mon Apr 24, 2017 9:12 am

Hey
I have X86 mikrotik
WAN = 192.168.1.1
LAN = 10.20.20.1/22
so the users' IPs are in the subnet ( 10.20.20.2-10.20.23.254 )
My problem is:
How to make user ( 10.20.20.20 ) see and ping user ( 10.20.22.22 ),
although all of them are on the same interface
