nicfallenangel
just joined
Topic Author
Posts: 3
Joined: Tue Feb 21, 2012 7:42 pm

Transparent Bridge with NAT?

Tue Feb 21, 2012 8:12 pm

So this falls into the category of "Can it be done?"

We are setting up a MikroTik to handle QoS and have several devices that act as wireless bridges with internal IP addresses; for the sake of argument, they run on 192.168.1.x/24.

The MikroTik is set up as a transparent bridge to allow client devices to get IP addresses from an external DHCP server and avoid double NAT.

Brief rundown: ether1 is the "master" port and QoS is set on the others (using Mangle and Queue trees) with all five ports bridged together. I know I can set a DHCP client on the bridge/ether1 interface and can get the information about that IP through ARP/other means. Is there a way that I can get remote access to the 192 IPs while still maintaining the transparent bridge?

Setup is as follows:
Modem ---- Mikrotik ---- wireless bridge AP(192.168.1.x/24) ---- Wireless bridge client(192.168.1.x/24) ---- CPE that gets external DHCP/internet access (69.x.x.x as an example)
 
dasiu
Trainer
Posts: 231
Joined: Fri Jan 30, 2009 11:41 am
Location: Reading, UK

Re: Transparent Bridge with NAT?

Tue Feb 21, 2012 11:59 pm

yes :)
 
nicfallenangel
just joined
Topic Author
Posts: 3
Joined: Tue Feb 21, 2012 7:42 pm

Re: Transparent Bridge with NAT?

Wed Feb 22, 2012 12:12 am

> yes :)

Thanks for the reply. How?
 
nicfallenangel
just joined
Topic Author
Posts: 3
Joined: Tue Feb 21, 2012 7:42 pm

Re: Transparent Bridge with NAT?

Sat Feb 25, 2012 12:42 am

I managed to work it out. Our setup uses separate VLANs to run the management and data connections. I set the data on the bridge of course, then with a proper IP on the bridge, I used a dst-nat to get from the management IP to the IPs on the data bridge. In case anyone wants to know, here's the code I used:

Add the VLANs:

/interface vlan
add arp=enabled disabled=no interface=ether1 l2mtu=1596 mtu=1500 name=vlan1 \
    use-service-tag=no vlan-id=1
add arp=enabled disabled=no interface=ether1 l2mtu=1596 mtu=1500 name=vlan2 \
    use-service-tag=no vlan-id=2

Create the bridge and add the data vlan and other ports to it:

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 \
    name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=vlan2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether3 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether4 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether5 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=yes

Set IP addresses (x.x.x.x for public and y.y.y.y for local):

/ip address
add address=x.x.x.x/x disabled=no interface=vlan1 network=x.x.x.0
add address=y.y.y.y/y disabled=no interface=bridge1 network=y.y.y.0

Add NAT action to move connection from public Management port to private bridge interface:

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=x.x.x.x \
    dst-port=8081 in-interface=vlan1 protocol=tcp to-addresses=y.y.y.y \
    to-ports=80

Add gateway for public address so it properly routes:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.x scope=\
    30 target-scope=10
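
The dst-nat rule in the post above publishes a device's web UI on the management address to any host that can reach vlan1. The following is an added example, not part of the original post: a RouterOS script that creates one forward per wireless bridge device and only matches connections from an allowed source list. The device IPs, the 203.0.113.0/24 admin range and the list name mgmt-allowed are assumptions made for illustration; x.x.x.x is the post's placeholder for the management address and must be replaced before running.

```routeros
# Added example. Constructed values: device IPs, admin range, list name.
# Assumes bridge1 holds an address in the devices' subnet (the post's y.y.y.y/y)
# and that the devices can send replies back to the router.

# Hosts allowed to use the management forwards (documentation range as sample).
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.0/24 comment="admin workstations"

# One forward per device: x.x.x.x:8081 -> first device, :8082 -> second, ...
# src-address-list limits each rule to the allowed hosts, so connections from
# any other source are not translated and never reach a device web UI.
:local devices {192.168.1.2;192.168.1.3}
:local port 8081
:foreach ip in=$devices do={
    /ip firewall nat add chain=dstnat action=dst-nat protocol=tcp \
        in-interface=vlan1 dst-address=x.x.x.x dst-port=$port \
        src-address-list=mgmt-allowed \
        to-addresses=$ip to-ports=80 \
        comment=("mgmt web UI " . [:tostr $ip])
    :set port ($port + 1)
}

# Review what was created; the packet counters show which forwards are in use.
/ip firewall nat print stats where chain=dstnat
```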
