masquerade on public eth with "in traffic" on the same eth!

v00d00 · Fri Jul 13, 2007 2:56 pm

how to masquerade on public eth with incoming traffic on the same public interface?

scheme:

public interface ip connected to internet - 80.22.232.35

private network coming trough public interface from a vpn tunnel - 192.168.2.0/24

I have permited all traffic from 192.168.2.0/24 that goes trough public interface.

but the problem is that I dont know how to masquerade traffic from 192.168.2.0/24 so they have access to internet.

Pls help.

thx.

balimore · Fri Jul 13, 2007 3:36 pm

----
Hai fren
ya, i have little experince like yours
this my history 18 moths ago, i did remember:
on my RB511 has one ether and one wireless interface, before use it, i had problem cos public and loacl on one interface, and i had idea is Bridge interface solution.
on ether i made bridge and local subnet i put on bridge, and put public address to ether and just put incoming and local network with one physical interface and to switch too :
before i am not believe but, it work fine and incredible. and so sorry my english isn't well
this my diagram and benefit: you will have public and private for supply link to your client together.

|ISP with public address
|
Hub ---- RB511 ))))))) Local subnet wirelessly 
|
|------- Local subnet over wire

my suggestion i did do one physic for public and local address. nice...
but now i am not need it, cause i have centralized aaa one with x86

and how to nat for private, i did like this:

/ip fi nat add chain=scrnat out-interface=ether action=masquerade

regards
Hasbullah.com
----

v00d00 · Fri Jul 13, 2007 4:00 pm

I dont understand what you are saying. as I read i see that bridging them its not a solution.

scheme:

internet                vpn location with 192.168.2.0/24 (some kind of mpls VPN from our ISP)
    |                             |
    |                             |
    |                             |
public eth ---------------
    |
local eth
    |
    |
    |
my local networks

/ip route print

A S 192.168.2.0/24 r 8?.?2.2?3.?3 public_eth0
A S 0.0.0.0/0 r 8?.?2.2?3.?3 public_eth0
ADo 172.16.1.0/24 r 172.16.100.1 lan
ADo 172.16.2.0/24 r 172.16.100.1 lan
ADo 172.16.3.0/24 r 172.16.100.1 lan
ADo 172.16.4.0/24 r 172.16.100.1 lan
ADo 172.16.5.0/24 r 172.16.100.1 lan
ADo 172.16.6.0/24 r 172.16.100.1 lan
ADo 172.16.7.0/24 r 172.16.100.1 lan
ADo 172.16.8.0/24 r 172.16.100.1 lan
ADo 172.16.9.0/24 r 172.16.100.1 lan

and I have putted masquerade rule for source 192.168.2.0/24:
chain=srcnat src-address=192.168.2.0/24 dst-address-list=!localnetworks action=masquerade

routing between 192.168.2.0/24 and my local networks works great, but when I'm trying to ping an external IP, from 192.168.2.0/24 I get request time out.

PLEASE HELP.

Thank you.

balimore · Fri Jul 13, 2007 4:51 pm

----
so sorry fren
that solution as your subject this post

regards
Hasbullah.com
----

Borage · Sat Jul 14, 2007 1:23 am

Isn't it better to assign the network 192.168.2.0/24 to the LAN interface (local eth)? Where are the VPN tunnel coming from, internet or a leased line? The normal procedure if the VPN tunnel are coming from the internet, is to to not use default gateway on remote network.

masquerade on public eth with "in traffic" on the same eth!

masquerade on public eth with "in traffic" on the same eth!

Re: masquerade on public eth with incoming traffic on the same i

Re: masquerade on public eth with "in traffic" on the same eth!

Re: masquerade on public eth with "in traffic" on the same eth!

Re: masquerade on public eth with "in traffic" on the same eth!

Who is online