Can't access real address from fake address in the same NIC.
egg
just joined
 
Posts: 23
Joined: Sat Jul 03, 2004 12:23 pm

by egg » Tue Jan 17, 2006 3:06 pm

Hello,
I have an MT 2.9.7 box with 2 NICs.
The first NIC (public) is connected to my ISP by LAN and the second
NIC is connected to my private network. My ISP gives me the real
address space xxx.14.7.0/24 and I route it at the second NIC (private).
At the second (private) NIC I have one more network, with the fake address 192.168.0.0/24.
In this situation I can't see the real address space at the second NIC
from a fake IP address on this NIC.
From the Internet I can see my real space on the private network.
My fake addresses can access the Internet but can't access real addresses at the second (private) NIC.
What can I do to resolve this problem?
Thanks in advance.

cibernet
Long time Member
Posts: 609
Joined: Fri Jan 28, 2005 8:22 pm
Location: Salta, Republica Argentina

by cibernet » Tue Jan 17, 2006 9:40 pm

Try using a bridge... Tell us more about what you want to do...
José Ignacio Acosta
MikroTik Consultant IDAR0001
Mikronet

Mobile: +54 9 03877-451218
Email/Msn: info[at]mikronet.com.ar
Website: http://www.mikronet.com.ar

djape
Member
Posts: 462
Joined: Sat Nov 06, 2004 8:54 pm
Location: Kingdom of Serbia

by djape » Wed Jan 18, 2006 4:47 am

Hm...
Can you explain this a little bit more?
I don't understand the meaning of
"In this situation I can't see the real address space at the second NIC
from a fake IP address on this NIC.
From the Internet I can see my real space on the private network.
My fake addresses can access the Internet but can't access real addresses at the second (private) NIC."

Cheers...
I drink like a pirate and smoke like a hippie...

egg
just joined
 
Posts: 23
Joined: Sat Jul 03, 2004 12:23 pm

by egg » Wed Jan 18, 2006 11:42 am

Ok ... Sorry for my English ... but ... I'll try to explain :)

Ether1:
- xxx.17.16.2/31

Ether2:
- xxx.17.7.1/24
- 192.168.0.1/24

Rule at firewall nat:
/ip firewall nat add chain=srcnat src-address=192.168.0.2 action=masquerade comment="" disabled=no

I have the default gw xxx.17.16.1 through Ether1.
xxx.17.16.1 is a Cisco router and routes the address space xxx.17.7.0/24 at
xxx.17.16.2. If I use some address from my real address space
(e.g. xxx.17.7.2 with gateway xxx.17.7.1 and mask 255.255.255.0)
everything works fine. I have Internet and access to other users that use addresses from the xxx.17.7.0/24 network.
If I take an address from the 192.168.0.0/24 network (e.g. 192.168.0.2 with
gateway 192.168.0.1 and mask 255.255.255.0) I have full access to the Internet and to other users that use addresses from 192.168.0.0/24, but have no access to users who use addresses from xxx.17.7.0/24 except xxx.17.7.1 (because it's an IP in my MT box).

Thanks for answers.

djape
Member
Posts: 462
Joined: Sat Nov 06, 2004 8:54 pm
Location: Kingdom of Serbia

by djape » Wed Jan 18, 2006 1:03 pm

The problem is that you use masquerade.
Which means that all IPs from the 192.168.0.0/24 network will use the gateway's IP address.
What you need to do is to configure src-nat and dst-nat.
Assume that your PC's address is 192.168.0.5/32 and you want to access it from the Internet.
Go to ip firewall nat and place the following rule on top of masquerade:

add chain=srcnat src-address=192.168.0.5/32 action=src-nat to-addresses=xxx.17.7.x/32 to-ports=0-65535

then do dst-nat

add chain=dstnat dst-address=xxx.17.7.x/32 action=dst-nat to-addresses=192.168.0.5/32 to-ports=0-65535

This should be done for each address (PC) that you want to access from the Internet, where x will be one of the addresses assigned to you by the ISP.

All others will go through masquerade!

Cheers...
I drink like a pirate and smoke like a hippie...

egg
just joined
 
Posts: 23
Joined: Sat Jul 03, 2004 12:23 pm

by egg » Wed Jan 18, 2006 5:04 pm

Mmm no. :( This is not what I need.
I want to make a connection between users with fake IP addresses and users
with real addresses. I don't want to access fake IPs from the Internet, and this
is the reason that I don't use dstnat and people use fake IPs.
But when I make a server (e.g. a web server) with a real IP address, to access
it from the Internet, I can't access this server from a fake IP address.

egg
just joined
 
Posts: 23
Joined: Sat Jul 03, 2004 12:23 pm

by egg » Wed Jan 18, 2006 5:09 pm

Maybe I'll try to make my question simpler.

Ether2:
- 192.168.0.1/24
- xxx.17.7.1/24
How do I make a connection from users with IP 192.168.0.2-254 to the server with IP xxx.17.7.2?

djape
Member
Posts: 462
Joined: Sat Nov 06, 2004 8:54 pm
Location: Kingdom of Serbia

by djape » Sun Jan 22, 2006 2:33 pm

Well, it seems your ip route configuration needs to be checked. Look in there and you'll solve the problem...
I drink like a pirate and smoke like a hippie...

lastguru
Member
Posts: 439
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia

by lastguru » Mon Jan 23, 2006 6:43 pm

egg wrote: /ip firewall nat add chain=srcnat src-address=192.168.0.2 action=masquerade comment="" disabled=no

Try specifying the output interface, and see what happens.
International MikroTik Certified Trainer and Consultant from Latvia.
I do RouterOS Training and Certification worldwide!

skype: lastguru
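
Added example (not part of the thread, and not MikroTik's code): a Python check that reads `/ip firewall nat` rule lines and reports srcnat rules that rewrite source addresses without naming an outgoing interface, which is the property lastguru's suggestion targets in the rule egg posted. The second and third sample rules are constructed for illustration; treating `ether1` as the public side follows egg's description, and the thread does not say whether the change fixed the problem.

```python
import shlex

SRC_REWRITE_ACTIONS = {"masquerade", "src-nat"}
# RouterOS matchers that limit a NAT rule to a given egress interface.
SCOPE_KEYS = ("out-interface", "out-interface-list")


def parse_rule(line):
    """Split one '/ip firewall nat add ...' line into a dict of key=value pairs."""
    params = {}
    for token in shlex.split(line):  # shlex handles quoted values like comment=""
        if "=" in token:
            key, value = token.split("=", 1)
            params[key] = value
    return params


def unscoped_srcnat(lines):
    """Return enabled srcnat rules that rewrite sources on every egress interface."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule.get("chain") != "srcnat":
            continue
        if rule.get("action") not in SRC_REWRITE_ACTIONS:
            continue
        if rule.get("disabled") == "yes":
            continue
        if not any(rule.get(key) for key in SCOPE_KEYS):
            findings.append(rule)
    return findings


# Sample input: line 1 is the rule quoted in the thread; lines 2 and 3 are
# constructed (198.51.100.5 is a documentation address, not from the thread).
SAMPLE = [
    '/ip firewall nat add chain=srcnat src-address=192.168.0.2 action=masquerade comment="" disabled=no',
    '/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 out-interface=ether1 action=masquerade',
    '/ip firewall nat add chain=dstnat dst-address=198.51.100.5 action=dst-nat to-addresses=192.168.0.5',
]

if __name__ == "__main__":
    for rule in unscoped_srcnat(SAMPLE):
        print("srcnat rule without out-interface:", rule)
```
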

djape
Member
Posts: 462
Joined: Sat Nov 06, 2004 8:54 pm
Location: Kingdom of Serbia

by djape » Mon Jan 23, 2006 7:06 pm

lastguru wrote: Try specifying the output interface, and see what happens.


Good point. I totally forgot that...
I drink like a pirate and smoke like a hippie...
