
Can't access real address from fake address in the same NIC.

Posted: Tue Jan 17, 2006 2:06 pm
by egg
Hello,
I have an MT 2.9.7 box with 2 NICs.
The first NIC (public) is connected to my ISP by LAN and the second
NIC is connected to my private network. My ISP gives me the real
address space xxx.14.7.0/24 and I route it to the second NIC (private).
On the second (private) NIC I have one more network with a fake address, 192.168.0.0/24.
In this situation I can't see the real address space on the second NIC
from a fake IP address on this NIC.
From the Internet I can see my real space on the private network.
My fake addresses can access the Internet but can't access the real addresses on the second (private) NIC.
What can I do to resolve this problem?
Thanks in advance.

Posted: Tue Jan 17, 2006 8:40 pm
by cibernet
Try using a bridge... Tell us more about what you want to do...

Posted: Wed Jan 18, 2006 3:47 am
by djape
Hm...
Can you explain this a little bit more?
I don't understand the meaning of
"In this situation I can't see the real address space on the second NIC
from a fake IP address on this NIC.
From the Internet I can see my real space on the private network.
My fake addresses can access the Internet but can't access the real addresses on the second (private) NIC."

Cheers...

Posted: Wed Jan 18, 2006 10:42 am
by egg
OK... Sorry for my English... but... I'll try to explain :)

Ether1:
- xxx.17.16.2/31

Ether2:
- xxx.17.7.1/24
- 192.168.0.1/24

Rule in firewall NAT:
/ip firewall nat add chain=srcnat src-address=192.168.0.2 action=masquerade comment="" disabled=no

I have the default gw xxx.17.16.1 through Ether1.
xxx.17.16.1 is a Cisco router and it routes the address space xxx.17.7.0/24 to
xxx.17.16.2. If I use some address from my real address space
(e.g. xxx.17.7.2 with gateway xxx.17.7.1 and mask 255.255.255.0)
everything works fine. I have Internet and access to other users that use an address from the xxx.17.7.0/24 network.
If I take an address from the 192.168.0.0/24 network (e.g. 192.168.0.2 with
gateway 192.168.0.1 and mask 255.255.255.0) I have full access to the Internet and other users that use an address from 192.168.0.0/24, but no access to users who use an address from xxx.17.7.0/24, except xxx.17.7.1 (because it's an IP on my MT box).

Thanks for answers.

Posted: Wed Jan 18, 2006 12:03 pm
by djape
The problem is that you use masquerade.
This means that all IPs from the 192.168.0.0/24 network will use the gateway's IP address.
What you need to do is configure src-nat and dst-nat.
Assume that your PC's address is 192.168.0.5/32 and you want to access it from the Internet.
Go to ip firewall nat and place the following rule on top of masquerade:

add chain=srcnat src-address=192.168.0.5/32 action=src-nat to-addresses=xxx.17.7.x/32 to-ports=0-65535

Then do dst-nat:

add chain=dstnat dst-address=xxx.17.7.x/32 action=dst-nat to-addresses=192.168.0.5/32 to-ports=0-65535

This should be done for each address (PC) that you want to access from the Internet, where x will be one of the addresses assigned to you by the ISP.

All others will go through masquerade!

Cheers...

Posted: Wed Jan 18, 2006 4:04 pm
by egg
Mmm, no. :( This is not what I need.
I want to make a connection between users with fake IP addresses and users
with real addresses. I don't want to access the fake IPs from the Internet, and this
is the reason I don't use dstnat and people use fake IPs.
But when I make a server (e.g. a web server) with a real IP address to access
it from the Internet, I can't access this server from a fake IP address.

Posted: Wed Jan 18, 2006 4:09 pm
by egg
Maybe I'll try to make my question simpler.

Ether2:
- 192.168.0.1/24
- xxx.17.7.1/24
How to make a connection from users with IP 192.168.0.2-254 to the server with IP xxx.17.7.2?

Posted: Sun Jan 22, 2006 1:33 pm
by djape
Well, it seems your ip route configuration needs to be checked. Look in there and you'll solve the problem...

Posted: Mon Jan 23, 2006 5:43 pm
by lastguru
/ip firewall nat add chain=srcnat src-address=192.168.0.2 action=masquerade comment="" disabled=no
Try specifying the output interface, and see what happens.

Posted: Mon Jan 23, 2006 6:06 pm
by djape
Try specifying the output interface, and see what happens.
Good point. I totally forgot that...
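Editor's note: the effect of the output-interface suggestion above, modelled as an added example that is not part of the thread. It is a small Python model of the box's routing table and of srcnat rule matching; it assumes the interface names ether1/ether2, uses 203.0.113.0/24 and 198.51.100.2/31 as constructed stand-ins for the masked xxx.17.7.0/24 and xxx.17.16.2/31, and simplifies masquerade to "rewrite the source to the outgoing interface's address". It shows that the original rule also rewrites traffic from 192.168.0.2 to the real space on Ether2, while the rule bound to the public interface leaves that traffic alone and still masquerades Internet-bound traffic.

```python
import ipaddress
# Constructed stand-ins for the thread's masked addresses (assumption):
# 203.0.113.0/24 plays xxx.17.7.0/24 (real space on Ether2) and
# 198.51.100.2/31 plays xxx.17.16.2/31 (the ISP uplink on Ether1).
ROUTES = [  # (prefix, out-interface); longest prefix match wins
    ("198.51.100.2/31", "ether1"),
    ("203.0.113.0/24", "ether2"),
    ("192.168.0.0/24", "ether2"),
    ("0.0.0.0/0", "ether1"),  # default gateway (xxx.17.16.1) via Ether1
]
IFACE_ADDRS = {  # addresses the MT box holds; action=masquerade picks from these
    "ether1": ["198.51.100.2/31"],
    "ether2": ["203.0.113.1/24", "192.168.0.1/24"],
}

def route(dst):
    """Longest-prefix lookup: the interface a packet to dst leaves through."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in ROUTES
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def masquerade_addr(iface, dst):
    """masquerade rewrites the source to the outgoing interface's address,
    preferring the one on the same subnet as dst (simplified model)."""
    dst = ipaddress.ip_address(dst)
    addrs = [ipaddress.ip_interface(a) for a in IFACE_ADDRS[iface]]
    for a in addrs:
        if dst in a.network:
            return str(a.ip)
    return str(addrs[0].ip)

def srcnat(rules, src, dst):
    """Apply the first matching srcnat rule, in order.
    Returns (out-interface, source address the destination will see)."""
    iface = route(dst)
    for rule in rules:
        if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src-address"]):
            continue
        if rule.get("out-interface") not in (None, iface):
            continue
        if rule["action"] == "masquerade":
            return iface, masquerade_addr(iface, dst)
    return iface, src  # no rule matched: the packet leaves unchanged

# The thread's original rule: no out-interface, so it also matches traffic
# from 192.168.0.2 to xxx.17.7.x, which is routed back out of Ether2.
ORIGINAL = [{"src-address": "192.168.0.2", "action": "masquerade"}]
# The suggested fix: bind the masquerade rule to the public interface only.
FIXED = [{"src-address": "192.168.0.2", "action": "masquerade",
          "out-interface": "ether1"}]
```

With ORIGINAL, a packet from 192.168.0.2 to the stand-in server 203.0.113.2 leaves Ether2 with source 203.0.113.1 (the box's own address); with FIXED it keeps its 192.168.0.2 source, and traffic to the Internet is masqueraded to 198.51.100.2 in both cases.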