Hi,
Can I do this?
WAN IP (assigned by ISP, X.X.X.X) and 172.16.0.0/24 (addresses created by router) ↔ ROUTER <—> LAN 192.168.0.0/24,
with 1:1 NAT between 172.16.0.0/24 and 192.168.0.0/24.
The question is primarily about the IP addresses on the WAN, but in this context with the 1:1 NAT.
Thanks anyone for helping.
Yes. only one router. I’ll try to understand the rest before replying any further.
What are you trying to do?
In your example:
WAN IP (assigned by ISP, X.X.X.X) and 172.16.0.0/24 (addresses created by router) ↔ ROUTER <—> LAN 192.168.0.0/24
Is ROUTER a second router which is also connected to the WAN segment, or is it the router you’re trying to do additional 1:1 on?
I assume there’s only one router…
The short answer is this:
You can do both at the same time, but the network needs to be able to forward 172.16.0.0/24 to your router’s WAN interface. Assuming that packets with those destination IPs are going to reach your router, then you can use netmap actions:
/ip route add dst=172.16.0.0/24 type=blackhole
/ip firewall nat
add chain=dstnat dst-address=172.16.0.0/24 action=netmap to-address=192.168.0.0/24
add chain=srcnat src-address=192.168.0.0/24 dst-address-list=specialhosts action=netmap to-address=172.16.0.0/24
add chain=srcnat out-interface=WAN action=masquerade
(the masquerade rule probably already exists in your NAT rules - I just repeated it here to illustrate that the netmap rules should come first in the list)
You’ll also need an address-list which has the hosts / networks which will be viewing your network as 172.16.0.0
Thanks ZB.
The single router is behind a cell modem with ip-passthrough. So the router’s wan would be assigned the modem’s ip.
I had the 1:1 nat working correctly(with an openwrt router) when the modem was assigning a lan address. But I want to use ipsec/gre on the new mikrotik router and I’m uncertain if I can forward the esp protocol 50 thru the cell modem.
The modem doesn’t have vpn passthrough, just ip-passthrough, dmz, or port forwarding. I am uncertain what the difference really is between the ip-passthrough or the dmz, other than the assigned address and a modem management port when in dmz. It only has a single ethernet port.
My intention is to have many modems with 172.16.x.0/24, connected remotely via ipsec/gre to a central mikrotik and/or CHR. The lan addresses will be identical at every site. In some applications there would be no central modem.
Currently testing with a pair of haplite’s and an rb850.
I’d suggest using something like L2TP where the routers can all “phone home” into a central VPN server and have their VPN interface IP assigned by a profile in the server.
You wouldn’t need to use 1:1 NAT or anything fancy in this case. The 172.x.x.x addresses would just get assigned by the server as an additional IP address on the system so you wouldn’t need to do any NAT to get it to work.
The LAN’s on every device will be identical. 192.168.0.0/24. Or at least I will have limited control over the IP’s.
I’m actually following your suggestion from http://forum.mikrotik.com/t/routing-to-multiple-same-subnet-vpns/94990/1
The radio has l2tp and gre capabilities, but I’ve had some difficulties with the configuration. I also want to allow modems from different manufacture’s and am attracted to having the interesting bits in the router not in the cell modem. Hence, just do it all in the router and make the modem transparent.
I appreciate your suggestions. But I don’t see the difference between doing the networking via l2tp or via ipsec/gre. Either way, wouldn’t I need to netmap the lan to the wan or intermediate network?
okay - it makes more sense what your goal is now.
Then my first response to this thread is pretty much what you need to do.
If your core network is contained in a single CIDR block (172.16.0.0/24 for instance) then you can just use dst-address=172.16.0.0/24 instead of using dst-address-list=specialhosts
If your VPN type uses a tunnel interface, then you can use out-interface=tunnel-interface instead of the dst-address (I much prefer this method to using explicit IP addresses)
Terrific. I’ll give it a try.
Zerobyte. Thanks. I got it working as per your suggestion.
My tests so far are with gre tunnels.
This is on device 2.
/ip firewall nat
add action=netmap chain=dstnat dst-address=172.16.2.0/24 to-addresses=192.168.0.0/24
add action=netmap chain=srcnat dst-address=172.16.2.0/24 src-address=192.168.0.0/24 to-addresses=172.16.2.0/24
add action=masquerade chain=srcnat comment=“default configuration” out-interface=gre-tunnel1
add action=masquerade chain=srcnat comment=“default configuration” out-interface=gre-tunnel254
seems to work, but I haven’t ran both tunnels at the same time yet.
My tunnel endpoint addresses are arbitrarily 1.1.1.x/24. This leads me to tunnel endpoints on device 2 with the duplicate address 1.1.1.2. I hope this doesn’t cause problems.
To match the above,
on device 2,
tunnel 1 is 1.1.1.2/24 to 1.1.1.1/24
tunnel 254 is 1.1.1.2/24 to 1.1.1.254/24
I don’t know if having 1.1.1.2 as the endpoint for all tunnels on device 2 will work. I think the /24 network would also lead to excessive traffic over my cell modems, so it’s crucial that I get this part correct.
Anyways, just wanted to give an update and say thanks.