1:1 NAT configuration between two VLANs

Hi all, I’m new to MikroTik, but before posting this new topic I did a lot of searching on the web without finding a solution.

I have two VLANs configured under the same bridge.

10.0.10.x/24 subnet - VLAN10
10.0.20.x/24 subnet - VLAN20

Using WinBox I’ve created a firewall rule that allows all traffic from some VLAN20 IPs to all of 10.0.10.x/24.
It works fine, I’m able to reach those IPs from any device under VLAN10. Since I’m a newbie I’m happy with this result!

For a particular device configuration I need to create a 1:1 NAT between 10.0.10.221 and 10.0.20.1.
The final target is: assuming that I’m on 10.0.10.13 IP, I’m able to ping 10.0.10.221 (because the NAT will redirect my ping to 10.0.20.1).

I’ve tried to configure a “dst nat” but it doesn’t seem to work.
I’ve also tried to configure a “dst nat” over “netmap” but it’s the same…

I’m a little bit confused… I have great knowledge and skills in NAT configuration on devices from many other brands like Fortinet, SonicWall, Zyxel, Altaro, Ubiquiti UniFi,… but here I need your help.
May I ask for your suggestion on how I can configure this simple kind of NAT?
Many thanks in advance.

Bye!

Hi guys, does nobody know how to configure a simple NAT on MikroTik?
Can nobody help me?

Thank you!
Bye!

Perhaps add a network diagram because I don’t understand the request.
You use config language dst-nat etc, to describe a requirement.

I understand
identify a user, group of users, device, group of devices
identify what traffic flow they need (without any config talk)

Hi anav, thank you for your reply!
Sure, attached is a simple diagram of what I need to obtain from this NAT configuration.

I have created this thing on Fortinet in this way:

  • I’ve created the IP object 10.0.10.221 with name Device1
  • I’ve created the IP object 10.0.20.1 with name NatDevice1
  • I’ve created a firewall policy that allows traffic from VLAN10 with source Device1 to VLAN20 with destination NatDevice1

If I’m on 10.0.10.13 IP, for example, and I ping 10.0.10.221, I receive a reply with no problems.

I don’t understand how I can replicate this configuration in MikroTik logic.
Thank you so much for your help.
Diagram.jpg

Hi again, I’ve an update.

I’ve created a dst-nat and enabled logs.

Then I started a ping -t from 10.0.10.13 to 10.0.10.221.

As I can see from the logs, the ping is triggering this NAT because I can see traffic.

Log message:
dstnat: in:VLAN10 out:(unknown 0), src-mac c4:9d:ff:a9:75:c5, proto ICMP (type 8, code 0), 10.0.10.13->10.0.10.221, len 60

I suppose that the problem is the outgoing interface… it is different from the “VLAN10” incoming interface… how can I explain to the dst-nat that the outgoing interface should be different? In the NAT rule window I can only input a destination address without specifying its interface…

Thank you!

Finally I’ve found the solution: I’ve configured a dst-nat chain with netmap action.

It’s working fine.

Thank you for the support.
Have a nice day!
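
For readers looking for the rule itself, here is an added example (not part of the original posts, and not the poster's actual configuration) of a dst-nat chain rule with the netmap action, as the post above describes. The interface name VLAN10 and the addresses come from the thread; the rule scoping, the forward filter rule and its position in the rule list are assumptions, since the thread does not show the rest of the configuration.

```routeros
# Added illustration, not the poster's actual configuration.
# Assumes the router already receives packets addressed to 10.0.10.221 on
# VLAN10, as the dstnat log line in the thread shows.

/ip firewall nat
# dstnat is evaluated before the routing decision, which is why the log line
# shows "out:(unknown 0)". The outgoing interface is chosen afterwards by
# routing on the translated address 10.0.20.1, so no out-interface is set here.
add chain=dstnat in-interface=VLAN10 dst-address=10.0.10.221 \
    action=netmap to-addresses=10.0.20.1 \
    comment="1:1 NAT 10.0.10.221 -> 10.0.20.1"

/ip firewall filter
# The forward chain sees the packet after translation, so it has to match the
# real address 10.0.20.1. connection-nat-state=dstnat limits the accept to
# connections that arrived via the NAT rule above, so direct traffic to
# 10.0.20.1 stays subject to the other forward rules.
# Assumed to sit above any drop rule in the forward chain.
add chain=forward in-interface=VLAN10 dst-address=10.0.20.1 \
    connection-nat-state=dstnat action=accept \
    comment="allow only NATed traffic to 10.0.20.1"
```
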

Glad you have it solved, it sounded like a dstnat of some sort but without the use case I was in the dark.
I have no clue what you were trying to accomplish from a layperson’s perspective…