1:1 NAT configuration

Hello all,

I have a 1:1 NAT related question. I’ve been trying to test it out at home as I will be moving one server to a DC and need to basically know how to do it before that happens. For those purposes I’ve created 2 new networks (10.30.30.0/29 and 10.30.40.0/29) which should represent the two public IPv4 blocks which I will use there (of course, in the DC these will be outside of the RFC1918 range). I am using two MikroTik routers inside of my home network for this (as you’ll see in the screenshots) and I can ping them from each side, but something seems to be missing. From MT R1 I can’t ping 10.30.30.2, which is a device (Raspberry Pi) inside of the 1:1 NATted network. The Raspberry has 192.168.88.254, which was assigned by MT R2’s DHCP. What am I missing here?

1.png
MT-R1
MT-R1.png
MT-R2
MT-R2.png
MT-R2 export

# 2024-04-14 19:23:39 by RouterOS 7.12.1
# software id = JYVA-SF64
#
# model = RB760iGS
# serial number = HD50802B0EP
/interface bridge
add admin-mac=18:FD:74:AA:5A:C4 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.30.30.1/29 interface=sfp1 network=10.30.30.0
add address=10.30.40.1/29 interface=sfp1 network=10.30.40.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=sfp1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=netmap chain=srcnat out-interface=sfp1 src-address=192.168.88.254 to-addresses=10.30.30.2
add action=netmap chain=dstnat dst-address=10.30.30.2 to-addresses=192.168.88.254
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=\
    fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Your help would be appreciated!

Can you share the config for R1?

Also, you use action netmap instead of srcnat/dstnat. Be sure to understand how netmap works as it has some subtleties.

From my understanding “netmap” should be the fitting option here, only difference being that I use it for single IP translation and not networks. I tried with the same configuration using destination NAT, but nothing really changed.
netmap.png
As for the R1 config, I am not comfortable exporting / sharing it as it’s my main router. Anything that I didn’t share via screenshot, is not configured when it comes to this “lab” setup.

Sure thing.

If you look in r1, do you see an arp entry for 10.30.30.2?

If not, you need a host route in r2 for 10.30.30.2 that points to your pi. You may have to set proxy arp on the external interface as well, can’t remember whether it’s needed.

If you need the commands, let me know.

Netmap is used in overlapping cases by remapping 1:1 duplicated subnets onto virtual subnets. You can find an article of mine here where a small example is shown.
https://foisfabio.it/index.php/2023/04/22/mikrotik-netmap-ipsec/

If you have to map the PC 192.168.88.254 1:1, assuming that 10.10.30.1 is a public IP, you must apply the rules in this way:

/ip firewall nat
add chain=srcnat src-address=192.168.88.254 action=src-nat to-addresses=10.10.30.1
add chain=dstnat dst-address=10.10.30.1 action=dst-nat to-addresses=192.168.88.254

Obviously you can replace 10.10.30.1 with any IP from the /29 pool. I hope I understood the question well and gave you a correct answer.

Thanks for the suggestions.

I did try “dst-nat” before I even tried “netmap” but I was getting the same results. I have disabled the netmap rules and configured what you suggested (except that I used 10.30.30.2 instead of 10.30.30.1, as that is assigned to the MT R2).
dst-nat.png
10.30.30.2 is still not reachable.

If 192.168.88.254 is a PC, disable the firewall or antivirus for testing.
In addition to ICMP, try to reach some service of 192.168.88.254 by calling it from 10.10.30.2.

I did not mention it but of course the 192.168.88.254 is reachable from MT R2.

Go to /ip firewall filter in router 2 and try disabling the drop rules one by one. Every time you disable one, clear the connection tracking from /ip firewall connection and see if it is a firewall problem. I see that you have the default configuration, so the drop !LAN rule will surely give you trouble.

Disabling all “drop” FW rules (including the !LAN one) sadly didn’t change anything.

On R1.

/ip/arp/print

Do you have an entry for 10.30.30.2?

(If you posted it in the screenshot, can’t see it, resolution is too low.)

Please right click on the image and “open image in new tab”, it should show it in full size.
Or use this link for the last screenshot which I attached https://forum.mikrotik.com/download/file.php?id=65961

No ARP entry.

On R2:

/ip/route/add dst-address=10.30.30.2/32 gateway=192.168.88.254

And try again.

Did that, unfortunately no change. (https://forum.mikrotik.com/download/file.php?id=65963)

route-entry.png

But do you have an ARP entry for 10.30.30.2 on R1?

Same as before:

[admin@MikroTik] > ip/arp/print 
Flags: D - DYNAMIC; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
#    ADDRESS         MAC-ADDRESS        INTERFACE
0 DC 10.30.30.6      2C:C8:1B:03:CE:9C  sfp1     
1 DC 192.168.88.254  B8:27:EB:31:6A:60  bridge   
2 D  10.30.30.2                         sfp1

I don’t see why I would get an ARP entry for an IP which isn’t configured on the device NIC.
There’s an ARP entry for 192.168.88.254, as it is to be expected.

Then on R2 you need to set the interface sfp for proxy-arp. You still need the route for 10.30.30.2/32 to 192.168.88.254.

Adapt the following line of code.

/interface/ethernet/set [find name=sfp1] arp=proxy-arp

Note that sfp1 is still present in the bridge, while being used as a L3 interface.
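A small audit script, added here and not from the thread, that parses the relevant sections of a RouterOS export and reports what the posts above say a 1:1 mapping needs on R2: a matching srcnat/dstnat pair, arp=proxy-arp on the WAN interface, and the /32 host route. The BEFORE/AFTER exports are constructed from R2's rules; the `/interface ethernet set [ find default-name=sfp1 ] arp=proxy-arp` line is my assumption of how that setting exports.

```python
import re
# Constructed from R2's export above: the two netmap rules before the fix ...
BEFORE = """\
/ip firewall nat
add action=netmap chain=srcnat out-interface=sfp1 src-address=192.168.88.254 to-addresses=10.30.30.2
add action=netmap chain=dstnat dst-address=10.30.30.2 to-addresses=192.168.88.254
"""
# ... and after adding the proxy-arp setting (assumed export form) and the /32 route.
AFTER = BEFORE + """\
/interface ethernet
set [ find default-name=sfp1 ] arp=proxy-arp
/ip route
add dst-address=10.30.30.2/32 gateway=192.168.88.254
"""
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')                      # key=value or key="quoted value"
FIND = re.compile(r"\[\s*find\s+(?:default-)?name=(\S+)\s*\]")  # target of 'set [ find name=x ]'

def parse_export(text):
    """Group add/set lines of a RouterOS export by menu path as key=value dicts."""
    sections, menu = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):                   # menu path, e.g. /ip firewall nat
            menu = line
        elif line and not line.startswith("#"):    # skip blanks and export header comments
            item = dict(KV.findall(line))
            if m := FIND.search(line):             # record which interface a 'set' targets
                item["name"] = m.group(1)
            sections.setdefault(menu, []).append(item)
    return sections

def check_one_to_one(text):
    """List what is missing for each srcnat/dstnat pair that maps one host 1:1."""
    s = parse_export(text)
    nat = s.get("/ip firewall nat", [])
    src = {(r["src-address"], r["to-addresses"]): r for r in nat
           if r.get("chain") == "srcnat" and "src-address" in r and "to-addresses" in r}
    dst = {(r["to-addresses"], r["dst-address"]) for r in nat
           if r.get("chain") == "dstnat" and "dst-address" in r and "to-addresses" in r}
    proxy = {i.get("name") for i in s.get("/interface ethernet", []) if i.get("arp") == "proxy-arp"}
    routes = {r.get("dst-address") for r in s.get("/ip route", [])}
    findings = []
    for (priv, pub), rule in src.items():
        if (priv, pub) not in dst:
            findings.append(f"{pub}: srcnat for {priv} has no matching dstnat rule")
        if (wan := rule.get("out-interface")) and wan not in proxy:
            findings.append(f"{pub}: {wan} lacks arp=proxy-arp, so the upstream router gets no ARP reply")
        if f"{pub}/32" not in routes:
            findings.append(f"{pub}: no /32 route to {priv}")
    return findings
```

Run `check_one_to_one` on your own `/export` output; an empty list means the three prerequisites discussed in this thread are present for every mapped host.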

After changing the suggested ARP setting for “sfp1” interface, things started to work.

[admin@MikroTik] > ip/arp/print 
Flags: D - DYNAMIC; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
#    ADDRESS         MAC-ADDRESS        INTERFACE
0 DC 192.168.88.254  B8:27:EB:31:6A:60  bridge   
1 DC 10.30.30.6      2C:C8:1B:03:CE:9C  sfp1

Without adding the suggested route. So now I’m not sure if it’s needed?

By the looks of it, this is from R2. Do you have an ARP entry on R1 for 10.30.30.2?

I spoke a bit too soon. ICMP does work, but for example SSH does not (no matter if the suggested route entry is there or not).
Yes, R1 does have an ARP entry now.

Do I need to enter the port range for my dst-nat rule? Although, I thought leaving it empty would mean that all 65535 ports are included.

arp.png