1:1 NAT

Hello
I have a question

I have 2 networks.
The PC B1 needs access to the server.
The server and the computer on A need to access the PC B1.
How can I configure this?
I ask for help
Thank you very much

So you have two different networks with same IP subnet and want them to communicate with each other? It’s not completely impossible, but if you want to save yourself from future headaches, just renumber one network. If you think you can’t, then think about it again, it’s worth it.

If you really can’t, you’ll need to use some virtual networks. Obviously you can’t simply connect from left 192.168.0.11 to right 192.168.0.11. You’ll need to connect to some different address and let routers with NAT do the rest. Let’s say the virtual subnet for the left network is 192.168.1.0/24 and for the right network it’s 192.168.2.0/24:

LAN1 192.168.0.0/24 --- [Router1] ----tunnel---- [Router2] --- 192.168.0.0/24 LAN2
    (192.168.1.0/24)                                          (192.168.2.0/24)

To connect from left to right, you’ll be connecting to 192.168.2.x. To connect from right to left, you’ll be connecting to 192.168.1.x.

Router1:

/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=<router2>
/ip firewall nat
add action=netmap chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.0.0/24 to-addresses=192.168.1.0/24
add action=netmap chain=dstnat dst-address=192.168.1.0/24 src-address=192.168.2.0/24 to-addresses=192.168.0.0/24

Router2:

/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=<router1>
/ip firewall nat
add action=netmap chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.0.0/24 to-addresses=192.168.2.0/24
add action=netmap chain=dstnat dst-address=192.168.2.0/24 src-address=192.168.1.0/24 to-addresses=192.168.0.0/24
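To see what the two netmap rule sets above do to a packet, here is an added simulation (not code from the post or from RouterOS) that applies each router's dstnat-then-srcnat netmap rules to a left .11 → right .11 connection and to its reply; the only assumption is that a destination in the other side's virtual prefix is always sent over the tunnel.

```python
# Added example: simulate the netmap 1:1 NAT of Router1 and Router2 above.
import ipaddress

LAN_REAL = ipaddress.ip_network("192.168.0.0/24")  # both LANs use this range
ROUTERS = {
    # name: (virtual prefix its own LAN is seen as, virtual prefix of the other LAN)
    "Router1": (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24")),
    "Router2": (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.1.0/24")),
}

def netmap(addr, from_net, to_net):
    """RouterOS action=netmap: keep the host bits, swap the network prefix."""
    offset = int(ipaddress.ip_address(str(addr))) - int(from_net.network_address)
    return str(to_net.network_address + offset)

def pass_router(name, src, dst):
    """Apply one router's chain=dstnat (prerouting) and then chain=srcnat (postrouting) rules."""
    local_virt, remote_virt = ROUTERS[name]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # chain=dstnat: other LAN (virtual src) aiming at our virtual prefix -> our real prefix
    if d in local_virt and s in remote_virt:
        d = ipaddress.ip_address(netmap(d, local_virt, LAN_REAL))
    # chain=srcnat: our real hosts talking to the other LAN's virtual prefix
    if d in remote_virt and s in LAN_REAL:
        s = ipaddress.ip_address(netmap(s, LAN_REAL, local_virt))
    return str(s), str(d)

def deliver(src, dst):
    """Walk a packet from the sender's LAN over the tunnel into the other LAN.
    Returns ((src, dst) as carried on the tunnel, (src, dst) as the receiver sees it).
    Assumption: dst is a virtual address, so the first hop is the router of the sender's LAN."""
    first = "Router1" if ipaddress.ip_address(dst) in ROUTERS["Router1"][1] else "Router2"
    second = "Router2" if first == "Router1" else "Router1"
    on_tunnel = pass_router(first, src, dst)
    return on_tunnel, pass_router(second, *on_tunnel)

if __name__ == "__main__":
    tunnel, received = deliver("192.168.0.11", "192.168.2.11")  # left .11 -> right .11
    print("request on tunnel", tunnel, "received as", received)
    tunnel, received = deliver(received[1], received[0])        # right .11 replies
    print("reply   on tunnel", tunnel, "received as", received)
```

Both directions come out symmetric: the tunnel only ever carries 192.168.1.x and 192.168.2.x addresses, and each side sees the other side purely through its virtual prefix, which is why the reply lands on the real .11 without any per-host rules.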

Good schema: create a bridge between the networks, create a DHCP server and configure dynamic IP assignment on all PCs.


Have a good day!

Thanks for the reply
@Sob:
Yes, we have 2 networks with one same IP (192.168.0.11).
Network A is the Network from my company. We can’t change this.
Network B is a NC-Machine. We can’t change this IP!

Only it is important that the server from network A (192.168.0.200) can connect to the host from network B (B1 192.168.0.11), ping and TCP.
And the host (B1 192.168.0.11) can connect to the server, ping and TCP.
All other computers have no connection.

The problem is that I already have the IP in the network A and can not change this.
They are all static IP addresses.
The router must translate the IP 192.168.0.11 from network B into a different IP, for example 192.168.0.211.
Then the Server can connect with the Client from network B (B1 192.168.0.11) over the IP 192.168.0.211.

Otherwise, the router has no tasks.
Is this possible?

Why can you not change the addresses in the A network? How many machines do you have? Usually a PC does not care what IP it has, neither does the router. For the PC it does not matter if it has an IP in the range of 192.168.0.xxx or 10.0.0.1 or even 85.24.25.236, as long as it knows what to do with the packets.

So please consider changing the range. I had the same problem with a remote site (VPN tunnel), and it became MUCH easier and simpler to set up when I changed the remote site to a different IP range. Immediately all problems and issues were “solved”.

Yes, it takes time to prepare, plan etc… but it was worth the headache time, which has now gone.


For easiness:

If your existing PC A1 has an IP of 192.168.0.11 then make it 192.168.5.11. That way you still keep the numeration exact, but only one number changed.

You should bridge all ports on your router, then connect the PC and server to the router.

Can’t bridge with same addresses (e.g. .11) in both networks.

But if full communication between any host in network A and any host in network B is not required, it’s possible to do something like this:

/interface ethernet
set [ find default-name=<network A interface> ] arp=proxy-arp
/ip address
add address=192.168.0.211/24 interface=<network A interface> network=192.168.0.0
add address=192.168.0.210/32 interface=<network B interface> network=192.168.0.11
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.0.211 to-addresses=192.168.0.11
add action=masquerade chain=srcnat out-interface=<network B interface>
add action=src-nat chain=srcnat out-interface=<network A interface> \
    src-address=192.168.0.11 to-addresses=192.168.0.211

Fake address .211 will be visible in network A. Any host in network A will be able to connect to it and it will be forwarded to .11 in network B, where it will look like it comes from .210. It’s one direction. For the other one, .11 from network B will be able to connect to any address in network A, which is not in use in network B. So it will be able to connect to .200, but not to the other .11, .12 and .210. From the description so far it should be enough.

Sob - pretty nice work-around, but what happens to the .11 that’s really in network A?
Seems like that host would be screwed by this deal…


To OP:
I strongly recommend renumbering the A.11 host to something else and then just connecting the B.11 host into the same network and having done with it. Legacy work-arounds like this tend to snowball into unimaginably horrible tangles. (I inherited some firewalls that have a colossal amount of crap like this in them, and I cry every time I log into one of them.)

Oops, sorry, error in testing… but it can be fixed:

/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=<network A interface> routing-mark=lanA
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=192.168.0.0/24 \
    in-interface=<network B interface> new-routing-mark=lanA passthrough=no

Now A .11 can connect to B .11 (using “virtual” .211).

It’s still not possible the other way around, but going by the arrows in the original picture, it’s not necessary. Although why not, let’s make .210 do the same for the B network that .211 does for the A network:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.0.210 to-addresses=192.168.0.11

Now B .11 can connect to .210 and get to A .11.

It’s becoming a little messy for my taste, I mean if I wanted to actually use it. I don’t mind playing with it.

Heh - policy based routing FTW.
I know what you mean, though. I’ve given many “mad science” solutions on here that I would never recommend actually USING, but sometimes people just want to do something a certain way.
The mad science itself is definitely fun for its own sake sometimes - taking advantage of quantum effects of ARP, etc.