1:1 NATting of /29 subnet

Hello,

This looks easy on paper but it gives me a headache. An ISP gives a /29 subnet.

Let’s say 1.1.1.1/29 is a GW and port eth1 in my Mikrotik has an IP 1.1.1.2/29.

Ports eth2,3,4,5 are LAN network with multiple devices connected. I would like two of them (10.0.0.7, 10.0.0.8) to use other IPs from the /29 range (1.1.1.3/29 and 1.1.1.4/29) and the rest of the hosts to use 1.1.1.2

So in theory I add all /29 IPs to my WAN interface (so eth1 has 1.1.1.2/29, 1.1.1.3/29 and 1.1.1.4/29)
I also create two rules in NAT for each host:

/ip firewall nat add chain=dstnat dst-address=1.1.1.3 action=dst-nat to-addresses=10.0.0.7
/ip firewall nat add chain=srcnat src-address=10.0.0.7 action=src-nat to-addresses=1.1.1.3

The problem is this is not working. Am I missing something, or is it not as straightforward as I think?

The two rules as such should do what you expect them to do.

However, the firewall rules work as a system where mutual order matters and rules in different chains must work in accord. So it is possible that these rules are shadowed by other ones, or that you do not permit dst-nated connections in the forward chain of the filter, … or you may be testing connections to 1.1.1.2 from a client in the same LAN subnet as the server, so the response from the server takes a shortcut, etc.

So post a carefully anonymized but otherwise complete export of your config (see my automatic signature below) and provide details on how you are testing.

To add to what @sindy said, the other IPs in that prefix might not be available to you, i.e. might belong to devices on the link to you, etc…

Use netmap, in the right order relative to the other rules

/ip firewall nat
[...]
add action=netmap chain=dstnat dst-address=1.1.1.3 to-addresses=10.0.0.7
add action=netmap chain=srcnat src-address=10.0.0.7 to-addresses=1.1.1.3
[...] 
add chain=srcnat action=masquerade [...]
[...]
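The replies above name three things to check: rule order, the forward chain of the filter, and the hairpin case. As an added worked example (not posted by anyone in this thread), here is one complete RouterOS layout for the scenario in the first post. It assumes the LAN is 10.0.0.0/24 (the thread only names .7 and .8), that the WAN port is eth1, and that the ISP really does route 1.1.1.3 and 1.1.1.4 to you rather than using them on its own side of the link.

```routeros
# Added example for the 1:1 NAT scenario above, not from the thread.
# Assumptions: LAN = 10.0.0.0/24, WAN port = eth1, 1.1.1.3 and 1.1.1.4 are yours.

/ip address
add address=1.1.1.2/29 interface=eth1 comment="primary WAN address"
add address=1.1.1.3/29 interface=eth1 comment="1:1 address for 10.0.0.7"
add address=1.1.1.4/29 interface=eth1 comment="1:1 address for 10.0.0.8"

/ip firewall nat
# dstnat is evaluated before routing, srcnat after it. Specific mappings come first.
add chain=dstnat dst-address=1.1.1.3 action=dst-nat to-addresses=10.0.0.7 comment="1:1 inbound .7"
add chain=dstnat dst-address=1.1.1.4 action=dst-nat to-addresses=10.0.0.8 comment="1:1 inbound .8"
# Hairpin: a LAN client that connects to 1.1.1.3 is dst-nated to 10.0.0.7 by the rule above.
# Its source must be rewritten too, or the server replies to the client directly and the
# reply never passes back through the router (the "shortcut" mentioned in the replies).
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.7 action=masquerade comment="hairpin .7"
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.8 action=masquerade comment="hairpin .8"
# Outbound 1:1 for the two hosts.
add chain=srcnat src-address=10.0.0.7 out-interface=eth1 action=src-nat to-addresses=1.1.1.3 comment="1:1 outbound .7"
add chain=srcnat src-address=10.0.0.8 out-interface=eth1 action=src-nat to-addresses=1.1.1.4 comment="1:1 outbound .8"
# Catch-all LAST. If this rule sits above the two specific src-nat rules it matches
# 10.0.0.7 first and they are shadowed, which is the ordering problem described above.
add chain=srcnat src-address=10.0.0.0/24 out-interface=eth1 action=src-nat to-addresses=1.1.1.2 comment="everyone else as .2"

/ip firewall filter
# NAT alone does not let the inbound connection through; the forward chain must accept it.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new connection-nat-state=dstnat in-interface=eth1 action=accept comment="allow dst-nated inbound"
add chain=forward connection-state=new in-interface=eth1 action=drop comment="drop other unsolicited WAN"
```

Ordering inside each chain is what the printed position shows, so after pasting, compare `/ip firewall nat print` with the intent above and watch the counters with `/ip firewall nat print stats` while testing; a specific rule whose counter stays at zero while the catch-all climbs is being shadowed. `/ip firewall connection print` shows the translated addresses of live connections, which is the quickest way to tell a NAT problem from a filter problem. The `connection-nat-state=dstnat` accept exposes every port of 10.0.0.7 and 10.0.0.8 to the Internet; if only a few services need to be reachable, narrow the dstnat rules (and that accept) with `protocol=` and `dst-port=` instead of mapping the whole address.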