1-to-1 NAT with state table

I have this use case where I need something I don't know whether MT can do.
Three locations, one master with a NOC software and two sites with servers.
Each location has a public IP but all internal servers use src-NAT to access the Internet.

I have to set a VPN between the NOC and each of the two sites so the NOC monitors the servers behind.
The two sites have the same private IP segments and the NOC software does not support overlapping IPs.

Talked to the NOC software people and they advised me to implement NAT at each of the two client sites so that the NOC software sees two different private networks without having to change anything on the servers.

The only requirement they have is that the NAT table is permanent at the sites, meaning that the translated IP should be always the same.
To illustrate, the IPs are like this:
NOC Public IP: 1.1.1.1
NOC Private Subnet: 192.168.100.0/24

Site 1 Public IP: 2.2.2.2
Site 1 Private Subnet: 10.0.0.1/24

Site 2 Public IP: 3.3.3.3
Site 2 Private Subnet: 10.0.0.1/24

========
I would need a translation like this:
NOC Public IP: 1.1.1.1
NOC Private Subnet: 192.168.100.0/24

Site 1 Public IP: 2.2.2.2
Site 1 Private Subnet: 10.0.0.1/24
Site 1 NAT Pool for VPN with NOC: 192.168.200.0/24
(Server 1 with IP 10.0.0.10 should always be translated to 192.168.200.10)
(Server 2 with IP 10.0.0.11 should always be translated to 192.168.200.11)
etc
etc

Site 2 Public IP: 3.3.3.3
Site 2 Private Subnet: 10.0.0.1/24
Site 2 NAT Pool for VPN with NOC: 192.168.300.0/24
(Server 8 with IP 10.0.0.10 should always be translated to 192.168.300.10)
(Server 9 with IP 10.0.0.11 should always be translated to 192.168.300.11)
etc
etc

=======

I'm somewhat familiar with simplistic NAT and PAT on Mikrotik, but not sure on this one.

Thanks a lot for the help.

Yes, you can do this with target netmap in the NAT page.

Choose a “virtual” range for each site - e.g. 172.16.1.0/24 = site 1, 172.16.2.0/24 = site 2, etc…

I assume that the NOC’s private range does not overlap the private ranges at the sites - if so, then you just extend this solution to cover the NOC addresses as well.

At the NOC router, route the virtual range to each site. The NOC devices will refer to the site devices using their “virtual” addresses.

At the site router, use netmap (as stated by Pe1chl):
action=netmap chain=dstnat dst-address=172.16.1.0/24 to-address=192.168.1.0/24 (to-address=the real internal range)
action=netmap chain=srcnat src-address=192.168.1.0/24 to-address=172.16.1.0/24 (src-address=the real internal range)

I just read about Netmap on the Mikrotik Wiki.
Great suggestion.
One question though: will Netmap make the NAT table static on a prefix basis?
For example, will server 10.0.0.10 always be translated to 192.168.200.10, even if the servers came online in a different order?
(We cannot have a case where one day 10.0.0.10 is translated to 192.168.200.10 and another day it is translated to 192.168.200.21 because other servers came online first after a general reboot.)
Thanks a lot!

Yes, this is just a static translation; that is why the 2 networks must have the same size.
There is no dynamic mapping table like with masquerade or src-nat.
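To make the static, prefix-based behaviour of netmap concrete (the two netmap rules in the earlier reply and the question about servers coming online in a different order), here is an added model of the translation in Python; it is not part of the thread or of RouterOS. It assumes a real site range of 10.0.0.0/24 (the OP's 10.0.0.x servers) and the "virtual" ranges 172.16.1.0/24 and 172.16.2.0/24 suggested in the reply.

```python
import ipaddress
import random


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """Translate addr from from_net into to_net the way a netmap rule does:
    the network bits are swapped, the host bits are carried over unchanged.
    Nothing is looked up or remembered, so the result depends only on the
    address itself, never on which hosts were seen first."""
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net, strict=True)
    dst = ipaddress.ip_network(to_net, strict=True)
    if src.prefixlen != dst.prefixlen:
        # netmap is a 1:1 mapping, so both prefixes must be the same size
        raise ValueError(f"{src} and {dst} differ in size")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    host_part = int(ip) - int(src.network_address)
    return str(dst.network_address + host_part)


def translate_site(servers: list, real_net: str, virtual_net: str) -> dict:
    """srcnat direction: {real address: virtual address} for every server."""
    return {s: netmap(s, real_net, virtual_net) for s in servers}


def mapping_is_order_independent(servers: list, real_net: str,
                                 virtual_net: str, trials: int = 5) -> bool:
    """Re-run the translation with the servers in random order (simulating a
    different boot order after a general reboot) and check nothing changes."""
    baseline = translate_site(servers, real_net, virtual_net)
    for _ in range(trials):
        shuffled = servers[:]
        random.shuffle(shuffled)
        if translate_site(shuffled, real_net, virtual_net) != baseline:
            return False
    return True


def round_trips(addr: str, real_net: str, virtual_net: str) -> bool:
    """srcnat (real -> virtual) followed by dstnat (virtual -> real) must
    return the original address, otherwise NOC replies would go astray."""
    return netmap(netmap(addr, real_net, virtual_net), virtual_net, real_net) == addr


if __name__ == "__main__":
    # constructed example: the same real address at two sites maps to two
    # different virtual addresses, which is what the NOC software needs
    for site, vnet in ((1, "172.16.1.0/24"), (2, "172.16.2.0/24")):
        print(f"site {site}: 10.0.0.10 -> {netmap('10.0.0.10', '10.0.0.0/24', vnet)}")
```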

Excellent

I have two extra MT routers, I will test it this weekend and will report back.
Thanks!

That’s the thing about stateless NAT - if it didn’t predictably do the same thing each and every time, then it wouldn’t work.