Asymmetric NAT question

Hi all,

I have a question regarding asymmetric 1-to-1 NAT. Is it possible with a Mikrotik router?

My current test scheme below:

                     bridge_address: 10.10.10.10/32
                    192.168.0.1/24          10.0.0.1/24
                                  NAT1_Router
                               /              \
               192.168.0.10/24/                \ 10.0.0.10/24     
                  Inside_Router                  Outside_Router
                              \               /
                               \             /
                                 NAT2_Router
                    192.168.0.2/24        10.0.0.2/24
                     bridge_address: 10.10.10.10/32

Network 192.168.0.0/24 is in vlan 10.
Network 10.0.0.0/24 is in vlan 20.

My goal is:

  1. Outside_Router sends packet to address 10.10.10.10 via NAT1_Router
  2. NAT1_Router makes dst-nat, changing destination address 10.10.10.10 to 192.168.0.10
  3. Inside_Router receives the packet and sends a reply back to 10.0.0.10, but not via NAT1_Router: it sends the packet to NAT2_Router.
  4. NAT2_Router must translate this packet back with src-nat, changing source address 192.168.0.10 to 10.10.10.10.

The problem is that NAT2_Router does not translate the local address 192.168.0.10 to the address 10.10.10.10. As a result, Outside_Router receives replies with source IP address 192.168.0.10, not 10.10.10.10.

Inside_Router configuration:

/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
/ip address
add address=192.168.0.10/24 interface=vlan10 network=192.168.0.0
/ip route
add distance=1 dst-address=10.0.0.0/24 gateway=192.168.0.2
/system identity
set name=Inside_Router

NAT1_Router configuration:

/interface bridge
add name=br-nat-1
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan20 vlan-id=20
/ip address
add address=192.168.0.1/24 interface=vlan10 network=192.168.0.0
add address=10.0.0.1/24 interface=vlan20 network=10.0.0.0
add address=10.10.10.10 interface=br-nat-1 network=3.3.3.3
/ip firewall nat
add action=netmap chain=dstnat dst-address=10.10.10.10 to-addresses=192.168.0.10
add action=netmap chain=srcnat src-address=192.168.0.10 to-addresses=10.10.10.10
/system identity
set name=NAT1_Router

NAT2_Router configuration:

/interface bridge
add name=br-nat-1
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan20 vlan-id=20
/ip address
add address=192.168.0.2/24 interface=vlan10 network=192.168.0.0
add address=10.0.0.2/24 interface=vlan20 network=10.0.0.0
add address=10.10.10.10 interface=br-nat-1 network=10.0.0.0
/ip firewall nat
add action=netmap chain=dstnat dst-address=10.10.10.10 to-addresses=192.168.0.10
add action=netmap chain=srcnat src-address=192.168.0.10 to-addresses=10.10.10.10
/system identity
set name=NAT2_Router

Outside_Router configuration:

/interface vlan
add interface=ether1 name=vlan20 vlan-id=20
/ip address
add address=10.0.0.10/24 interface=vlan20 network=10.0.0.0
/ip route
add distance=1 dst-address=10.10.10.10/32 gateway=10.0.0.1
/system identity
set name=Outside_Router

Appreciate your help.

It should work for UDP, I’m not sure about TCP and ping. One thing is that with loose-tcp-tracking=yes, the filter in the firewall allows the first ever TCP packet seen to be other than the SYN one; another thing is whether connection tracking permits such an other-than-SYN packet to be seen by the nat table. Similar case with ICMP: I think only ping requests are handled by the nat table.

It looks like something that conntrack won’t like at all, it would probably need some stateless NAT, but I’m not sure if it’s even possible in RouterOS.

Thank you sindy for your reply. Indeed, UDP traffic is NATed in this scheme and TCP and ICMP traffic is bypassed. Regarding the loose-tcp-tracking option, I just tried version 6.44.3; it seems there is no difference whether loose-tcp-tracking is enabled or disabled. Anyway, thank you for your help.
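
A constructed model of the behaviour reported in the two posts above (UDP replies translated, TCP and ICMP replies bypassed), added here as an illustration and not taken from the thread or from RouterOS. It assumes that RouterOS connection tracking follows the Linux netfilter rules for which first-seen packet may open a flow; the Pkt type, ports and flags are constructed test input.

```python
# Constructed model (not RouterOS code) of why NAT2_Router in the thread translates
# UDP replies but not TCP/ICMP replies: a stateful NAT applies its srcnat rule only to
# packets allowed to CREATE a conntrack entry, and NAT2_Router never saw the first
# packet of the flow (that went through NAT1_Router).
from dataclasses import dataclass, replace

INSIDE, BRIDGE = "192.168.0.10", "10.10.10.10"   # netmap src-address / to-addresses

@dataclass(frozen=True)
class Pkt:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: str = ""   # "S", "SA" or "A"
    icmp_type: str = ""   # "echo-request" or "echo-reply"

def may_create_entry(p: Pkt, loose_tcp: bool) -> bool:
    """Linux netfilter 'new connection' rules (assumed to hold for RouterOS).
    A flow gets a conntrack entry, and so passes the nat table, only if the
    FIRST packet seen is acceptable as the start of a flow."""
    if p.proto == "udp":
        return True                           # any UDP datagram opens a flow
    if p.proto == "icmp":
        return p.icmp_type == "echo-request"  # replies never open a flow
    if p.tcp_flags == "S":
        return True                           # a SYN always opens a flow
    if p.tcp_flags == "SA":
        return False                          # SYN-ACK first: invalid, loose or not
    return loose_tcp                          # mid-stream pickup of ACK/data

def flow_key(p: Pkt):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def nat2_forward(p: Pkt, conntrack: dict, loose_tcp: bool = True) -> Pkt:
    """Forward one packet through NAT2_Router; returns the packet as emitted."""
    key = flow_key(p)
    if key not in conntrack:
        if not may_create_entry(p, loose_tcp):
            return p                          # untracked: nat table never consulted
        # new flow: evaluate the srcnat netmap rule once, remember the verdict
        conntrack[key] = BRIDGE if p.src == INSIDE else None
    return replace(p, src=conntrack[key]) if conntrack[key] else p

def reply_source_seen_by_outside(p: Pkt, loose_tcp: bool = True) -> str:
    """Source address Outside_Router sees for a reply that NAT2 meets first."""
    return nat2_forward(p, {}, loose_tcp).src
```

The model reproduces the observation that the loose-tcp-tracking setting changes nothing for the SYN-ACK reply of a handshake that started through NAT1_Router, while a UDP reply is translated on its first packet.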

Stateless NAT or connection synchronization between routers. And it seems like neither of these options is available on a Mikrotik router.

Any update on this issue?