Configure 1:1 NAT

Hello,
I want to configure a MikroTik hAP Lite to do 1:1 NAT, but I am having some problems with that.

I want to achieve that all data coming to eth1 (assigned in RouterOS to 192.168.10.1) is directed to a client device on eth4 (static IP = 192.168.2.15).
So I think 1:1 NAT is the right thing for that job. Is that right?

Over the last two days I’ve tried several different configs from the web, but always without success.

My current config is shown below. Can anybody please help me find my mistake?
For testing, I tried to ping 192.168.10.1 from my computer (192.168.10.5) but didn’t get any response!

Thanks and regards!
NAT.png
interfaces.png
adresses.png

Router doesn’t know about 192.168.2.15 plugged in ether4. You need to have a route for it. Easiest way is to add address 192.168.2.x/24 on ether4 (/24 is most likely netmask). Also the device must be able to talk back to router, so that “x” in the address must be what device has set as default gateway.

Sob, thank you for your answer!

The device has the following settings: IP: 192.168.2.15, Subnet 255.255.255.0 and Gateway 192.168.2.1
So I added 192.168.2.1/24 to the address-list of MikroTik. The route was generated automatically.

But ping is still not working. Are any further settings necessary?
settings.png

What about your other firewall rules? You might have some filtering set up, which won’t let packets pass through router. Or it can be config of the other device, for example its firewall might not allow pings from other subnets. Try to ping it from router. Or use Tools->Torch and check what happens on ether4, if you see packets in both directions.

It looks like ether4 is set as a slave to ether2?
Look in the interfaces → ethernet configurations on ether4.
Does it say master port = ether2?

Then move the IP address 192.168.2.1/24 onto ether2

That was the trick!!

Now I have one more question concerning firewall rules.
What is the simplest way/firewall rule to accept all packets on this NAT setting (in both directions)?

Simplest way is no rules. If you don’t limit it, everything is accepted by default.

If you want to completely disable any kind of security between the interfaces, just remove all rules from the forward chain of the filter table of the firewall.

EDIT: LOL Sob - you posted while I was posting
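
Where some filtering should remain, the forward chain can be limited to the NAT'd traffic instead of being emptied. The RouterOS rules below are an added example, not part of the original posts; the interface roles (ether1 toward 192.168.10.0/24, ether2 as master port of ether4 toward 192.168.2.15) and an already existing dst-nat rule for traffic arriving on ether1 are assumptions based on the thread's description.

```routeros
# Added example, not from the thread.
# Assumed: ether1 faces 192.168.10.0/24, ether2 (master port of ether4)
# faces the client 192.168.2.15, and a dst-nat rule for ether1 already exists.
/ip firewall filter

# Replies belonging to connections that were already allowed
add chain=forward connection-state=established,related action=accept comment="replies"

# Packets that do not belong to any tracked connection
add chain=forward connection-state=invalid action=drop comment="invalid"

# Inbound: only connections that matched a dst-nat rule, and only to the client
add chain=forward in-interface=ether1 out-interface=ether2 dst-address=192.168.2.15 connection-nat-state=dstnat action=accept comment="ether1 -> client via dst-nat"

# Outbound: connections the client opens itself
add chain=forward in-interface=ether2 out-interface=ether1 src-address=192.168.2.15 action=accept comment="client -> ether1"

# Everything else routed between interfaces
add chain=forward action=drop comment="default drop"
```

The forward chain only covers traffic routed through the router; access to the router itself is governed by the input chain.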

Oh cool, that was easy to configure!

Now I’ve tried to use a new client device with this NAT setup. The default network settings are 192.168.2.15, subnet 255.255.255.0 and gateway 0.0.0.0!
So now, ping from my computer to 192.168.10.1 does not work anymore. Is there a possibility to fix that without changing the client gateway address to 192.168.2.1?

Your client device is obviously misconfigured, so that would be the first thing to correct. But if you for some reason can’t, then you can do this:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether4

All connections to 192.168.2.15 will look like they come from 192.168.2.1, so it will be possible to reply to them. But you still won’t be able to establish connections from 192.168.2.15 to anywhere else.

It works!! Thank you!!

Hello,
I have a new problem.
A device (IP: 192.168.1.10) on port 4 of my MikroTik hAP Lite is sending UDP broadcast messages (to 255.255.255.255).
Mikrotik should redirect all UDP/broadcast messages from port 4 to a device on port 1. (IP: 192.168.100.100)

Torch in MikroTik is showing the broadcast message, but it seems that my NAT rule doesn’t work. No message arrives at my computer (tested with Wireshark).
Torch view.png
NAT rule.png
For testing, I sent the UDP message to 192.168.1.254 instead of 255.255.255.255, and then the UDP messages arrive on the PC (Wireshark).

What is going wrong? How can I fix it?

You could try specifying dst-address=192.168.1.255 in the nat rule, but in general, UDP broadcast redirection is not a feature available in Mikrotik.
The only thing that ROS has the feature to do this with is DHCP relay.