Destination NAT Problem with Public IP Addresses

Hello,

we have a Routerboard 1100AH with RouterOS 5.8.

Now we want to NAT some public IPs to private ones and also have a general NAT rule for the other private IPs.

example:
localnet= 10.0.0.0/8
wan-ip=1.1.1.0/24

What I've done:

define IP addresses

add address=10.1.1.1/8 disabled=no interface=ether2-lan network=10.0.0.0
add address=1.1.1.1/24 disabled=yes interface=ether1-wan network=1.1.1.0
Client 1
add address=1.1.1.2/24 disabled=yes interface=ether1-wan network=1.1.1.0
Client 2
add address=1.1.1.3/24 disabled=yes interface=ether1-wan network=1.1.1.0
Client 3
add address=1.1.1.4/24 disabled=yes interface=ether1-wan network=1.1.1.0
Client 4
add address=1.1.1.5/24 disabled=yes interface=ether1-wan network=1.1.1.0
...and so on

define default route

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.254 scope=30 target-scope=1

default NAT + public IP NATting

Client 1
add action=src-nat chain=srcnat disabled=no out-interface=ether1-wan src-address=10.1.1.2 to-addresses=1.1.1.2
add action=dst-nat chain=dstnat disabled=no dst-address=1.1.1.2 in-interface=ether1-wan to-addresses=10.1.1.2
Client 2
add action=src-nat chain=srcnat disabled=no out-interface=ether1-wan src-address=10.1.1.3 to-addresses=1.1.1.3
add action=dst-nat chain=dstnat disabled=no dst-address=1.1.1.3 in-interface=ether1-wan to-addresses=10.1.1.3
Client 3
add action=src-nat chain=srcnat disabled=no out-interface=ether1-wan src-address=10.1.1.4 to-addresses=1.1.1.4
add action=dst-nat chain=dstnat disabled=no dst-address=1.1.1.4 in-interface=ether1-wan to-addresses=10.1.1.4
...and so on
General NAT rule
add action=src-nat chain=srcnat disabled=no out-interface=ether1-wan src-address=10.0.0.0/8 to-addresses=1.1.1.1
  1. This seems to work, but now there is a problem that clients with a public IP randomly lose (every 5-10 minutes) their connection for about 1 minute. They can't access the internet. (about 70 clients with public IPs)
  2. Also it seems that not all ports with services are reachable from outside of the network, especially web services.
  3. Clients with a public IP cannot reach other clients with public IPs. I can't figure out what's wrong.

The netmap function shouldn't be the solution, because in my opinion it's only for equal subnets (public - local).

Hope you can point me in the right direction.

Based on what you’re describing it’s impossible to troubleshoot the network drop issue. You need to provide (or possibly establish for yourself) way more details. Do interfaces drop? Do you see link flaps? Are router utilizations going up (CPU spikes?)? And so on.

All ports should be reachable. Check firewalls, including upstream ones (maybe the upstream provider is blocking some ports - many do).

Public IPs reaching each other is a subset of the hairpin NAT problem: http://wiki.mikrotik.com/wiki/Hairpin_NAT

All in all it would be decidedly better if you could just route public IPs to your customers rather than have a huge, unwieldy NAT setup that requires hairpin NAT hacks. It would also save the customers from double NAT as they presumably NAT on the CPE as well. Routing this isn’t terribly hard to set up at all, either with normal networks (make /30 tunnels with private IPs you route the public IP address across), or via tunnel methods such as PPPoE where you dynamically assign each CPE a /32 as it dials into your central router.
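As an added illustration of the hairpin NAT point in the reply above (this is example configuration written for this thread, not the original poster's config and not the wiki page's text), here is what the 1:1 mapping for "Client 1" looks like once LAN-to-LAN traffic via the public address is taken into account. It reuses the addresses and interface names from the original post (1.1.1.2 -> 10.1.1.2, ether1-wan, ether2-lan); the comment strings are assumptions. Two things change compared to the rules in the question: the dst-nat rule drops `in-interface=ether1-wan`, so a LAN client that addresses 1.1.1.2 is translated as well, and a masquerade rule on the LAN side rewrites the source of such hairpinned connections, so the reply goes back through the router instead of directly to the LAN client (where it would be dropped as an unknown connection).

```routeros
# Added example for this thread, not the original poster's configuration.
# Assumes the OP's addressing: LAN 10.0.0.0/8 on ether2-lan, public 1.1.1.0/24 on ether1-wan.
/ip firewall nat

# 1:1 dst-nat for Client 1. No in-interface restriction: packets from the LAN
# that target the public address 1.1.1.2 must be translated too (hairpin case).
add chain=dstnat dst-address=1.1.1.2 action=dst-nat to-addresses=10.1.1.2 \
    comment="client1 1:1 dstnat (hairpin-capable)"

# Hairpin rule: a LAN client talking to another LAN client through the public
# address is now LAN -> LAN after dst-nat. Masquerade it on the LAN interface so
# the server's reply returns via the router, where conntrack can un-NAT it.
add chain=srcnat src-address=10.0.0.0/8 dst-address=10.0.0.0/8 \
    out-interface=ether2-lan action=masquerade comment="hairpin nat"

# Outbound 1:1 src-nat for Client 1, unchanged from the question. It must sit
# above the general rule, because rules are matched top to bottom.
add chain=srcnat src-address=10.1.1.2 out-interface=ether1-wan \
    action=src-nat to-addresses=1.1.1.2 comment="client1 1:1 srcnat"

# General rule for everything else in 10.0.0.0/8, unchanged from the question.
add chain=srcnat src-address=10.0.0.0/8 out-interface=ether1-wan \
    action=src-nat to-addresses=1.1.1.1 comment="general srcnat"

# Check: after a LAN client connects to 1.1.1.2, the dstnat and hairpin
# counters should both increase.
/ip firewall nat print stats
```

The trade-off of the masquerade rule is that the target server sees the router's LAN address instead of the real client address, which matters for server-side logging and any address-based access control on the LAN; that is the usual price of hairpin NAT, and it is one more reason the reply's suggestion to route the public addresses instead of NATting them is the cleaner design. The random connection drops reported in the question are not explained by these rules and still need the interface, link and CPU checks the reply asks for.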