different type of NAT

Hello all,
Is there any way to masquerade a NAT-blocked IP? I mean ISP-blocked NAT. My ISP has given me an IP, which is
IP address: 10.20.25.1/24
gateway: 10.20.25.250, and I put this on my WAN interface. My LAN IP is 192.168.0.1/24.
I can ping yahoo.com from my MikroTik terminal box, but when I share this connection I cannot ping yahoo.com from my XP PC, though it pings the ISP gateway. Any solution, please? I really need to share this connection. Please reply with how to do it.

Regards,
ferdous

Perhaps, but it depends on what you mean by ‘blocked’.


I can ping yahoo.com from my MikroTik terminal box, but when I share this connection I cannot ping yahoo.com from my XP PC, though it pings the ISP gateway.

How exactly are you ‘sharing’ this connection? Post your config for us to look at.

WAN IP: 10.20.25.1/24 (ISP has given me this IP)
gateway: 10.20.25.250
DNS: 202.168.200.98, 202.192.254.4

My LAN IP: 192.168.0.1/24

/ip address add address=10.20.25.1/24 interface=wan
/ip dns set servers=202.168.200.98,202.192.254.4

/ip route add gateway=10.20.25.250

/ip address add address=192.168.0.1/24 interface=lan

/ip firewall nat add chain=srcnat src-address=192.168.0.1/24 action=masquerade out-interface=wan

My Windows XP IP is: 192.168.0.2
subnet: 255.255.255.0
gateway: 192.168.0.1
DNS: 202.168.200.98, 202.192.254.4

But I can't browse or ping Yahoo or Google from the XP PC. Please help.

Change

out-interface=wan

to this

in-interface=wan

Try it and let us know.

/ip firewall nat add chain=srcnat src-address=192.168.0.1/24 action=masquerade in-interface=wan

MikroTik shows this message when I enter this command:

Couldn’t change NAT Rule <192.168.0.0/>- ingoing interface matching not possible in output and postrouting chains(6)

Don't specify which interface is the in or out and it should work fine.

I tried these two rules, but no positive result. Normal routing is blocked by the ISP.

  1. /ip firewall nat add chain=srcnat src-address=192.168.0.1/24 action=masquerade

  2. /ip firewall nat add chain=srcnat action=masquerade

I think the ISP blocked the NAT port or something like that.

Regards,
ferdous

Sounds like you may be blocked then. Perhaps you could take the router to a friend who is using a different ISP and test your config. Also check the terms and conditions of your internet access because they may specifically deny sharing of the line.

Check DNS settings.

If the client is using the router as its DNS server, then you have to set allow-remote-requests=yes

…help needed…

/ip firewall nat add chain=srcnat src-address=192.168.0.1/24 action=masquerade out-interface=wan

Get rid of “src-address=192.168.0.1/24”.

This should work:

/ip firewall nat add chain=srcnat action=masquerade out-interface=wan

Disable any other firewall filter/nat rules and try it without being bridged.

Not working. I tried this before; it’s useless. NAT BLOCKED BY ISP. Is there any other way to share this type of connection with MikroTik? Don’t suggest web proxy or IP proxy. Is there any other rule, I mean IP tunnel or bonding or any other rule, to share this NAT-blocked connection with MikroTik?

Yup. Get a new ISP, although the one you have must have a pretty extreme reason for doing what they are doing. To limit a person to 1 machine these days is financial suicide for ISPs. They can keep an eye on users based on traffic, and limiting total connections is easy enough, so there really is no excuse for it these days.

jimbojones, that means you don't know how to share it. But it is possible with MikroTik. The bad news is I don't know how to do it. Any MikroTik specialist can do it. Maybe he doesn't see my post… Somehow WAN port 80 is redirected to a LAN port, then it's possible to share. Help needed… please.

So basically, you’re looking for a way to bypass your ISP’s firewall rules with a MikroTik solution? And I’ll pretend I didn’t hear your first comment.

Can you not just approach the ISP and talk to them nicely? Or are you trying to resell a service you shouldn’t be reselling? Sorry if that’s blunt, but that’s what it sounds like to me.

Jimbo

Check the firewall manual, and you will find the answer to how to overcome the ISP’s limitations. It’s quite easy if you know how networking protocols work.


Or are you trying to resell a service you shouldn’t be reselling? Sorry if that’s blunt, but that’s what it sounds like to me.

That is the problem with some ISPs: they think that everybody is trying to sell something. But in most cases users just want to set up routers with wireless to connect their laptops, iPhones and other devices.

Couldn’t it be a TTL problem?

No, it’s not a TTL problem…

But it seems like it is. Please post here the ‘tracert google.com’ result from your NATted machine and from a directly connected one.