Earlier I asked a question related to NAT, but that didn't fix the problem. Let me explain what I need to do and maybe you can give me some advice.
I have to implement a private network inside another private network, and that outer network is connected to the public network. Why? Well, it's a project, but it's something that implements a PBX + softphone, and this inner LAN (my LAN) is meant to have a MikroTik RB2011 which will implement QoS for voice and a VPN.
The MikroTik RB2011 has ports ether1, ether3, ether4, ether5 configured with ether2 as master-port, and there is a DHCP server on ether2 with this IP pool:
100.64.0.0/24, and yes, it's a carrier-grade NAT pool. This is because this inner LAN (my LAN) is connected to another LAN (the MikroTik's ether6) and I don't know what private IP pool that LAN will have (so I use the carrier-grade NAT pool to avoid IP overlap). As it is meant to be connected in many places or situations, the outside private LAN could implement a network with 10.0.0.0/24 or 192.168.0.0/24, etc.
In this outside LAN there would be a DHCP server with the pool 10.0.0.0/24 (as an example) and just one public IP. So this outside private network has a router which implements NAT.
If I connect the MikroTik RB2011 to the outside private network via ether6, it would get an IP from the 10.0.0.0/24 pool. Let's suppose it's 10.0.0.6, and ether2 is configured as gateway with the IP 100.64.0.1.
Must I implement NAT between 10.0.0.6 and 100.64.0.1? Or must I implement a route so that every IP that does not belong to 100.64.0.0/24 is routed to 10.0.0.0/24? The problem here is that I don't know what IP the DHCP client on port ether6 will get. It could be from a pool like 10.0.0.0/24 or 192.168.0.0/24, etc.
Could you please give me some advice? This is the config I used, but it doesn't work:
If you have access to any router, do routing: just set another NAT rule with your network. If you have no access, set up NAT on the second router accordingly!
In this setup just add this rule in the firewall and tell us what happened:
/ip fi fi add chain=forward
Use the terminal.
I don't have access to the second router, just the MikroTik router that I'm using to implement my LAN. So I can't do the routing. The problem remains. I added the line you said:
/interface ethernet
# ether1, ether3, ether4, ether5 are switched together behind ether2 (the LAN side)
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether1 ] master-port=ether2
/ip pool
add name=poolIPv4 ranges=100.64.0.2-100.64.0.100
/ip dhcp-server
add address-pool=poolIPv4 disabled=no interface=ether2 name=dhcp-IPv4
/ip address
add address=100.64.0.1/24 interface=ether2 network=100.64.0.0
/ip dhcp-client
# ether6 is the uplink: address and default route come from the outside LAN's DHCP server
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether6
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
# the rule suggested above: forward chain with no action, which accepts
add chain=forward
/ip firewall nat
# masquerade LAN traffic leaving via ether6 with whatever address the DHCP client obtained
add action=masquerade chain=src-nat disabled=no out-interface=ether6
So I think there is something wrong with the NAT. The outside private network that I'm actually connecting the MikroTik router to gives an IP from a 10.0.0.0/24 pool, but others could give me a different IP pool.
If you have ttl=1 the packet will die on the WAN interface... some ISPs still use this limitation!
OK, now try to use a private network, not a carrier network, for your LAN, for example 172.16.0.0/24.
Don't use master port for ether6.
Remove my firewall rule and paste these basic rules:
There is this tutorial: https://wiki.mikrotik.com/wiki/NAT_Tutorial
but there is a problem for my implementation. I don't know the WLAN IP pools and the gateway for it. So I can implement NAT using masquerade, but how can I make the route? I think this is now the problem I'm having: the routing to the other LAN.
P.S. The routes are enough; you do not have to add others!
P.P.S. I also want to see:
/ip dhcp-server network print
and
/ip dhcp-server lease print detail
It works!!! when I changed the /32 to /24. It needed just a minute to change the configuration.
Thank you very much, John. You helped me a lot. Right now I'm using the connection through the RB2011.
Also, I changed the IP pool to the carrier-grade NAT 100.64.0.0/24 and it's working. Do you think that could bring any trouble? Because generally it's the opposite: the private IP pool and then the carrier-grade NAT pool. In this case it is the carrier-grade NAT pool and then NAT to a private pool. But with this implementation I can connect ether6 to any private network and there wouldn't be IP overlap. So this implementation brings portability, right?
I think that in this situation it will not be a problem to use this network. But you did not set your DNS on the DHCP server either, and make the lease time at least 24 hours (this is the standard setting)!
The first allows connections to the router from an external host through those ports (22, 8291, 80, 443).
The second allows pinging the router from an external host.
The third allows a connection to what? And the fourth disables (drops packets for) any connection that comes from a host connected (not necessarily directly connected) to port ether6?
And why is there a drop before an accept? It's like you are denying something that was accepted before.
The rules in a filter section are read in sequence for their execution. For that reason we first allow, and then we drop everything else!
The first allows connections to the router from an external host through those ports (22, 8291, 80, 443) - Yes, because we have a drop on the input chain on ether6 in rule 4!
The second allows pinging the router from an external host - Yes, every kind of ICMP, not only ping, for the same reason: we have a drop on the input chain on ether6 in rule 4!
The third allows a connection to what? As you translate it: it passes the packets of already established connections and of those related to them!
And the fourth disables (drops packets for) any connection that comes from a host connected (not necessarily directly connected) to port ether6? - Yes, drop any packet from any source address which comes in on ether6 without the protocols and ports described above!
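The four input-chain rules the exchange above describes, written out as an added example (John's posted rules are not on the page, so this is a reconstruction from his explanation, not his configuration). It assumes ether6 is the uplink interface, that rule 1 matches TCP, and that RouterOS evaluates filter rules top to bottom, which is why the drop sits last.

```routeros
/ip firewall filter
# 1. management access to the router from the outside LAN on the ports named above
add chain=input in-interface=ether6 protocol=tcp dst-port=22,8291,80,443 action=accept comment="mgmt from ether6 (assumed TCP)"
# 2. all ICMP types, not only echo, so ping and path-MTU discovery keep working
add chain=input in-interface=ether6 protocol=icmp action=accept comment="icmp from ether6"
# 3. replies to connections the router itself started (DHCP client, DNS lookups) and related packets
add chain=input connection-state=established,related action=accept comment="established/related"
# 4. anything else arriving on ether6 for the router itself is dropped; LAN-side input is untouched
add chain=input in-interface=ether6 action=drop comment="drop other input on ether6"
```

Because rule 3 only covers traffic the router originated and rule 4 drops everything else from ether6, the order matters: moving rule 4 above the accepts would block the management ports too. `/ip firewall filter print stats` shows per-rule packet counters, which is the quickest way to confirm which rule a connection is hitting.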