Double-Nat with overlapping IP Networks

Hello everyone. I have a problem, and I am thinking of an ugly solution. Question is: Can it be done in Mikrotik?

I have two networks:

A: 192.168.100.0/24
B: 192.168.100.0/24 (Yes, both networks have the same IPs).

In network B, there are two servers, 192.168.100.10 and 192.168.100.11, that need to be reached from network A.

My plan was, if I could set up IPs 192.168.100.10 and .11 on the MikroTik in network A, and then 192.168.100.2 in network B: when traffic comes in on 100.10/11 in network A, some magic NAT/routing happens and it goes on to the "real" 100.10 and 100.11 in network B; those two servers would see the traffic as coming from 192.168.100.2.

I am aware of routing/NAT issues, but I know this can be done in other systems, eventually with two boxes.

Any ideas appreciated

Chris

You can’t do this with both networks connected to the same router - you’ll need two routers.

Router A has behind it network A on ether2, router B has behind it network B on ether2. Connect both routers to one another via some /30 like 192.168.255.252/30 on their ether1 ports.

Router A:

/ip address
add address=192.168.100.1/24 interface=ether2
add address=192.168.255.253/30 interface=ether1

Router B:

/ip address
add address=192.168.100.1/24 interface=ether2
add address=192.168.255.254/30 interface=ether1

On network A you’ll refer to the servers as 192.168.99.10 and 192.168.99.11. You install a route to 192.168.99.0/24 on router A with a gateway of 192.168.255.254 (router B). You install a source NAT rule that changes the source address of the packets to 192.168.98.0/24. Packets will now have that changed source address and be forwarded to router B.

Router A:

/ip route
add dst-address=192.168.99.0/24 gateway=192.168.255.254
/ip firewall nat
add chain=srcnat src-address=192.168.100.2-192.168.100.254 dst-address=192.168.99.0/24 action=netmap to-addresses=192.168.98.2-192.168.98.254

On router B you destination NAT traffic to 192.168.99.10 and 192.168.99.11 to the real IP addresses in the 192.168.100.0/24 subnet behind router B. You also need a route back to 192.168.98.0/24 through router A so that return traffic can go back to the clients behind that router. You’ll see source addresses from 192.168.98.0/24 on those servers, but because netmap maps 1:1 you’ll still be able to tell which client originated the traffic because the last octet will still match.

Router B:

/ip route
add dst-address=192.168.98.0/24 gateway=192.168.255.253
/ip firewall nat
add chain=dstnat dst-address=192.168.99.10 action=dst-nat to-address=192.168.100.10
add chain=dstnat dst-address=192.168.99.11 action=dst-nat to-address=192.168.100.11

Hmm. Yes, I follow you on this one. Problem is I don't want to refer to the servers as 192.168.99.xx. I want to be able to connect to them with their original address. Is that possible?

Chris

Add 192.168.100.10 and .11 to the interface on router A so that hosts behind it can resolve the router MAC address via ARP and make the translation to 192.168.99.10 and .11 there:

/ip firewall nat 
add chain=dstnat in-interface=ether2 dst-address=192.168.100.10 action=dst-nat to-address=192.168.99.10
add chain=dstnat in-interface=ether2 dst-address=192.168.100.11 action=dst-nat to-address=192.168.99.11
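As an added example (not code from the thread or from RouterOS), the following Python script models the complete translation chain built up across the two answers above: router A's dst-nat from the "original" 192.168.100.10/.11 to 192.168.99.10/.11, its netmap of the client source into 192.168.98.0/24, router B's dst-nat back to the real servers, and the reverse path for the reply. The rule tables are transcribed from the posted config; the client address 192.168.100.57 and the hop labels are constructed for the example. It exists to let you check, before touching the routers, what each side will see on the wire at every hop and that the 1:1 netmap really does keep the last octet.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _in_range(addr, lo, hi):
    return int(IPv4(lo)) <= int(IPv4(addr)) <= int(IPv4(hi))


def netmap(addr, from_range, to_range):
    """1:1 translation in the spirit of RouterOS action=netmap: the address keeps
    its offset inside the range, so 192.168.100.57 becomes 192.168.98.57.
    Addresses outside from_range are returned untouched (rule does not match)."""
    from_lo, from_hi = from_range
    to_lo, to_hi = to_range
    if not _in_range(addr, from_lo, from_hi):
        return addr
    offset = int(IPv4(addr)) - int(IPv4(from_lo))
    mapped = int(IPv4(to_lo)) + offset
    if mapped > int(IPv4(to_hi)):
        raise ValueError("to-addresses range too small for a 1:1 mapping")
    return str(IPv4(mapped))


# Rule tables transcribed from the thread's config (the /32 aliases for .10/.11 on
# router A only make LAN A hosts ARP for the router; the translation is below).
ROUTER_A_DSTNAT = {"192.168.100.10": "192.168.99.10",
                   "192.168.100.11": "192.168.99.11"}
ROUTER_A_SRCNAT_FROM = ("192.168.100.2", "192.168.100.254")
ROUTER_A_SRCNAT_TO = ("192.168.98.2", "192.168.98.254")
ROUTER_A_SRCNAT_DST = ipaddress.ip_network("192.168.99.0/24")
ROUTER_B_DSTNAT = {"192.168.99.10": "192.168.100.10",
                   "192.168.99.11": "192.168.100.11"}


def client_to_server(pkt):
    """Follow one packet from a host in LAN A to the real server in LAN B.
    Returns (hop, packet) snapshots; the last one is what the server sees."""
    trace = [("LAN A wire", pkt)]
    # Router A, chain=dstnat: runs before routing and before srcnat
    pkt = Packet(pkt.src, ROUTER_A_DSTNAT.get(pkt.dst, pkt.dst))
    # Router A, chain=srcnat: matches only traffic now headed for 192.168.99.0/24
    if IPv4(pkt.dst) in ROUTER_A_SRCNAT_DST:
        pkt = Packet(netmap(pkt.src, ROUTER_A_SRCNAT_FROM, ROUTER_A_SRCNAT_TO), pkt.dst)
    trace.append(("A->B /30 link", pkt))
    # Router B, chain=dstnat: 192.168.99.x -> real 192.168.100.x server
    pkt = Packet(pkt.src, ROUTER_B_DSTNAT.get(pkt.dst, pkt.dst))
    trace.append(("LAN B wire", pkt))
    return trace


def server_to_client(reply):
    """Undo the translations in reverse order for the server's reply. Because
    netmap is 1:1 the reverse is pure arithmetic here; a real router would
    consult its connection tracking table instead."""
    inv_b = {v: k for k, v in ROUTER_B_DSTNAT.items()}
    inv_a = {v: k for k, v in ROUTER_A_DSTNAT.items()}
    trace = [("LAN B wire", reply)]
    # Router B undoes its dst-nat on the reply's source address
    reply = Packet(inv_b.get(reply.src, reply.src), reply.dst)
    trace.append(("B->A /30 link", reply))
    # Router A undoes the netmap on the destination, then its dst-nat on the source
    dst = netmap(reply.dst, ROUTER_A_SRCNAT_TO, ROUTER_A_SRCNAT_FROM)
    reply = Packet(inv_a.get(reply.src, reply.src), dst)
    trace.append(("LAN A wire", reply))
    return trace


if __name__ == "__main__":
    # Constructed sample: a LAN A host talks to the "original" address of server .10
    for hop, p in client_to_server(Packet("192.168.100.57", "192.168.100.10")):
        print(f"{hop:14} src={p.src:16} dst={p.dst}")
    for hop, p in server_to_client(Packet("192.168.100.10", "192.168.98.57")):
        print(f"{hop:14} src={p.src:16} dst={p.dst}")
```

The two things to check from the trace are that the server sees a source in 192.168.98.0/24 with the client's own last octet, and that the reply lands back at the client with source 192.168.100.10 rather than 192.168.99.10; if either fails in your config, look at rule order (dstnat is evaluated before srcnat on the same router) or the missing return route on router B.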