nominet
1
Hi guys, I'm a newbie to MikroTik. I need help in disabling NAT on the hotspot.
On my network I have load balancing and the hotspot on separate routers, which leads to double NATting.
Could you please explain to me how to disable NAT on the hotspot. At the moment I'm using the following script
/ip firewall nat
add chain=srcnat action=masquerade to-addresses=0.0.0.0 src-address=172.16.1.0/24
Could you please give me a script to replace this rule.
Thanks
tws101
2
Just disable the NAT rule on the back end router.
No need to replace the rule just KILL IT.
nominet
3
Thanks for the reply. When I disable the masquerade rule in the Hotspot's NAT, the internet stops working.
I also added ip route dst-address=(network address of hotspot LAN) gateway=(WAN IP of hotspot)
to the load balancing router, but it still did not work!
tws101
5
Is the front end router setup with an IP address on the same subnet as the hotspot?
At the moment I have load balancing of two internet lines. After that I have the Hotspot.
The configuration on the load balancing router is as follows
/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=\
WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=\
WAN2_conn
add action=mark-connection chain=input in-interface=WAN3 new-connection-mark=\
WAN3_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2
add action=mark-routing chain=output connection-mark=WAN3_conn \
new-routing-mark=to_WAN3
add chain=prerouting dst-address=192.168.1.0/24
add chain=prerouting dst-address=192.168.2.0/24
add chain=prerouting dst-address=192.168.3.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Local new-connection-mark=WAN1_conn \
per-connection-classifier=both-addresses-and-ports:3/0 src-address=\
192.168.0.2-192.168.0.254
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Local new-connection-mark=WAN2_conn \
per-connection-classifier=both-addresses-and-ports:3/1 src-address=\
192.168.0.2-192.168.0.254
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Local new-connection-mark=WAN3_conn \
per-connection-classifier=both-addresses-and-ports:3/2 src-address=\
192.168.0.2-192.168.0.254
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
in-interface=Local new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=Local new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
in-interface=Local new-routing-mark=to_WAN3
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
/ip firewall nat
add chain=srcnat src-address=172.16.1.0/24 action=masquerade
The configuration on the Hotspot router is as follows
/ip address
add address=172.16.1.1/24 comment=LAN disabled=no interface=Local network=172.16.1.0
add address=192.168.0.2/24 comment=WAN disabled=no interface=WAN network=192.168.0.0
/ip pool
add name=hs-pool-1 ranges=172.16.1.10-172.16.1.255
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=192.168.0.1
/ip dhcp-server
add address-pool=hs-pool-1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=Local lease-time=1h name=dhcp1
/ip dhcp-server config set store-leases-disk=5m
/ip dhcp-server network add address=172.16.1.0/24 comment="hotspot network" gateway=172.16.1.1
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
add dns-name=nominet.login hotspot-address=172.16.1.1 html-directory=hotspot http-cookie-lifetime=1d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=hsprof1 rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot
add address-pool=hs-pool-1 addresses-per-mac=2 disabled=no idle-timeout=5m interface=Local keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
add address-pool=hs-pool-1 advertise=no idle-timeout=none keepalive-timeout=2m name="512k Limit" open-status-page=always rate-limit=512k/512k shared-users=1 status-autorefresh=1m transparent-proxy=no
add address-pool=hs-pool-1 advertise=no idle-timeout=none keepalive-timeout=2m name="256k Limit" open-status-page=always rate-limit=256k/256k shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip hotspot service-port set ftp disabled=yes ports=21
/ip hotspot set numbers=hotspot1 address-pool=none
/ip firewall nat add action=masquerade chain=srcnat src-address=172.16.1.0/24 disabled=no
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 scope=30 target-scope=10
Now can you please tell me which rules I should remove, which rules I should add, and where?
Sorry, I'm a newbie.
tws101
7
Add this to your front end router and kill NAT on your back end router.
add dst-address=172.16.1.0/24 gateway=192.168.0.2 distance=1 check-gateway=ping
Okay, on the Hotspot I should add
/ip route
add dst-address=172.16.1.0/24 gateway=192.168.0.2 distance=1 check-gateway=ping
and on the load balancing router I just kill
/ip firewall nat
add chain=srcnat src-address=172.16.1.0/24 action=masquerade
correct?
tws101
9
No, I would say that is the exact opposite.
Load Balancing should be front end as it leads out the external gateway.
Hotspot should be back end as it must go to the front end to get out.
nominet
10
Tried it the other way round, but still no internet.
The login page does come up, but it does not redirect to the internet.
nominet
11
Look at the configuration once again.
Load balancing configuration - there's NAT and I've added the routing as you said.
/ip address
add address=192.168.0.1/24 interface=Local
add address=192.168.1.2/24 interface=WAN1
add address=192.168.2.2/24 interface=WAN2
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=\
208.67.222.222,208.67.220.220
/ip firewall filter
add action=drop chain=forward src-address=192.168.1.1
add action=drop chain=forward src-address=192.168.2.1
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=\
WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=\
WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.1.0/24
add chain=prerouting dst-address=192.168.2.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Local new-connection-mark=WAN1_conn \
per-connection-classifier=both-addresses:2/0 src-address=\
192.168.0.2-192.168.0.254
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Local new-connection-mark=WAN2_conn \
per-connection-classifier=both-addresses:2/1 src-address=\
192.168.0.2-192.168.0.254
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
in-interface=Local new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=Local new-routing-mark=to_WAN2
------------------------------------------------------------------------------------
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.2-192.168.0.254
------------------------------------------------------------------------------------
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1
------------------------------------------------------------------------------------
add check-gateway=ping comment=Routing distance=1 dst-address=172.16.1.0/24 \
gateway=192.168.0.2
------------------------------------------------------------------------------------
Configuration of the Hotspot - I've disabled NAT and added the gateway
/ip address
add address=172.16.1.1/24 comment=LAN disabled=no interface=Local network=172.16.1.0
add address=192.168.0.2/24 comment=WAN disabled=no interface=WAN network=192.168.0.0
------------------------------------------------------------------------------------
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.1.0/24 disabled=yes
------------------------------------------------------------------------------------
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=\
208.67.222.222,208.67.220.220
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
add dns-name=nominet.login hotspot-address=172.16.1.1 html-directory=hotspot http-cookie-lifetime=1d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=hsprof1 rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot
add address-pool=hs-pool-1 addresses-per-mac=2 disabled=no idle-timeout=5m interface=Local keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
add address-pool=hs-pool-1 advertise=no idle-timeout=none keepalive-timeout=2m name="512k Limit" open-status-page=always rate-limit=512k/512k shared-users=1 status-autorefresh=1m transparent-proxy=no
add address-pool=hs-pool-1 advertise=no idle-timeout=none keepalive-timeout=2m name="256k Limit" open-status-page=always rate-limit=256k/256k shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip hotspot set numbers=hotspot1 address-pool=none
------------------------------------------------------------------------------------
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 scope=30 target-scope=10 :)
------------------------------------------------------------------------------------
I've made the changes as you said, but there is no internet access after the hotspot!
Is there something else I'm missing or doing wrong?
nominet
12
Problem Solved!
In the load balancing router I had used the following rule, which was wrong…
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.2-192.168.0.254
Then I changed the rule to the following and everything worked as it should.
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
Thanks
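To see why the three states in this thread behave the way they do (the double NAT in post 1, the broken state in post 11 where the hotspot NAT is off but the load balancer still masquerades only 192.168.0.2-192.168.0.254, and the working state in post 12 with out-interface masquerade plus tws101's return route from post 7), here is an added example that is not code from the thread or from MikroTik. It is a small Python model of RouterOS srcnat matching (src-address range versus out-interface) and longest-prefix routing with connection tracking. Interface names and addresses are taken from the thread; the client IP 172.16.1.50, the server IP 203.0.113.10, and the simplification that the load balancer uses only its distance-1 default route via WAN1 (PCC marks ignored) are assumptions made for the example.

```python
"""Packet-path model for the two-router chain in this thread (added example)."""
import ipaddress as ip

IPv4 = ip.IPv4Address


class NatRule:
    """One srcnat masquerade rule matching a src range and/or an out-interface."""

    def __init__(self, src_from=None, src_to=None, out_iface=None, disabled=False):
        self.src_from = IPv4(src_from) if src_from else None
        self.src_to = IPv4(src_to) if src_to else None
        self.out_iface = out_iface
        self.disabled = disabled

    def matches(self, src, out_iface):
        if self.disabled:
            return False
        if self.src_from is not None and not (self.src_from <= src <= self.src_to):
            return False
        return self.out_iface is None or self.out_iface == out_iface


class Router:
    def __init__(self, addresses, routes, nat):
        # iface -> address/prefix; connected routes are derived from these
        self.addresses = {i: ip.ip_interface(a) for i, a in addresses.items()}
        # static routes as (dst network, gateway); the gateway must sit in a connected net
        self.routes = [(ip.ip_network(d), IPv4(g)) for d, g in routes]
        self.nat = nat
        self.conntrack = {}  # (translated src, dst) -> original src

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes -> (out iface, next hop)."""
        best = None  # (prefixlen, iface, next hop)
        for iface, addr in self.addresses.items():
            if dst in addr.network and (best is None or addr.network.prefixlen > best[0]):
                best = (addr.network.prefixlen, iface, dst)
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                via = next((i for i, a in self.addresses.items() if gw in a.network), None)
                best = (net.prefixlen, via, gw)
        return (best[1], best[2]) if best else (None, None)

    def forward(self, src, dst):
        """Route a packet out; the first matching srcnat rule rewrites src to the
        out-interface address (what masquerade does) and records the mapping."""
        out_iface, _ = self.lookup(dst)
        if out_iface is None:
            return None, src
        for rule in self.nat:
            if rule.matches(src, out_iface):
                new_src = self.addresses[out_iface].ip
                self.conntrack[(new_src, dst)] = src
                return out_iface, new_src
        return out_iface, src

    def reply(self, src, dst):
        """Inbound reply: undo a tracked translation, then route the inner destination."""
        inner_dst = self.conntrack.get((dst, src), dst)
        out_iface, _ = self.lookup(inner_dst)
        return out_iface, inner_dst


def trace(hotspot_nat_disabled, frontend_rules, return_route):
    """Send one packet from a hotspot client to a server and bring the reply back.
    Returns (outcome, number of NAT translations applied on the way out)."""
    hotspot = Router({"Local": "172.16.1.1/24", "WAN": "192.168.0.2/24"},
                     [("0.0.0.0/0", "192.168.0.1")],
                     [NatRule("172.16.1.0", "172.16.1.255", disabled=hotspot_nat_disabled)])
    fe_routes = [("0.0.0.0/0", "192.168.1.1")]  # assumption: distance-1 default via WAN1
    if return_route:  # tws101's "add dst-address=172.16.1.0/24 gateway=192.168.0.2"
        fe_routes.append(("172.16.1.0/24", "192.168.0.2"))
    frontend = Router({"Local": "192.168.0.1/24", "WAN1": "192.168.1.2/24",
                       "WAN2": "192.168.2.2/24"}, fe_routes, frontend_rules)
    client, server = IPv4("172.16.1.50"), IPv4("203.0.113.10")  # constructed addresses

    _, src1 = hotspot.forward(client, server)          # hop 1: hotspot router
    out_iface, src2 = frontend.forward(src1, server)   # hop 2: load balancer
    translations = int(src1 != client) + int(src2 != src1)
    if src2 != frontend.addresses[out_iface].ip:
        return f"left {out_iface} with source {src2}; upstream cannot reply", translations

    back_iface, dst = frontend.reply(server, src2)     # reply enters the load balancer
    if back_iface != "Local":
        return f"reply for {dst} routed out {back_iface}: no route back to hotspot LAN", translations
    if dst != client:                                  # still translated by the hotspot router
        _, dst = hotspot.reply(server, dst)
    return ("reply reaches client" if dst == client else "reply lost"), translations


RANGE_RULE = [NatRule("192.168.0.2", "192.168.0.254")]               # post 11 front-end rule
IFACE_RULES = [NatRule(out_iface="WAN1"), NatRule(out_iface="WAN2")]  # post 12 fix

if __name__ == "__main__":
    print("double NAT (post 1) :", trace(False, RANGE_RULE, return_route=False))
    print("post 11 state       :", trace(True, RANGE_RULE, return_route=True))
    print("fix, no return route:", trace(True, IFACE_RULES, return_route=False))
    print("post 12 fix         :", trace(True, IFACE_RULES, return_route=True))
```

The model shows the two halves of the fix separately: the out-interface rule is what makes 172.16.1.x sources get translated at all once the hotspot stops masquerading (a src-address rule written for 192.168.0.x never matches them, so they leave WAN1 untranslated), and the 172.16.1.0/24 route via 192.168.0.2 is what lets de-translated replies find their way back; with the route missing the reply falls into the default route and leaves WAN1 again. Note that masquerading on out-interface translates everything the load balancer routes out that interface, so any filtering of which internal subnets may reach the internet now has to live in the forward chain rather than in the NAT rule's src-address match.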