Myron
March 19, 2010, 11:09am
1
Hello guys, I need your help here. My ISP provides me 2 public IPs: the first IP, xxx.xx.124.201, is assigned on my mikbox WAN ether1, and the second IP is xxx.xx.124.203. Now I have my FreeBSD box and I want to map the second public IP to my freebox. I already assigned the xxx.xx.124.203 in my freebox. Take a look at my config in netmap, is this correct? But I can't ping the xxx.xx.124.203.
add action=netmap chain=dstnat comment=netmap disabled=no dst-address=202.78.124.203 to-addresses=10.13.0.2
add action=netmap chain=srcnat comment=netmap disabled=no src-address=10.13.0.2 to-addresses=202.78.124.203
any help?
thanks
Netmap isn’t required for this. That is for forwarding a range of ips. I would use srcnat and dstnat rules.
/ip firewall nat
add chain=srcnat action=src-nat src-address=10.13.0.2 to-addresses=x.x.124.203 place-before=0
add chain=dstnat action=dst-nat dst-address=x.x.124.203 to-addresses=10.13.0.2 place-before=0
These should be first in the nat list. Order is important.
If you have a “action=masquerade” in the nat list, I would replace it with this:
add chain=srcnat action=src-nat to-addresses=x.x.124.201 out-interface=ether1
Sometimes masquerade is unreliable with more than one ip assigned to the interface. If you have any challenges, please post your “/ip firewall nat”.
Also, the ip x.x.124.203 should be assigned to ether1 (same interface as x.x.124.201) in the router. The localnet server should be assigned only 10.13.0.2.
Myron
March 20, 2010, 2:05am
3
SurferTim:
Netmap isn’t required for this. That is for forwarding a range of ips. I would use srcnat and dstnat rules.
/ip firewall nat
add chain=srcnat action=src-nat src-address=10.13.0.2 to-addresses=x.x.124.203 place-before=0
add chain=dstnat action=dst-nat dst-address=x.x.124.203 to-addresses=10.13.0.2 place-before=0
These should be first in the nat list. Order is important.
If you have a “action=masquerade” in the nat list, I would replace it with this:
add chain=srcnat action=src-nat to-addresses=x.x.124.201 out-interface=ether1
Sometimes masquerade is unreliable with more than one ip assigned to the interface. If you have any challenges, please post your “/ip firewall nat”.
Also, the ip x.x.124.203 should be assigned to ether1 (same interface as x.x.124.201) in the router. The localnet server should be assigned only 10.13.0.2.
Thanks surfer, I followed the instructions you posted earlier. Here is my config in NAT now:
/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no src-address=10.13.0.2 to-addresses=xxx.xx.124.203
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=xxx.xx.124.203 to-addresses=10.13.0.2
add action=src-nat chain=srcnat comment=NAT disabled=no out-interface=Ether1-WAN to-addresses=xxx.xx.124.201
And my local server, connected to the subnet 10.13, was assigned to ether5, and I already assigned the xxx.xx.124.203 on ether1, like my 124.201, as WAN too.
/ip address
add address=10.11.0.1/24 broadcast=10.11.0.255 comment="Office Network" disabled=no interface=ether3-local network=10.11.0.0
add address=10.12.0.1/24 broadcast=10.12.0.255 comment="Hotel " disabled=yes interface=ether4-local network=10.12.0.0
add address=10.13.0.1/24 broadcast=10.13.0.255 comment="reserve" disabled=no interface=ether5-local network=10.13.0.0
add address=10.2.2.1/24 broadcast=10.2.2.255 comment=servers disabled=no interface=ether2-local network=10.2.2.0
add address=xxx.xx.124.201/24 broadcast=xxx.xx.124.201 comment=WAN disabled=no interface=Ether1-WAN network=xxx.xx.124.201
add address=xxx.xx.124.203/24 broadcast=xxx.xx.124.203 comment="for netmap test" disabled=no interface=Ether1-WAN network=xxx.xx.124.203
The IP is still "destination host unreachable". What did I miss in this setup?
thanks surfer
I noticed the interface names are not “normal”. Is the router a RB750? If so, you need to remove all the local interfaces from the switch in “/interface ethernet”.
/interface ethernet
set X master-port=none
ADD: If you are doing these changes from one of the localnet ports (2-5), ensure it is 2. The others will change to the new ip network, and you will be disconnected on the other interfaces.
Myron
March 20, 2010, 12:44pm
5
SurferTim:
I noticed the interface names are not “normal”. Is the router a RB750? If so, you need to remove all the local interfaces from the switch in “/interface ethernet”.
/interface ethernet
set X master-port=none
ADD: If you are doing these changes from one of the localnet ports (2-5), ensure it is 2. The others will change to the new ip network, and you will be disconnected on the other interfaces.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:52:A9:1E mtu=1500 name=Ether1-WAN speed=100Mbps
set 1 arp=proxy-arp auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:52:A9:1F master-port=none mtu=1500 name=ether2-local speed=1Gbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:52:A9:20 master-port=none mtu=1500 name=ether3-local speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:52:A9:21 master-port=none mtu=1500 name=ether4-local speed=1Gbps
set 4 arp=proxy-arp auto-negotiation=yes bandwidth=unlimited/unlimited comment="for testing only" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:52:A9:22 master-port=none mtu=1500 name=ether5-local speed=100Mbps
Hi surfer, all the ports are set to none. I'm using an RB450G. I'm gonna reconfig tomorrow and try to find out what is going on with this setup.
thanks
My bad! I assumed RB750. If not, then check “/ip route”. Do you have a default route?
ADD: After looking closely, I also found this:
add address=xxx.xx.124.201/24 broadcast=xxx.xx.124.201 comment=WAN disabled=no interface=Ether1-WAN network=xxx.xx.124.201
add address=xxx.xx.124.203/24 broadcast=xxx.xx.124.203 comment="for netmap test" disabled=no interface=Ether1-WAN network=xxx.xx.124.203
The networks should be xx.xx.124.0
The broadcasts should be xx.xx.124.255
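Added example, not part of the original thread: a small Python check that reads "/ip address" export lines and compares each entry's network= and broadcast= with the values implied by its address and prefix, which is the mismatch pointed out above. The sample export is constructed and uses documentation addresses (203.0.113.0/24) in place of the masked public IPs; the function names are made up for this example.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's "/ip address" export,
# with documentation addresses standing in for the masked public IPs.
SAMPLE_EXPORT = """\
add address=10.13.0.1/24 broadcast=10.13.0.255 comment="reserve" interface=ether5-local network=10.13.0.0
add address=203.0.113.201/24 broadcast=203.0.113.201 comment=WAN interface=Ether1-WAN network=203.0.113.201
add address=203.0.113.203/24 broadcast=203.0.113.203 comment="for netmap test" interface=Ether1-WAN network=203.0.113.203
"""

# key=value pairs; a value is either a "quoted string" or a bare token
PAIR_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

def parse_add_line(line):
    """Return the key=value pairs of one 'add ...' export line as a dict."""
    return {k: v.strip('"') for k, v in PAIR_RE.findall(line)}

def check_addresses(export_text):
    """Compare network= and broadcast= with what address=ip/prefix implies.

    Returns a list of (address, field, found, expected) tuples.
    """
    problems = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        entry = parse_add_line(line)
        if "address" not in entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry["address"])
        except ValueError:
            problems.append((entry["address"], "address", entry["address"], "valid ip/prefix"))
            continue
        expected = {"network": str(iface.network.network_address),
                    "broadcast": str(iface.network.broadcast_address)}
        for field, want in expected.items():
            found = entry.get(field)
            if found is not None and found != want:
                problems.append((entry["address"], field, found, want))
    return problems

if __name__ == "__main__":
    for addr, field, found, want in check_addresses(SAMPLE_EXPORT):
        print(f"{addr}: {field}={found}, expected {want}")
```

A /32 point-to-point entry whose network= is set to the peer address would also be reported, so exclude those if the router uses that style.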