Help with NAT

cavementech · November 12, 2024, 12:32am

I have attached 2 configs from 2 different hexs routers. They both their own a cell modem as their ISP. Both hexs have the same subnet on them, so I need to setup a NAT. I am not good at routing or NAT…at all…so bear with me.

Stebbins Mikrotik
Public: 166.152.1.2
Local: 10.116.12.6/22
Stebbins PC - 10.116.12.5/22

Judah Mikrotik
Public: 64.221.1.2
Local: 10.118.1.2/28
Judah - NAT - 10.118.1.4 to 10.116.22.134 (Will be a Flow meter)
Judah - NAT - 10.118.1.5 to 10.116.22.135 (Will be a Flow meter)

I have established a site-to-site tunnel between the 2 hexs routers.

From the Stebbins PC, I can ping address through the tunnel that are not NAT’ed, for instance, 10.118.1.2 (Mikrotik) and 10.118.1.3 (PC plugged into ether3). When I ping

From the Judah Mikrotik, I have a laptop setup representing the flow meter. The PC has an IP of 10.116.12.134/22. I cannot ping anything on the Stebbins side from this PC.

My goal is to be able to pull flow meter data from the Judah meters through the tunnel to the Stebbins PC for analysis.

Can someone be my hero? I have exhausted my attempts to get this working.

Thank you!
Judah_Mikrotikv1.txt (3.04 KB)
Stebbins_Mikrotikv1.txt (3.87 KB)

sindy · November 12, 2024, 6:21pm

I must admit I am a bit confused. You state that the LAN subnets on the two sites overlap, but it’s actually not the case - in Judah configuration, there is address=10.118.1.2/28 so the subnet spans 10.118.1.0-10.118.1.15, whilst in Stebbins, there’s address=10.116.12.6/22, so the range is 10.116.12.0-10.116.15.255, i.e. no overlap at all. So from this point of view, there is no need for NAT.

But looking at your description what can be pinged and what cannot, and looking at the choice of LAN addresses on both Mikrotiks, could it be that these devices are not the default routers for the other devices in their LANs? So when you ping a “box S” in the 10.116.12.0/22 in Stebbins from “box J” in 10.118.1.0/28 in Judah, would it be possible that box S would not know that it should send traffic for 10.118.1.0/28 to the hEX and would send it to some other router instead?

Other than that, the NAT rules make little sense to me at both routers, so I’d like to understand what was the intention for each of them, except the ones from the default configuration, action=masquerade chain=srcnat out-interface-list=WAN.

In general, bare IPsec with policy matching picks up the packets to deliver at the very last moment before they get sent out via the interface chosen by the regular routing, so in order that a policy that matches on dst-address=10.116.12.0/22 src-address=10.118.1.0/28 would pick a packet from Box J to Box S, you must prevent the packet from getting src-nated. There are multiple ways how to do that, one of them is to add an action=accept rule to the srcnat chain before (above) the action=masquerade one, another way is to create a route to 10.116.12.0/22 that does not send the packets via WAN so the action=masquerade that matches on out-interface-list=WAN rule will ignore it.

I’d prefer that you’d clarify my doubts before I suggest any particular change - the above is just an illustration what may be necessary, but I may have got it completely wrong.

Also, “pulling flowmeter data” may be an actual pulling, as in “the data collector actively initiates a connection to the flowmeter and requests the data”, or just a high level description whilst the flowmeter would actually push them, as in “the flowmeter is configured with the data collector address and actively initiates a connection to it”. So please clarify this part too.

anav · November 12, 2024, 6:30pm

Can you EVEN do ipsec to ipsec without one side having a public IP???

sindy · November 12, 2024, 7:36pm

If some specific conditions are met, you can, but here both ends happen to have one.

anav · November 12, 2024, 8:28pm

Well I could do this on wireguard, but since you like ipsec and are able to satisfy the OP with less mess… I will find another to assist.

cavementech · November 13, 2024, 12:08am

I must admit I am a bit confused. You state that the LAN subnets on the two sites overlap, but it’s actually not the case - in Judah configuration, there is address=10.118.1.2/28 so the subnet spans 10.118.1.0-10.118.1.15, whilst in Stebbins, there’s address=10.116.12.6/22, so the range is 10.116.12.0-10.116.15.255, i.e. no overlap at all. So from this point of view, there is no need for NAT.

But looking at your description what can be pinged and what cannot, and looking at the choice of LAN addresses on both Mikrotiks, could it be that these devices are not the default routers for the other devices in their LANs? So when you ping a “box S” in the 10.116.12.0/22 in Stebbins from “box J” in 10.118.1.0/28 in Judah, would it be possible that box S would not know that it should send traffic for 10.118.1.0/28 to the hEX and would send it to some other router instead?

Other than that, the NAT rules make little sense to me at both routers, so I’d like to understand what was the intention for each of them, except the ones from the default configuration, action=masquerade chain=srcnat out-interface-list=WAN.

In general, bare IPsec with policy matching picks up the packets to deliver at the very last moment before they get sent out via the interface chosen by the regular routing, so in order that a policy that matches on dst-address=10.116.12.0/22 src-address=10.118.1.0/28 would pick a packet from Box J to Box S, you must prevent the packet from getting src-nated. There are multiple ways how to do that, one of them is to add an action=accept rule to the srcnat chain before (above) the action=masquerade one, another way is to create a route to 10.116.12.0/22 that does not send the packets via WAN so the action=masquerade that matches on out-interface-list=WAN rule will ignore it.

I’d prefer that you’d clarify my doubts before I suggest any particular change - the above is just an illustration what may be necessary, but I may have got it completely wrong.

Also, “pulling flowmeter data” may be an actual pulling, as in “the data collector actively initiates a connection to the flowmeter and requests the data”, or just a high level description whilst the flowmeter would actually push them, as in “the flowmeter is configured with the data collector address and actively initiates a connection to it”. So please clarify this part too.

Yes, I knew I wouldn’t be able to provide all the info the first time. Ha Both sides do have 10.116.12.0/22 but on the Judah MK, the meter of 10.116.12.134/22 will be plugged directly into ether2 and 10.116.12.135/22 will be plugged directly into ether3. I don’t know if I am supposed to create an address list for that subnet or not.

As for default routers, The MK’s on both sides will be the default router for each respective location.

The flowmeters are generally a one-way direction as the meter is a data-collector in itself for onsite collection and buffering. The Stebbins PC will receive the data when the comms are online (very bad cell service area) to collect into Kepware software. Bi-directional traffic will only be needed when we need to change a configuration on the meter at any point.

Here is a link to Lucidcharts to help explain the layout.

https://lucid.app/lucidchart/3d41c239-c0e5-4351-bcca-a9d5f8b851bd/edit?viewport_loc=-1944%2C-1503%2C2741%2C1507%2C0_0&invitationId=inv_f75a5ec1-d490-4f86-94ed-803d3e3bc33f

sindy · November 13, 2024, 8:44am

OK. So the 10.116.12.0/22 is not known to the Judah hEX yet, but for some reasons, you want the two flowmeters you plan to ultimately place in Judah to have addresses from this range. Can you explain the reasons why it is overall easier to have overlapping subnets and handle it using NAT than just giving Judah a LAN subnet of its own?

If an IP host device (like the flowmeter) is placed in some subnet (like 10.116.12.0/22) and needs to talk to other devices outside that subnet, it must use a gateway device that has an IP address within the same subnet. So indeed, the hEX in Judah must have an address inside 10.116.12.0/22 in order that the flowmeters could use it to talk to the world. However, if the flowmeter is supposed to talk to another host inside its own subnet, it does not use a gateway for that - instead, it broadcasts an ARP request from the interface, saying “whoever has this IP address, please tell me your MAC address” and expects to get a single MAC address in response. There are ways to make the router respond with its own MAC address if the actual destination device is in the same address range but in another physical network, and there are ways to use yet another NAT rule to make the flowmeter see the request from the PC as coming from an address outside its own subnet, but both approaches add complexity to the setup. That’s why I ask whether the ability to use the same subnet that is used in Stebbins also for the flowmeters in Judah is so important that it is worth the burden required to make that possible.

Unfortunately none of these answers my question regarding who is the initiator (client) and who is the responder (server) in the connection that delivers the data from the flowmeter to the Kepware. Kepware supports various data acquisition protocols so the mere fact that it is Kepware gives no clue about this. Since the firewall chooses the NAT treatment for the whole connection when processing its first packet, the information about the roles of the PC and the flowmeter in establishing the connection is critical.

It would be easiest to use an L2 tunneling protocol and indeed extend the 10.116.12.0/22 from one site to the other, but you can afford things like this in a datacenter, not across a bad quality mobile connection, due to all that broadcast traffic that would pass through the tunnel and stress the bad link even more.

But on top of the NAT way, there is also a possibility to let the flowmeters think they are connected to the whole 10.116.12.0/22 but let the routers treat 10.116.12.134/31 as a separate subnet.

Each approach has its pros and cons and each may fit better or worse to your understanding of networking, affecting your ability to eventually troubleshoot it in future, so it is very important to understand whether this is a proof of concept you want to replicate to tens of sites similar to Judah or a one-shot solution for Judah alone.

Just a side note, whilst the flow of the application data (the measured values) is always unidirectional, from the flowmeter to the Kepware, the transport protocols that guarantee delivery use a reverse channel to send the acknowledge messages. So the communication will always be bidirectional.

Yet anothet site that asks me to register just to see a single drawing? No, thanks. Please export it (or make a printscreen if that’s not possible) and attach it as a png here (there’s an Attachments tab just below the editing window here).

cavementech · November 19, 2024, 3:43pm

I apologize for the delay in responding. Had other fires to extinguish, ha.

By adding 10.116.12.128/28 to the Judah MK, resolved the issue. I didn’t realize that was necessary for the NAT process. It makes total sense.

I really appreciate you slapping me and telling me the simple fix! haha

anav · November 19, 2024, 4:55pm

Too funny, and so politely too!! No worries, I have been slapped many times …
I do prefer the more straightforward german approach … You Dummkopf