How to access server on NATed network?

I need some advice please.

I need to connect a hotel to my wireless network and I’m testing the configuration before I install it. I’m installing an RB433 v4.17. The Hotel’s office network is on ether1 and is NATed. ether2 connects to their existing WiFi network (for guests) which is on a different IP subnet. The RB is connected via wireless to a Hotspot on my network. All of that is working so far.

What I have a problem with, is that the hotel wants to use hand-held wireless POS devices in their restaurant and bar. These devices will connect to the WiFi network and must be able to communicate with a server on their private LAN.

I don’t really understand NAT very well and I’ve tried implementing the example in the Wiki, but it’s not working.

Here are my settings; can anyone see a way to help?
192.168.0.99 is the server on the LAN that all POS devices need to communicate with.

/ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   192.168.1.5/24     192.168.1.0     192.168.1.255   toHotspot              
 1   192.168.0.254/24   192.168.0.0     192.168.0.255   ether3-LAN             
 2   192.168.1.10/24    192.168.1.0     192.168.1.255   ether1-WiFi



/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Hide private LAN behind one WAN address
     chain=srcnat action=masquerade src-address=192.168.0.0/24 
     out-interface=bridge1 

 1   chain=dstnat action=dst-nat to-addresses=192.168.0.99 
     dst-address=192.168.1.5 

 2   chain=srcnat action=src-nat to-addresses=192.168.1.5 
     src-address=192.168.0.99



/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                         TYPE             MTU   L2MTU
 0  R  ether1-WiFi                                  ether            1500  1526 
 1     ether2                                       ether            1500  1522 
 2  R  ether3-LAN                                   ether            1500  1522 
 3  R  toHotspot                                    wlan             1500  2290 
 4  R  bridge1                                      bridge           1500  2290



/ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.1.254      1       
 1 ADC  192.168.0.0/24     192.168.0.254   ether3-LAN         0       
 2 A S  192.168.0.99/32                    ether3-LAN         1       
 3 ADC  192.168.1.0/24     192.168.1.10    ether1-WiFi        0       
                                           bridge1

If the two networks are connected to the same router why do you need to NAT between the two networks at all? Just don’t NAT - problem solved.

The hotel would like their network to be private and separate from the wifi network which the guests will be using to access the Internet. Their private network is in the 192.168.0.0/24 range and they don’t want it to be changed, my network is 192.168.1.0/24. Guests will not be using the Hotel’s bandwidth allowance or data cap. They will purchase vouchers and login via my hotspot. The hotel will bypass the hotspot and I will rate limit them with queues.

Could this be a routing problem? I get 'destination host unreachable' when I try to ping the server.

They already are on a separate network. NAT is not a good security measure at all; NAT is only an obfuscation measure. If you don’t want the two networks to reach each other you should configure firewall filters between them instead and allow the traffic you need through.

It can’t possibly be a routing issue if the two networks are directly connected on the same router.

If you really need strong distinction and separation between the two networks you should also deploy a secondary WiFi network - after all putting the POS machines on the guest network and then allowing them access to the hotel network would break that separation.

Looking through the config snippets you posted it is unclear what the actual network layout is. Also, when you’re bridging interfaces to put them on the same broadcast domain you should only put an IP address on the bridge interface, not the physical interfaces being bridged together.
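What fewi describes, expressed as RouterOS commands, as an added example that is not part of this thread and not the original poster's or fewi's configuration. It keeps the original poster's interface names and addresses and assumes the office LAN is 192.168.0.0/24 on ether3-LAN, the guest WiFi is 192.168.1.0/24 on ether1-WiFi, the POS server is 192.168.0.99, and the POS handhelds have fixed DHCP leases (the two handheld addresses are constructed). Note that the posted dstnat rule matched every packet addressed to 192.168.1.5, the router's own hotspot-side address, and sent it to the server, which is one reason the router became unreachable from that side.

```routeros
# Added example, not the original poster's configuration. Assumes the office
# LAN 192.168.0.0/24 on ether3-LAN, the guest WiFi 192.168.1.0/24 on
# ether1-WiFi, the POS server at 192.168.0.99, and POS handhelds with fixed
# DHCP leases (the two addresses below are constructed).

# 1. Remove the dst-nat/src-nat pair between the two subnets. The router has
#    a connected route to both, so packets are simply forwarded; the
#    masquerade rule that hides the office LAN toward the hotspot stays.
/ip firewall nat
remove [find chain=dstnat to-addresses=192.168.0.99]
remove [find chain=srcnat to-addresses=192.168.1.5]

# 2. The /32 static route to the server duplicates the connected
#    192.168.0.0/24 route on ether3-LAN.
/ip route
remove [find dst-address=192.168.0.99/32]

# 3. Name the handhelds so the allow rule is as narrow as possible.
/ip firewall address-list
add list=pos-devices address=192.168.1.201 comment="POS handheld 1 (example)"
add list=pos-devices address=192.168.1.202 comment="POS handheld 2 (example)"

# 4. Forward-chain policy between the two subnets, matched on addresses
#    rather than interface names so it works whether or not ether1-WiFi is a
#    bridge port: accept replies, accept listed handhelds to the POS server,
#    drop everything else that crosses from the guest WiFi into the office LAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to already-allowed connections"
add chain=forward connection-state=new src-address-list=pos-devices \
    dst-address=192.168.0.99 action=accept \
    comment="POS handhelds -> POS server"
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.0.0/24 \
    action=drop comment="guest WiFi may not reach the office LAN"

# 5. ONLY if toHotspot and ether1-WiFi are really member ports of bridge1
#    (the route table shows 192.168.1.0/24 on both ether1-WiFi and bridge1):
#    keep a single address on the bridge and none on the member ports.
#    If toHotspot is a plain wireless station and not bridged, skip this step.
/ip address
remove [find interface=ether1-WiFi]
remove [find interface=toHotspot]
add address=192.168.1.5/24 interface=bridge1
```

The filter rules are deliberately written against subnets instead of `in-interface`/`out-interface`, because once a port is a bridge member the routed packet arrives on the bridge, not the port, and an interface-based rule silently stops matching. If the POS server only listens on one port, add `protocol=tcp dst-port=<port>` to the accept rule; the thread does not state the port, so it is left open here.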

Thanks fewi,

I intend to implement firewall rules to secure the hotel’s network, while still allowing access from the POS devices. I need to use NAT because a) I want to rate limit all of the hotel’s office computers as a WHOLE at the hotspot router and it would help to have them all on the same IP address b) I don’t want them to use up 20 plus IP addresses on my network c) their network uses a different IP range to my network and I don’t want to have to change all of that as well.

There are too many different wireless frequencies in use here, so I don’t want to set up a dedicated network just for a couple of POS devices.

I’ve got it all working fine, I just need to get the POS devices to talk to the POS server. Is there no way this can be done?

Here is the network layout.

What kind of hotel is it? If it’s an IHG, Marriott, or Hilton brand, you are in serious violation of franchise specs by having any of their PoS systems share the guest network without separation. Not to mention problems with PCI compliance if there is any form of credit card processing going on with those systems.

It would be best for you to separate them like Fewi said and get them at the very least on separate interfaces. Look at setting up a secondary SSID with VLANs on the access points and switches to keep things separate. You will also want to set up WPA2 on that secondary SSID to make sure no one can sniff the wireless traffic of the PoS system talking to the wireless.

You guys are over-complicating this :)

It’s a privately owned 3 star hotel in a small South African village by the sea where people go for their summer holidays. There is no 3G or ADSL available there and the guests just need basic Internet access to check their emails and do Internet banking.

The handheld POS devices do not handle credit card transactions, just the taking of food and drink orders. Payments must be made at the counter.

The existing wireless network consists of a bunch of basic indoor APs. Some are wired together, some are WDS’ed together. (It’s a mess: overlapping channels etc. The hotel owner set this up himself and it’s up to me to sort it out.)

The existing setup is currently like this: The whole network (hotel and wifi) is on the same network and connects to the Internet via a 512kbps satellite connection. The guests are slowing things down to a crawl when they go online.

The owner wants me to separate it into two networks, provide his private network with a 1Mbps connection to Internet and connect his existing wifi network, via the RB433, to my hotspot so I can provide a basic 384kbps per customer connection to his guests.

Hello, I solved this issue when I worked as in-house IT in a hotel. If you have an AP capable of VLAN trunking it should be a good solution; segregate your hotspot network and POS network as well.

thanks
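The separate-SSID-plus-VLAN approach recommended in the last two replies, shown on the router side only, as an added example that is not from any poster in this thread. It assumes the hotel's APs can broadcast a second SSID for the POS handhelds (WPA2 is configured on the APs themselves and is outside this snippet) and tag that SSID with VLAN 20 on the link that reaches ether2 of the RB433; the VLAN id, the 192.168.20.0/24 subnet and the DHCP pool are constructed values, and the POS server address 192.168.0.99 is the one from the thread.

```routeros
# Added example, router side only. Assumes the APs tag the POS SSID with
# VLAN 20 toward ether2; VLAN id, subnet and DHCP pool are constructed.

# Tagged sub-interface on the port that faces the APs.
/interface vlan
add name=vlan20-pos interface=ether2 vlan-id=20

# Own subnet for the POS SSID, served by the router itself.
/ip address
add address=192.168.20.1/24 interface=vlan20-pos
/ip pool
add name=pos-pool ranges=192.168.20.10-192.168.20.50
/ip dhcp-server
add name=pos-dhcp interface=vlan20-pos address-pool=pos-pool disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1

# The POS VLAN may talk to the POS server and to nothing else: not the guest
# WiFi, not the office workstations, not the Internet. Nothing may initiate
# a connection toward the handhelds.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to already-allowed connections"
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.0.99 \
    action=accept comment="POS SSID -> POS server"
add chain=forward src-address=192.168.20.0/24 action=drop \
    comment="POS SSID reaches nothing else"
add chain=forward dst-address=192.168.20.0/24 connection-state=new \
    action=drop comment="nobody initiates toward the POS SSID"
```

With the handhelds on their own VLAN the guest SSID never carries POS traffic at all, which is the separation fewi and the franchise/PCI reply were asking for; the address-list trick of allowing individual guest-network clients into the office LAN becomes unnecessary.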