How to achieve this routing case

Dear all;
Glad to write in the forum again after a long time.
I have a case I need to do; I tried to program it, but in the end it failed.
What I need to do is as follows:

  1. I have an RB493AH. I am marking the connection, packet and route for my clients working on the wireless and wired networks, which are in bridge1.
    I mark the traffic ports and then let that traffic go to my first public1 interface.
    I also mark the traffic coming from groups of users and route them to the internet, so each group uses one IP of my internet.
    I mark traffic on ports like 443 coming from a group of users and route it to access the internet through one IP of my internet.
    I also mark traffic on ports 5000-5061 coming from another group of users and route it to access the internet through another IP of my internet.
    I used the RB and a PC to do this as follows:
  2. Mark the connection, packet and route of traffic coming from group A, and route it to go through ether2 from the RB to the PC.
    The users' IPs, like 192.168.0.0/24, are masqueraded and sent by routing mark to an IP like 100.100.100.2.
    At the PC this IP 100.100.100.2 is src-nated to another IP, which is the ISP IP, like 192.168.4.2.
    The same for groups B and C etc. as follows: 192.168.0.0/24 to 100.100.101.2 and 192.168.0.0/24 to 100.100.102.2 respectively.
    All of these go out from the RB by one ether NIC and enter the PC from one ether NIC.
    At the PC I src-nat the IP 100.100.100.2 to 192.168.4.2 and the IP 100.100.101.2 to 192.168.4.3 and so on.

So the ether NIC at the RB has the IPs 100.100.100.2, 100.100.101.2, 100.100.102.2, 100.100.103.2 and so on, with GWs 100.100.100.1, 100.100.101.1, 100.100.102.1, 100.100.103.1 and so on.
At the PC the ether NIC IPs will be 100.100.100.1, 100.100.101.1, 100.100.102.1, 100.100.103.1 and so on for incoming traffic, and the ISP IPs like 192.168.4.2, 192.168.4.3, 192.168.4.4 with GW 192.168.4.1.
What happens is that when the RB connects to the PC, the DAC entry in the routing table of the PC shows that only one IP of the ISP is active, and all the traffic going to the internet goes through that IP, while I need each group of my users or ports as above to use one of the ISP IPs so the traffic will not be congested.
My questions are:
Can I do this only with the RB? How do I manage this?
If not, and I have to use the PC or another RB with my RB493AH, how do I do it?
Below are the settings I did on the RB and the PC for this topology; some settings I will remove because they are unnecessary here:
First the RB:
IP:

/ip address
add address=192.168.0.1/24 broadcast=192.168.0.255 comment="" disabled=no \
    interface=bridge1 network=192.168.0.0
add address=100.100.100.2/24 broadcast=100.100.100.255 comment="" \
    disabled=no interface=ether2 network=100.100.100.0
add address=100.100.101.2/24 broadcast=100.100.101.255 comment="" \
    disabled=no interface=ether2 network=100.100.101.0
add address=100.100.102.2/24 broadcast=100.100.102.255 comment="" \
    disabled=no interface=ether2 network=100.100.102.0
add address=100.100.104.2/24 broadcast=100.100.104.255 comment="" \
    disabled=no interface=ether2 network=100.100.104.0
add address=100.100.105.2/24 broadcast=100.100.105.255 comment="" \
    disabled=no interface=ether2 network=100.100.105.0
add address=100.100.106.2/24 broadcast=100.100.106.255 comment="" \
    disabled=no interface=ether2 network=100.100.106.0
add address=100.100.103.2/24 broadcast=100.100.103.255 comment="" \
    disabled=no interface=ether2 network=100.100.103.0

route :

/ip route
add check-gateway=arp comment="" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=100.100.100.1 routing-mark="g1 mess" scope=255 target-scope=10
add check-gateway=arp comment="" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=100.100.100.1 routing-mark="g1 rest" scope=255 target-scope=10
add check-gateway=arp comment="" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=100.100.101.1 routing-mark="g3 rest" scope=255 target-scope=10
add check-gateway=arp comment="" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=100.100.101.1 routing-mark="g3 mess" scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    100.100.102.1 routing-mark=speed1 scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    100.100.103.1 routing-mark=speed2 scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    100.100.104.1 routing-mark=speed3 scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    100.100.105.1 routing-mark=speed4 scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    100.100.106.1 routing-mark=speed5 scope=255 target-scope=10
/ip route rule
add action=lookup comment="" disabled=no interface=bridge1 routing-mark=\
    "g1 rest" src-address=192.168.0.0/24 table="g1 rest"
add action=lookup comment="" disabled=no interface=bridge1 routing-mark=\
    "g1 mess" src-address=192.168.0.0/24 table="g1 mess"
add action=lookup comment="" disabled=no interface=bridge1 routing-mark=\
    "g3 rest" src-address=192.168.0.0/24 table="g3 rest"
add action=lookup comment="" disabled=no interface=bridge1 routing-mark=\
    "g3 mess" src-address=192.168.0.0/24 table="g3 mess"
add action=lookup comment="" disabled=no interface=bridge1 routing-mark=\
    speed1 src-address=192.168.190.0/24 table=speed1
add action=lookup comment="" disabled=no interface=bridge1 routing-mark=\
    speed2 src-address=192.168.190.0/24 table=speed2
add action=lookup comment="" disabled=no interface=bridge1 routing-mark=\
    speed3 src-address=192.168.190.0/24 table=speed3
add action=lookup comment="" disabled=no interface=bridge1 routing-mark=\
    speed4 src-address=192.168.190.0/24 table=speed4
add action=lookup comment="" disabled=no interface=bridge1 routing-mark=\
    speed5 src-address=192.168.190.0/24 table=speed5

Nat :

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=\
    192.168.190.0/24

second the PC :
IP :

/ ip address 
add address=192.168.4.2/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no 
add address=192.168.4.3/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no 
add address=192.168.4.4/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no 
add address=192.168.4.5/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no 
add address=192.168.4.6/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no 
add address=192.168.4.7/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no 
add address=192.168.4.8/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no 
add address=100.100.100.1/24 network=100.100.100.0 broadcast=100.100.100.255 \
    interface=ether2 comment="" disabled=no 
add address=100.100.101.1/24 network=100.100.101.0 broadcast=100.100.101.255 \
    interface=ether2 comment="" disabled=no 
add address=100.100.102.1/24 network=100.100.102.0 broadcast=100.100.102.255 \
    interface=ether2 comment="" disabled=no 
add address=100.100.103.1/24 network=100.100.103.0 broadcast=100.100.103.255 \
    interface=ether2 comment="" disabled=no 
add address=100.100.104.1/24 network=100.100.104.0 broadcast=100.100.104.255 \
    interface=ether2 comment="" disabled=no 
add address=100.100.105.1/24 network=100.100.105.0 broadcast=100.100.105.255 \
    interface=ether2 comment="" disabled=no 
add address=100.100.106.1/24 network=100.100.106.0 broadcast=100.100.106.255 \
    interface=ether2 comment="" disabled=no

route :

/ ip route 
add dst-address=0.0.0.0/0 gateway=192.168.4.1 scope=255 target-scope=10 \
    comment="" disabled=no

Nat :

/ ip firewall nat 
add chain=srcnat out-interface=ether1 src-address=100.100.100.2 action=src-nat \
    to-addresses=192.168.4.2 to-ports=0-65535 comment="" disabled=no 
add chain=srcnat out-interface=ether1 src-address=100.100.101.2 action=src-nat \
    to-addresses=192.168.4.3 to-ports=0-65535 comment="" disabled=no 
add chain=srcnat out-interface=ether1 src-address=100.100.102.2 action=src-nat \
    to-addresses=192.168.4.4 to-ports=0-65535 comment="" disabled=no 
add chain=srcnat out-interface=ether1 src-address=100.100.103.2 action=src-nat \
    to-addresses=192.168.4.5 to-ports=0-65535 comment="" disabled=no 
add chain=srcnat out-interface=ether1 src-address=100.100.104.2 action=src-nat \
    to-addresses=192.168.4.6 to-ports=0-65535 comment="" disabled=no 
add chain=srcnat out-interface=ether1 src-address=100.100.105.2 action=src-nat \
    to-addresses=192.168.4.7 to-ports=0-65535 comment="" disabled=no 
add chain=srcnat out-interface=ether1 src-address=100.100.106.2 action=src-nat \
    to-addresses=192.168.4.8 to-ports=0-65535 comment="" disabled=no

I will be waiting for your help, as this is very urgent for me.
With best regards

Hi ahmad,

Well, I'm new to MikroTik (please bear with me), but let me try to help:
So basically here is your scenario, right, am I correct?

192.168.0.0/24 RB -> 100.100.100.0/24 PC -> ISP 192.168.4.0/24

So the RB does the translation for the 192.168.0.0/24 network to 100.100.100.0/24
and the PC does 100.100.100.0/24 to 192.168.4.0?

What happens is that when the RB connects to the PC, the DAC entry in the routing table of the PC shows that only one IP of the ISP is active, and all the traffic going to the internet goes through that IP, while I need each group of my users or ports as above to use one of the ISP IPs so the traffic will not be congested.

The question is:
I see that you have put IP addresses on a single ether interface like these:

add address=100.100.100.2/24 broadcast=100.100.100.255 comment="" \
    disabled=no interface=ether2 network=100.100.100.0
add address=100.100.101.2/24 broadcast=100.100.101.255 comment="" \
    disabled=no interface=ether2 network=100.100.101.0
add address=100.100.102.2/24 broadcast=100.100.102.255 comment="" \
    disabled=no interface=ether2 network=100.100.102.0

omitted ...

Were those some kind of VLAN IP addresses or just IP aliases for that single ethernet interface?
If those were VLAN IP addresses, then you should have no problem doing translations.
But if those were IP aliases for a single NIC, then it's very obvious that the PC will use a single IP as the outgoing source.

And I don't see any significant error in your NAT config here; I think it should work (if you did create VLANs):

add chain=srcnat out-interface=ether1 src-address=100.100.104.2 action=src-nat \
    to-addresses=192.168.4.6 to-ports=0-65535 comment="" disabled=no
add chain=srcnat out-interface=ether1 src-address=100.100.105.2 action=src-nat \
    to-addresses=192.168.4.7 to-ports=0-65535 comment="" disabled=no

just my thought.

HTH.

It is behaving as expected. You need to reconsider the IP numbering plan. Here is what is going wrong:
Your PC configuration for IP addresses goes like this:

/ ip address
add address=192.168.4.2/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no
add address=192.168.4.3/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no
add address=192.168.4.4/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no
add address=192.168.4.5/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no
add address=192.168.4.6/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no
add address=192.168.4.7/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no
add address=192.168.4.8/24 network=192.168.4.0 broadcast=192.168.4.255 \
    interface=ether1 comment="" disabled=no

All the addresses listed above are in the 192.168.4.0/24 subnet. This means that in your routing table you will see only one entry (DAC) for this, not 7 entries as you are expecting.

Hope this helps you to identify the problem.

  1. Use netmap instead of source NAT on the PC.

  2. Assign only one IP address to ether1 in the subnet 192.168.4.0/24. Remove the six others in the same subnet.

  3. Consider the following netmap example.

If you want to link the public IP subnet 11.11.11.0/24 to the local one 2.2.2.0/24, you should use the destination address translation and source address translation features with action=netmap.

/ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 \
    action=netmap to-addresses=2.2.2.1-2.2.2.254

/ip firewall nat add chain=srcnat src-address=2.2.2.1-2.2.2.254 \
    action=netmap to-addresses=11.11.11.1-11.11.11.254

Hope this will take you closer to the solution.

Hi everybody;
Thanks for the replies I got to my question, but:

  1. I tested the VLAN; it also gives only one active VLAN (DAC).
  2. If I put only one IP on the PC ethernet NIC, let us assume the following:
    the traffic coming from group1 of users with IPs 192.168.0.1, 192.168.0.2, 192.168.0.3, which have been masqueraded to 100.100.100.2,
    then enters the PC with the IP 100.100.100.2, and the PC NIC IP is 100.100.100.1.
    Then, if I src-nat or netmap the IP 100.100.100.2 to 192.168.4.2 while the NIC IP is 192.168.4.1,
    will the ISP see that the traffic is coming from the IP 192.168.4.2 or 192.168.4.1???
    I need to test it practically.

Can I masquerade the traffic coming from a specific group to an IP within only one device??? In other words, masquerade the traffic of one group of users to an IP like 192.168.4.2, the traffic of another group to IP 192.168.4.3, and the traffic for port 443 to IP 192.168.4.4???
If I can't find a solution for this case, maybe I have to buy tens of routers to manage it, and this is not good, as it will consume more power; I need to get past this issue.
Will be waiting for your comments eagerly.
With best regards.

Pls understand that 'masquerade' is not the action that is appropriate for achieving this objective. Have a look at the 'netmap' example shown above in my previous post.

Let me clarify.

Masquerade is actually doing port address translation using the IP address of an interface. In the CLI, pls note that you are not given the freedom of selecting which interface IP would be used for masquerading.

What you rather require is 'netmap', which does PAT for a subnet over one or more IP addresses.

Dear sudiptakp;
Thanks for your reply again.
I need to clarify my case to you as follows:

  1. Assume I have three computers which are in one group; their IPs are 192.168.0.2, 192.168.0.3, 192.168.0.4,
    so I put these computers in an address list in the firewall for a group named like "group 1".
  2. I mark the connection, packets and route of the traffic coming from group 1.
  3. In /ip route I define rules to direct the traffic with a route mark to a specific IP like 100.100.100.2.
  4. I think I have to make a NAT rule with masquerade, or the traffic will not go out of the RB.
    All of the above will be within the main routerboard; now the traffic reaches the PC, and here I agree with you to use netmap or src-nat rules in the NAT menu.

Here I post two questions to you:
A) What do you think, do I have to use a masquerade rule in the first RB? If not, what should I do then?
B) At the PC, I will netmap the IP 100.100.100.2 to 192.168.4.4 while the NIC IP to the internet is 192.168.4.1; will the ISP see that the traffic is coming from 192.168.4.1 or 192.168.4.4???
I need them to see the traffic coming from the 4.4, because there will be other groups and they should see them separately.
Will be waiting for your kind reply.
With best regards.

My bad. Maybe I did not understand what you were asking. Do you want to srcnat a specific set of ips to a specific public ip? Maybe a few sets of localnets to a few public ips? Like:
192.168.0.0/24 to xxx.xxx.xxx.2
192.168.1.0/24 to xxx.xxx.xxx.3
etc…

I don’t know if those are the exact ip nets you want, but it is an easy conversion.

/ip firewall nat
add chain=srcnat action=src-nat src-address=192.168.0.0/24 to-addresses=xxx.xxx.xxx.2
add chain=srcnat action=src-nat src-address=192.168.1.0/24 to-addresses=xxx.xxx.xxx.3

ADD: This presumes all (EDIT:) public ips are on the same interface. If not, let me know.

From the other post:

If they are in sets you can. Like this will split a subnet:

/ip firewall nat
add chain=srcnat action=src-nat src-address=192.168.0.0/25 to-addresses=100.100.100.2
add chain=srcnat action=src-nat src-address=192.168.0.128/25 to-addresses=100.100.100.3

Hi;
I moved my reply after yours, and here it is.

Hello again;
Yes, you are now very close to what I am looking for.
But I have only one subnet, which is 192.168.0.0/24; I divide it into groups like group1, group2, group3 ... etc.
I mark the connection and route of each group of them and masquerade them to the Internet.
Now, yes, I need to make group1 use one IP of the ISP and group2 use another IP ... etc.
You say that by using src-nat I could make one group of IPs (192.168.0.0/24) seen as if they were 100.100.100.2
and another group of IPs (192.168.0.0/24) seen as if they were 100.100.100.3
and so on. Will be waiting for your reply.
I hope this will solve the case.
With best regards.

Hi;
What about the rule in /ip route???
Do I have to put GW 100.100.100.1?

With great thanks to you.

Yes, that is all it takes:
/ip route add gateway=100.100.100.1
Glad I could help. Sorry I did not see what you wanted right away.

ADD: Well, almost all. Ensure your internet interface is assigned both 100.100.100.2/24 and 100.100.100.3/24.

Hi;
Thanks for all the help you provide. I will test everything, but I think I am back again at the same problem,
where the routing table will show only one IP as DAC, not all the IPs.
If I put IPs 100.100.100.2, 100.100.100.3, 100.100.100.4 ...
only one of them will be DAC, and the ISP will see it.
Anyway, I will test and get back to you.
With great thanks to you.
With best regards.

No. Your ISP will see
192.168.0.1-127 as 100.100.100.2
and
192.168.0.128-255 as 100.100.100.3
I have checked, and it does work. I use a PHP script called myip.php on one of my servers to check.

ADD: The PREF-SRC parameter you see in there is what the OS will use if you used action=masquerade instead of src-nat.

Your MAC address will be on both IP assignments on your ISP's end. So hopefully you are doing all this with their approval.

table.xls (13.5 KB)

Hello,

I have studied your configuration in depth. I think I must know the design philosophy before going any further.

Please fill in the Excel sheet attached here.

sudipta

Dear sudiptakp;
I filled in the Excel sheet as you requested; I hope the info I put in it is clear and will help.
As I informed you earlier, I mark the connection, packet and route for each group, and use the route mark in the route table, as I route the browsing to my one-way internet connection and the rest of the traffic to my ISP.
I tried to send you a private e-mail here, but it is still in the outbox; I didn't find the send button to click, and for that reason the e-mail is still in the outbox.
Hope to hear from you soon.
With best regards.
table.xls (43 KB)

My suggestion is:

  1. Create VLAN interfaces on the link between the RB493 and the CPE.
  2. As shown in the diagram, select VLAN 10 for grp1, VLAN 20 for grp2, VLAN 30 for grp3.
  3. Adjust your policy routing configuration on the RB493 so that 172.16.1.2 is used for group 1 and ... see the diagram.
  4. On the CPE, mark the packets coming in on the VLAN interface with vlan=10.
  5. Do netmap in srcnat for the marked packets.
    In the diagram I have shown an example for group 1.

Please try to understand my concept; if you find this viable, consider the IP renumbering tasks on the RBs. After everything else, plan and try this configuration.

It would have been easier if you had multiple ISPs connected to the PC.
mktk.ppt (56.5 KB)
Thanks and Regards,
sudipta

Dear all;
I am glad to write here again for this topic.
I used two routerboards to do this case, and it works:
first src-nat the group traffic to an IP, and within the second routerboard do netmap.
This has been working for a long time, and I was monitoring it all that time; it works without any problems.
Many thanks to all who helped me in this case.
With best regards.
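The two-router design the thread settles on (src-nat per group on the first router, 1:1 netmap on the second), written out as one added example; this is not config posted by anyone in the thread, and the address-list names, group members and the 100.100.10x.0/24 link subnets are assumptions. It also handles the port-443 class asked about earlier in the same way as a group, so each class leaves with its own ISP address.

```routeros
# Router 1 (the RB493AH): classify LAN traffic into classes and give each class
# its own source address on the link to router 2. Constructed example; group
# membership, list names and the link subnets are assumed.
/ip firewall address-list
add list=group1 address=192.168.0.2
add list=group1 address=192.168.0.3
add list=group1 address=192.168.0.4
add list=group2 address=192.168.0.10

# One NIC carries several /24s to router 2; router 2 holds the .1 of each.
/ip address
add address=192.168.0.1/24 interface=bridge1
add address=100.100.100.2/24 interface=ether2
add address=100.100.101.2/24 interface=ether2
add address=100.100.102.2/24 interface=ether2

# Routing marks in prerouting. The port-based class is listed first so that
# a group1 host's HTTPS still lands in the "https" class.
/ip firewall mangle
add chain=prerouting in-interface=bridge1 protocol=tcp dst-port=443 \
    action=mark-routing new-routing-mark=https passthrough=no
add chain=prerouting in-interface=bridge1 src-address-list=group1 \
    action=mark-routing new-routing-mark=group1 passthrough=no
add chain=prerouting in-interface=bridge1 src-address-list=group2 \
    action=mark-routing new-routing-mark=group2 passthrough=no

# One default route per mark, each via a different link subnet.
/ip route
add dst-address=0.0.0.0/0 gateway=100.100.100.1 routing-mark=group1 check-gateway=arp
add dst-address=0.0.0.0/0 gateway=100.100.101.1 routing-mark=group2 check-gateway=arp
add dst-address=0.0.0.0/0 gateway=100.100.102.1 routing-mark=https check-gateway=arp

# src-nat, not masquerade: masquerade always uses the outgoing interface's
# preferred address, so it cannot give each class a different source.
/ip firewall nat
add chain=srcnat routing-mark=group1 action=src-nat to-addresses=100.100.100.2
add chain=srcnat routing-mark=group2 action=src-nat to-addresses=100.100.101.2
add chain=srcnat routing-mark=https action=src-nat to-addresses=100.100.102.2

# Router 2 (the PC or second RB): 1:1 netmap of each link address to its ISP
# address. All ISP addresses sit on ether1; the routing table shows a single
# DAC entry for 192.168.4.0/24 because they share one subnet. That is normal
# and does not mean only one of them is usable.
/ip address
add address=100.100.100.1/24 interface=ether2
add address=100.100.101.1/24 interface=ether2
add address=100.100.102.1/24 interface=ether2
add address=192.168.4.2/24 interface=ether1
add address=192.168.4.3/24 interface=ether1
add address=192.168.4.4/24 interface=ether1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.4.1

/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=100.100.100.2 \
    action=netmap to-addresses=192.168.4.2
add chain=srcnat out-interface=ether1 src-address=100.100.101.2 \
    action=netmap to-addresses=192.168.4.3
add chain=srcnat out-interface=ether1 src-address=100.100.102.2 \
    action=netmap to-addresses=192.168.4.4
```

On either router, /ip firewall connection print shows the translated address each live flow is using, which is a quicker check than an external "what is my IP" page.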

Hi,

Glad to hear that it worked. MikroTik is great.

Sudipta

Hi;
Yes, it is great, but it needs more and more work to meet your needs.
It also requires you to forgo sleep all night to try and try until you reach the target.
It also requires you to read and read and read.

So, to sail the MikroTik sea, you have to reserve all your efforts for it.
With best regards to all.