How to create two subnets and one NAT gateway.

I want to create two subnets behind one NAT gateway on an RB450G. I want to set subnet 172.26.10.0/24 on port ether2-local and 10.0.0.1/24 on port ether3-local. On port ether1-gateway I have to set a manual IP address 192.168.178.205, subnet 255.255.255.0 and gateway 192.168.178.1. DNS and DHCP are disabled on both subnets.

To create this I have done the following:
ip firewall mangle add chain=prerouting src-address=172.26.10.0/24 action=mark-routing new-routing-mark=gw1
ip firewall mangle add chain=prerouting src-address=10.0.0.0/24 action=mark-routing new-routing-mark=gw1
ip route add gateway=192.168.178.205 routing-mark=gw1

But this doesn’t work. I can’t see/ping anything through the gateway. Has anyone any idea how I can do this?

I’m not sure I understand what you’re trying to do.

ether1 will be your WAN uplink, and ether2 and ether3 will be two LAN networks, but with different IP addressing?

If yes, you don’t need any mangle rules. Just set a default route out via 192.168.178.1, make sure the master-port on ether2 and ether3 is set to ‘none’, add IP addresses to ether2 and ether3, and make a NAT rule out ether1. That’s it.

/interface ethernet
set ether2-local master-port=none
set ether3-local master-port=none
/ip address
add address=192.168.178.205/24 interface=ether1-gateway
add address=172.26.10.1/24 interface=ether2-local
add address=10.0.0.1/24 interface=ether3-local
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.178.1
/ip firewall nat
add chain=srcnat out-interface=ether1-gateway action=masquerade

Yes, that's what I mean. And I have already tried that, but it doesn't work….
Maybe I have forgotten something. Here are my settings:

[admin@MikroTik] > interface ethernet print
Flags: X - disabled, R - running, S - slave 
 #    NAME      MTU   MAC-ADDRESS       ARP        MASTER-PORT      SWITCH     
 0 R  ether1... 1500  00:0C:42:BD:8E:01 enabled    none             switch1    
 1    ether2... 1500  00:0C:42:BD:8E:02 enabled    none             switch1    
 2 R  ether3... 1500  00:0C:42:BD:8E:03 enabled    none             switch1    
 3    ether4... 1500  00:0C:42:BD:8E:04 enabled    none             switch1    
 4    ether5... 1500  00:0C:42:BD:8E:05 enabled    none             switch1    

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   192.168.178.205/24 192.168.178.0   192.168.178.255 ether1-gateway         
 1   172.26.10.0/24     172.26.10.0     172.26.10.255   ether2-local           
 2   10.0.0.0/24        10.0.0.0        10.0.0.255      ether3-local           

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.178.1      1       
 1 ADC  10.0.0.0/24        10.0.0.0        bridge             0       
 2 ADC  172.26.10.0/24     172.26.10.0     bridge             0       
 3 ADC  192.168.178.0/24   192.168.178.205 ether1-gateway     0       
[admin@MikroTik] > 

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway 
[admin@MikroTik] >

Why are routes 1 and 2 saying gateway "bridge"? Do you have a bridge interface? Shouldn't it be 'ether3-local' and 'ether2-local'?

I have removed the bridge and now have:

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 A S  0.0.0.0/0                          192.168.178.1      1       
1 ADC  10.0.0.0/24        10.0.0.0        ether3-local       0       
2 ADC  172.26.10.0/24     172.26.10.0     ether2-local       0       
3 ADC  192.168.178.0/24   192.168.178.205 ether1-gateway     0       
[admin@MikroTik] >

But it's not working, same problem…

Print your mangle. As far as I know, you don't need any of it, so it should be empty.

Mangle is empty.

This is not correct:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK           BROADCAST       INTERFACE
 0   192.168.178.205/24   192.168.178.0     192.168.178.255 ether1-gateway
 1 > 172.26.10.0/24     > 172.26.10.0       172.26.10.255   ether2-local
 2 > 10.0.0.0/24        > 10.0.0.0          10.0.0.255      ether3-local

It should be:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK           BROADCAST       INTERFACE
 0   192.168.178.205/24   192.168.178.0     192.168.178.255 ether1-gateway
 1 > 172.26.10.1/24     > 172.26.10.0       172.26.10.255   ether2-local
 2 > 10.0.0.1/24        > 10.0.0.0          10.0.0.255      ether3-local

The ones you bolded are dynamic rules which are automatically created as you add an IP, and which can't be changed.

The ip/subnets I highlighted are not in “/ip route”. This is “/ip address”. That is entered by the user, and they can be changed.

Oh yes, you're right :laughing: sorry, my bad.

That is an easy one to miss. :slight_smile:

It was actually the “/ip route” entries that gave it away. If you look carefully, you will notice the “PREF-SRC” entries for those networks are invalid. That is what made me look carefully at “/ip address”.
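The tell-tale sign described above (a PREF-SRC that equals the network address, because the interface address was entered with all host bits zero) can be checked mechanically. The following Python script is an added example and is not part of this thread or of RouterOS; it parses the `/ip address print` and `/ip route print` output quoted earlier (embedded here as constructed sample text, trimmed from the thread), flags any interface address whose host part is the network or broadcast address, cross-checks the connected routes' PREF-SRC column, and prints a suggested `/ip address set [find interface=...] address=...` command with the first usable host of the subnet.

```python
"""Audit RouterOS '/ip address print' and '/ip route print' output for
interface addresses whose host part is all zeros (the network address).
Added example; not code from the thread or from MikroTik."""
import ipaddress

# Constructed sample input: the misconfigured '/ip address print' from the thread.
IP_ADDRESS_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.178.205/24 192.168.178.0   192.168.178.255 ether1-gateway
 1   172.26.10.0/24     172.26.10.0     172.26.10.255   ether2-local
 2   10.0.0.0/24        10.0.0.0        10.0.0.255      ether3-local
"""

# Constructed sample input: the matching '/ip route print' from the thread.
IP_ROUTE_PRINT = """\
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.178.1      1
 1 ADC  10.0.0.0/24        10.0.0.0        ether3-local       0
 2 ADC  172.26.10.0/24     172.26.10.0     ether2-local       0
 3 ADC  192.168.178.0/24   192.168.178.205 ether1-gateway     0
"""


def parse_ip_address_print(text):
    """Return one dict per address row; the Flags and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        # An optional flags column (X/I/D) may sit between the index and the
        # address, so locate the address as the first token with a prefix length.
        addr_pos = next(i for i, t in enumerate(tokens) if "/" in t)
        address, network, broadcast, interface = tokens[addr_pos:addr_pos + 4]
        entries.append({"address": address, "network": network,
                        "broadcast": broadcast, "interface": interface})
    return entries


def parse_ip_route_print(text):
    """Return one dict per route row, tolerating the blank PREF-SRC of a default route."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        dst_pos = next(i for i, t in enumerate(tokens) if "/" in t)
        flags = "".join(tokens[1:dst_pos])
        rest = tokens[dst_pos + 1:]
        # With PREF-SRC blank the row has one token fewer after DST-ADDRESS.
        pref_src = rest[0] if len(rest) == 3 else ""
        routes.append({"dst": tokens[dst_pos], "flags": flags, "pref_src": pref_src,
                       "gateway": rest[-2], "distance": int(rest[-1])})
    return routes


def suggested_address(address):
    """First usable host of the subnet, e.g. 172.26.10.0/24 -> 172.26.10.1/24."""
    iface = ipaddress.ip_interface(address)
    return f"{next(iface.network.hosts())}/{iface.network.prefixlen}"


def suggested_fix(interface, address):
    # RouterOS 'set [find ...]' form; the interface name comes from the print output.
    return f"/ip address set [find interface={interface}] address={suggested_address(address)}"


def check_addresses(text):
    """Flag interface addresses that are the network or broadcast address."""
    findings = []
    for e in parse_ip_address_print(text):
        iface = ipaddress.ip_interface(e["address"])
        net = iface.network
        if net.prefixlen >= 31:
            continue  # /31 and /32 have no distinct network/broadcast address
        if iface.ip == net.network_address:
            reason = "host part is zero (this is the network address)"
        elif iface.ip == net.broadcast_address:
            reason = "host part is all ones (this is the broadcast address)"
        else:
            continue
        findings.append({"interface": e["interface"], "address": e["address"],
                         "reason": reason, "fix": suggested_fix(e["interface"], e["address"])})
    return findings


def check_routes(text):
    """Flag connected routes whose PREF-SRC is the network address of DST-ADDRESS."""
    findings = []
    for r in parse_ip_route_print(text):
        if "C" not in r["flags"] or not r["pref_src"]:
            continue  # only connected routes derive PREF-SRC from /ip address
        net = ipaddress.ip_network(r["dst"])
        if net.prefixlen < 31 and ipaddress.ip_address(r["pref_src"]) == net.network_address:
            findings.append({"dst": r["dst"], "pref_src": r["pref_src"], "gateway": r["gateway"],
                             "reason": "PREF-SRC equals the network address; the address on "
                                       f"{r['gateway']} has host part zero"})
    return findings


if __name__ == "__main__":
    for f in check_addresses(IP_ADDRESS_PRINT):
        print(f"{f['interface']}: {f['address']} {f['reason']}\n    fix: {f['fix']}")
    for f in check_routes(IP_ROUTE_PRINT):
        print(f"route {f['dst']} via {f['gateway']}: {f['reason']}")
```

Run against the thread's output it reports ether2-local and ether3-local and suggests 172.26.10.1/24 and 10.0.0.1/24, which is exactly the correction that made the setup work; run against the corrected `/ip address print` it reports nothing.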

Thanks, it's working!!!

I have changed it, and it works perfectly.