How to disable NAT and still be able surf the internet?

Xuna · April 1, 2015, 1:47pm

I bought RB2011UiAS-RM for my small hotspot, I dont need NAT on AR2 but when i disable NAT i can not access internet,
Is there any way I can turn off NAT and keep surfing through the internet?

From the diagram,everything is work fine if i enable NAT on AR2, but when disable the clients can not access internet.
even ping also can not go through.
So how to configure AR2(RB2011UiAS-RM) without NAT.

Here is network diagram
final network copy.png

unietis · April 2, 2015, 12:05pm

Do you know what NAT is?

ZeroByte · April 2, 2015, 12:42pm

Basically, NAT fixes things because it takes addresses which the network doesn’t know how to reach (192.168.3.0/24) and converts them to an address (192.168.2.2) which the network actually DOES know how to reach.

So NAT is the first way to make an unreachable network have access to another network anyway…

The other way is much more simple: Tell the network how to get there.

On R1 add a static route which explains that 192.168.3.0/24 is reachable by going to gateway 192.168.2.2

If R1 is a mikrotik:
/ip route add dst-address=192.168.3.0/24 gateway=192.168.2.2

R2 needs no changes, and now, no NAT.

Xuna · April 2, 2015, 4:13pm

Thanks for your suggestion, i did it as you said but it does not fix the problem. can it be firewall? do you have any other idea, or please give me tutorial links if you dont mind..

Thank you in advance

ZeroByte · April 2, 2015, 5:17pm

If R1 has a NAT rule that is too specific, or a firewall which only allows 192.168.2.0/24 to go out to the Internet, then this is another problem.

While testing, disable any filter rules on R2 - take them out of the equation. Once you have the Internet working, add them back and if it causes problems, you will know exactly what the source of the problem is.

Anyway - on R1:
if it is a Mikrotik (never has been stated) then you should look in the NAT firewall table, on the srcnat chain.
Many people would have a rule like this:
action=masquerade src-address=192.168.2.0/24 action=masquerade
While this works for the first lan, it’s very specific.
The correct NAT rule (in my opinion) is this:
if ether1 = the wan interface of R1…

/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
(and remove the old masquerade rule)

Also make sure the filter table will allow 192.168.3.0/24 → internet