how to NAT outside IP range?

Hi,

I wonder if someone can help me. Two remote sites are connected to each other via a MetroLAN VPN (i.e. an ISP has their own VPN for the two sites)

Site1 is on 10.1.1.1 and site2 is on 10.1.1.2
Site1 LAN IPs are 192.41.100.0/24
Site2 LAN IPs are 192.168.4.0/24

I can ping both routers from both sides. I can also ping network printers from both sides. But, I cannot ping, or connect to SMB (Windows shares) from Site1 to Site2. On a PC from Site2, I had to add the gateway IP, 10.1.1.2 to Eset Nod32 Endpoint Security, then I could ping 192.168.4.117 from 192.41.100.13.

But, instead of having to do this on each PC, is there a way to NAT both networks so they “appear” as local on any PC, on either side of the VPN?

I guess NAT could be used, not sure, or is there another way?

Yes, NAT can probably help you. If you add a masquerade rule for traffic from the remote site (tunnel) to local, everything will appear as coming from the router’s internal address, i.e. from the local LAN.

Thanks, I guessed as much, but honestly don’t know what NAT rule to put in.

E.g. this on one router and the reverse on the other (swap src and dst) should do the trick:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.41.100.0/24 src-address=192.168.4.0/24

Great, thanks for the help :wink:

Can you please help me once more?

The remote office installed a Huawei HUAWEI B315s-936 LTE router onto the MikroTik, with IP address 192.168.4.4.

I can ping it from the remote MikroTik router (IP address 192.168.4.1), but not from our local LAN, 192.41.100.0.

I didn’t see any way to specify a default gateway on the Huawei LTE router so I’m suspecting that is the problem.
(attached screenshots: RemoteLAN.jpg, localLAN.jpg)

The router is probably choosing the wrong source address. Set the right one, 192.41.100.x (I assume .1), using the src-address parameter for ping.

How can it probably choose the wrong source address? I only specified one subnet.

I don’t see the complete config of that router, but it has more than one IP address, right? Based on the first post, in addition to 192.41.100.x it should have at least 10.1.1.1. And when you try to access the remote subnet from the router itself, it won’t choose 192.41.100.x as source. Packets may come through the VPN just fine, but then the added srcnat rule won’t match, because it’s for src-address=192.41.100.0/24.
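To make the matching behaviour discussed above concrete, here is an added example (not code from the thread or from MikroTik): a small model of the two srcnat masquerade rules that shows LAN-to-LAN packets being rewritten to the far router's LAN address, while a ping the router originates itself from 10.1.1.1 misses the rule and arrives unmasqueraded. It assumes the rule quoted in the thread sits on the Site1 router, its mirror (src/dst swapped) on the Site2 router, and that each router's LAN address is .1.

```python
"""Model of the thread's srcnat masquerade rules (added example, assumed layout)."""
from ipaddress import ip_address, ip_network

SITE1_LAN = ip_network("192.41.100.0/24")
SITE2_LAN = ip_network("192.168.4.0/24")

# Each rule: (src-address match, dst-address match, address masquerade rewrites to).
# Masquerade uses the outgoing interface address; for traffic leaving towards the
# router's own LAN that is the LAN interface address (assumed .1 on both sites).
SITE1_RULES = [(SITE2_LAN, SITE1_LAN, ip_address("192.41.100.1"))]   # rule from the thread
SITE2_RULES = [(SITE1_LAN, SITE2_LAN, ip_address("192.168.4.1"))]    # mirror, src/dst swapped


def apply_srcnat(rules, src, dst):
    """Return (source address after NAT, matched?) for the first matching rule."""
    src, dst = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, masq_to in rules:
        if src in rule_src and dst in rule_dst:
            return str(masq_to), True
    return str(src), False          # no rule matched: packet keeps its original source


def trace(src, dst):
    """Run a packet through the srcnat chain of the router that owns the destination LAN."""
    rules = SITE2_RULES if ip_address(dst) in SITE2_LAN else SITE1_RULES
    return apply_srcnat(rules, src, dst)


if __name__ == "__main__":
    # PC at Site1 reaching the Site2 PC from the first post: rewritten to 192.168.4.1
    print(trace("192.41.100.13", "192.168.4.117"))
    # Router-originated ping with the tunnel address as source: no match, stays 10.1.1.1
    print(trace("10.1.1.1", "192.168.4.4"))
    # Same ping with src-address=192.41.100.1, as suggested above: now matches
    print(trace("192.41.100.1", "192.168.4.4"))
```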