Hi
I have the following setup:
Internet-Modem/Router from my provider, static IP: 192.168.1.1 / DHCP Range 192.168.1.100-150
Then I have a Cisco router with the static IP 192.168.1.100 (towards the modem) and 10.50.50.1 for its own subnet, with DHCP range 10.50.50.10-10.50.50.150.
Now I connect the MikroTik hEX Lite router to this Cisco subnet: IP 10.50.50.10 (towards the Cisco router) and 10.120.120.1 for its own subnet, with DHCP range 10.120.120.10-10.120.120.150.
When I connect a PC to the MikroTik router I correctly get an IP (e.g. 10.120.120.120) and can see the Cisco router and the Internet provider's router, but I can't access the Internet.
As gateway and DNS server I configured the IP of the Internet modem, which is 192.168.1.1.
What must I do in the Webinterface in order to be able to access the Internet from within the Mikrotik Subnet?
thanks for any help!
So you have triple NAT.
Why would you choose that setup? Is it possible to plug the Mikrotik directly into the ISP modem? If you cannot do that, then remove the third NAT. Do not let the Mikrotik do NAT. You CAN have the Mikrotik do the DHCP, but in the same subnet as the Cisco: 10.50.50.10-10.50.50.150
haik01, not necessarily triple NAT but definitely possible.
That said, we’d need you to clarify that OP.
To address the original post more directly, we have 3 devices, ISP, Cisco and hEX.
The ISP device has an internal IP of 192.168.1.1/24
The Cisco device has a leg into the 192.168.1.0/24 network at 192.168.1.100 and has a leg into the 10.50.50.0/24 network at 10.50.50.1
The hEX device has a leg into the 10.50.50.0/24 network at 10.50.50.10 and has a leg into the 10.120.120.0/24 network at 10.120.120.1
Lastly, a PC plugged into the hEX device has an IP of 10.120.120.120
Now we’re going to assume you need NAT in the fewest places possible. This means only at the Cisco device. Why? I assume you don’t have access to the ISP device to add any routes. So we enable NAT on the Cisco device to translate packets originating (source IP) from either 10.50.50.0/24 or 10.120.120.0/24. We also tell it how to route packets to the hEX device by adding a static route for any packets destined to 10.120.120.0/24 to go to 10.50.50.10. A default route is added on the Cisco device pointing to the ISP device and a default route is added on the hEX device pointing to the Cisco device. The default gateway of the PC needs to be 10.120.120.1 and the DNS can stay 192.168.1.1 if you’d like.
:::: Now, you likely are already doing NAT at the Cisco device and running the default configuration on the hEX which is also doing NAT ::::
In reality you probably only need to fix the default gateway on the PC. Set it to 10.120.120.1 instead of 192.168.1.1
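The hEX side of the design idlemind describes (NAT only at the Cisco, a default route on the hEX toward the Cisco), written out as RouterOS commands. This is an added example, not something posted in the thread. It assumes ether1 is the hEX port facing the Cisco and that the LAN side is the default configuration's bridge named "bridge"; adjust the names if yours differ. The Cisco side is not shown here: it needs NAT for both 10.50.50.0/24 and 10.120.120.0/24 and a static route for 10.120.120.0/24 via 10.50.50.10 (on IOS, `ip route 10.120.120.0 255.255.255.0 10.50.50.10`). Note that fixing only the PC's default gateway, as suggested in the last line above, still requires the hEX itself to have a default route; a static 10.50.50.10/24 on ether1 does not create one.

```routeros
# Added example (not from the thread): hEX configured as a plain router behind the Cisco.
# Assumptions: ether1 faces the Cisco, the LAN bridge is named "bridge" (RouterOS default config).

# Addresses (already present in the OP's setup; shown so the fragment is complete)
/ip address
add address=10.50.50.10/24 interface=ether1 comment="uplink to Cisco"
add address=10.120.120.1/24 interface=bridge comment="office LAN"

# Default route: anything not local is handed to the Cisco
/ip route
add dst-address=0.0.0.0/0 gateway=10.50.50.1 comment="default via Cisco"

# No NAT on the hEX: the Cisco translates 10.120.120.0/24 itself.
# The default configuration ships a masquerade rule on ether1; remove it.
/ip firewall nat
remove [find chain=srcnat action=masquerade]

# Hand out the hEX as gateway; DNS can stay the ISP box as idlemind says
/ip dhcp-server network
set [find address=10.120.120.0/24] gateway=10.120.120.1 dns-server=192.168.1.1

# Checks from the hEX itself: next hop, then something beyond the Cisco
/ping 10.50.50.1 count=3
/ping 192.168.1.1 count=3
```

If the second ping fails while the first succeeds, the Cisco is missing either the return route for 10.120.120.0/24 or the NAT entry for that subnet; packets leave the hEX but their replies have nowhere to go.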
Hi idlemind
thanks for your detailed and clear answer. the setup is exactly as you summarize.
I tried what you recommend in the last line (changing the IP of the default gateway); however, this did not work. I did not try the more detailed solution, because I simply do not have enough knowledge.
My “simple” idea as a beginner was to create a cascading network where
- in the first zone are the media devices (media nas, printer, playstation etc) → Connected directly to ISP Router
- in the second zone are the family pc/laptops → Connected to CISCO
- in the third zone are the office devices (office pc’s, laptops, nas, backup nas) → Connected to MikroTik
The idea is:
- Third zone PC’s can access devices in all zones and the internet
- Second zone PC’s can access devices in 2nd and 1st zone plus the internet
- First zone Media Devices can access only devices in this zone and the internet
I read some articles that with cascading routers this could be solved. But it seems it is not so easy, or do I overlook something?
I would say to simplify things by removing the Cisco router, and using the hEX as your “core” router.
Make two LAN segments on the hEX by making two bridge interfaces - let’s call them “family” and “office”
then configure both bridges as LAN interfaces:
/interface bridge
add name=family
add name=office
/ip address
add address=192.168.2.1/24 interface=family
add address=192.168.3.1/24 interface=office
Add whichever physical ports to the bridges as required:
(I forget if the hEX has a hardware switch, but if so, you’ll need to set all ethernet interfaces with master=none before doing this)
/interface bridge port
add bridge=family interface=ether2
add bridge=family interface=ether3
add bridge=office interface=ether4
add bridge=office interface=ether5
Then go into /ip dhcp-server and use the setup wizard twice to create a DHCP server for each of the two LANs.
Now add one NAT rule:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
Then you can prevent the LANs from talking to each other in the way you desired:
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to allowed connections"
add chain=forward out-interface=ether1 action=accept comment="any LAN to the internet"
add chain=forward in-interface=office action=accept comment="office may initiate to any zone"
add chain=forward action=drop comment="everything else, e.g. family -> office"
the input chain rules should be pretty much standard - protect the WAN interface (ether1) and allow anything on the remaining interfaces.
That will give the behavior you want and be much easier to manage and monitor.
As an extra step, if your ISP’s router can be put into bridge mode and allow your Mikrotik to get a direct public IP address using DHCP client or PPPoE, then I highly recommend this. In this case, you would need to add the “devices” network to your Mikrotik as a third LAN interface. Add that bridge, put 192.168.1.1/24 on it, activate DHCP server for it, and move one of the ethernet ports off of the other bridge(s) onto the “devices” bridge. You’ll need to add one more rule to the forwarding filter chain as well: accept all traffic if out-interface=devices.
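The complete configuration Zerobyte sketches, put together as one RouterOS script, with the ISP device in bridge mode and all three zones on the hEX. This is an added example, not Zerobyte's posted commands. Assumptions not stated in the thread: RouterOS 6.41 or later (switch ports are put into bridges directly, no master-port step), ether1 gets the public address by DHCP client, ether2 carries the media devices, ether3 and ether4 the family PCs, ether5 the office, and the hEX acts as DNS forwarder for every zone. The forward chain encodes the three-zone policy from the earlier post; the input chain is the "standard" hardening the post refers to, spelled out.

```routeros
# Added example (not from the thread): hEX as the only router, three zones, single NAT.
# Assumptions: RouterOS >= 6.41, ether1 = WAN via DHCP client, ether2 = devices,
# ether3/ether4 = family, ether5 = office, hEX resolves DNS for all zones.

/interface bridge
add name=devices comment="zone 1: media devices"
add name=family  comment="zone 2: family PCs"
add name=office  comment="zone 3: office"

/interface bridge port
add bridge=devices interface=ether2
add bridge=family  interface=ether3
add bridge=family  interface=ether4
add bridge=office  interface=ether5

/ip address
add address=192.168.1.1/24 interface=devices
add address=192.168.2.1/24 interface=family
add address=192.168.3.1/24 interface=office

# Public address from the bridged ISP device
/ip dhcp-client
add interface=ether1 disabled=no

# One DHCP server per zone; the hEX is gateway and DNS for each
/ip pool
add name=pool-devices ranges=192.168.1.100-192.168.1.150
add name=pool-family  ranges=192.168.2.100-192.168.2.150
add name=pool-office  ranges=192.168.3.100-192.168.3.150
/ip dhcp-server
add name=dhcp-devices interface=devices address-pool=pool-devices disabled=no
add name=dhcp-family  interface=family  address-pool=pool-family  disabled=no
add name=dhcp-office  interface=office  address-pool=pool-office  disabled=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
/ip dns
set allow-remote-requests=yes

# The only NAT in the network: on the WAN port
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Zone policy. Rules are evaluated top to bottom, first match wins.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to allowed flows"
add chain=forward connection-state=invalid action=drop
add chain=forward out-interface=ether1 action=accept comment="every zone may reach the internet"
add chain=forward in-interface=office action=accept comment="office may open connections to any zone"
add chain=forward in-interface=family out-interface=devices action=accept comment="family may reach media devices"
add chain=forward action=drop comment="drops devices->family, devices->office, family->office"

# The router itself: manageable from the LAN side only
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input in-interface=!ether1 action=accept comment="management and DNS from the three LANs"
add chain=input action=drop comment="anything unsolicited arriving on the WAN"
```

Two points worth checking after loading this. First, the family-to-devices rule is written as `in-interface=family out-interface=devices` rather than the looser `out-interface=devices` mentioned in the post, so that a later dst-nat (port forward) from the WAN into the devices zone does not silently become reachable through the same rule. Second, the policy controls who may open a connection; replies flow back through the established,related rule, so an office PC can browse the media NAS even though the NAS can never initiate toward the office.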
Yup +1 for everything Zerobyte said. If possible put the ISP device into bridge mode and use VLANs (bridges) to create the separation you need.
thanks a lot for support! This is really appreciated. I will checkout what you proposed