IP to IP NAT

Hi. I have a new setup that I am struggling with.

I have a firewalled subnet: 10.74.0.0/16. From this firewall traffic is forwarded to my mikrotik. From a PC in this subnet (IP 10.74.0.2) I ping: 10.14.16.97.
On the mikrotik packetsniffer I see traffic coming in on the ethernet port 5 which is connected to this firewall:

4.969 ether5 rx 10.74.0.2 10.14.16.97 2048 (ip) 74 [in other words the ping arrives correctly as far as I understand this]

Now I need to translate the package to a specific IP: 172.16.1.97 and have it respond back to the original PC. I have tried a few NAT rules but nothing seems to work.

My goal is to have devices from the 10.74.0.0/16 subnet able to get to a few specific IPs in the 172.16.0.0/22 subnet using a specific 10.14.16.x IP - if this seems over-complicated, I have no real control over the 10.74.0.0/16 subnet :confused:

Any assistance or advice will be greatly appreciated.

Can you draw a picture? I’m getting lost from the description.

I suck at pictures and uploading them but here is an attempt.

From A, I ping 10.14.16.97 and this ping arrives on the mikrotik ethernet port 5 (IP 10.14.16.254) as src: 10.74.0.2 dst: 10.14.16.97. I have to get that on to B and back :open_mouth: :slight_smile:

No one has any idea? Is this impossible??

Perhaps someone can explain why this NAT is not working:

chain=dstnat action=dst-nat to-addresses=172.16.1.97 dst-address=10.14.16.97 log=no log-prefix=""

I see no traffic hitting this rule even though I do see incoming packets on ethernet 5 with this destination? (I have no other enabled rules currently, is there a basic ruleset I am missing?)

What else am I missing? Routing? I only have the two DAC routes automatically added from entering IPs for the two ethernet ports in question. Firewall filtering? I have none!

I’m not 100% sure, but I’ve never seen a NAT that is not pointing to the IP of the router. In other words, you would need to point your ping to an address that exists on the router, not to a fake address that does not really exist. You would also need to make sure that the router itself was not responding to that ping (easy enough with a rule). Then you would setup your NAT to forward the specific port (or ports) that were desired to go to the destination.

For example, using your numbers, source PC would be pinging 10.14.16.254. The router would have a NAT rule to forward ICMP traffic to 172.16.1.97. The router would then have a rule to allow established and related connections in the forward chain. Lastly, the router would have a rule in the input chain to not respond to ICMP traffic either from anyone, or from 10.74.0.2.

BTW, is the firewall providing the gateway function to get from the 10.74.0.x LAN to the 10.14.16.x LAN, or is there another router in here somewhere operating as the gateway?

I could be all wet on this one too! I’m not the expert here and you are asking stuff a bit outside my comfort zone.

Thank you for the response.

I have 5 servers that I need accessible from the 10.74.0.0/16 network so I am not sure how using one IP can accomplish this??

I have added a route to the 10.74.0.0/16 subnet on Ethernet port 5 (previously had this, then removed it, but in testing various settings I do need that, so thank you for that).

This is not necessarily a problem. You can NAT any packet that gets to router, its original destination address does not need to be owned by router. But if it’s not owned by router, then it needs to be either routed to it (something else must have route to with gw <router’s address>; then packets to will reach your router), or router has to “pretend” that it has the address using proxy ARP (if it’s in same subnet as destination).

I don’t see what subnet is between mikrotik and firewall. My first guess would be /24, because it’s the usual size. But the confusing part is that if packets to 10.14.16.97 come to mikrotik, then something must have answered the ARP request. But mikrotik would not do it by default, if it doesn’t have the address. If there were smaller subnets and it was routed to it, then it would have to be caught by dstnat rule. One explanation I can think of right now would be if 10.14.16.97 was actually used by some other device and network was connected using hub instead of switch, which does not sound very likely to me.

It won’t help by itself, but what do you have as gateway? It can’t be interface, you need whatever address in 10.14.16.x/xx subnet the firewall has.

Hi Sob. Thank you much :slight_smile: The mikrotik and firewall are directly connected - firewall has IP of 10.14.16.1 on that port and the mikrotik has IP 10.14.16.254

It won’t help by itself, but what do you have as gateway? It can’t be interface, you need whatever address in 10.14.16.x/xx subnet the firewall has.

That is extremely helpful! Off to go and try that immediately and will report back asap.

I changed the gateway of my route:

1 A S 10.74.0.0/16 10.14.16.1

These are what I have currently:

I was quite excited but all for naught…

I had a look at my ARP table and the firewall’s IP and MAC do show as a dynamic entry, which I think is positive.

and just an image to show that the incoming traffic looks right and I feel it should be doable:

Thank you for the responses, I am open to trying anything.

I told you the route by itself won’t save you, it was only one part. Next one is the 10.14.16.97 address. The second image is not available, so I don’t see your traffic, and I’m still not sure how it can get to your router. But if you’re sure that the address is not used by any other device, you may try to add it as second address to ether5.

Another likely problem might be the return path. Does server B have 172.16.1.109 as default gateway? If not, you need to either add route to 10.74.0.0/16 via 172.16.1.109 to server B, or masquerade connections like this:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2

It will make them look like they come from 172.16.1.109 and server B knows where that is, so it will be able to reply properly.

I fixed the image and I believe the firewall admin is forwarding that traffic for us

Thank you very much for the response, will be looking to add this masquerade and report back!

Also in the image traffic is now arriving from the firewall’s IP (not showing the original IP of 10.74.0.2 anymore) - I don’t know if this is better or not :wink:

I added the masquerade rule but I don’t see traffic coming back on ethernet port 2 from 17.14.16.97… I do see traffic from 10.14.16.1 to 172.16.1.97 so I presume my NAT rule works? (I see no counters increase on this rule however.)

So it does look like the route back is still obscured. If Server B (172.16.1.97) receives a ping from what it believes to be 172.16.1.109 it should return to that? (The gateway on this Server is not 172.16.1.109.)

EDIT to add info:

Running a continuous ping from the router to 172.16.1.97 I see to and fro, and then it looks like the ping from the PC jumps in with a source of 10.14.16.1 on ethernet 2 - is my masquerade rule failing?

2nd EDIT (apologies)
When I run torch on ethernet port 2 I see traffic from 172.16.1.97 to 10.14.16.1! Not on the packet sniffer though. In desperation I added a route:

1 A S 10.14.16.1/32 ether5 1

It didn’t help :smiley:

But it looks and feels like I am making progress - any further thoughts or suggestions please?

These current results are strange. If counters for your dstnat rule do not increase, then this rule is not forwarding anything to server B. But in that case, where did those packets on ether2 from firewall to server B come from?

Try to first use your 10.14.16.254 address. We know it’s there and it works (I assume you use it to access the router). So try to forward just one port to server B. You know what service you want to access, so pick the port used by it:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.14.16.254 dst-port=80 protocol=tcp \
    to-addresses=172.16.1.97

Then try to connect to this service on router’s address 10.14.16.254 from your 10.74.0.2 and it should work. Then we can think about what’s the deal with this “virtual” 10.14.16.97. What exact info you have from firewall’s admin?
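Pulling the pieces from this thread together, here is a complete RouterOS configuration as an added example (not a config posted in the thread, and not vendor reference material). Interface names, the router’s addresses (10.14.16.254 on ether5, 172.16.1.109 on ether2), the firewall’s address 10.14.16.1, the server 172.16.1.97 and the “virtual” 10.14.16.97 come from the thread; the /24 mask on the firewall-facing link, TCP port 80 as the forwarded service, the /32 mask for the secondary address and the comment strings are assumptions.

```routeros
# Added example: assumptions are the /24 on ether5, the /32 secondary address, and TCP/80 as the service.

# Addresses: ether5 faces the upstream firewall (10.14.16.1), ether2 faces the 172.16.0.0/22 servers.
/ip address
add address=10.14.16.254/24 interface=ether5 comment="link to upstream firewall"
add address=172.16.1.109/22 interface=ether2 comment="server LAN"
# Secondary address so the router answers ARP for the "virtual" 10.14.16.97 itself.
# (Only do this if no other device on that link already uses 10.14.16.97.)
add address=10.14.16.97/32 interface=ether5 comment="virtual address for dst-nat"

# Return route for the 10.74.0.0/16 clients: gateway is the firewall's ADDRESS, not the interface.
/ip route
add dst-address=10.74.0.0/16 gateway=10.14.16.1

/ip firewall nat
# Option 1 from the thread: translate everything sent to the virtual address to server B.
add chain=dstnat dst-address=10.14.16.97 action=dst-nat to-addresses=172.16.1.97 \
    comment="virtual 10.14.16.97 -> server B"
# Option 2 from the thread: forward a single port on the router's own address instead.
add chain=dstnat dst-address=10.14.16.254 protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=172.16.1.97 comment="router address tcp/80 -> server B"
# Hide clients behind 172.16.1.109 so server B can reply even without a route to 10.74.0.0/16.
add chain=srcnat out-interface=ether2 action=masquerade

/ip firewall filter
# Let replies through, let only dst-nat'ed connections in from the firewall side, drop the rest.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether5 connection-nat-state=dstnat action=accept
add chain=forward in-interface=ether5 action=drop

# Checks after applying:
#   /ip firewall nat print stats              - per-rule packet/byte counters
#   /ip firewall connection print             - live translations (look for 172.16.1.97 as dst)
#   /tool sniffer quick interface=ether2      - confirm src is 172.16.1.109 after masquerade
```

Two things worth knowing when reading the counters. NAT rules in RouterOS are consulted only for the first packet of a connection; once the translation is recorded in the connection table, later packets of that connection follow it without touching the rule again, so a long-running ping (same ICMP id) or an open TCP session bumps the dstnat counter once, not once per packet. Second, the `connection-nat-state=dstnat` matcher in the forward chain is what keeps the rest of the 172.16.0.0/22 network unreachable from ether5: without the final drop rule, any address the upstream firewall chooses to route at you is forwarded as-is.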

Sob your question about B’s gateway was haunting me last night. So this morning I got onto that gateway (which is a firewall in the 172.16.0.0/16 subnet) and added a route for traffic to destination 10.14.16.1 to point to 172.16.1.109.

I am not 100% sure because I am far away from the network over the weekend and can’t monitor the continuous ping I am running, but that looks encouraging :laughing: I’ll be doing that first thing Monday morning.

I’ll be keeping your suggestion above close at hand and thank you so much for the time and effort you have done on my behalf!

I would like to understand why the NAT rule counter is not going up because I do know it is being used! (In testing I disabled the rule and pings change from Request Timeout to Destination Unreachable!!)

Thanks a million and have a great weekend :slight_smile:

If you can set routing for B, is there any chance you could tell firewall’s admin to set route to 172.16.x.x subnet? Then you could drop all NAT, connect directly to 172.16.1.97 and have nice clean solution.

Wow, I walked into an absolute horror of Monday :confused:

But not this. All services are now working and the 10.74.0.0/16 subnet can access the servers in my 172.16.0.0/22 network.

Sob, that would have made the most sense and been the easiest to implement, but the guys behind the 10.74.0.0/16 subnet have very strict rules for their subnets and they use 172.16 somehow already.

Thank you so much for the support and advice!!!