I have an RB433 that is connected back to the AP with a single wireless interface. I am trying to NAT two separate networks, one on eth1 and one on eth2, to two different IPs on the wireless interface.
I have tried it the following ways. IPs have been changed to privates for the example.
Wlan1 in station mode, assigned two IP addresses; then I set up a NAT rule for each network using src-nat and pointing each one to its IP address that is assigned on Wlan1.
I have also tried it with the Wlan as part of a WDS bridge, assigning 172.16.0.23 and .24 to the bridge interface and using the bridge as the out-interface.
What happens is both the src-nat networks can connect to anything on the 172.16.0.0/24 network but can’t connect to anything outside that network. The routes appear to be set up correctly because the router itself can connect to outside networks with no problem.
I am sure that I have set up ROS like this in the past with older versions, but I am scratching my head on this one. Does anyone have any tips or see any glaring problems?
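As an added example (not the original poster's config, which is not shown in the thread), here is one way to lay out the station-mode variant described above. Assumptions: the RB433 ports are named ether1/ether2 (the post says eth1/eth2), the two customer LANs are 192.168.1.0/24 and 192.168.2.0/24, the AP's SSID is "isp-ap", and the edge router is 172.16.0.1.

```routeros
# Added example of the station-mode layout from the post above.
# Assumed: ports ether1/ether2, customer LANs 192.168.1.0/24 and 192.168.2.0/24,
# SSID "isp-ap", upstream gateway 172.16.0.1. The public IPs are stood in for
# by 172.16.0.23 and 172.16.0.24 as in the post.

/interface wireless
set wlan1 mode=station ssid="isp-ap" disabled=no

# Both "public" addresses sit on the station interface; one private gateway
# address per customer LAN.
/ip address
add address=172.16.0.23/24 interface=wlan1
add address=172.16.0.24/24 interface=wlan1
add address=192.168.1.1/24 interface=ether1
add address=192.168.2.1/24 interface=ether2

# Default route toward the edge router.
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.0.1

# One src-nat rule per customer LAN, each pinned to its own public address.
# Matching on src-address plus out-interface (rather than a dst-address) means
# traffic to the 172.16.0.0/24 segment is translated exactly like Internet
# traffic, so the two cases can be compared directly when debugging.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=wlan1 \
    action=src-nat to-addresses=172.16.0.23 comment="LAN1 -> .23"
add chain=srcnat src-address=192.168.2.0/24 out-interface=wlan1 \
    action=src-nat to-addresses=172.16.0.24 comment="LAN2 -> .24"
```

For the WDS variant, the only changes are that the 172.16.0.x addresses move to the bridge interface and `out-interface=bridge1` (or whatever the bridge is called) replaces `out-interface=wlan1` in both NAT rules.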
Do you have default routes assigned? The router will need one also.
/ip route
add gateway=172.16.0.1
If that is not the gateway ip for the 172.16.0.x net, then change that.
You might want to post “/ip route” just to ensure nothing is wrong there.
ADD: A WDS bridge requires a bridge on both sides of the connection. In that case, the out-interface on the NATs would be bridge1 (or whatever you called it), and the IP addresses should be assigned to the bridge also.
You might want to post “/interface bridge” and “/interface bridge port” also.
And the question I forgot to ask: is the wireless equipment on the other side of the wireless connection yours or your ISP’s?
I am the ISP, so it is my equipment. I do have a route set up for 172.16.0.1, and yes, that is how I had the WDS set up when I tried it in that configuration. Our entire network is MT, so I am very familiar with ROS, and from everything I see this should work.
As I mentioned, the router itself can get outside the 172 network; for example, I can go into Tools, ping yahoo.com, and it comes back fine, but neither of the two NATted networks can. They can access anything on their own networks and anything on the 172 network, but they can’t get outside of that.
Internet → Cisco edge router → managed switch → MT AP (WDS/bridged interfaces) → MT 433 client (either station-WDS or station) → client networks running on eth1 and eth2.
The CPE is currently set up to bridge public addresses to the customers’ routers. But I am trying to move the public IPs from the customers’ routers to the MT CPE and src-nat their networks behind the public IPs on the Wlan interface.
I don’t see any glaring problems. I would suggest trying to connect from one of the client networks to somewhere, then go look in the firewall connection tab find the relevant entry, and double-click it (to get a detailed view) and verify that the NAT is established with the correct addresses.
After that, either torch or packet-sniff on either (or both) of the CPE and the AP (I’d probably use packet sniff, actually) and see what is actually leaving, with what IP addresses. Then go from there.
Possible glaring problem I just thought of: if it’s WDS, your out-interface might actually need to be the WDS one or its bridge (or you could try it without any out-interface specified).
Just wanted to update you guys to let you know I figured it out; there was nothing wrong with the config. I finally remembered the other 433 that I had set up this way in the past and compared the configs, and they were identical. So I did some digging and finally figured out that for some reason my Cisco edge router had the client’s old router MAC stuck in its ARP table and wouldn’t refresh it to the WLAN MAC. So I cleared the ARP table and poof, it started working like magic.
Anyway thanks for the help on this one guys. It was nice having another set of eyes telling me that it should work.
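As an added diagnostic example (not part of the thread, and not the poster's own commands), this is the sequence of checks from the CPE side that separates a bad NAT rule from the stale-ARP failure the thread ended on. It assumes the layout described in the first post: a customer LAN of 192.168.1.0/24 behind ether1, src-natted to 172.16.0.23 on wlan1, with the Cisco edge router at 172.16.0.1.

```routeros
# Added example: CPE-side checks when NAT looks right but only the local /24 works.
# Assumed: customer LAN 192.168.1.0/24, public IP 172.16.0.23 on wlan1,
# edge router 172.16.0.1.

# 1. From a customer host, start a flow to something outside (e.g. ping 8.8.8.8),
#    then read the tracked connection. In the detail view, reply-dst-address must
#    be the public 172.16.0.23, not the private address; if it is, the NAT rule
#    is doing its job and the fault is upstream.
/ip firewall connection print detail where src-address~"^192.168.1."

# 2. Watch what actually leaves wlan1 and whether anything comes back.
#    Outbound packets from 172.16.0.23 with no replies means the far side is
#    dropping or mis-delivering the return traffic, not the CPE.
/tool sniffer quick interface=wlan1 ip-address=172.16.0.23

# 3. Note the MAC the upstream router must now associate with the public IPs.
/interface print detail where name=wlan1

# 4. Confirm the CPE itself has resolved the gateway, ruling out a local L2 issue.
/ip arp print where address=172.16.0.1
```

The MAC from step 3 is what to compare against on the edge router: on IOS, `show ip arp 172.16.0.23` should list the wlan1 MAC. If it still shows the customer's old router, `clear ip arp 172.16.0.23` (or `clear arp-cache` for the whole table) forces a refresh. IOS keeps ARP entries for four hours by default, which is why moving an IP from one MAC to another can stay broken for hours on the path through the edge router while other hosts on the 172.16.0.0/24 segment, which ARP for the address themselves, keep working.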