masquerade on public eth with "in traffic" on the same eth!

how to masquerade on public eth with incoming traffic on the same public interface?

scheme:

public interface ip connected to internet - 80.22.232.35

private network coming through public interface from a vpn tunnel - 192.168.2.0/24

I have permitted all traffic from 192.168.2.0/24 that goes through the public interface.

But the problem is that I don't know how to masquerade traffic from 192.168.2.0/24 so they have access to the internet.

Please help.

Thanks.


Hi friend,
yes, I have a little experience like yours.
This is my story from 18 months ago, as I remember it:
my RB511 has one ether and one wireless interface. Before using it, I had a problem because public and local were on one interface, and my idea was that a bridge interface was the solution.
On ether I made a bridge and put the local subnet on the bridge, and put the public address on ether, so incoming and the local network go over one physical interface and to the switch too:
Before, I did not believe it, but it works fine, incredibly. And sorry, my English isn't good.
This is my diagram and the benefit: you will have public and private links to supply your clients together.

|ISP with public address
|
Hub ---- RB511 ))))))) Local subnet wirelessly 
|
|------- Local subnet over wire

My suggestion: I used one physical interface for public and local addresses. Nice...
But now I don't need it, because I have a centralized AAA one with x86.

And for how to NAT the private network, I did it like this:

/ip fi nat add chain=srcnat out-interface=ether action=masquerade

regards
Hasbullah.com

I don't understand what you are saying. As I read it, I see that bridging them is not a solution.

scheme:

internet                vpn location with 192.168.2.0/24 (some kind of mpls VPN from our ISP)
    |                             |
    |                             |
    |                             |
public eth ---------------
    |
local eth
    |
    |
    |
my local networks

/ip route print

A S 192.168.2.0/24 r 8?.?2.2?3.?3 public_eth0
A S 0.0.0.0/0 r 8?.?2.2?3.?3 public_eth0
ADo 172.16.1.0/24 r 172.16.100.1 lan
ADo 172.16.2.0/24 r 172.16.100.1 lan
ADo 172.16.3.0/24 r 172.16.100.1 lan
ADo 172.16.4.0/24 r 172.16.100.1 lan
ADo 172.16.5.0/24 r 172.16.100.1 lan
ADo 172.16.6.0/24 r 172.16.100.1 lan
ADo 172.16.7.0/24 r 172.16.100.1 lan
ADo 172.16.8.0/24 r 172.16.100.1 lan
ADo 172.16.9.0/24 r 172.16.100.1 lan


And I have put a masquerade rule for source 192.168.2.0/24:
chain=srcnat src-address=192.168.2.0/24 dst-address-list=!localnetworks action=masquerade


Routing between 192.168.2.0/24 and my local networks works great, but when I try to ping an external IP from 192.168.2.0/24, I get request timed out.

PLEASE HELP.

Thank you.
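The configuration below is an added example, not from the thread or from any of the posters: it shows the full set of RouterOS rules for the scheme in this post, i.e. a subnet that enters on the public interface and must leave through that same interface masqueraded, with traffic between it and the local LANs left un-NATed. Interface and list names (public_eth0, lan, localnetworks) and the 172.16.0.0/16 summary of the local subnets are assumptions taken from the route print above; the check commands at the end are standard RouterOS commands.

```routeros
# Added example, not the original poster's configuration.
# Assumed names: public_eth0 = interface holding 80.22.232.35 and the routes to the
# ISP/VPN gateway; lan = interface behind which the 172.16.x.0/24 networks live.

# 1. Networks that must NOT be masqueraded: traffic between the VPN site and the
#    local LANs is plain routing, so both sides go on the list.
/ip firewall address-list
add list=localnetworks address=172.16.0.0/16 comment="local LANs behind lan"
add list=localnetworks address=192.168.2.0/24 comment="VPN site subnet"

# 2. Masquerade the VPN subnet only when it leaves towards the internet.
#    srcnat is evaluated after routing, so matching on out-interface works even
#    though the packet came IN on public_eth0 as well (hairpin on one interface).
/ip firewall nat
add chain=srcnat src-address=192.168.2.0/24 out-interface=public_eth0 \
    dst-address-list=!localnetworks action=masquerade comment="VPN site -> internet"

# 3. Forward chain. A generic "drop new connections arriving on the public
#    interface" rule also drops the VPN subnet, because it arrives on that same
#    interface, so it has to be accepted explicitly before any such drop.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward src-address=192.168.2.0/24 in-interface=public_eth0 action=accept \
    comment="VPN site may be forwarded to LAN and to internet"
add chain=forward in-interface=public_eth0 connection-state=new action=drop \
    comment="anything else new from the public side"

# 4. Checks while a 192.168.2.x host pings an external address:
#    the masquerade rule's packet counter must increase,
/ip firewall nat print stats
#    the tracked ICMP connection must show reply-dst rewritten to 80.22.232.35,
/ip firewall connection print where protocol=icmp
#    and the default route must still point out of public_eth0.
/ip route print where dst-address=0.0.0.0/0
```

If the NAT counter stays at zero while the forward accept rule counts packets, the packet is being routed out of a different interface than the one in out-interface, or is being dropped before NAT by a filter rule placed earlier; if the counter increases but the ping still times out, check that the hosts at the VPN site actually have their default route pointing back through the tunnel to this router, since masquerade only rewrites the source address and cannot fix an asymmetric return path.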


So sorry, friend,
that solution is for the subject of this post :wink:

regards
Hasbullah.com

Isn't it better to assign the network 192.168.2.0/24 to the LAN interface (local eth)? Where is the VPN tunnel coming from, the internet or a leased line? The normal procedure, if the VPN tunnel is coming from the internet, is to not use a default gateway on the remote network.