Hello,
I would like to implement a site-to-site VPN to a client that we bought and want to merge with our network. Unfortunately, their IP scheme already exists on our network, so we would need to use NAT to work around this issue.
I know that this should be done using netmap, however I would like to know whether netmap translates the IPs in the same order as the original IPs. For example:
If I want to NAT the IP address 192.168.0.0/16 to 172.16.0.0/16, will the IP translations be:
192.168.0.1 → 172.16.0.1
192.168.0.2 → 172.16.0.2
192.168.0.3 → 172.16.0.3
etc.
Or would the translated IPs use any IP address that is not used in the range? For example, could 192.168.0.1 be translated to 172.16.0.5?
Thanks and kind regards,
Vince
I think that’s how netmap works because it’s stateless - meaning that it couldn’t dynamically choose an “available” address from the translation pool and then map the reply traffic by this entry… it’s stateless, so it must be 1:1 in a predictable, repeatable fashion.
Basically, you’d want site1 to do 1:1 to appear as 172.16.x.x at site2, and you’d want site2 to appear as 172.17.x.x at site1.
site1:
/ip route add dst-address=172.17.0.0/16 gateway=site2
# src-address selects the local range that netmap maps 1:1 onto to-addresses
/ip firewall nat add chain=srcnat src-address=192.168.0.0/16 out-interface=to-site2 action=netmap to-addresses=172.16.0.0/16
/ip firewall nat add chain=dstnat in-interface=to-site2 dst-address=172.16.0.0/16 action=netmap to-addresses=192.168.0.0/16
Do the same on site2:
/ip route add dst-address=172.16.0.0/16 gateway=site1
# same pattern, with site2's own 192.168.0.0/16 presented to site1 as 172.17.0.0/16
/ip firewall nat add chain=srcnat src-address=192.168.0.0/16 out-interface=to-site1 action=netmap to-addresses=172.17.0.0/16
/ip firewall nat add chain=dstnat in-interface=to-site1 dst-address=172.17.0.0/16 action=netmap to-addresses=192.168.0.0/16
Thank you for your reply ZeroByte, that is very helpful indeed!
I will try my setup and let you know the results.
Kind Regards,
Vince
Netmap worked perfectly as you described! I’m thrilled.
Awesome. Yours is exactly the reason for netmap. Glad you got it working.
I have another issue now, concerning DNS. I would like to get the DNS server from the other company to forward records to my company, but I would like the IP address I get translated.
For example, imagine I have an IP scheme of 192.168.0.0/16 at my company, and 192.168.100.0/24 at the other company. Using netmap I create mappings from 172.16.0.0/24 to 192.168.100.0/24 and perform a site-to-site VPN between 192.168.0.0/16 and 172.16.0.0/24. If I have a DNS server at the other site at 192.168.100.100, its address would be 172.16.0.100; that is fine. But the addresses it contains would still be in 192.168.100.0/24. How can I get DNS records from such a DNS server to my company in the 172.16.0.0/24 range so that I can ping them from here?
Thanks,
Vince
Mikrotik doesn’t have such an engine as far as I know.
If you’re using different domains at the two sites, you can configure an alternate view in DNS for queries coming from the other side’s 172.x.x.x range - in other words, if the query comes from 192.168, then give that address, and if it comes from 172.x.x.x then give the 172.x.x.x address. Unfortunately, you have to configure this by hand as far as I know.
The only way to do it in Mikrotik is, if you’re using your Mikrotik as the DNS resolver, to create static entries for the interesting 172.x.x.x hostnames of the remote site; the Mikrotik will then give these answers instead of going out to resolve them.
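As an added example (not code from the thread), this shows the stateless 1:1 arithmetic that ZeroByte describes for netmap, and uses it to generate the static `/ip dns static` entries suggested above from a constructed list of the remote site's records; the hostnames and addresses in REMOTE_RECORDS are made up for illustration.

```python
import ipaddress


def netmap(addr, from_net, to_net):
    """Stateless 1:1 translation, the way netmap works: keep the host bits of
    addr and swap the network bits of from_net for those of to_net.
    Because no state is kept, the same input always yields the same output,
    so 192.168.0.1 -> 172.16.0.1, 192.168.0.2 -> 172.16.0.2, and so on."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("netmap ranges must be the same size")
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    host_bits = int(a) - int(src.network_address)
    return ipaddress.ip_address(int(dst.network_address) + host_bits)


# Constructed sample records from the remote site's DNS (hypothetical names/addresses)
REMOTE_RECORDS = {
    "dns.remote.example": "192.168.100.100",
    "fileserver.remote.example": "192.168.100.20",
}


def static_dns_entries(records, from_net, to_net):
    """Emit RouterOS '/ip dns static' lines that answer with the translated
    (netmapped) address, so local clients resolve the 172.16.x.x side."""
    lines = []
    for name, ip in sorted(records.items()):
        mapped = netmap(ip, from_net, to_net)
        lines.append(f"/ip dns static add name={name} address={mapped}")
    return lines


if __name__ == "__main__":
    for host in ("192.168.0.1", "192.168.0.2", "192.168.7.3"):
        print(host, "->", netmap(host, "192.168.0.0/16", "172.16.0.0/16"))
    # The dstnat netmap rule is the same arithmetic in the other direction
    print("172.16.0.5 ->", netmap("172.16.0.5", "172.16.0.0/16", "192.168.0.0/16"))
    print("\n".join(static_dns_entries(REMOTE_RECORDS, "192.168.100.0/24", "172.16.0.0/24")))
```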