NAT 1:1 Questions

Hi Everyone,

New to MikroTik and routers in general. Below is a diagram of two different subnets; I would like to configure the router in between so that the 192.168.128.0/24 network can obtain information from the 192.168.150.0/24 network. I know that I can configure the router with static routes between the subnets. I am, however, trying to minimize any device configuration changes on the 192.168.150.0/24 network, namely not wanting to program the default gateway into existing devices. How would I go about setting up NAT 1:1 with the MikroTik hEX lite?

Thanks for all your help.

HSL
[attachment: Image 2.png, network diagram]

Just to be clear: the device in the middle, the MT router, is accepting multiple WAN IPs, and you wish, for example, to use one IP for the router and main LAN, and then two separate WAN IPs, one for each of the subnets (or servers, whatever) that you have identified?

192.168.128.226 needs information from 192.168.150.44. I am thinking that with 1:1 NAT, 192.168.128.226 should be able to request information from 192.168.150.44 via 192.168.128.44.

Tried to configure 1:1 NAT with the following commands and it did not work; I need some tips and tricks to troubleshoot.
Thanks

/ip firewall nat add chain=dstnat dst-address=192.168.128.226 action=netmap to-addresses=192.168.150.44

/ip firewall nat add chain=srcnat src-address=192.168.150.44 action=netmap to-addresses=192.168.128.226

Thanks very much for your time.

what you need to do:

  • On the 128/24 network, configure the MT as the default gateway. If your MT is the DHCP server for that network, just distribute the gateway setting with the DHCP lease.
  • Configure src-nat on traffic leaving on 150.55, so that replies will come back to the router.

sebastia

Thanks so much on your reply.

The scenario that we are currently in: all of the devices are non-PCs that use static IPs with no gateway address programmed into them. Re-programming all of the non-PC devices would likely cause a loss of production. My understanding is that 1:1 NAT will work, but I just need advice on the command syntax and 1:1 NAT troubleshooting tips.

/ip firewall nat add chain=dstnat dst-address=192.168.128.226 action=netmap to-addresses=192.168.150.44

/ip firewall nat add chain=srcnat src-address=192.168.150.44 action=netmap to-addresses=192.168.128.226

If you haven’t understood my last response “between the lines” comment: “NAT 1:1 are NOT the droids you’re looking for” :wink:

Referencing https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT, it seems that 1:1 NAT mapping would work on MT. I just need to know what else is missing; please elaborate on why 1:1 NAT would not work. Is it a hardware or configuration limitation?
Thanks

Based on what you shared: all you want is to connect from a .128. IP to a .150. IP. For that, normal routing would suffice, since the .128. systems have a proper gateway. (1)
The .150. systems don't have a gateway set, so you'll need to communicate with an IP in their range, and one which can relay responses back: the router's IP => src-nat (2)

(1) + (2) = src-nat != nat 1:1

In other words, if 192.168.128.226 uses 192.168.128.250 as its default gateway, and 192.168.128.226 will initiate connections to 192.168.150.44 (not the other way), then all you need is:

/ip firewall nat
add chain=srcnat out-interface=<interface connected to .150 network> action=masquerade

In case even 192.168.128.226 doesn’t have this router as default gateway, you can add:

/ip firewall nat
add chain=dstnat dst-address=192.168.128.250 action=netmap to-addresses=192.168.150.44

Then if you connect to 192.168.128.250, the router will forward the packets to 192.168.150.44.

If you need this for multiple devices in the .150 network, then add additional "virtual" addresses:

/ip address
add address=192.168.128.44/24 interface=<same interface where 192.168.128.250 is>
add address=192.168.128.45/24 interface=<same interface where 192.168.128.250 is>
...
/ip firewall nat
add chain=dstnat dst-address=192.168.128.44 action=netmap to-addresses=192.168.150.44
add chain=dstnat dst-address=192.168.128.45 action=netmap to-addresses=192.168.150.45
...
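
The following is an added, complete RouterOS configuration that ties the pieces above together; it is not from the thread or from MikroTik's documentation. It assumes ether2 faces 192.168.128.0/24 and carries 192.168.128.250, and ether3 faces 192.168.150.0/24 and carries 192.168.150.250; the interface names and the router's .150 address are placeholders. It also shows why the netmap pair posted earlier in the thread never matched the traffic in question: `dst-address` in a dstnat rule matches the packet's destination, so `dst-address=192.168.128.226` only matches packets sent to .226, not the requests .226 sends out. The filter rules at the end are a least-privilege addition, not required for the NAT itself, and the final block is the troubleshooting sequence the original question asked for.

```routeros
# Added example, not from the thread. Assumed layout (placeholders):
#   ether2 = 192.168.128.0/24 side, router address 192.168.128.250
#   ether3 = 192.168.150.0/24 side, router address 192.168.150.250
/ip address
add address=192.168.128.250/24 interface=ether2 comment="router on .128"
add address=192.168.150.250/24 interface=ether3 comment="router on .150"
# one "virtual" .128 address per .150 device that must be reachable
add address=192.168.128.44/24 interface=ether2 comment="alias for 192.168.150.44"
add address=192.168.128.45/24 interface=ether2 comment="alias for 192.168.150.45"

# --- What does NOT work (the pair posted earlier in the thread) ---
# dst-address matches the packet's *destination*, so the first rule only
# fires on packets sent *to* .226. The packets that need rewriting are the
# ones .226 sends toward 192.168.128.44, which this rule never sees.
# /ip firewall nat add chain=dstnat dst-address=192.168.128.226 action=netmap to-addresses=192.168.150.44
# /ip firewall nat add chain=srcnat src-address=192.168.150.44 action=netmap to-addresses=192.168.128.226

# --- What works: dstnat to the real .150 host + srcnat so replies return ---
/ip firewall nat
# 1) .128 clients talk to the alias; the router rewrites it to the real host
add chain=dstnat dst-address=192.168.128.44 action=netmap \
    to-addresses=192.168.150.44 comment="alias .128.44 -> .150.44"
add chain=dstnat dst-address=192.168.128.45 action=netmap \
    to-addresses=192.168.150.45 comment="alias .128.45 -> .150.45"
# 2) .150 devices have no gateway, so the source must become an address on
#    their own subnet; masquerade uses the router's ether3 address.
add chain=srcnat out-interface=ether3 action=masquerade \
    comment="replies from .150 devices come back to the router"

# --- Least privilege (recommended): only the pairs that need data get through.
# dstnat runs before the forward chain, so filter on the *real* .150 address.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward src-address=192.168.128.226 dst-address=192.168.150.44 \
    action=accept comment="only .226 may reach .150.44 (assumed pair)"
add chain=forward in-interface=ether2 out-interface=ether3 action=drop \
    comment="everything else from .128 into .150"

# --- Troubleshooting, run while .226 is trying to reach 192.168.128.44 ---
# Do the NAT rule counters increase? If the dstnat counter stays at 0,
# the client is not sending to the alias or is not using this router.
/ip firewall nat print stats
# Expect an entry with src 192.168.128.226, dst 192.168.150.44, and a
# reply-dst of the router's .150 address (proves both translations applied).
/ip firewall connection print where dst-address~"192.168.150.44"
# Can the router itself reach the device from its .150 address? If not,
# NAT cannot help; check cabling/VLAN on ether3 first.
/ping 192.168.150.44 src-address=192.168.150.250 count=3
# Watch the wire on ether3: requests should leave with src 192.168.150.250
# and replies should come back to it.
/tool sniffer quick interface=ether3 ip-address=192.168.150.44
```

Traffic initiated from the .150 side toward .128 still will not work with this setup, for the reason the thread already gives: those devices have no gateway, so only connections that the .128 hosts open (and whose replies the masquerade rule steers back to the router) succeed.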

It works, thanks all for being patient with me.