NAT Can't be that hard?

Hi,

I am trying to set up NAT on one of my border routers to do some testing while we wait for another public IP range to arrive.

I have the below setup

Public IP [RB411A] Private IP

I have configured a src-nat rule with action=masquerade and set the outgoing interface, in this case ether1.

In the past this is all I have had to do to get it working, but for some reason it will not pass private traffic to the internet. Am I doing something wrong?

Cheers

Cameron

More configuration details are necessary I guess. Have you bridged public and local interfaces? Is that your only NAT rule?

Hi,

No bridging. I was using it bridged with a public IP to test the network, but now I am just trying to use NAT. The unit itself can get on the internet etc. without any trouble.

It is the only NAT rule.

Cheers

Cameron

Do you mean you can’t access your private LAN from the internet? If that’s what you’re trying to achieve you’ll need a dst-nat rule as well.
http://www.mikrotik.com/testdocs/ros/3.0/qos/nat.php

Hi,

I just want to use it as a home-style router where all computers on the LAN side of the RB411A have access to the internet. I have followed every guide I can find on the net and they all say to configure it the same way I have.

Cheers

Cameron

It’s impossible to troubleshoot this without you posting your configuration.

Ok Here goes,

RB411A
ether1 (public IP)
wlan1 (10.0.0.64/24)

Nat:

[admin@Gateway-Bridge] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=ether1

That's all the configuration there is. From the LAN clients I can ping the public IP on the RB411A, so it is working as a router, but NAT is not working. I have configured it the same way I have on all the other clients on the network, but no go.

Cheers

Cameron

Post output of

/ip route export
/ip firewall export
/interface export

Hi,

[admin@Gateway-Bridge] > ip route export
# oct/15/2009 09:44:35 by RouterOS 4.0
# software id = A6EJ-FHHU
#
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=115.69.XXX.XXX scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=10.50.50.0/24 gateway=10.0.0.100 scope=30 target-scope=10
add disabled=no distance=1 dst-address=10.171.0.0/16 gateway=10.0.0.1 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=10.171.128.0/17 gateway=10.0.0.128 scope=30 target-scope=10



[admin@Gateway-Bridge] > ip firewall export
# oct/15/2009 09:45:19 by RouterOS 4.0
# software id = A6EJ-FHHU
#
/ip firewall connection tracking
set enabled=no generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="" disabled=no src-address=10.171.0.0/16
add action=accept chain=input comment="" disabled=no src-address=10.0.0.0/24
add action=accept chain=input comment="" disabled=no src-address=60.241.XXX.XXX
add action=accept chain=input comment="" disabled=no src-address=60.241.XXX.XXX
add action=accept chain=input comment="" connection-state=established disabled=no
add action=accept chain=output comment="" connection-state=related disabled=no
add action=drop chain=input comment="" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no



[admin@Gateway-Bridge] > interface export 
# oct/15/2009 09:46:10 by RouterOS 4.0
# software id = A6EJ-FHHU
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:27:XX:XX \
    mtu=1500 name=ether1 speed=100Mbps
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" group-key-update=5m interim-update=0s \
    management-protection=disabled management-protection-key="" mode=none name=default radius-eap-accounting=no \
    radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX \
    radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none static-key-0=\
    "" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates unicast-ciphers=\
    "" wpa-pre-shared-key="" wpa2-pre-shared-key=""
add authentication-types=wpa2-psk group-ciphers=aes-ccm group-key-update=5m interim-update=0s management-protection=\
    allowed management-protection-key="" mode=dynamic-keys name=secure radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=\
    as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" static-key-1=\
    "" static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 \
    supplicant-identity="" tls-certificate=none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key="" \
    wpa2-pre-shared-key=puddlenetsecretkey
/interface wireless
set 0 ack-timeout=dynamic adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 antenna-mode=ant-b area="" arp=\
    enabled band=5ghz basic-rates-a/g=6Mbps,9Mbps,12Mbps burst-time=disabled comment="" compression=no country=australia \
    default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes dfs-mode=none \
    disable-running-check=no disabled=no disconnect-timeout=3s frame-lifetime=0 frequency=5210 frequency-mode=\
    manual-txpower hide-ssid=no hw-fragmentation-threshold=disabled hw-protection-mode=none hw-protection-threshold=0 \
    hw-retries=4 l2mtu=2290 mac-address=00:15:6D:64:CF:4A max-station-count=2007 mode=station mtu=1500 name=wlan1 \
    noise-floor-threshold=default on-fail-retry-time=100ms periodic-calibration=default periodic-calibration-interval=60 \
    preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=gw2mc rate-set=configured scan-list=default \
    security-profile=secure ssid=mc2gw station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=6Mbps,9Mbps,12Mbps \
    tx-power-mode=default update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=\
    100 wds-ignore-ssid=no wds-mode=disabled wmm-support=disabled
/interface wireless nstreme
set wlan1 comment="" disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=3200 framer-policy=none
/interface wireless manual-tx-power-table
set wlan1 comment="" manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps\
    :17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:0,HT20-1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,HT20-6:0,HT20-7:0,HT40-0:0,HT4\
    0-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT40-6:0,HT40-7:0"
/interface bridge port
add comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 path-cost=10 point-to-point=auto \
    priority=0x80
add comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=wlan1 path-cost=10 point-to-point=auto \
    priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=\
    disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 \
    mac-address=FE:D2:F7:01:BE:E9 max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 \
    max-mtu=1460 mrru=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=\
    300 frames-per-second=25 receive-all=yes ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no \
    streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no

I have tried it with the firewall rules disabled and still the same issue.

Try to enable

/ip firewall connection tracking set enabled=yes

That is most likely why your NAT rule is not working: your firewall export shows connection tracking with `enabled=no`, and masquerade (like any NAT) depends on the connection tracker to rewrite the replies back to the LAN host. With tracking off, your `connection-state=established`/`related` filter rules also never match anything. Separately, the export still lists ether1 and wlan1 under `/interface bridge port`; if those are leftovers from the bridged test, remove them so nothing interferes with routing.

That was it!

Why would this be disabled by default? I was setting it up in Winbox and I cannot see this option anywhere.

Cheers

Cameron

This is not disabled by default :slight_smile:. In Winbox, in the Firewall window, the “Connections” tab has a “Tracking” button that shows the connection tracking options. Two other things worth fixing from the export you posted: the only drop rule in your input chain (`add action=drop chain=input ... disabled=yes`) is disabled, so with RouterOS's default accept behaviour the router itself currently accepts connections from anywhere on ether1 — enable that rule once you have confirmed the accept rules above it cover your management sources. And the export included your wireless pre-shared key in clear text (`wpa2-pre-shared-key=...`) while the IPs and MACs were masked; treat that key as compromised, change it, and redact pre-shared keys before posting exports.