NAT help with using a public range

Hi Everyone,

I’m just doing my research before changing our core pfSense router over to a MikroTik RB1100. To help get things moved across smoothly I’m making sure I know how to implement the current config on the MikroTik.

Currently we have a /30 for a point-to-point to our ISP delivered over ethernet. We also have a /29 and a /28 that are statically routed to us. At the moment pfSense has all of the public IPs in the /29 and /28 assigned to it as Virtual IPs (proxy ARP). We have two local subnets attached to the pfSense box (192.168.11.0/24 and 10.23.1.0/24) which are default NAT’d to two different public IPs.

When we add a server that requires a public IP we assign it an address in the 10.23.1.0/24 subnet and use 1:1 NAT to forward all ports, or we just forward specific ports and block the rest. When we do this we also get pfSense to set the outbound NAT as its assigned IP so any outbound connections come from the assigned public IP instead of the default one.

As an example -
xxx.xxx.132.8 ← 192.168.11.0/24
xxx.xxx.132.9 ← 10.23.1.0/24
xxx.xxx.132.10 ↔ 10.23.1.5 (1:1 NAT)

On our WAN interface, do I need to assign all of our /29 and /28 public IPs like below? Should they be entered as /32s?

### WAN address from the /30 ###
/ip address add address=xxx.xxx.132.6/30 interface=Wan

### Addresses from the /29 ###
/ip address add address=xxx.xxx.132.8/29 interface=Wan
/ip address add address=xxx.xxx.132.9/29 interface=Wan
...
/ip address add address=xxx.xxx.132.14/29 interface=Wan

### LAN subnets ###
/ip address add address=192.168.11.254/24 interface=Lan1
/ip address add address=10.23.1.254/24 interface=Lan2

From here the NAT should be straightforward?

### Nat the 192.168.11.0/24 
/ip firewall nat add chain=srcnat src-address=192.168.11.0/24 action=src-nat \
	to-addresses=xxx.xxx.132.8
### Nat the 10.23.1.0/24
/ip firewall nat add chain=srcnat src-address=10.23.1.0/24 action=src-nat \
	to-addresses=xxx.xxx.132.9

### 1:1 NAT the server at 10.23.1.5
/ip firewall nat add chain=dstnat dst-address=xxx.xxx.132.10 action=dst-nat \
	to-addresses=10.23.1.5
/ip firewall nat add chain=srcnat src-address=10.23.1.5 action=src-nat \
	to-addresses=xxx.xxx.132.10

If I’ve stuffed up anything please let me know :smiley:

Thanks guys
-Matt

That’s it. You can add the routed network as /32s but I prefer to use the real netmask. I would also create an empty bridge interface and call it “loopback” and assign the routed IPs to that interface rather than overloading the WAN - that way you’re not leaking ARP traffic on the point-to-point interface for a network that doesn’t exist on that broadcast domain.

Your NAT rules must mention the more specific 1:1 NAT rules for servers BEFORE you NAT the entire network, as the rules are evaluated top to bottom and the first hit wins. If the broader network NAT comes first then connections initiated by the server will not have the source address you expect.
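Putting the reply's two points together, here is an added RouterOS configuration sketch. It is not from the thread and is neither Matt's nor the replier's config. It keeps the thread's xxx.xxx.132.x placeholders and assumes the interface names Wan, Lan1 and Lan2, a bridge named loopback, the ISP end of the /30 at xxx.xxx.132.5, and TCP/443 as a stand-in for whatever port the 1:1 server actually publishes; the /28 is omitted because its prefix is not given in the thread.

```routeros
# Added example following the reply above; not the thread's own config.
# xxx.xxx.132.x are the thread's placeholders; Wan/Lan1/Lan2/loopback and
# the ISP gateway xxx.xxx.132.5 are assumed.

### Point-to-point /30 stays on the physical WAN interface ###
/ip address add address=xxx.xxx.132.6/30 interface=Wan comment="ISP p2p"
/ip route add dst-address=0.0.0.0/0 gateway=xxx.xxx.132.5 comment="assumed ISP side of the /30"

### Empty bridge to hold the routed blocks, so no ARP for them leaks onto the p2p link ###
/interface bridge add name=loopback

### Routed /29 with its real netmask; this gives the router a connected route
### for the whole block, so individual NAT targets need no extra /ip address entries.
### Add the /28 the same way with its own prefix (not shown: not given in the thread).
/ip address add address=xxx.xxx.132.8/29 interface=loopback comment="routed /29"

### LAN subnets ###
/ip address add address=192.168.11.254/24 interface=Lan1
/ip address add address=10.23.1.254/24 interface=Lan2

### Source NAT: most specific rule FIRST, because the first match wins ###
### out-interface=Wan keeps LAN-to-LAN traffic between the two subnets un-NATed ###
/ip firewall nat
add chain=srcnat src-address=10.23.1.5 out-interface=Wan action=src-nat \
    to-addresses=xxx.xxx.132.10 comment="1:1 server - must precede the subnet NAT"
add chain=srcnat src-address=10.23.1.0/24 out-interface=Wan action=src-nat \
    to-addresses=xxx.xxx.132.9 comment="default NAT for 10.23.1.0/24"
add chain=srcnat src-address=192.168.11.0/24 out-interface=Wan action=src-nat \
    to-addresses=xxx.xxx.132.8 comment="default NAT for 192.168.11.0/24"

### Destination NAT for the 1:1 server (all ports; narrow with protocol/dst-port if wanted) ###
add chain=dstnat dst-address=xxx.xxx.132.10 action=dst-nat \
    to-addresses=10.23.1.5 comment="1:1 server inbound"

### Forward filter: expose only the port the server should publish, drop the rest ###
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-nat-state=dstnat dst-address=10.23.1.5 \
    protocol=tcp dst-port=443 action=accept comment="published service (443 assumed)"
add chain=forward connection-nat-state=dstnat action=drop \
    comment="any other dst-natted traffic"

### Confirm the srcnat order after adding (rule 0 should be the 1:1 server) ###
/ip firewall nat print
```

Two things worth checking after applying it: `/ip firewall nat print` should list the 10.23.1.5 rule above the 10.23.1.0/24 rule, and `/ip firewall connection print` for an outbound session from 10.23.1.5 should show a reply address of xxx.xxx.132.10, not xxx.xxx.132.9. The `out-interface=Wan` match is an addition beyond the thread's rules; without it, packets routed between 192.168.11.0/24 and 10.23.1.0/24 would also be source-NATed to the public addresses.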