NAT of Public IPs behind 750GL (Ipchains Noob)

We are a small startup community ISP; we have been advised by our backhaul provider to provide static, public, IP addresses to each of our subscribers.

Our public range, which the router is supposed to pass through, is 95.142.121.0/24.
However, pass through (via NAT setup) is not working. (And I believe all the Mikrotik can do is NAT IP ranges.)

I have altered the rule order, so that it should match, and it does not.

(Rules below are disabled, but when enabled they do not work.)
add action=accept chain=srcnat disabled=yes dst-address=95.142.121.0/24 src-address=95.142.121.0/24
add action=accept chain=dstnat disabled=yes dst-address=95.142.121.0/24 src-address=95.142.121.0/24

What am I doing wrong?

Thanks,
rroddy

[admin@gw1-wwcbb] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=194.0.76.236/29 network=194.0.76.232 interface=ether1-gateway actual-interface=ether1-gateway
1 address=95.142.121.1/24 network=95.142.121.0 interface=ether2-local-master actual-interface=ether2-local-master
2 address=194.0.76.237/29 network=194.0.76.232 interface=ether1-gateway actual-interface=ether1-gateway
3 address=192.168.88.1/24 network=192.168.88.0 interface=ether2-local-master actual-interface=ether2-local-master

[admin@gw1-wwcbb] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=194.0.76.234 gateway-status=194.0.76.234 reachable ether1-gateway distance=1 scope=30 target-scope=10
1 ADC dst-address=95.142.121.0/24 pref-src=95.142.121.1 gateway=ether2-local-master gateway-status=ether2-local-master reachable distance=0 scope=10
2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether2-local-master gateway-status=ether2-local-master reachable distance=0 scope=10
3 ADC dst-address=194.0.76.232/29 pref-src=194.0.76.236 gateway=ether1-gateway gateway-status=ether1-gateway reachable distance=0 scope=10

[admin@gw1-wwcbb] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="ether1-gateway" type="ether" mtu=1500 l2mtu=1598
1 R name="ether2-local-master" type="ether" mtu=1500 l2mtu=1598
2 R name="ether3-local-slave" type="ether" mtu=1500 l2mtu=1598
3 R name="ether4-local-slave" type="ether" mtu=1500 l2mtu=1598
4 R name="ether5-local-slave" type="ether" mtu=1500 l2mtu=1598
[admin@gw1-wwcbb] >


[admin@gw1-wwcbb] > /ip firewall export
# jan/03/1970 23:06:19 by RouterOS 5.2
# software id = SMTH-A17F
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=95.142.121.0/24 src-address=95.142.121.0/24
add action=accept chain=dstnat disabled=yes dst-address=95.142.121.0/24 src-address=95.142.121.0/24
add action=accept chain=dstnat disabled=yes dst-address=192.168.88.0/24 src-address=95.142.121.0/24
add action=accept chain=srcnat disabled=yes dst-address=95.142.121.0/24 src-address=192.168.88.0/24
add action=accept chain=dstnat disabled=no dst-address=192.168.88.55 src-address=194.0.76.237
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

First things first: any particular reason you’re not just routing your customers’ public IPs instead of using NAT? Routing them to the customers would be much easier and enable them to do stuff like forward their own ports for whatever purpose they want (a common one is video games). You would also save the customers from having to use double NAT, since they’ll presumably also NAT on the CPE.

That would be, incidentally, what “pass through” would mean to me. You’re passing that IP through to the end customer. NAT most decidedly doesn’t do that.
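To make the behaviour of the posted srcnat chain concrete, here is an added Python simulation (not rroddy's configuration and not the reply's suggestion in code form). It walks a packet through the srcnat rules in the order of the export, using the routing table from the `/ip route print` output to pick the out-interface. It assumes RouterOS first-match semantics (the first matching rule decides; `accept` leaves the packet untranslated, `masquerade` rewrites the source to the out-interface's address, taken here to be 194.0.76.236). The `NO_NAT_FOR_PUBLIC_RULES` chain at the bottom is a hypothetical variant with an accept rule that carries only `src-address`, included to show how the posted rules differ from one that would exempt the public /24 from masquerading; it is not something the thread itself proposes.

```python
"""Constructed first-match walk of a RouterOS-style srcnat chain.

Assumptions (labelled): rules are evaluated top-down, the first match ends
evaluation; 'accept' means no translation; 'masquerade' rewrites the source
address to the out-interface address, assumed to be 194.0.76.236 here.
"""
from ipaddress import ip_address, ip_network

WAN_ADDRESS = "194.0.76.236"  # assumption: address masquerade picks on ether1-gateway

# srcnat rules exactly as posted, with the disabled ones switched on for the test.
SRCNAT_RULES = [
    {"action": "accept", "src": "95.142.121.0/24", "dst": "95.142.121.0/24"},
    {"action": "accept", "src": "192.168.88.0/24", "dst": "95.142.121.0/24"},
    {"action": "masquerade", "out_interface": "ether1-gateway"},
]

# Hypothetical variant (not from the thread): accept the public range on any
# destination before the masquerade rule, so it leaves the router untranslated.
NO_NAT_FOR_PUBLIC_RULES = [
    {"action": "accept", "src": "95.142.121.0/24"},
] + SRCNAT_RULES

# Routing table rebuilt from the post's /ip route print output.
ROUTES = [
    ("95.142.121.0/24", "ether2-local-master"),
    ("192.168.88.0/24", "ether2-local-master"),
    ("194.0.76.232/29", "ether1-gateway"),
    ("0.0.0.0/0", "ether1-gateway"),
]


def out_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES to find the egress interface."""
    best_net, best_iface = None, None
    for net, iface in ROUTES:
        network = ip_network(net)
        if ip_address(dst) in network and (
            best_net is None or network.prefixlen > best_net.prefixlen
        ):
            best_net, best_iface = network, iface
    return best_iface


def rule_matches(rule: dict, src: str, dst: str, iface: str) -> bool:
    """Every matcher present on the rule must fit; absent matchers match anything."""
    if "src" in rule and ip_address(src) not in ip_network(rule["src"]):
        return False
    if "dst" in rule and ip_address(dst) not in ip_network(rule["dst"]):
        return False
    if "out_interface" in rule and rule["out_interface"] != iface:
        return False
    return True


def evaluate_srcnat(rules: list, src: str, dst: str) -> dict:
    """Return which rule fired and the source address the far end will see."""
    iface = out_interface(dst)
    for index, rule in enumerate(rules):
        if rule_matches(rule, src, dst, iface):
            translated = WAN_ADDRESS if rule["action"] == "masquerade" else src
            return {"rule": index, "action": rule["action"],
                    "out_interface": iface, "src_seen": translated}
    return {"rule": None, "action": "none", "out_interface": iface, "src_seen": src}


def explain(rules: list, src: str, dst: str) -> str:
    """One-line human summary used when the script is run directly."""
    result = evaluate_srcnat(rules, src, dst)
    return (f"{src} -> {dst} via {result['out_interface']}: rule {result['rule']} "
            f"{result['action']}, peer sees source {result['src_seen']}")


if __name__ == "__main__":
    # Subscriber to the Internet: the posted accept rule needs dst inside the /24,
    # so it never matches and the default masquerade rule translates the packet.
    print(explain(SRCNAT_RULES, "95.142.121.50", "8.8.8.8"))
    # Subscriber to subscriber: both ends are in the /24, accept matches.
    print(explain(SRCNAT_RULES, "95.142.121.50", "95.142.121.60"))
    # Same Internet-bound packet under the hypothetical accept-on-src-only chain.
    print(explain(NO_NAT_FOR_PUBLIC_RULES, "95.142.121.50", "8.8.8.8"))
```

Running it shows why the pass-through rules as posted have no effect on Internet-bound traffic: a packet from a subscriber to any address outside 95.142.121.0/24 fails the `dst-address` matcher on the accept rule, falls through to the masquerade rule, and leaves with the router's WAN address. The only packets the accept rule ever matches are ones that never reach the NAT on the way out anyway (subscriber to subscriber on the same interface).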