nat related question ... need help

I need some help. I have 2 routers: router1 is load balancing 2 DSL lines and then outputs the traffic to router2, which is facing the network users (has hotspot, DHCP, DNS, web-proxy).
The problem is, I want to manage specific internal IP traffic through router1 (the one with PCC), but all I see is the LAN IP of router2.

router1 interfaces: WAN1 192.168.1.22/24
WAN2 192.168.2.22/24
LAN 10.10.10.10/24
router2 interfaces: LAN 20.20.20.20/24 (facing users)
Mik 10.10.10.100

router1 is connected to router2: LAN <-> Mik

How can I manage internal IPs through router1? Is it something to do with NAT rules? Need help.

Don't use NAT on the internal router. Then just add a /30 between the two, and in your ISP-facing router add routes to the LANs on the internal router. Do the NAT masquerade on your ISP-facing router. That would allow you to expose the src addresses from your internal router to the ISP-facing router.

Can you explain more... I do understand the rest, but not this.

Yes, the two routers need to have a shared network between them so that they have an address to use as a gateway for routes.

For instance, you could put 10.1.1.1/30 on router one and 10.1.1.2/30 on router two.

The subnet would have the following properties.

10.1.1.0 network address
10.1.1.1 host 1 (router one isp facing)
10.1.1.2 host 2 (router two lans/pcc)
10.1.1.3 broadcast address

So that router one can communicate with hosts connected to router two's LAN interfaces, you would need to add routes for router two's LAN networks.

on router one (ISP facing)
/ip firewall address-list
add list=natted-lans address=20.20.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=wan1 src-address-list=natted-lans
add action=masquerade chain=srcnat disabled=no out-interface=wan2 src-address-list=natted-lans
/ip route
add gateway=10.1.1.2 dst-address=20.20.20.0/24

on router two
remove the NAT masquerade rule
/ip route
add gateway=10.1.1.1 dst-address=0.0.0.0/0

Thank you, bro. I did the config and it works fine with PCC and proxy.

No problem, glad I could help :)

Yeah bro, you helped so much, but there is a little problem I'm facing.
This solution solved the problem for all types of connections except HTTP connections (i.e. port 80); I still see the src-address of router2, not the internal IPs. I think the web-proxy is causing the problem.
Is there a way to solve this while keeping the web-proxy on?

Assuming the web proxy is still on the customer-facing router, that would make sense, because the web proxy is doing src NAT in a way, but only with port 80.

Assuming you are running a translucent proxy, I would add a dst NAT rule on the ISP-facing router that redirects port 80 to a web proxy running on its own hardware.

Start by adding a proxy on the ISP-facing router.

Then remove the dst NAT for the proxy on the customer-facing router, then add it to the ISP-facing router.

something along the lines of…

/ip firewall nat
add chain=dstnat src-address-list=natted-lans protocol=tcp \
    dst-port=80 action=redirect to-ports=<web proxy port here>

Your NAT rules should look something like this on your ISP-facing router when you are done...

/ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic 
 5   ;;; default masquerade out wan
     chain=srcnat action=masquerade src-address-list=natted-lans 

 6   ;;; translucent proxy redirect 
     chain=dstnat action=redirect src-address-list=natted-lans to-ports=8080 protocol=tcp dst-port=80
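A small packet-flow model of the three states this thread goes through, added here as an illustration and not taken from the thread or from RouterOS. It uses the thread's addresses, plus a constructed LAN client 20.20.20.50 and a constructed route table for router1, and shows which source address router1's PCC rules can match on, and why router1 needs the route back to 20.20.20.0/24.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

CLIENT = "20.20.20.50"   # constructed LAN host behind router2
# Constructed router1 route table: the /24 route from the thread plus a default via the ISP.
R1_ROUTES = {"20.20.20.0/24": "10.1.1.2", "0.0.0.0/0": "192.168.1.1"}


@dataclass
class Router:
    name: str
    link_ip: str                     # address it presents toward router1
    masquerade: bool                 # srcnat masquerade on outbound traffic
    proxy_port: Optional[int] = None  # transparent web-proxy redirect for tcp/80


def forward(router: Router, src: str, dport: int) -> str:
    """Source address the next hop sees after this router handles the flow."""
    if router.proxy_port is not None and dport == 80:
        # A transparent proxy terminates the client's TCP session and opens its
        # own, so upstream sees the router's address even without masquerade.
        return router.link_ip
    if router.masquerade:
        return router.link_ip
    return src


def src_seen_by_router1(router2: Router, dport: int) -> str:
    return forward(router2, CLIENT, dport)


def next_hop(routes: Dict[str, str], dst: str) -> str:
    """Longest-prefix match, as router1's routing table does for reply packets."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n) for n in routes if addr in ipaddress.ip_network(n)]
    best = max(nets, key=lambda n: n.prefixlen)
    return routes[str(best)]


def scenarios() -> Dict[str, Dict[int, str]]:
    """Address router1 sees for tcp/80 and tcp/443 in each of the thread's states."""
    states = [
        ("masquerade on router2", Router("router2", "10.10.10.100", True, 8080)),
        ("masquerade moved to router1", Router("router2", "10.1.1.2", False, 8080)),
        ("proxy also moved to router1", Router("router2", "10.1.1.2", False, None)),
    ]
    return {name: {p: src_seen_by_router1(r, p) for p in (80, 443)} for name, r in states}
```

Without the 20.20.20.0/24 route, router1 would send replies for the client toward the ISP default gateway instead of back across the /30.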