NAT Static

Hello,
In my network architecture, each device that has a local IP address connects to the internet with its own public IP address, i.e.
PC1: local 192.168.1.2 => 172.16.128.2
PC2: local 192.168.1.3 => 172.16.128.3
public: 172.16.128.0/24
local: 192.168.1.0/24
public gateway: 172.16.128.1
local gateway: 192.168.1.1
and the ether1 interface has 192.168.254 and the other interface, ether2, has 172.16.128.254.
Then in my router configuration I set up static NAT, but the problem is that all the devices get 172.16.128.254 (ether2) as their public address.
this is my config:

/ip address add interface=ether1 address=192.168.1.254/24
/ip address add interface=ether2 address=172.16.128.254/24

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether2
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.2 to-addresses=172.16.128.2
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.3 to-addresses=172.16.128.3

/ip route add dst-address=192.168.1.0/24 gateway=172.16.128.1
/ip route add dst-address=0.0.0.0/0 gateway=172.16.1.254

Help plz :frowning: :frowning:

Rules are processed in order, so everything just uses the first masquerade rule.

If I run a test from the command line to find out which public IP address the device with address 192.168.1.2 uses:

curl ipinfo.io/ip
172.16.128.254

It's wrong, I should see 172.16.128.2 :frowning:

And did you follow my hint and move the first masquerade rule to the end of the chain?

When I moved the first masquerade rule to the end of the chain, the network stopped working.

If you have:

/ip firewall nat
add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.2 to-addresses=172.16.128.2
add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.3 to-addresses=172.16.128.3
add chain=srcnat action=masquerade out-interface=ether2

Then it could possibly break connectivity for 192.168.1.2 and 192.168.1.3, if there’s some problem with 172.16.128.2 and 172.16.128.3. But for all other sources, those two rules won’t touch their packets and only the masquerade rule will be used as before.

If all public addresses are in the same /24, you also need to add the new ones to the router, otherwise the ISP's gateway can't reach them. And then also change the masquerade rule to:

add chain=srcnat action=src-nat out-interface=ether2 to-addresses=172.16.128.254

It will make sure that traffic not srcnatted by previous rules will always use the correct address and won’t pick another one.
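To make the ordering point concrete, here is an added example (not from the thread or from RouterOS) that models a srcnat chain the way the reply describes it: rules are walked top to bottom, and both src-nat and masquerade end processing for the matching connection. The chain contents are the thread's own rules; the host 192.168.1.50 is constructed to stand for "any other source".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SrcNatRule:
    action: str                         # "src-nat" or "masquerade"
    out_interface: str
    src_address: Optional[str] = None   # host or CIDR; None matches any source
    to_addresses: Optional[str] = None  # used by action=src-nat only

def rule_matches(rule: SrcNatRule, src: str, out_iface: str) -> bool:
    """All rules in the thread share out-interface=ether2; src-address is the only differentiator."""
    if rule.out_interface != out_iface:
        return False
    if rule.src_address is None:
        return True
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule.src_address, strict=False)

def translated_source(chain: List[SrcNatRule], src: str, out_iface: str, iface_addr: str) -> str:
    """Source address the first packet of a connection leaves with.
    First matching rule wins; src-nat and masquerade both terminate the chain."""
    for rule in chain:
        if rule_matches(rule, src, out_iface):
            if rule.action == "masquerade":
                return iface_addr       # masquerade uses the out-interface's own address
            return rule.to_addresses
    return src                          # nothing matched: source left unchanged

ETHER2_ADDR = "172.16.128.254"
SPECIFIC = [
    SrcNatRule("src-nat", "ether2", "192.168.1.2", "172.16.128.2"),
    SrcNatRule("src-nat", "ether2", "192.168.1.3", "172.16.128.3"),
]
MASQ = SrcNatRule("masquerade", "ether2")

ORIGINAL_CHAIN = [MASQ] + SPECIFIC   # thread's first config: catch-all rule first
FIXED_CHAIN = SPECIFIC + [MASQ]      # suggested order: specific rules first, catch-all last

def demo() -> dict:
    """Public address seen by each test source under both orders (192.168.1.50 is constructed)."""
    result = {}
    for src in ("192.168.1.2", "192.168.1.3", "192.168.1.50"):
        result[src] = (translated_source(ORIGINAL_CHAIN, src, "ether2", ETHER2_ADDR),
                       translated_source(FIXED_CHAIN, src, "ether2", ETHER2_ADDR))
    return result

if __name__ == "__main__":
    for src, (before, after) in demo().items():
        print(f"{src}: masquerade-first -> {before}, src-nat-first -> {after}")
```

Real RouterOS evaluates srcnat only on the first packet of a tracked connection, so after reordering, existing connections keep their old translation until they expire.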

Thank you for your quick reply;
I deleted all the NAT rules and re-added them in the order you said, but nothing changed (no connectivity).
The public addresses are on a /26 and the local addresses are on a /24.

In that case, try a better description of public addresses.

You wrote that the main one is 172.16.128.254/24 (it's not public, but that's not the important part). But you also wrote that the others are 172.16.128.2-3, which would put them in the same /24 subnet. Now if you say that .254 is in a /26, then .2-3 would be in a different subnet, and even .1 would not work as gateway, because it's not in the same /26 either. And on second look, you have one gateway in the description and another in the config, which is in a completely different subnet too. And both routes are strange.

You don’t need to share your real public addresses, write them as x.x.128.254/26, or use 172.16 prefix as you did, but keep the right part (numbers and mask) unchanged.

Also, are these three srcnat rules the only rules in srcnat chain, or are there also others?

Hello,
Yes, probably I did not describe it well to you.
1- There are only those 3 NAT rules, no others.
2- Yes, you are right about the public IP addresses, I was not clear in detailing the information, so:
Local network: 192.168.1.0/24
Public network: 172.16.128.0/26
Public Gateway: 172.16.128.1
ether1: 192.168.1.254
ether2: 172.16.128.62
This is my simulation:
(attached screenshot: Capture du 2018-09-20 09-27-57.png)
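The subnet argument in the reply above, worked through on the thread's two address plans as an added example (not from the thread or from RouterOS): an address on ether2 can only reach a gateway, and answer ARP for src-nat targets, that sit inside the directly connected subnet. The function name and the wording of the report are this example's own.

```python
import ipaddress
from typing import Dict, List

def public_plan_problems(iface_cidr: str, gateway: str, to_addresses: List[str]) -> List[str]:
    """List the gateway and src-nat target addresses that fall outside the subnet
    ether2 actually lives in. Host bits of iface_cidr are masked off to get that subnet."""
    net = ipaddress.ip_network(iface_cidr, strict=False)
    checks = [("gateway", gateway)] + [("to-addresses", a) for a in to_addresses]
    return [f"{label} {addr} is not in {net}"
            for label, addr in checks
            if ipaddress.ip_address(addr) not in net]

# Plan 1: ether2 .254 said to be in a /26, gateway .1, targets .2 and .3 (first description).
AS_FIRST_DESCRIBED = ("172.16.128.254/26", "172.16.128.1", ["172.16.128.2", "172.16.128.3"])
# Plan 2: the first config's default route pointed at 172.16.1.254 from a /24 on ether2.
FIRST_CONFIG_ROUTE = ("172.16.128.254/24", "172.16.1.254", [])
# Plan 3: corrected description, ether2 .62/26 with gateway .1 and the same targets.
CORRECTED = ("172.16.128.62/26", "172.16.128.1", ["172.16.128.2", "172.16.128.3"])

def run_all() -> Dict[str, List[str]]:
    """Problems per plan; an empty list means every address shares ether2's subnet."""
    return {
        "first_description": public_plan_problems(*AS_FIRST_DESCRIBED),
        "first_config_route": public_plan_problems(*FIRST_CONFIG_ROUTE),
        "corrected": public_plan_problems(*CORRECTED),
    }

if __name__ == "__main__":
    for name, problems in run_all().items():
        print(name, "->", problems or "consistent")
```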

This is wrong:
/ip route add dst-address=192.168.1.0/24 gateway=172.16.128.1
/ip route add dst-address=0.0.0.0/0 gateway=172.16.1.254

This is correct:
/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

yes
This is my new config

/ip address add interface=ether1 address=192.168.1.254/24
/ip address add interface=ether2 address=172.16.128.62/26

/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.2 to-addresses=172.16.128.3
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.3 to-addresses=172.16.128.4
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.4 to-addresses=172.16.128.5
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.5 to-addresses=172.16.128.6
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether2

/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

Does it work in your environment?

It works, but the problem is that all devices (192.168.1.2, .3, .4, .5) get 172.16.128.62 as their public IP address,
that is, NAT does not work :frowning:

What ROS version do you use?

6.42.6

Should work, dunno. Is it emulated environment or real devices?

Real devices

You have common condition (out-interface=ether2) in all rules, so the only difference is src-address=192.168.1.x. As long as the connection has source address 192.168.1.x, the matching rule will be used. And since action=src-nat ends the processing, source will be changed to 172.16.128.x. I don’t see how it could not work.

What are your firewall filter rules?

For a couple of seconds, set log=yes on all the rules in chain=srcnat using /ip firewall nat set [find chain=srcnat] log=yes. After that, stop logging them using /ip firewall nat set [find chain=srcnat] log=no. Then print the logged src-nat events using /log print where topics~"firewall" and see what was actually happening there.