NAT to change IP addresses using dstnat on ip-range

Hi,
I have 2 MT-routers (local and remote) at different locations which are connected with a WireGuard virtual network. To access the network behind the remote router (192.168.1.0/24) I cannot use the ip range in the local router as this subnet is also locally present. I thought to use another (unused) ip-range which is locally routed towards the WireGuard ip address of the remote router, where it is natted into the 192.168.1.0/24 subnet.

In the local router I added to the routing table:

/ip route
add dst-address=192.168.6.0/24 gateway=wireguard_remote_ip

The following setting in the remote router works, but is only valid for one ip destination:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.6.254 to-addresses=192.168.1.254

Because I want all remote ip addresses in the 192.168.1.0/24 range accessible through the 192.168.6.0/24 subnet, I would prefer:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.6.0/24 to-addresses=192.168.1.0/24

This apparently does not work.

What is the concept I’m missing?

I think the problem is local; any attempt to have a destination address in the same subnet will never see the light of day of an L3 rule.
My grasp of fundamentals is weak so that is just a guess as sourcenat seems to come as a last step in traffic flow.

Why not change the device needing access to a different subnet?
Why not change one of the subnet addresses at either end?

I’ve also tested this with another (virtual) subnet remotely (not corresponding with any local subnet) but the effect is the same. This makes me think the problem is in the remote router. Moreover it works for a single ip-address.

Why not change the device needing access to a different subnet?
Why not change one of the subnet addresses at either end?

Good points, would have been the most pragmatic solution. However on both sides these subnets cannot be modified: on the local side because the ISP has fixed it, on the remote side because the network is completely built around this subnet and it’s not desirable to change the architecture.

Check out this, fresh out of the box…
https://forum.mikrotik.com/viewtopic.php?p=990947#p990947

This looks promising @anav! It is exactly the configuration I had in mind, but I used the wrong nat-tools. Will try it out tonight.

Here is my solution for a simple (one way) netmap configuration, hopefully it may help others (with limited network knowledge, like me).

This is based on @anav’s instruction page (brilliant work!), however I only need to initiate contact from Local to Remote, therefore my setup is a bit simpler, but it works as intended:

In this example:

  • the common subnet on both sides of the linked networks is: 192.168.5.0/24
  • the netmap virtual network is 192.168.2.0/24

So if you need to access a remote (common) IP-address like 192.168.5.10 you need to use 192.168.2.10 (which is remotely translated into 192.168.5.10)

Local CONFIG

/ip route
add dst-address=192.168.2.0/24 gateway=wireguard_remote_ip table=main
/interface wireguard peers
add allowed-address=whichever_remote_ips_you_already_have,192.168.2.0/24 interface="WireGuard_interface_name" public-key="......"

Remote CONFIG

/ip firewall nat
add action=netmap chain=dstnat dst-address=192.168.2.0/24 to-addresses=192.168.5.0/24
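The thread's underlying point is the difference between action=dst-nat with a to-addresses range (which rewrites the destination to an address from a pool, so the host part of the address is not kept) and action=netmap, which is a 1:1 mapping that keeps the host bits and only swaps the network prefix. The following Python model of the remote router's dstnat decision is an added example, not code from the thread or from MikroTik; it reuses the thread's 192.168.2.0/24 and 192.168.5.0/24 networks, and the interface name, tunnel address and host addresses are constructed for the example. It also assumes, as a hardening step the thread does not spell out, that the rule is restricted with in-interface to the WireGuard tunnel so that traffic from other interfaces cannot trigger the translation, and that the local router source-NATs its traffic onto its tunnel address so replies return over the tunnel (otherwise the remote LAN would see a source in its own 192.168.5.0/24 subnet).

```python
import ipaddress
from dataclasses import dataclass

# Networks taken from the thread's final config; everything else is constructed.
VIRTUAL_NET = ipaddress.ip_network("192.168.2.0/24")  # what local hosts dial
REAL_NET = ipaddress.ip_network("192.168.5.0/24")     # the real remote LAN
WG_IFACE = "wireguard_remote"                          # assumed interface name


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str


def netmap(addr, from_net, to_net):
    """1:1 network address mapping, the arithmetic behind action=netmap.

    The host part of the address is kept and only the network prefix is
    swapped: 192.168.2.10 -> 192.168.5.10, 192.168.2.254 -> 192.168.5.254.
    Returns None when addr is outside from_net, i.e. the rule does not match.
    """
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs equal-sized networks")
    if addr not in from_net:
        return None
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def dstnat_rule(pkt, from_net=VIRTUAL_NET, to_net=REAL_NET, in_interface=WG_IFACE):
    """Model of the remote router's dstnat chain: apply the netmap only to
    packets arriving on the WireGuard interface whose destination lies inside
    the virtual network. Any other packet passes through unchanged."""
    if pkt.in_interface != in_interface:
        return pkt
    mapped = netmap(pkt.dst, from_net, to_net)
    if mapped is None:
        return pkt
    return Packet(src=pkt.src, dst=str(mapped), in_interface=pkt.in_interface)


def reverse_for_reply(pkt, from_net=VIRTUAL_NET, to_net=REAL_NET):
    """Because the mapping is 1:1 it is invertible. On the router, connection
    tracking performs this step automatically: the reply from the real host
    gets its source rewritten back to the virtual address, so the local host
    sees the address it originally dialled."""
    mapped = netmap(pkt.src, to_net, from_net)
    if mapped is None:
        return pkt
    return Packet(src=str(mapped), dst=pkt.dst, in_interface=pkt.in_interface)


def routeros_rule(from_net=VIRTUAL_NET, to_net=REAL_NET, in_interface=WG_IFACE):
    """Render the equivalent RouterOS rule; in-interface is the assumed
    hardening that limits the translation to traffic from the tunnel."""
    return (f"/ip firewall nat add action=netmap chain=dstnat "
            f"in-interface={in_interface} dst-address={from_net} "
            f"to-addresses={to_net}")


if __name__ == "__main__":
    # A local host, source-NATed onto the constructed tunnel address 10.255.255.1,
    # dials the virtual address 192.168.2.10.
    fwd = dstnat_rule(Packet("10.255.255.1", "192.168.2.10", WG_IFACE))
    print(fwd.dst)                       # 192.168.5.10
    reply = reverse_for_reply(Packet("192.168.5.10", "10.255.255.1", "bridge"))
    print(reply.src)                     # 192.168.2.10
    print(routeros_rule())
```

Running the block shows why a single-address dst-nat rule worked in the thread while the /24 version did not: a one-to-one rule and a netmap are the same thing for one host, but only netmap preserves the host bits across a whole subnet. The in-interface match is not in the thread's configuration; it is worth adding so that only packets arriving over the WireGuard tunnel can be translated into the real LAN.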