NAT WAN to subnet

Hello,
I am running RouterOS v6.45.9 (long-term) with the following rules:

/ip address
add address=192.168.0.189/24 comment=LAN interface=ether3-LAN network=192.168.0.0
add address=192.168.5.1/24 comment="LAN2" interface=ether3-LANO network=192.168.5.0
add address=a.a.a.a/29 comment=WAN interface=ether2-WAN network=x.x.x.x

/ip firewall nat
add action=dst-nat chain=dstnat comment="IT WORKS" dst-address=a.a.a.a dst-port=8211 protocol=tcp to-addresses=192.168.0.11 to-ports=22
add action=dst-nat chain=dstnat comment="DOES NOT WORK" dst-address=a.a.a.a dst-port=6911 log=yes log-prefix=NOPE protocol=tcp to-addresses=192.168.5.21 to-ports=22

If I edit the second NAT rule and replace the IP 192.168.5.21 with any other from the 192.168.0.0 range, it will work. The question is, what do I need to configure to be able to NAT to 192.168.5.0?

It should work.
But your device (PC?) must be attached to the right interface on the router…
Can you ping the 192.168.5.21 from the router? From other PC?
And what does “/ip route print” say?
And what does “/interface print” say?

It seems the problem is rooted in the fact that you renamed the interfaces to “ether3-LAN” and “ether3-LANO”.

Forget IP addresses, and tell us in words, what the use case is or cases are?
What do you need to provide to people or devices (capabilities, requirements), without talking solution space (the config)?
Then it will be clearer.
(So far it looks like you have two subnets on the same port that you want to NAT one to another, which makes no sense at all any way I think about it.)

@mutluit ‘It seems the problem is rooted in the fact that you renamed the interfaces to “ether3-LAN” and “ether3-LANO”.’ It’s a typo, both are ether3-LAN.

There are 2 Lan networks, one for the PC/Laptops/Access points/etc (192.168.0.0/24), and another one for PLCs/etc (192.168.5.0/24). Being on the same interface I guess, I can ping to any PLC on the other LAN.

The thing is, a provider needs to have access to a PLC, 6 to be specific, I will use the same public IP, but different ports.

Checking the status of the rule using Winbox/web interface, it appears to be working, looks like the package gets lost somewhere.

It is simply impossible to have two /24 IP networks on the same router port (that’s IP routing 101, first lesson :) ).
Either use a separate router port for each, or change the mask from /24 to /21 for example, and attach a dumb switch to the router port and attach the end-user devices to that switch:

$ ipcalc 192.168.0.0/21
Address: 192.168.0.0 11000000.10101000.00000 000.00000000
Netmask: 255.255.248.0 = 21 11111111.11111111.11111 000.00000000
Wildcard: 0.0.7.255 00000000.00000000.00000 111.11111111
=>
Network: 192.168.0.0/21 11000000.10101000.00000 000.00000000
HostMin: 192.168.0.1 11000000.10101000.00000 000.00000001
HostMax: 192.168.7.254 11000000.10101000.00000 111.11111110
Broadcast: 192.168.7.255 11000000.10101000.00000 111.11111111
Hosts/Net: 2046 Class C, Private Internet


For mask /21 change it as follows, and remove the 2nd there:
/ip address
add address=192.168.0.189/21 comment=LAN interface=ether3-LAN network=192.168.0.0
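As an added example (not part of the thread), the following Python script reproduces the check behind the ipcalc output above: given the subnets currently on the port, it derives the smallest single prefix that contains all of them and prints the same netmask, host range and broadcast figures that ipcalc shows for 192.168.0.0/21. It also reports which subnets a proposed supernet would still leave uncovered, which matters because the fuller config posted later in the thread has 192.168.248.0/24 and 192.168.250.0/24 on the same interface, and a /21 does not reach those. The subnet list is constructed from the thread; nothing here is a RouterOS command.

```python
import ipaddress

def common_supernet(subnets):
    """Smallest single prefix that contains every subnet in the list.

    Starts from the first subnet and widens it one bit at a time
    (ipaddress.supernet() keeps the prefix aligned) until all the others
    fall inside it.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:
            break
        candidate = candidate.supernet()
    return candidate

def describe(net):
    """The same fields ipcalc prints for a network, as a dict of strings."""
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "hostmin": str(net.network_address + 1),
        "hostmax": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "hosts": net.num_addresses - 2,
    }

def uncovered(supernet, subnets):
    """Subnets from the list that do NOT fit inside the proposed supernet."""
    sup = ipaddress.ip_network(supernet, strict=False)
    return [s for s in subnets
            if not ipaddress.ip_network(s, strict=False).subnet_of(sup)]

# Constructed from the thread: the two LANs from the opening post.
ORIGINAL_LANS = ["192.168.0.0/24", "192.168.5.0/24"]
# Constructed from the thread: all four LANs in the fuller config posted later.
ALL_LANS = ORIGINAL_LANS + ["192.168.248.0/24", "192.168.250.0/24"]

if __name__ == "__main__":
    sup = common_supernet(ORIGINAL_LANS)
    for key, value in describe(sup).items():
        print(f"{key:>10}: {value}")
    print("not covered by", sup, "->", uncovered(str(sup), ALL_LANS))
```

Run it as-is to compare against the ipcalc block: the computed supernet is 192.168.0.0/21 with 2046 usable hosts, and the uncovered list shows that the /21 suggestion only solves the two-subnet case from the opening post, not the four-subnet configuration revealed afterwards.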

I see, check this out:

/ip address
add address=192.168.0.189/24 comment=LAN interface=ether3-LAN network=192.168.0.0/24
add address=192.168.5.1/24 comment="LAN2" interface=ether3-LAN network=192.168.5.0/24
add address=192.168.248.1/24 comment="Visitors" interface=ether3-LAN network=192.168.248.0/24
add address=192.168.250.1/24 comment="Cookers" interface=ether3-LAN network=192.168.250.0/24
add address=x.x.x.y/29 comment="ISP 2 IP 1" interface=ether1-WAN network=x.x.x.0/30
add address=x.x.x.x/29 comment="ISP 2 IP 2" interface=ether1-WAN network=x.x.x.0/30
add address=a.a.a.a/29 comment="ISP 1 IP 1" interface=ether2-WAN network=a.a.a.0/29
add address=a.a.a.b/29 comment="ISP 1 IP 2" interface=ether2-WAN network=a.a.a.0/29

How on earth is this possible?

Everything is working just fine, but the NAT thing. From my point of view, it is like having a single card and adding a secondary address on Windows.

Does Mikrotik add another routing table for the other addresses?

BTW, I inherited this from the guy who used to work here and left.

It is far too complex for me to understand, hopefully Sob or Mkx, can make sense of that config LOL.

On the router you can assign multiple networks to a port, yes.
But how do you attach the end-user devices to that port? Surely you must be using a switch for this. But then the switch cannot handle such 2 networks, unless it’s a managed switch and you can tell the switch the same that you told the router… I.e. you would need to do similar settings on the switch as well…

Don’t get me wrong, but I prefer pure clean IP routing, not any tunneling nor some other tricks nor some esoteric protocols. Yes, it might somehow work, but it wouldn’t be a “clean” solution, IMO. Maybe someone else can help you further, I’m giving up.

For the record, everything is working now. The rule below was affecting my NAT rule.

chain=forward action=drop src-address=192.168.5.0/24 out-interface=ether1-WAN

I added a new rule:

chain=forward action=accept protocol=tcp src-address-list=ReadersOK src-port=22
chain=forward action=drop src-address=192.168.5.0/24 out-interface=ether1-WAN
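The resolution above is a rule-ordering lesson worth making concrete: a dst-nat rule only rewrites the destination, the translated packet and the PLC's replies still traverse the forward filter chain, and RouterOS evaluates filter rules top to bottom with first match winning (a chain with no matching rule accepts). The following Python model, added here as an illustration and not code from the thread or from MikroTik, encodes the two rulesets from the post and evaluates constructed packets against them. Two things are assumptions because the post does not state them: that the ReadersOK address list contains the PLC (192.168.5.21), and that the PLC's SSH reply is routed out ether1-WAN, which is the only way the posted drop rule could have matched it.

```python
import ipaddress

# Assumption: the post never shows the ReadersOK list; here it holds the PLC.
ADDRESS_LISTS = {
    "ReadersOK": [ipaddress.ip_network("192.168.5.21/32")],
}

# Forward-chain rulesets transcribed from the post (first match wins).
BEFORE = [
    {"action": "drop", "src-address": "192.168.5.0/24", "out-interface": "ether1-WAN"},
]
AFTER = [
    {"action": "accept", "protocol": "tcp", "src-address-list": "ReadersOK", "src-port": 22},
    {"action": "drop", "src-address": "192.168.5.0/24", "out-interface": "ether1-WAN"},
]

def _matches(rule, pkt):
    """True if every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "src-address":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif key == "src-address-list":
            src = ipaddress.ip_address(pkt["src"])
            if not any(src in net for net in ADDRESS_LISTS.get(want, [])):
                return False
        elif key == "src-port":
            if pkt.get("src_port") != want:
                return False
        elif key == "protocol":
            if pkt.get("protocol") != want:
                return False
        elif key == "out-interface":
            if pkt.get("out_interface") != want:
                return False
        else:
            raise ValueError(f"unsupported matcher: {key}")
    return True

def evaluate(rules, pkt):
    """Return (verdict, index of the matching rule or None).

    No matching rule means 'accept', mirroring a RouterOS filter chain
    without an explicit final drop.
    """
    for idx, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule["action"], idx
    return "accept", None

# Constructed packet: the PLC's SSH reply to the provider, leaving via
# ether1-WAN (assumption: that is the egress the router picks for it).
PLC_REPLY = {"src": "192.168.5.21", "src_port": 22, "protocol": "tcp",
             "out_interface": "ether1-WAN"}
# Constructed packet: another PLC opening an outbound connection to the
# internet, which the operator still wants blocked.
PLC_OUTBOUND = {"src": "192.168.5.40", "src_port": 51000, "protocol": "tcp",
                "out_interface": "ether1-WAN"}

def verdicts(rules):
    """Verdict per constructed packet for a given ruleset."""
    return {name: evaluate(rules, pkt)[0]
            for name, pkt in (("plc_reply", PLC_REPLY), ("plc_outbound", PLC_OUTBOUND))}

if __name__ == "__main__":
    print("before:", verdicts(BEFORE))   # both dropped
    print("after: ", verdicts(AFTER))    # reply accepted, outbound still dropped
    print("accept rule moved below drop:", evaluate(AFTER[::-1], PLC_REPLY)[0])
```

The last line of the script shows why the new accept rule had to be placed above the drop: with the same two rules in the opposite order the PLC's reply is dropped again. When reviewing a ruleset like this, it also helps to keep the narrow accept rule narrow (an address list, the protocol and the port), so the exception for the provider's access does not reopen the outbound block the drop rule was there to enforce.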

Indeed there are at least two switches, as far as I can see.