Hello everybody )
For a few days I have been trying to find a solution, if one exists at all.
I have a Tik with the LAN on a bridge (eth3, eth4), xx.0/24.
Another network, yy.0/24, is configured on eth5.
For now I want to “hide” the yy.0/24 network on eth5 from any incoming connections, but at the moment the xx.0/24 network can ping yy.0/24 (for example).
If I block traffic from xx.0/24 to yy.0/24 I also lose access to network xx.0/24, because (I guess) the responses can't be delivered back.
In simple words: before, I used an ordinary router NATing my “secret” network.
I could access everything, and at the same time nothing “knew” about this “secret” network; I need this for security reasons.
I want to configure eth5 on the MikroTik with similar behaviour, if it can be done.
In simple words: before, I used an ordinary router NATing my “secret” network.
This can still be done; it is a limited way of hiding that network, like hiding behind NAT.
In the default config there is already a masquerade rule for traffic going out via the WAN interface list.
Now we want ALL connections coming from ether5 (or yy.0/24) to be masqueraded, not only those going out via the WAN list.
So just add that masquerade rule in the FW (let's take 192.168.7.0/24 as the yy.0/24 address):
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade secret network for all" src-address=192.168.7.0/24
Also have a close look at these default firewall rules (e.g. the one allowing the answer packet to pass; this is not interface specific in the default firewall rule set):
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Thanks for your attention, but sorry, I have no idea how to implement your advice.
Take a look please, if you could:
0 X chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
1 X chain=srcnat action=masquerade out-interface=ether2 log=no log-prefix=""
2 chain=srcnat action=masquerade src-address=192.168.78.0/24
3 chain=srcnat action=masquerade src-address=192.168.100.0/24
Number 2 is the LAN and number 3 the “NATted security” network.
With this config I can access xx.xx.100.0 from xx.xx.78.0, but I don't want this access. At the same time I want to have access from network xx.xx.100.0 to xx.xx.78.0.
I thought that by “NATting” the network with rule 3 I “hide” this network from everywhere, but I see that I was wrong.
The result I want is to “hide” network xx.xx.100.0/24 on eth5 from everywhere, and at the same time keep access from this network to everywhere, like I have now using an ordinary simple router connected between network xx.xx.100.0/24 and the MikroTik.
Maybe there is another way to reach this result. Thanks in advance for any help ))
OK OK, I only said “Also have a close look”. This is not the final solution, but the type of rules to be used.
A bit closer to the final solution … (not tested, mistakes are always possible, to be tested and debugged):
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all new connections to secret network" connection-state=new out-interface=ether5
Out-interface ether5 or destination address 192.168.100.0/24 could be used for the extra drop rule.
1 allows response packets to all (including the secret network).
2 drops packets when the state is invalid.
3 is not used in your case, if you do not have incoming connections from the internet (a dstNAT rule would allow this special incoming case). It's a rule of the default set.
4 is the extra rule to deny connection setup towards the secret network.
This is an open-ended firewall rule set: all is allowed at the end, if not forbidden before.
Sometimes we prefer closed firewall rules, denying all else at the end, if not allowed before.
The sequence of the rules is very important; the first matching rule is used.
NAT is still useful for the return path if the 192.168.78.0/24 devices do not use this router as gateway.
I tried to block traffic to the secret network with rule 4 (in my case rule #7). Below are ALL FW rules; only the first rule has action accept, but I guess that doesn't affect my situation.
0 chain=input action=accept protocol=ospf log=no log-prefix=""
1 X ;;; not accessible from (eth2) for check (eth1)
chain=output action=drop protocol=icmp dst-address=XXXXXXX
out-interface=ether2 log=no log-prefix=""
2 chain=forward action=drop protocol=tcp src-address-list=XXXXXXX
dst-address-list=!XXXXXXX dst-port=!XXXXXXXX log=yes
log-prefix="XXXXXXX drop"
3 chain=forward action=drop dst-address=XXXXXXXXX log=yes
log-prefix="XXXXXXX"
4 chain=forward action=drop dst-address=XXXXXXXX log=yes log-prefix="XXXXXXX"
5 chain=forward action=drop dst-address=XXXXXXX dst-address-list="" log=yes
log-prefix="XXXXXXXX"
6 chain=forward action=drop protocol=tcp src-address-list=XXXXXXX
dst-port=!XXXXXXX log=no log-prefix="XXXXXX"
7 ;;; drop incoming from bridge to "NAT" network
chain=forward action=drop connection-state=new out-interface=ether5 log=no
log-prefix=""
I have no rules that could allow traffic from xx.xx.78.0/24 to xx.xx.100.0/24. rule
I'm checking the result by pinging a PC from network 78 to network 100 and vice versa. I guess that when PC (xx.xx.78.52) cannot ping PC (xx.xx.100.150) and at the same time PC (xx.xx.100.150) can ping PC (xx.xx.78.52), then the goal is reached, am I right?
As for your words
“NAT is still useful for the return path if the 192.168.78.0/24 devices do not use this router as gateway”
this network 192.168.78.0/24 surely uses this Tik as gateway:
eth1 - ISP1
eth2 - ISP2
eth3,eth4,wlan - bridge 192.168.78.0/24 with Tik 192.168.78.1 as GW
eth5 - want to make it 192.168.100.0/24 with Tik 192.168.100.1 as GW, hidden from everywhere but able to access everywhere
I just want to throw out the ordinary simple router and implement this functionality (hide the network from everywhere) on the Tik, if it's possible.
After a billion tries, here is the combination that seems to fit my needs.
Following bpwl's advice, with great thanks, I've got the following configuration.
Please, if someone is able, explain to me in simple words how and why it works?
FW:
7 chain=forward action=accept connection-state=established,related log=no
log-prefix=""
8 ;;; drop incoming from bridge to "NAT" network
chain=forward action=drop src-address=192.168.78.0/24 out-interface=ether5
log=no log-prefix="NAT"
9 chain=input action=drop dst-address=192.168.100.1 log=no log-prefix=""
I understand that rule #8 blocks traffic from the LAN to my “hidden” network and rule #9 blocks traffic to the Tik's IP address in this subnet. The main thing, I guess, is rule #7.
Also here's the NAT config, if it's important and works together with the FW:
NAT:
2 chain=srcnat action=masquerade src-address=192.168.78.0/24
3 chain=srcnat action=masquerade to-addresses=192.168.100.1
src-address=192.168.100.0/24 log=no log-prefix="NAT"
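To illustrate why rules #7 and #8 give the asymmetric result (100.x can reach 78.x, but not the reverse), here is an added Python simulation of the forward chain with minimal connection tracking. It is not from the thread or from RouterOS; the interface-to-subnet map, the "first match wins, implicit accept at the end" evaluation, and the ICMP flow ids are assumptions made for the example, and the input-chain rule #9 and the NAT rules are not modelled.

```python
import ipaddress

# Interfaces as described in the thread: the bridge carries 192.168.78.0/24,
# ether5 carries the "hidden" 192.168.100.0/24 (map constructed for this example).
NETS = {
    "bridge": ipaddress.ip_network("192.168.78.0/24"),
    "ether5": ipaddress.ip_network("192.168.100.0/24"),
}

def out_iface(dst: str) -> str:
    """Routing decision: which interface a packet to dst leaves through."""
    for name, net in NETS.items():
        if ipaddress.ip_address(dst) in net:
            return name
    return "WAN"

# Forward chain in order: (match predicate, action). Mirrors rule 7
# (accept established,related) and rule 8 (drop bridge -> ether5).
FORWARD_RULES = [
    (lambda src, dst, state: state == "established", "accept"),
    (lambda src, dst, state: ipaddress.ip_address(src) in NETS["bridge"]
     and out_iface(dst) == "ether5", "drop"),
]

def forward(src: str, dst: str, state: str) -> str:
    """First matching rule wins; the chain is open-ended (implicit accept)."""
    for match, action in FORWARD_RULES:
        if match(src, dst, state):
            return action
    return "accept"

class ConnTracker:
    """Minimal connection tracking: once a flow is accepted in one direction,
    packets of that flow in either direction are 'established'."""
    def __init__(self):
        self.flows = set()

    def send(self, src: str, dst: str, flow_id: int) -> str:
        key, rev = (src, dst, flow_id), (dst, src, flow_id)
        state = "established" if key in self.flows or rev in self.flows else "new"
        verdict = forward(src, dst, state)
        if verdict == "accept":
            self.flows.add(key)
        return verdict

    def ping(self, src: str, dst: str, flow_id: int = 1) -> bool:
        """Echo request then echo reply; True only if both pass the chain."""
        if self.send(src, dst, flow_id) != "accept":
            return False
        return self.send(dst, src, flow_id) == "accept"
```

The echo reply from 78.52 back to 100.150 passes because the tracker already saw the request, so rule #7 accepts it before rule #8 is consulted; a fresh request from the bridge side is "new" and hits the drop.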