Nating Question on RB1100

I recently had a moment of clarity regarding my RB1100, and now think there is more that I can do with nating. So I’m looking for some advice.

The moment of clarity relates to how the router is configured. I have a public IP address on my WAN port, and then 5 more ports switched together with a PUBLIC subnetwork (different than the WAN port address range). I have a second block of ports switched together as a PRIVATE 10.10.x.x subnetwork, and a single port with the default DHCP 10.88.1.0/24 subnetwork.

All of the equipment connected to the PUBLIC subnetwork routes just fine. But I’ve never been able to go online with either of the PRIVATE subnetworks. I finally realized that I need to set up a NAT rule to route the traffic out of my network. The moment of clarity!

As a second objective, I’m thinking of moving all of my nating that’s in network, into the RB1100 (e.g. I have a small WISP, and the local radios perform the nating function today).

For the first objective, I’d like to understand how the nating should be configured:

  • My WAN port is address a.b.c.d/252 on interface “Uplink”
  • My PUBLIC subnetwork is e.f.g.h/224 on interface/switch group “WAN”
  • One PRIVATE subnetwork is 10.10.0.0/16 on interface/switch group “LAN”
  • Another PRIVATE subnetwork is 192.168.88.0/24 on interface “Local”

Based on what I’ve read, I need to masquerade the PRIVATE subnetworks as a public address/port. So I assume the following rule will accomplish part of my goal:

/ip firewall nat add chain=srcnat action=masquerade out-interface=Uplink

However, how does this distinguish which subnetwork is being nated? Certainly I don’t want the “WAN” subnetwork to be nated.

Can I nat a specific subnetwork to a specific address in my PUBLIC subnetwork, and then routed out the “Uplink”?

If yes, then my next question, can I have a different public address associated with each PRIVATE subnetwork or IP address?

Ideally, I’d like to assign each radio a 10.10.0.x IP address (instead of a PUBLIC address) and have the RB1100 map it to a public address. Basically moving the nating functions out of the radios, into a far more capable device.

Any and all help would be greatly appreciated.

Thanks,

Sig

> However, how does this distinguish which subnetwork is being nated? Certainly I don’t want the “WAN” subnetwork to be nated.

/ip firewall nat
add chain=srcnat out-interface=Uplink src-address=192.168.88.0/24 action=masquerade
add chain=srcnat out-interface=Uplink src-address=10.10.0.0/16 action=masquerade



> Can I nat a specific subnetwork to a specific address in my PUBLIC subnetwork, and then routed out the “Uplink”?

Yes, but the IP address has to reside on a router interface. You could achieve that by creating an empty bridge (a bridge with no ports in it) - this emulates what other routers know as loopback devices. Then implement that IP address as a /32 on the loopback interface. The Internet still knows to route that IP via your WAN /30 link, but then the router has a specific connected route to that IP.

> If yes, then my next question, can I have a different public address associated with each PRIVATE subnetwork or IP address?

/ip firewall nat
add chain=srcnat out-interface=Uplink src-address=192.168.88.0/24 action=src-nat to-addresses=1.1.1.1
add chain=srcnat out-interface=Uplink src-address=10.10.0.0/16 action=src-nat to-addresses=1.1.1.2

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
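Putting fewi's two answers together as one complete RouterOS configuration, as an added example that is not fewi's, Sig's or MikroTik's own code. The interface names (Uplink, LAN, Local) are the ones from the thread; the 203.0.113.x addresses are constructed placeholders standing in for the public e.f.g.h/224 block, and the single radio address 10.10.0.5 is an assumed example host.

```routeros
# Added example: empty-bridge "loopback" plus per-subnet source NAT on RouterOS.
# Interface names come from the thread; 203.0.113.0/27 is a constructed
# placeholder for the public e.f.g.h/224 block, 10.10.0.5 an assumed radio.

# 1. A bridge with no ports behaves like a loopback interface, so the /32
#    addresses added to it count as directly connected on the router.
/interface bridge
add name=loopback comment="loopback holding NAT source addresses"

# 2. One /32 per private subnetwork (and one for a single radio), all taken
#    from the public block. Upstream still routes the whole block towards the
#    WAN /30, so nothing extra is needed on the uplink side.
/ip address
add address=203.0.113.10/32 interface=loopback comment="NAT address for Local"
add address=203.0.113.11/32 interface=loopback comment="NAT address for LAN"
add address=203.0.113.12/32 interface=loopback comment="NAT address for radio 10.10.0.5"

# 3. Source NAT matched on src-address: only the private ranges are rewritten,
#    so traffic from the public "WAN" switch group never matches and leaves
#    with its own addresses. Rules are evaluated top to bottom, so the
#    single-host rule is listed before the /16 that also contains that host,
#    and any catch-all masquerade (if kept) must come last.
/ip firewall nat
add chain=srcnat out-interface=Uplink src-address=10.10.0.5 action=src-nat to-addresses=203.0.113.12 comment="radio 10.10.0.5 -> .12"
add chain=srcnat out-interface=Uplink src-address=192.168.88.0/24 action=src-nat to-addresses=203.0.113.10 comment="Local -> .10"
add chain=srcnat out-interface=Uplink src-address=10.10.0.0/16 action=src-nat to-addresses=203.0.113.11 comment="LAN -> .11"

# 4. Checks: packet counters should grow only on the rule for the source that
#    is actually talking, and the connection table shows the translated
#    address of each flow in its reply-dst-address column.
/ip firewall nat print stats
/ip firewall connection print detail where src-address~"10.10."
```

The counters from `print stats` are the quickest way to confirm that the public switch group is not being translated: send traffic from a host on the public subnetwork and none of the three rule counters should move, because no rule has a src-address covering that range.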

Hi Fewi,

Thanks a lot! I put the firewall nating rules in place, and can now directly connect to the net at my exchange. Sorry for the delay in responding, but I needed to take a truck up the mountain to actually test it out.

I think I need a little more time to experiment with the creation of an empty bridge, but trust your guidance is bang on. The RB1100 is in a live environment, so I’m a little cautious at this time.

Again, many thanks. I’ll update this thread when I’ve tried the empty bridging, but it will probably be a few months before I get to that - so many other headaches…

Cheers,

Sig