new to NAT, can't get it working, please help

Hi all

I’m trying to understand how to set up NAT on a RB532, but just can’t get it working. I have read through the manual, and have tried just about every example I could get my hands on, but still don’t have any luck with it.

I have 2x RB532’s & 1x RB333, set up as follows:

RB333-1-ether1 (192.168.50.10/29)
|
|
|
RB532-2-ether2 (192.168.50.10/29)
|
|
|
RB532-2-ether3 (192.168.50.33/28)
|
|
|
RB532-1-ether2 (192.168.50.34/28)
|
|
|
RB532-1-ether3 (192.168.1.33/24)
|
|
|
Internet access (192.168.1.1)



RB532-1 (which is the router, connected to the internet) can ping google.co.za, so DNS lookups & routing works fine.
But now I’m trying to get the other 2 routerboards (which will each have their own network & clients) to do DNS lookups, and be able to “see” (ping / traceroute) hosts on the internet.

So far:
[*] Every router can ping every other router
[*] Every router can ping 192.168.1.33
[*] Every router can ping 192.168.1.1
[*] ONLY RB532-1 can ping google.co.za
[*] Every router does DNS lookup, so DNS is fine, but routing to the internet doesn’t work.

[admin@RB333-2] /ip route> /ping google.co.za
no route to host

Here’s my layout:
RB532-1

[admin@RB532-1] ip firewall nat> /ip add pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.50.50/28   192.168.50.48   192.168.50.63   ether1
 1   192.168.1.33/24    192.168.1.0     192.168.1.255   ether3
 2   192.168.50.34/28   192.168.50.32   192.168.50.47   ether2


[admin@RB532-1] ip firewall nat> /ping google.co.za
72.14.207.104 64 byte ping: ttl=232 time=286 ms
2 packets transmitted, 1 packets received, 50% packet loss

RB532-2

[admin@RB532-2] > /ip add pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.50.33/28   192.168.50.32   192.168.50.47   ether3
 1   192.168.50.17/28   192.168.50.16   192.168.50.31   ether1
 2   192.168.50.9/29    192.168.50.8    192.168.50.15   ether2
[admin@RB532-2] > /ip ro pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
 #     DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTERFACE
 0 A S 192.168.1.0/24                     r 192.168.50.34            ether3
 1 ADC 192.168.50.8/29    192.168.50.9                               ether2
 2 ADC 192.168.50.16/28   192.168.50.17                              ether1
 3 ADC 192.168.50.32/28   192.168.50.33                              ether3
 4 A S 192.168.50.48/28                   r 192.168.50.34            ether3
 5 A S 0.0.0.0/0                          r 192.168.1.1              ether3

[admin@RB532-2] > /ping google.co.za
no route to host
no route to host

RB333-1

[admin@RB333-2] /ip route> /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.50.10/29   192.168.50.8    192.168.50.15   ether1
[admin@RB333-2] /ip route> /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTERFACE
 0 A S  192.168.1.0/24                     r 192.168.50.9    1        ether1
 1 ADC  192.168.50.8/29    192.168.50.10                     0        ether1
 2 A S  192.168.50.16/28                   r 192.168.50.9    1        ether1
 3 A S  192.168.50.32/28                   r 192.168.50.9    1        ether1
 4 A S  192.168.50.48/28                   r 192.168.50.9    1        ether1

[admin@RB333-2] /ip route> /ping google.co.za
no route to host
no route to host
2 packets transmitted, 0 packets received, 100% packet loss

Your initial explanation seems to have a number of errors: RB333-1 is actually called RB333-2 in the later listings, and RB532-2’s 192.168.50.x address is 192.168.50.9, not 192.168.50.10.

Looks like your default routes are wrong. You don’t list the routes on RB532-1, but I guess you must at least have the default route there correct as the PING is OK. RB532-2’s default route should be 192.168.50.34, not 192.168.1.1. There appears to be no default route on RB333, this should be 192.168.50.9.

I can’t see any mention of NAT, where are you doing this?

The best place for NAT depends on how your Internet Gateway is configured. Ideally only one level of NAT should be used. Multiple levels just complicate things and can cause some protocols not to work properly. It’s difficult enough to get some protocols to work through one level of NAT let alone multiple levels.

Firstly, avoid doing NAT or using Firewall rules that require Connection Tracking on MT routers on RouterBoard hardware, these features use a lot of processing power and can affect performance. Wherever possible only use NAT/Connection Tracking on Internet Gateways or MT routers based on hardware with sufficient processing capacity.

If your Internet Gateway performs NAT, then only do NAT there, don’t do it on the MT routers. However, you have to remember to add static routes to the Internet Gateway to tell it where to find each subnet, or use RIP if the Gateway supports it. Alternatively, if the Gateway doesn’t do NAT, then do NAT on only the MT router connected directly to it.
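To illustrate the route problem described in the reply above, here is an added Python script (not from either poster) that replays the RB532-2 and RB333 route tables from the thread through a longest-prefix lookup and checks whether the chosen next hop sits on a directly connected network. It applies that simple rule only and does not model RouterOS's own recursive gateway resolution; the "fixed" table with 192.168.50.34 as RB532-2's default gateway is the reply's suggestion, not the original poster's configuration.

```python
import ipaddress

# Route tables transcribed from the thread's "/ip route print" listings:
# (destination prefix, gateway or None for a directly connected network, interface).
RB532_2_ROUTES = [
    ("192.168.1.0/24",   "192.168.50.34", "ether3"),
    ("192.168.50.8/29",  None,            "ether2"),
    ("192.168.50.16/28", None,            "ether1"),
    ("192.168.50.32/28", None,            "ether3"),
    ("192.168.50.48/28", "192.168.50.34", "ether3"),
    ("0.0.0.0/0",        "192.168.1.1",   "ether3"),
]
RB333_ROUTES = [
    ("192.168.1.0/24",   "192.168.50.9", "ether1"),
    ("192.168.50.8/29",  None,           "ether1"),
    ("192.168.50.16/28", "192.168.50.9", "ether1"),
    ("192.168.50.32/28", "192.168.50.9", "ether1"),
    ("192.168.50.48/28", "192.168.50.9", "ether1"),
]
# Reply's suggested correction: default route pointing at RB532-1's ether2 address.
RB532_2_FIXED = [r for r in RB532_2_ROUTES if r[0] != "0.0.0.0/0"] + [
    ("0.0.0.0/0", "192.168.50.34", "ether3"),
]


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (network, gateway, interface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def check_next_hop(routes, dst):
    """Explain how dst would be forwarded, or why it cannot be."""
    match = lookup(routes, dst)
    if match is None:
        return "no route"                      # what RB333 reports for any internet host
    net, gw, iface = match
    if gw is None:
        return f"connected via {iface}"
    # A static route's gateway must be on a directly connected network,
    # otherwise this router has no link on which to reach it.
    gw_ip = ipaddress.ip_address(gw)
    for prefix, g2, iface2 in routes:
        if g2 is None and gw_ip in ipaddress.ip_network(prefix):
            return f"via {gw} on {iface2}"
    return f"gateway {gw} not on a connected network"
```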