One-to-one NAT

Hey guys,

Please help me with how to do just one-to-one NAT. I'm very new to RouterOS and I have read the wiki. I set:

ADDRESS:

 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.88.1/24    192.168.88.0    192.168.88.255  LAN                           
 1   202.XXX.XXX.27/28  202.XXX.XXX.16  202.XXX.XXX.31  internet                      
 2   10.10.10.2/24      10.10.10.0      10.10.10.255    vpn

VLAN:

 #    NAME                      MTU   ARP        VLAN-ID INTERFACE
 0 R  internet                  1500  enabled    721     TRUNK                        
 1 R  vpn                       1500  enabled    333     TRUNK

NAT:

 0   chain=srcnat action=masquerade src-address=192.168.88.0-192.168.88.250
     out-interface=internet 

 1   chain=srcnat action=src-nat to-addresses=202.XXX.XXX.23 
     src-address=192.168.88.253 

 2   chain=dstnat action=dst-nat to-addresses=192.168.88.253 
     dst-address=202.XXX.XXX.23

LAN clients (192.168.88.2-192.168.88.250) are connecting to the internet and to the vpn without any problem. But the web server (192.168.88.253) can't be NAT-translated to 202.XXX.XXX.23.
Please tell me what is wrong there?

Order is important here. The reason the current setup doesn’t work is the masquerade rule is first. It should be last in this case. Try this:

/ip firewall nat
print
move 2 0
print
move 2 0

The srcnat and dstnat rules should now be line numbers 0 and 1, and the masquerade should be line number 2.

Dstnat and srcnat are 2 different chains - you need to swap rules 0 1, not 0 2

You are correct, but both work. I ALWAYS keep my srcnat/dstnat rules together. That way I can see mistakes or omissions better. :wink:

Thank you very, very much, SurferTim & macgaiver. Sorry for my bad English. I have changed the NAT rule position, but it didn't work. Then I added the IP (202.XXX.XXX.23/28) to the interface (vlan-internet). Now it is all working.

 0   chain=srcnat action=src-nat to-addresses=202.XXX.XXX.23
     src-address=192.168.88.253 

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.253 
     dst-address=202.XXX.XXX.23 

 2   chain=srcnat action=masquerade src-address=192.168.88.0-192.168.88.250 
     out-interface=internet

 0   192.168.88.1/24    192.168.88.0    192.168.88.255  LAN
 1   202.XXX.XXX.27/28  202.XXX.XXX.16  202.XXX.XXX.31  internet                      
 2   10.10.10.2/24      10.10.10.0      10.10.10.255    vpn                           
 3   202.XXX.XXX.23/28  202.XXX.XXX.16  202.XXX.XXX.31  internet
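
Added example (not from any poster in this thread): a simplified Python model of per-chain, first-match NAT evaluation over the three rules posted above, plus the address-ownership condition behind the final fix. The 203.0.113.x addresses are constructed stand-ins for the masked 202.XXX.XXX.x block, and all function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins: the thread masks its public block as 202.XXX.XXX.x,
# so the documentation range 203.0.113.x is used here instead.
WEB_PUBLIC, ROUTER_PUBLIC, WEB_LAN = "203.0.113.23", "203.0.113.27", "192.168.88.253"

MASQ = {"chain": "srcnat", "action": "masquerade",
        "src": ("192.168.88.0", "192.168.88.250"), "out_if": "internet"}
SRC = {"chain": "srcnat", "action": "src-nat", "src": (WEB_LAN, WEB_LAN), "to": WEB_PUBLIC}
DST = {"chain": "dstnat", "action": "dst-nat", "dst": (WEB_PUBLIC, WEB_PUBLIC), "to": WEB_LAN}
ORIGINAL = [MASQ, SRC, DST]    # rule order in the first post
REORDERED = [SRC, DST, MASQ]   # rule order after the suggested moves

def in_range(addr, bounds):
    lo, hi = (ipaddress.ip_address(b) for b in bounds)
    return lo <= ipaddress.ip_address(addr) <= hi

def first_match(rules, chain, pkt):
    """Index of the first rule in `chain` whose matchers all fit pkt, else None."""
    for i, rule in enumerate(rules):
        if rule["chain"] != chain:
            continue  # srcnat and dstnat are evaluated as separate chains
        if "src" in rule and not in_range(pkt["src"], rule["src"]):
            continue
        if "dst" in rule and not in_range(pkt["dst"], rule["dst"]):
            continue
        if "out_if" in rule and rule["out_if"] != pkt.get("out_if"):
            continue
        return i
    return None

def nat_source(rules, src, dst="198.51.100.10"):
    """Source address an outbound packet leaves with (simplified model)."""
    i = first_match(rules, "srcnat", {"src": src, "dst": dst, "out_if": "internet"})
    if i is None:
        return src
    # Assumption: masquerade uses the router's own address on the out-interface.
    return ROUTER_PUBLIC if rules[i]["action"] == "masquerade" else rules[i]["to"]

def nat_dest(rules, dst, src="198.51.100.10"):
    """Destination address an inbound packet is rewritten to."""
    i = first_match(rules, "dstnat", {"src": src, "dst": dst})
    return dst if i is None else rules[i]["to"]

def router_holds(interface_addrs, ip):
    """Assumption: without proxy-ARP, the router answers ARP only for its own IPs."""
    return any(ipaddress.ip_interface(a).ip == ipaddress.ip_address(ip)
               for a in interface_addrs)
```

In this model 192.168.88.253 resolves to the src-nat rule in both orderings because it lies outside the masquerade range, while `router_holds` is false for the web server's public address until that address is added to the internet interface.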

Hey SurferTim & macgaiver

Do you know how to add one-to-one NAT by user name (hotspot client or PPPoE client)?
I want user “Xman” to be NAT-ed to 202.XXX.XXX.29. Users get their IP addresses by DHCP. Can you help me one more time, please? :slight_smile:

What do you use for your user database? Is it local? Or a radius server like freeRADIUS or UserManager?

The challenge is going to be that the only time you would be able to access the NAT’ed address is when the user is logged in. There is another way, but it involves using a static dhcp assignment and bypassing the hotspot. Then you could access the client computer if it is connected (doesn’t need to be logged in).

I am not a pppoe user, so I don’t know if that works with the pppoe service the same way.

It works perfectly with PPPoE. Just assign him a local address and a remote address in “/ppp user”.

Hey BENBEN. Could you please show me your configuration?
I was busy and couldn't access my favorite forum :frowning: