PAT/NAT Overload RB1100

Hardware MikroTik hardware general
1

Hello,

I’m newbie and I have some problem to configure a RB1100.

I have one public IP which must be shared with network 192.168.40.0

In Firewall/NAT which chain I must used srcnat or dstnat? Which action srcnat/dstnat/masquerade?

I have try different solution but I have the following problem sometimes I can ping outside and sometimes not.

It seem that there is an instability.

The problem is not on my ISP, if I connect my laptop directly on the modem without RB1100 no problem with the internet connection.

I think that the problem is on the NAT not correcly configured.

An idea?

2

If you’re trying to make an entire network appear as one address when devices on that network connect to that Internet you need to use source NAT. After all you’re trying to translate the SOURCE address of the packet to a public IP address. Source NAT is of course configured in the srcnat chain.

The srcnat chain only has ‘src-nat’ and ‘masquerade’ as available options. They are both mostly the same thing, with one crucial difference: ‘src-nat’ also requires you to specify a ‘to-address’, which is the address that the source IP address of a packet will be changed to in its header. ‘masquerade’ automagically picks the preferred source address of the interface and you don’t have to specify a ‘to-address’. If you have a static public IP it’s best practice to use ‘src-nat’ and manually set the ‘to-address’ to your static IP. If you have a dynamic public IP (you are running a DHCP client on your WAN interface) you have to pick ‘masquerade’.

3

Thank you Fewi for your answer.

If I understood everything, I can configure NAT like that

chain: srcnat
Out interface : “interface wan to ISP”

Action : src-nat
to Adresses: “public IP”
To port : 0-65535 (it’s necessary ?)

Right?

4

‘to-port’ is indeed unnecessary. Assuming the public IP is 1.1.1.1 and your WAN interface is called ‘WAN’ the CLI command would be:

/ip firewall nat
add chain=srcnat out-interface=WAN action=src-nat to-address=1.1.1.1
5

Thank you Fewi for your assistance, it’s working fine now.

:smiley: