Please help with this :(

Hi,

Here is my situation, it’s really urgent for me so please help.

I have 2 routers:
Router1 - 192.168.4.0/24 which is doing NAT and other stuff…
Router2 - Handles multiple IP ranges 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24

These two routers are connected. The situation is that I see all the computers from the 192.168.0.0/24 range as one IP address on Router1.
I would like to see each device’s individual IP address on Router1.

Can anyone help me on how to do that?

Probably you are doing some NAT on Router2. Remove it so it only routes.

I’m not sure you understood my question. Maybe I didn’t describe my network config and what I want properly.

Here it is…

Main router with 2 WAN connections:
Router1 - 192.168.4.0/24


Router2 - which is connected to Router1 and has IP 192.168.4.X
Router2 manages 3 different IP ranges on 3 different interfaces.
ETH1 192.168.0.0/24
ETH2 192.168.1.0/24
ETH3 192.168.2.0/24

Both of these routers and many servers are connected to one switch and all the servers have IPs 192.168.4.X

Behind ETH1 (192.168.0.0/24) interface I have a lot of devices (computers, phones, etc).
The problem is that when, for example, one of these computers is accessing my domain server (192.168.4.X), I can’t see the real IP of that PC (e.g. 192.168.0.55); I see it, and all of them, as 192.168.4.X.

How can I make it so that I see the individual IP of every computer connecting to my server on my Router1?

I second CyberTod’s suggestion.
Post a compact export of your configs (of both routers) and we will have a look.
It still seems that router2 is connected to your 192.168.0.0/24 subnet on ether1 with some default settings active, i.e. NAT/masquerading.
This would explain your observations.
-Chris

Ok here are the configs.
I’ve removed all the information that the public shouldn’t see.
central.rsc (14.5 KB)
core.rsc (9.68 KB)

I am assuming central.rsc is your 2nd router.
You have this rule:

add action=masquerade chain=srcnat out-interface=ether12-WAN

This is exactly the NAT you must disable. Otherwise everything leaving the router through ether12-WAN is masqueraded with the router’s IP.

OK. So when I disable this rule I will see the individual IPs of all the PCs (172.20.0.0/24) connecting to my domain controller (172.20.4.4)?

I’ve tried this and it’s not working.

So again… All I want is to see on my Router1 the computers connecting from Router2 with their real IP addresses.

Router1 - 172.20.4.254

Router2 IP address - 172.20.4.31
Router2 manages 3 subnets (172.20.0.0/24 , 172.20.1.0/24 , 172.20.2.0/24)

Computers from 172.20.0.0/24 that are connecting to my DC… I can’t see their individual IPs like 172.20.0.10, 172.20.0.11, etc., but I see all the PCs coming from one IP, 172.20.4.31. That is the IP of my Router2.

How can I see all the PCs with their individual IP address???

Thank you in advance.

Please, please is there anyone that can give me a solution on this.
I think I managed to describe what I want.
If somebody didn’t understand me or something please ask so we can talk more on this.
I really really need the solution.

Thank you in advance.

Create a neutral net between the routers and route the traffic both ways thru it without using nat or masquerade.

It’s easy …

You have a rule on router 2 (core firewall) that masquerades all traffic that goes to router 1 (internet gateway). Disable it.
You must also put 3 static routes on router 1 pointing to the router 2 gateway, one for each subnet behind it.

I’ve read your rsc and I can’t understand what you are trying to do with all these NAT rules. I suppose that you’re working on someone else’s cfg files and you want us to do the same for you, but I’m so sorry, it is not easy without a drawing of the whole network and more knowledge about the project.

It looks like you are trying to do a two-firewall schema, with DMZ to core firewall and internet to DMZ IP NAPT, two gateways and an IPsec VPN to somewhere, but I’m not sure …
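
The fix described in the reply above, written out as RouterOS commands. This is an added example, not taken from the posted central.rsc or core.rsc; the addresses, subnets and the masquerade rule are the ones quoted in this thread, and the route comments are illustrative.

```routeros
# --- Router2 (172.20.4.31): stop hiding the LAN clients behind its own address ---
# Print the rule first to confirm that only the intended entry matches.
/ip firewall nat print where chain=srcnat action=masquerade out-interface=ether12-WAN
/ip firewall nat disable [find where chain=srcnat action=masquerade out-interface=ether12-WAN]

# --- Router1 (172.20.4.254): return routes for the subnets behind Router2 ---
# With NAT off, packets arrive with 172.20.0.x/1.x/2.x source addresses;
# without these routes Router1 has no path back to them.
/ip route add dst-address=172.20.0.0/24 gateway=172.20.4.31 comment="via Router2"
/ip route add dst-address=172.20.1.0/24 gateway=172.20.4.31 comment="via Router2"
/ip route add dst-address=172.20.2.0/24 gateway=172.20.4.31 comment="via Router2"

# --- Check on Router1 ---
# The three routes should be listed as active.
/ip route print where gateway=172.20.4.31
# New connections from the client subnet should now show their own
# source addresses instead of 172.20.4.31.
/ip firewall connection print where src-address~"172.20.0."
```

Connections that were already open keep their old translation until their connection-tracking entries expire, so check with new connections after the change.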

flipk12 thank you for your reply very much. I will give it a try and let you guys know.

I’m not doing configuration for someone else. These are actually configs from company’s routers where I work.
My colleague who usually administers the Mikrotik is not here and I need to do this.
I’m a newbie to networks and Mikrotik in general, but I’m learning about networks and hopefully I won’t ask these kinds of questions in future.
I’m sorry for asking some trivial question, please be patient with me because as I said I’m new to computer networks.

Thank you very much for the help.

Regards

No, it is not a trivial question … so we have to know the whole problem to be able to help you.
Yes, your colleague is someone else, not you; that is what I’m trying to say. You’re trying to change a cfg that you don’t understand, but you know the network and what you are trying to do, and we don’t.
Don’t worry, ask all you want.

Just to inform you guys that I’ve solved this by following your instructions.
Thank you all very much, you have been very helpful!

Congratulations! :)