Hello,
I just want to make sure I am doing things correctly. We are going to be replacing our mostly maxed out Cisco 3825 router with a RB1000. I am porting our Cisco config to MikroTik and want to make sure I am doing it correctly. Please correct me if I am wrong.
Here is a sample sub-interface on the cisco router:
interface GigabitEthernet0/0.8
description Trango 5800, North of Bowman
encapsulation dot1Q 8
ip address 10.155.0.1 255.255.254.0
ip access-group 130 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow egress
ip nat inside
ip policy route-map proxy-redirect
and my plan for the mikrotik:
1) I should create a vlan with a “VLAN ID” of 8 on one of the Ethernet interfaces.
2) add the description as the comment of that vlan
3) add the ip on the vlan interface
4) add firewall rules to recreate the access group, redirects, unreachables
5) “no ip proxy-arp”: this is the ARP setting on the vlan; just setting it to “enabled” is what I want to do.
6) /ip traffic-flow is mikrotik’s netflow, enable for any interfaces I want.
7) NAT is done in the firewall: make a srcnat rule, out. interface: , action=src-nat, to address=our address pool. Do I need to make a rule for each inside interface and specify the in-interface? In the examples I have seen they don’t specify the incoming interfaces. ip policy route-map proxy-redirect… I think I deleted the route map some time ago and just never removed it off each interface. Not worried about this.
That is pretty much it. In regards to an in-interface on the NAT rule: it is a qualifier. So if you want all traffic going out the ISP facing interface to be NAT’d (all Cisco interfaces other than the ISP one carry an “ip nat inside” statement) you can forego the qualifier. If that is not the case you either need lots of rules filtering by in-interface, or you can make an address list (much like a standard ACL with only accept statements) matching the networks to be NAT’d and use src-address-list as a qualifier instead.
Thanks for the quick response. Re NAT in-interface: it can’t be every interface, but the address list idea would be perfect! I think I’ll just need two addresses in my address list: 10.0.0.0/8 and 192.168.0.0/16.
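To make the sub-interface-to-RouterOS mapping from the plan above (steps 1 to 7) and the src-address-list NAT qualifier from the reply concrete, here is an added example translator, not code from the thread or from MikroTik: it parses the quoted Cisco block and prints the RouterOS commands. The port name ether2 and the address-list name nat-inside are assumptions; the ISP-facing srcnat rule itself is left for the reader since the thread never names the outside interface or pool.

```python
import ipaddress
import re

# Constructed sample input: the Cisco sub-interface quoted in the thread.
CISCO_SUBIF = """\
interface GigabitEthernet0/0.8
 description Trango 5800, North of Bowman
 encapsulation dot1Q 8
 ip address 10.155.0.1 255.255.254.0
 ip access-group 130 in
 no ip proxy-arp
 ip flow egress
 ip nat inside
"""
PARENT_MAP = {"GigabitEthernet0/0": "ether2"}  # assumed: Cisco parent -> RouterOS port
NAT_LIST = "nat-inside"                         # assumed address-list name

def parse_subif(text):
    """Pull the fields the thread maps to RouterOS out of one sub-interface block."""
    cfg = {"proxy_arp": True, "nat_inside": False, "flow": False, "acl_in": None}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"interface (\S+)\.\d+", line):
            cfg["parent"] = m.group(1)
        elif m := re.fullmatch(r"description (.+)", line):
            cfg["comment"] = m.group(1)
        elif m := re.fullmatch(r"encapsulation dot1Q (\d+)", line):
            cfg["vlan_id"] = int(m.group(1))
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            cfg["address"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.fullmatch(r"ip access-group (\S+) in", line):
            cfg["acl_in"] = m.group(1)
        elif line == "no ip proxy-arp":
            cfg["proxy_arp"] = False  # RouterOS arp=enabled is the non-proxy setting
        elif line == "ip nat inside":
            cfg["nat_inside"] = True
        elif line.startswith("ip flow "):
            cfg["flow"] = True
    return cfg

def to_routeros(cfg):
    """Emit RouterOS CLI lines for one sub-interface (steps 1-7 of the post)."""
    name = f"vlan{cfg['vlan_id']}"
    arp = "enabled" if not cfg["proxy_arp"] else "proxy-arp"
    cmds = [f'/interface vlan add name={name} vlan-id={cfg["vlan_id"]} '
            f'interface={PARENT_MAP[cfg["parent"]]} arp={arp} comment="{cfg["comment"]}"',
            f'/ip address add address={cfg["address"].with_prefixlen} interface={name}']
    if cfg["acl_in"]:  # the ACL body is not on the page, so only leave a marker
        cmds.append(f'# rebuild ACL {cfg["acl_in"]} as /ip firewall filter rules, in-interface={name}')
    if cfg["nat_inside"]:  # one srcnat rule matching src-address-list replaces per-interface rules
        cmds.append(f'/ip firewall address-list add list={NAT_LIST} address={cfg["address"].network}')
    if cfg["flow"]:  # note: interfaces= replaces the whole list, so merge with existing ports
        cmds.append(f'/ip traffic-flow set enabled=yes interfaces={name}')
    return cmds

if __name__ == "__main__":
    print("\n".join(to_routeros(parse_subif(CISCO_SUBIF))))
```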
No, proxy-arp is for fooling machines that aren’t directly connected to one another by proxying ARP requests over interface barriers they usually wouldn’t go across.
I think your issue is simply that it’ll try to use the range from the top on down (last element of the range first), and that the IP address you are NAT’ing to can’t be ARPed by the gateway of the router since it isn’t tied to a MAC address anywhere. Simply overload ether1 with all the IP addresses in the range by creating them on the interface in “/ip address”. Just ran a quick test on a lab router and that seems to work fine with a range of two IP addresses - can’t get out without the overload, works fine once I overload.
ah, nice~
I wrote a small Java program that printed the commands I needed to the console. Just copied and pasted that into a terminal window. I will read up on scripting though. Sounds very handy.
Did the swap about 1/2 an hour ago. Everything worked as expected except two things.
One (not as important if I can get the second thing to work):
"Cisco IOS NAT will translate the addresses that appear in DNS responses to name lookups (A queries) and inverse lookups (PTR queries). Therefore, if an outside host sends a name lookup to a DNS server on the inside, and that server responds with a local address, the NAT code will translate that local address to a global address. The opposite is also true. "
Does mikrotik have a similar feature?
Two:
I can ping (get a reply directly from the machine’s internal IP) a user’s public IP, but I could not access SSH or HTTP from another computer inside the same vlan. Another vlan or our side of our network works fine. This is annoying because when I use the URLs of a server from the same management vlan things do not work.
One: unfortunately not, no. It would solve quite a few problems if it did.
Two: while that should work in general, it might not depending on your specific configuration. However, if what you’re doing is directly translating 1 public to 1 private for a customer, use netmap instead (http://wiki.mikrotik.com/wiki/Firewall_nat#1:1_mapping) and make sure you’re not running other actions (dst-nat or src-nat) on that IP.