Hey all.
I have a MT 2.9.rc10 box set up that has 2 interfaces, Public and Private.
Public has an IP of x.x.56.19/24, and Private has 192.168.10.1/24 and x.x.61.33/28 (a publicly routable block).
In order to get customers surfing I set up a masquerade rule as per the documentation. I tested both public and private IP address routing and each block can get out just fine.
The problem I am having is that we have a customer off this router who needs a public IP for a point to point VPN connection. He assigned his router x.x.61.36 and can surf the net just fine using that. However, he can’t set up his VPN because the remote end thinks his IP address is x.x.56.19 (the router’s public IP) instead of x.x.61.36. We tested this via whatismyip.com and sure enough, the outside world thinks his router’s IP is the MT public address.
Obviously, the MT is natting his public IP, so my question is how do I exclude the public IPs from NAT and just route those addresses instead.
Thanks in advance!
~Jason
You should upgrade it to 2.9.8, lots of fixes have been made.
Just tell it that you only want the private network masqueraded.
add chain=srcnat src-address=192.168.10.0/24 action=masquerade comment="masquerade private network" disabled=no
–Tom
Well, that was my first attempt to solve the problem, and it didn’t work for the customer. When making changes, they take effect immediately, right? And connection tracking is on.
One question - the srcnat rule I have specifies the out interface as Public - should I not have that?
Yes, use the PROXY ARP howto SOLVED thread.
Set up an IP route to handle passing traffic to and from the public IPs behind hotspot.
You don’t want the masquerade rule to take effect for the public IPs behind hotspot or else they will show as if they are coming from the router itself.
The howto suggests adding src-address 192.168.x.x to the masquerade rule. I prefer to do the opposite:
Add src-address: ! x.x.61.33/28 to your masquerade rule. Source address is not your public IPs. This will prevent those publics from getting masqueraded.
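An added example, not part of any post in this thread: a small Python model (not RouterOS code) of how the masquerade variants discussed above decide which source address the remote end sees. The addresses are constructed RFC 5737 stand-ins for the redacted x.x ones, the rule sets are an assumed reading of the posts, and 192.168.20.5 is a hypothetical extra private host that shows where the two fixes differ.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 ranges) for the thread's redacted addresses:
# x.x.56.19 -> 198.51.100.19, x.x.61.33/28 -> 203.0.113.33/28.
ROUTER_PUBLIC = ipaddress.ip_address("198.51.100.19")
PRIVATE_NET = ipaddress.ip_network("192.168.10.0/24")
# strict=False accepts an interface-style address/prefix and yields the /28 network.
ROUTED_BLOCK = ipaddress.ip_network("203.0.113.33/28", strict=False)


def rule(out_interface=None, src=None, negate=False):
    """Hypothetical model of one srcnat masquerade rule (not RouterOS code)."""
    return {"out_interface": out_interface, "src": src, "negate": negate}


def matches(r, src_ip, out_interface):
    """A rule matches only if every matcher it sets agrees with the packet."""
    if r["out_interface"] not in (None, out_interface):
        return False
    if r["src"] is not None and (src_ip in r["src"]) == r["negate"]:
        return False
    return True


def seen_by_remote(rules, src, out_interface="Public"):
    """Source address the far end sees once the srcnat rules have run."""
    src_ip = ipaddress.ip_address(src)
    if any(matches(r, src_ip, out_interface) for r in rules):
        return str(ROUTER_PUBLIC)  # masqueraded to the router's own address
    return str(src_ip)             # no match: routed with its real source


# Assumed reading of the three rule sets discussed in the thread.
RULESETS = {
    "out-interface only": [rule(out_interface="Public")],
    "src=private": [rule(src=PRIVATE_NET)],
    "src=!routed block": [rule(out_interface="Public", src=ROUTED_BLOCK, negate=True)],
}

# Constructed hosts; 192.168.20.5 is a hypothetical second private subnet.
HOSTS = ["192.168.10.50", "203.0.113.36", "192.168.20.5"]


def compare():
    return {name: {h: seen_by_remote(rs, h) for h in HOSTS}
            for name, rs in RULESETS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With the private-only rule the hypothetical 192.168.20.5 host leaves with its unroutable private source, while the negated rule still masquerades it; both leave 203.0.113.36 untouched.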