Hi everyone, a new user here and would like some help… I am using winbox for my configuration.
I need to build a GRE tunnel with IPSEC - so if anyone has information on how this can be done that would be great…
Additionally, I need to NAT the originating address… for example…
10.253.x.x → 1.2.3.4 → INTERNET → 5.6.7.8 → 10.32.x.x needs to become…
192.168.1.10.x.x → 1.2.3.4 → etc…
I need to understand how to modify the src-nat address so that when the traffic is seen at the other end over the tunnel, its seen to come from 192.168.1.x
Thank you, I have done this with another product but not the Mikrotik…
Does that mean (so that I understand it) that traffic originates from my local network… (ie as follows) and that this rule modifies the local network parameters so that it presents traffic as being from the 192.168.x.x subnet?
Is the key the Action=Netmap?
(site a) 10.253.x.x → (1 to 1 mapping modifies this to 192.168.x.x) → GRE/IPSEC tunnel → (site b) → 10.32.x.x
Your chain would be srcnat or dstnat based on the direction you are going (Yes to source and dst address as well). You will need two rules for it to map both directions. The example in the article is really good.
In the example they are mapping a range. You don’t have to do this. It will take a single IP. In the example incoming 11.11.11.1 is mapped to 2.2.2.1 and outgoing 2.2.2.1 is mapped to 11.11.11.1.
Thanks for the link… I understand 1-1, Many-1 etc… as a principle, but I think it's understanding it in Mikrotik terminology…
What I think I need to explain is the following:-
I have multiple hosts say on 10.253.x.x - the remote end of the network is say 10.x.x.x and I need to communicate with a server (or servers) on that network… Due to restrictions - I need to mask the originating network to let's say 192.168.x.x so that when VPN traffic is seen at the other end, its private IP address information has been modified…
So, I think I create a NAT rule… select src-nat as the chain and then define the local and destination address.
I believe that the next step is to go to the Action TAB and define the TO (192.168.x.x) address…
This is OK - but I am wondering if it is OK to set a single TO address (ie 192.168.1.10) and have ALL the traffic coming in from multiple hosts on my local network - NAT through that single IP?
tws101 - first of all thank you… I now have a working GRE tunnel using IPSEC. :O)
But, alas I have two tiny issues which I hope someone could help with…
It would seem that I can only ping over the tunnel if I receive a ping from the other end first - is there something I may have overlooked or missed here?
I have tried using the NETmap function… to ensure that traffic coming from:-
10.253.x.x goes over the GRE tunnel, only if the destination is 87.x.x.x but I also need to modify 10.253.x.x (to say 1.2.3.4) as the remote end cannot accept traffic from that subnet…
I have a nat rule that says -
Source=10.253.x.x
Destination=87.x.x.x
Out Interface=GRE
Action=Netmap
To address=1.2.3.4
–
If I try to ping or traceroute the destination - I see the packet attempt to route to 87 via the default route 0.0.0.0/0 Wan IP
Sorry for delayed response have been out of town at the Wispa convention.
It would seem that I can only ping over the tunnel if I receive a ping from the other end first - is there something I may have overlooked or missed here?
Check your firewall rule… Add a rule and exempt this traffic.
I have tried using the NETmap function… to ensure that traffic coming from:-
10.253.x.x goes over the GRE tunnel, only if the destination is 87.x.x.x but I also need to modify 10.253.x.x (to say 1.2.3.4) as the remote end cannot accept traffic from that subnet…
I have a nat rule that says -
Source=10.253.x.x
Destination=87.x.x.x
Out Interface=GRE
Action=Netmap
To address=1.2.3.4
–
If I try to ping or traceroute the destination - I see the packet attempt to route to 87 via the default route 0.0.0.0/0 Wan IP
NOTE: 87.x.x.x is a private address in this case.
Add the route for this traffic… The route will automatically be added when you add one of those addresses to a Mikrotik interface.
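Putting the pieces from this thread together in RouterOS CLI form (an added example, not posted by anyone in the thread): the GRE tunnel with its IPsec secret, the route that keeps the 87.x.x.x traffic off the default route, the netmap rule with its reverse rule for the other direction, and the firewall exemptions. The interface name gre-siteb, the /16 and /8 prefix lengths, the tunnel address 172.16.0.1/30 and the pre-shared key placeholder are assumptions; the addresses 1.2.3.4, 5.6.7.8, 10.253.x.x, 87.x.x.x and 192.168.x.x are the ones used in the thread.

```routeros
# Added example, not from the thread. Assumes site A LAN = 10.253.0.0/16, remote network = 87.0.0.0/8
# (private in this case, as noted above), local endpoint 1.2.3.4, remote endpoint 5.6.7.8.

# 1. GRE tunnel with IPsec. Giving the tunnel an ipsec-secret makes RouterOS create the IPsec
#    peer and policy for the two endpoints itself; the remote router needs the same secret.
/interface gre add name=gre-siteb local-address=1.2.3.4 remote-address=5.6.7.8 \
    ipsec-secret="REPLACE-WITH-STRONG-PSK"
/ip address add address=172.16.0.1/30 interface=gre-siteb

# 2. Route the remote network into the tunnel. Without this the packets follow 0.0.0.0/0 out
#    of the WAN interface, which is the traceroute behaviour described in the thread.
/ip route add dst-address=87.0.0.0/8 gateway=gre-siteb

# 3. 1:1 netmap of the LAN onto 192.168.0.0/16 for traffic leaving through the tunnel
#    (10.253.a.b is seen at site B as 192.168.a.b). Matching on out-interface and dst-address
#    keeps the mapping from touching ordinary Internet traffic.
/ip firewall nat add chain=srcnat action=netmap src-address=10.253.0.0/16 \
    dst-address=87.0.0.0/8 out-interface=gre-siteb to-addresses=192.168.0.0/16 \
    comment="site A LAN -> 192.168.x.x towards site B"

# 4. Reverse mapping, the second rule mentioned above, so that site B can open connections to
#    192.168.a.b and reach 10.253.a.b. Replies to connections started from site A are already
#    handled by connection tracking and do not need this rule.
/ip firewall nat add chain=dstnat action=netmap dst-address=192.168.0.0/16 \
    in-interface=gre-siteb to-addresses=10.253.0.0/16 \
    comment="192.168.x.x -> site A LAN from site B"

# 5. Firewall exemptions: let tunnel traffic through the forward chain (placed above any drop
#    rule), and accept IKE and ESP on the WAN side only from the known peer.
/ip firewall filter add chain=forward in-interface=gre-siteb action=accept place-before=0
/ip firewall filter add chain=forward out-interface=gre-siteb action=accept place-before=0
/ip firewall filter add chain=input src-address=5.6.7.8 protocol=udp dst-port=500,4500 \
    action=accept place-before=0
/ip firewall filter add chain=input src-address=5.6.7.8 protocol=ipsec-esp action=accept \
    place-before=0
```

After applying this, `/ip firewall connection print` on site A should show the translated 192.168.x.x source for a ping to 87.x.x.x, and `/ip ipsec installed-sa print` should show the SAs established for the two endpoints.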