I’ve recently come from GarrettCom style routers, and was asked by my boss to test MikroTik. Logging into the router for the first time is a bit overwhelming as it appears everything including the kitchen sink was thrown in. I’m a little lost, and after spending hours on YouTube and reading different documents I’m still a bit lost.
My basic configuration:
Main PC at address 10.100.5.253
RB2011 WAN IP 10.100.5.40 Gateway 10.100.5.1
LAN IP 160.212.5.1
PC1 160.212.5.10
PC2 160.212.5.20
PC1 needs to be seen outside the LAN at address 10.100.5.41
PC2 needs to be seen outside the LAN at address 10.100.5.42
PC1 and PC2 are hard coded to send all communication to the main PC at LAN address 160.212.5.2. The router would have to pass anything sent to that address directly to 10.100.5.253.
I would like to be able to plug PC1 and PC2 into any of the LAN ports and have the same functionality no matter where I put them.
Can someone help me outright or point me to the right documents so I can figure this out?
This should work, but it is not tested so be careful.
First you will need to assign IP addresses 10.100.5.41, 10.100.5.42 and 10.100.5.2 to your WAN interface, then add these rules.
# this will make all communication from PC1 seen as 10.100.5.41 but incoming connections to 10.100.5.41 will not be redirected to 160.212.5.10
add action=src-nat chain=srcnat comment="PC1" out-interface=WAN src-address=160.212.5.10 to-addresses=10.100.5.41
# this will make all communication from PC2 seen as 10.100.5.42 but incoming connections to 10.100.5.42 will not be redirected to 160.212.5.20
add action=src-nat chain=srcnat comment="PC2" out-interface=WAN src-address=160.212.5.20 to-addresses=10.100.5.42
# this is so incoming connections from the internet will be redirected to the PCs
add action=dst-nat chain=dstnat dst-address=10.100.5.41 in-interface=WAN comment="PC1" to-addresses=160.212.5.10
add action=dst-nat chain=dstnat dst-address=10.100.5.42 in-interface=WAN comment="PC2" to-addresses=160.212.5.20
# we do the same for Main-PC
add action=src-nat chain=srcnat comment="main-PC" out-interface=WAN src-address=160.212.5.253 to-addresses=10.100.5.2
add action=dst-nat chain=dstnat dst-address=10.100.5.253 in-interface=WAN comment="main-PC1" to-addresses=160.212.5.2
# this is the tricky part, needed for communication from PC1&2 to Main-PC, read http://wiki.mikrotik.com/wiki/Hairpin_NAT
add chain=srcnat dst-address=160.212.5.2 out-interface=WAN src-address=10.100.5.0/24
Been working on this all day. So far I entered what kcybulski put and that did not seem to work. I may not have other things correct. I also studied the hairpin NAT and it seems like it is saying if you have an internal server and want to get to it internally you still need to go through the router. That is not exactly what I’m trying to do. Any IP on the internal network 160.212.5.x can send a packet to 160.212.5.2. I need the router to forward anything it gets with a destination address of 160.212.5.2 from the internal network to the public IP address 10.100.5.253. There is no physical machine with an IP address of 160.212.5.2.
Trying to understand, it appears src-nat changes the source address in the packet header. dst-nat changes the destination address in the packet header. src-nat from the internal network side, and dst-nat from the public network side. It’s almost like I need a mix of the 2, but when I try it doesn’t allow it. I need to check for a dst address of 160.212.5.2 on the internal network, and change the dst address to 10.100.5.253 and send it out to the public network.
As for the regular PC1 and PC2, I can see on the IP->Firewall->Connections tab where it is trying to ping from 10.100.5.253 to 160.212.5.10, but it shows a U for Unreplied. Not sure what is going on there. Currently I don’t have PC2 connected for testing purposes.
I’ve set up the interfaces, added the IP addresses to the WAN interface. Slaved ports 3-5 to port 2 of LAN, slaved ports 7-10 to port 6 of LAN, bridged all the LAN ports together along with the wireless into Bridge1. Set up DHCP for bridge1 160.212.5.160-160.212.5.200. Set up wireless where I can connect.
Are there any tests I can perform or things I could print out to show more information here so I can get more help?
I figured this out. I had a firewall on the one computer that fixed part of my problem. The second part was the PCs did not know what to do with the 160.212.5.2 address. I set that address as a 2nd IP address to the LAN side of the network, and dst-nat it to the main PC address.
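
The fix described in the last post, written out as RouterOS commands together with the PC1/PC2 mappings from the earlier reply. This is an added example, not a configuration posted in the thread; the interface names bridge1 and WAN and the /24 prefix lengths are assumptions taken from the descriptions above.

```routeros
# Added example; interface names and /24 prefix lengths are assumptions.
/ip address
# 160.212.5.2 is not a physical host: the router owns it on the LAN side
add address=160.212.5.2/24 interface=bridge1 comment="virtual main-PC address"
# Extra WAN addresses so the router answers for PC1 and PC2 on the outside
add address=10.100.5.41/24 interface=WAN comment="PC1 outside"
add address=10.100.5.42/24 interface=WAN comment="PC2 outside"

/ip firewall nat
# LAN traffic addressed to 160.212.5.2 is rewritten to the real main PC
add chain=dstnat action=dst-nat in-interface=bridge1 dst-address=160.212.5.2 \
    to-addresses=10.100.5.253 comment="LAN -> main PC"
# Per-host source NAT so the main PC sees PC1/PC2 as .41/.42 and can reply
add chain=srcnat action=src-nat out-interface=WAN src-address=160.212.5.10 \
    to-addresses=10.100.5.41 comment="PC1 out"
add chain=srcnat action=src-nat out-interface=WAN src-address=160.212.5.20 \
    to-addresses=10.100.5.42 comment="PC2 out"
# Inbound 1:1 mapping; with no protocol/port match every port is forwarded
add chain=dstnat action=dst-nat in-interface=WAN dst-address=10.100.5.41 \
    to-addresses=160.212.5.10 comment="PC1 in"
add chain=dstnat action=dst-nat in-interface=WAN dst-address=10.100.5.42 \
    to-addresses=160.212.5.20 comment="PC2 in"

# Check: per-rule packet counters, then the tracked connections
/ip firewall nat print stats
/ip firewall connection print
```

An "Unreplied" entry in the connection list with the NAT counters increasing means the router translated the packet and the end host did not answer, which is consistent with the host firewall mentioned in the last post.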