Routing/NATing Problem

My question might be long, but it is just a detailed explanation so that nothing is left to assumption:
Here is a rough sketch of my network:

Router A routing table:
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREF-SRC G GATEWAY DIS INTERFACE

0 ADC 41.72.204.160/30 41.72.204.162 Mumbu VLAN
1 ADC 172.168.150.0/30 172.168.150.2 Tuseme VLAN
2 ADC 192.168.123.0/24 192.168.123.253 LAN
3 ADC 192.168.150.0/24 192.168.150.1 LAN
4 A S 0.0.0.0/0 r 41.72.204.161 Mumbu VLAN
[admin@MikroTik] >

Router A NAT:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=192.168.123.0/24 action=src-nat
to-addresses=41.72.204.162 to-ports=0-65535
[admin@MikroTik] >

Router B routing table:
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREF-SRC G GATEWAY DIS INTERFACE

0 ADC 10.5.7.0/24 10.5.7.1 ether2-lan
1 ADC 41.72.215.44/30 41.72.215.46 Office VLAN
2 ADC 172.168.150.0/30 172.168.150.1 Mumbu VLAN
3 ADC 192.168.50.0/27 192.168.50.1 ether1-wan
4 A S 192.168.150.0/24 r 172.168.150.2 Mumbu VLAN
5 A S 0.0.0.0/0 r 41.72.215.45 Office VLAN
[admin@MikroTik] >

Router B NAT:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; masquerade hotspot network
chain=srcnat src-address=10.5.7.0/24 action=masquerade

1 ;;; dst nat ssh to linux
chain=dstnat dst-address=41.72.215.46 protocol=tcp dst-port=22
action=dst-nat to-addresses=192.168.50.21 to-ports=22

2 ;;; dst nat http to linux
chain=dstnat dst-address=41.72.215.46 protocol=tcp dst-port=80
action=dst-nat to-addresses=192.168.50.21 to-ports=80

3 ;;; Office Network
chain=srcnat src-address=192.168.50.0/27 action=src-nat
to-addresses=41.72.215.46 to-ports=0-65535

4 chain=srcnat src-address=192.168.150.0/24
src-address-list=192.168.150.0/24 action=src-nat
to-addresses=41.72.215.46 to-ports=0-65535
[admin@MikroTik] >

On Router A, network 192.168.123.0/24 works ok. The hotspot and LAN 192.168.50.0/24 on Router B work fine as well. My problem arises when I want network 192.168.150.0/24 on Router A to pass through VLAN 1431 to Router B and then be routed out through interface 41.72.215.46. From network 192.168.150.0/24 I can get to this interface, but I can't get to its gateway 41.72.215.45. I'm not sure if I've given enough information, but if not please inform me. If it's adequate, please assist me :frowning: . Thank you

I suspect this:

4 chain=srcnat src-address=192.168.150.0/24
src-address-list=192.168.150.0/24 > action=src-nat
to-addresses=41.72.215.46 to-ports=0-65535

Do you mean to have the src-address-list entry there?

ADD: If you don’t add a “out-interface” entry to this rule, you will not be able to access the other private ip subnets on the router from the 192.168.150.x network.

Ok. You are right. That is not meant to be there. How do you add an out-interface rule so that traffic from 192.168.150.0/24 can be routed out interface 41.72.215.46?

If you remove that src-address-list entry, it should be correct. The other parameters on that rule appear to be correct. If you want to ensure you can connect to the other localnets on the router:

/ip firewall nat
set 4 out-interface=ether1

Change ether1 to the correct interface for your WAN interface (the interface where 41.72.215.46 is assigned).

Hi,
I’ve tried adding the out-interface rule to the NAT but it still isn’t working:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; masquerade hotspot network
chain=srcnat src-address=10.5.7.0/24 action=masquerade

1 ;;; dst nat ssh to linux
chain=dstnat dst-address=41.72.215.46 protocol=tcp dst-port=22
action=dst-nat to-addresses=192.168.50.21 to-ports=22

2 ;;; dst nat http to linux
chain=dstnat dst-address=41.72.215.46 protocol=tcp dst-port=80
action=dst-nat to-addresses=192.168.50.21 to-ports=80

3 ;;; Office Network
chain=srcnat src-address=192.168.50.0/27 action=src-nat
to-addresses=41.72.215.46 to-ports=0-65535

4 ;;; Mumbu VLAN Test
chain=srcnat out-interface=ether1-wan src-address=192.168.150.0/24
action=src-nat to-addresses=41.72.215.46 to-ports=0-65535

[admin@MikroTik] >

Is there something I'm doing wrong? Network 192.168.150.0/24 travels without any problem through VLAN 1431 to the other router. I can even ping 41.72.215.46 on this router (refer to diagram above), which is the public address interface. But I can't go past this. Help :frowning: :frowning: :frowning:

What is the purpose of the VLAN? Is that a secondary default route or are you looking to connect to those private ips on the other router? Router A has a default route. Router B has a separate default route.

If you want to route that one localnet through the other router, you will need to use “/ip firewall mangle” to routing-mark those connections from that localnet and enter another default gateway with that routing-mark that has a default gateway (dst-address=0.0.0.0/0) of 172.168.150.1.

Then either route that localnet back to RouterA in RouterB, or masquerade those connections as 172.168.150.2 in RouterA. You have that route entered in RouterB already, so that part is done.

ADD: Here is the mangle and route for RouterA:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=vlan src-address=192.168.150.0/24

/ip route
add dst-address=0.0.0.0/0 gateway=172.168.150.1 routing-mark=vlan

Then remove the src-nat rule #4. You have routerB set to route that localnet back to routerA already. No masquerade or srcnat required for that route.

It would help if you would change the identity on each router so I can tell which router’s setup you are posting.

In router A

/system identity
set name=RouterA

In router B

/system identity
set name=RouterB

It's a good idea to name the routers as suggested. I will work on that right away. So, some clarification: network 192.168.150.0/24 is connected to RouterA. The default route on this router is for the other network, 192.168.123.0/24. VLAN 1431 is to provide a route for network 192.168.150.0/24 to RouterB so that it can access the internet. So what I should do is ip-firewall-mangle mark traffic from network 192.168.150.0/24 on RouterA and add the other default route of gw 172.168.150.1 for this marked traffic. I think I've got it right so far. What I didn't understand is what to do after this on RouterB.

If you modified the nat for the 192.168.150.x srcnat in routerB, you should be set. I don’t use masquerades/srcnats like that. I use one srcnat for all, unless there is more than one ip assigned to your WAN interface. On routerB:

/ip firewall nat
add chain=srcnat action=src-nat to-addresses=xx.xx.xx.xx out-interface=ether1

Change xx.xx.xx.xx to the public ip on routerB, and if ether1 is not the wan interface, change that also. Then remove the rest of the srcnats.

For testing purposes, I've installed another router on another port to test this previous connection. The main router which will be doing all the routing is known as TheMall, while the second router for testing is known as Testing. TestingVLAN with VLAN ID 8 (192.168.150.0/30) has been created to form a connection. Network 192.168.160.0/24 has been created on Testing, and it is this network that has to travel through the VLAN to the TheMall router and finally out into the internet. Here are their routes and NAT rules:

TheMall:

[admin@TheMall] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; masquerade hotspot network
chain=srcnat src-address=10.5.7.0/24 action=masquerade

1 ;;; dst nat ssh to linux
chain=dstnat dst-address=41.72.215.46 protocol=tcp dst-port=22
action=dst-nat to-addresses=192.168.50.21 to-ports=22

2 ;;; dst nat http to linux
chain=dstnat dst-address=41.72.215.46 protocol=tcp dst-port=80
action=dst-nat to-addresses=192.168.50.21 to-ports=80

3 ;;; Main NAT Rule
chain=srcnat out-interface=ether1-wan action=src-nat
to-addresses=41.72.215.46 to-ports=0-65535

4 ;;; Masquerade Office Network
chain=srcnat src-address=192.168.50.0/24 action=masquerade
[admin@TheMall] >

[admin@TheMall] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREF-SRC G GATEWAY DIS INTERFACE

0 ADC 10.5.7.0/24 10.5.7.1 ether2-lan
1 ADC 41.72.215.44/30 41.72.215.46 Office VLAN
2 ADC 192.168.50.0/27 192.168.50.1 ether1-wan
3 ADC 192.168.150.0/30 192.168.150.1 TestingVLAN
4 A S 0.0.0.0/0 r 41.72.215.45 Office VLAN
[admin@TheMall] >

Testing:

[admin@Testing] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=Testing action=src-nat
to-addresses=192.168.150.2 to-ports=0-65535

1 chain=srcnat src-address=192.168.160.0/24 action=masquerade
[admin@Testing] >

[admin@Testing] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 ADC 192.168.150.0/30 192.168.150.2 Testing
1 ADC 192.168.160.0/24 192.168.160.1 ether1
2 A S 0.0.0.0/0 r 192.168.150.1 Testing
[admin@Testing] >

Any machine connected on 192.168.160.0/24 on Testing can get to the TheMall WAN interface of 41.72.215.46. It, however, still can't go past this. I'm sure the issue is really small, so please help me find it. :frowning:
Thank you

I route rather than double nat, so this is the way I do it. In TheMall, add one route:

/ip route
add dst-address=192.168.160.0/24 gateway=192.168.150.2

Then remove all “/ip firewall nat” rules in Testing.

Have just done as you have suggested and still no way out of router TheMall:

[admin@TheMall] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREF-SRC G GATEWAY DIS INTERFACE

0 ADC 10.5.7.0/24 10.5.7.1 ether2-lan
1 ADC 41.72.215.44/30 41.72.215.46 Office VLAN
2 ADC 192.168.50.0/27 192.168.50.1 ether1-wan
3 ADC 192.168.150.0/30 192.168.150.1 TestingVLAN
4 A S 192.168.160.0/24 r 192.168.150.2 TestingVLAN
5 A S 0.0.0.0/0 r 41.72.215.45 Office VLAN
[admin@TheMall] >

Communication between the routers and computers is not a problem. But I can't tell traffic to get to the internet through the WAN.

Then the challenge is in TheMall. Post “/ip address” from TheMall.
Which interface is the WAN on TheMall?

ADD: If it is Office VLAN, then this is the problem:

3 ;;; Main NAT Rule
chain=srcnat out-interface=> ether1-wan > action=src-nat
to-addresses=41.72.215.46 to-ports=0-65535

The out-interface should be Office VLAN.

FYI: If anyone wonders how localnet addresses end up on a public ip network, this is how.
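To make the two diagnoses in this thread concrete, here is an added Python model of how RouterOS picks a route and then walks the srcnat chain. It is not RouterOS code and was not posted by anyone in the thread. The routing tables and NAT rules are copied from the posts above; the matching semantics (longest prefix wins, a routing-marked packet consults its own table before main, first srcnat match wins) are my assumption of the RouterOS behaviour the replies rely on. It reproduces both points: on RouterA the mangle mark sends 192.168.150.0/24 to gateway 172.168.150.1 while 192.168.123.0/24 keeps the Mumbu VLAN default, and on TheMall the "Main NAT Rule" with out-interface=ether1-wan never matches traffic that the default route sends out Office VLAN, so a 192.168.160.x source leaves untranslated until the out-interface is corrected.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    dst: str                              # destination prefix
    iface: str                            # outgoing interface
    gateway: Optional[str] = None         # None for a connected route
    routing_mark: Optional[str] = None    # None = main routing table

@dataclass
class SrcNatRule:
    action: str                           # "src-nat" or "masquerade"
    src_address: Optional[str] = None     # match on source prefix, if set
    out_interface: Optional[str] = None   # match on outgoing interface, if set
    to_addresses: Optional[str] = None    # translation target for src-nat

def lookup(routes, dst, mark=None):
    """Longest-prefix match; a marked packet tries its table first, then main."""
    addr = ipaddress.ip_address(dst)
    for table in ([mark] if mark else []) + [None]:
        best = None
        for r in routes:
            net = ipaddress.ip_network(r.dst)
            if r.routing_mark == table and addr in net:
                if best is None or net.prefixlen > ipaddress.ip_network(best.dst).prefixlen:
                    best = r
        if best is not None:
            return best
    return None

def apply_srcnat(rules, iface_addrs, src, out_iface):
    """Walk the srcnat chain top to bottom; first match wins.
    Returns the source address as it will appear on the wire."""
    for rule in rules:
        if rule.src_address and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src_address):
            continue
        if rule.out_interface and rule.out_interface != out_iface:
            continue
        if rule.action == "masquerade":
            return iface_addrs[out_iface]   # masquerade uses the egress interface address
        return rule.to_addresses
    return src   # nothing matched: the private source leaves untranslated

def forward(routes, mangle, nat, iface_addrs, src, dst):
    """mangle: list of (src_prefix, routing_mark), like the prerouting mark-routing rule."""
    mark = next((m for p, m in mangle if ipaddress.ip_address(src) in ipaddress.ip_network(p)), None)
    route = lookup(routes, dst, mark)
    if route is None:
        return None
    return {"mark": mark, "out_iface": route.iface, "gateway": route.gateway,
            "src_on_wire": apply_srcnat(nat, iface_addrs, src, route.iface)}

# RouterA as posted, plus the mangle mark and marked default route suggested in the thread.
ROUTER_A_ROUTES = [
    Route("41.72.204.160/30", "Mumbu VLAN"),
    Route("172.168.150.0/30", "Tuseme VLAN"),
    Route("192.168.123.0/24", "LAN"),
    Route("192.168.150.0/24", "LAN"),
    Route("0.0.0.0/0", "Mumbu VLAN", gateway="41.72.204.161"),
    Route("0.0.0.0/0", "Tuseme VLAN", gateway="172.168.150.1", routing_mark="vlan"),
]
ROUTER_A_MANGLE = [("192.168.150.0/24", "vlan")]
ROUTER_A_NAT = [SrcNatRule("src-nat", src_address="192.168.123.0/24", to_addresses="41.72.204.162")]
ROUTER_A_ADDRS = {"Mumbu VLAN": "41.72.204.162", "Tuseme VLAN": "172.168.150.2", "LAN": "192.168.150.1"}

def router_a(src, dst="8.8.8.8"):
    return forward(ROUTER_A_ROUTES, ROUTER_A_MANGLE, ROUTER_A_NAT, ROUTER_A_ADDRS, src, dst)

# TheMall as posted: the default route leaves via "Office VLAN", but rule 3 matches ether1-wan.
THEMALL_ROUTES = [
    Route("10.5.7.0/24", "ether2-lan"),
    Route("41.72.215.44/30", "Office VLAN"),
    Route("192.168.50.0/27", "ether1-wan"),
    Route("192.168.150.0/30", "TestingVLAN"),
    Route("192.168.160.0/24", "TestingVLAN", gateway="192.168.150.2"),
    Route("0.0.0.0/0", "Office VLAN", gateway="41.72.215.45"),
]
THEMALL_ADDRS = {"ether2-lan": "10.5.7.1", "Office VLAN": "41.72.215.46",
                 "ether1-wan": "192.168.50.1", "TestingVLAN": "192.168.150.1"}

def themall_nat(out_interface):
    """Rule 3 ("Main NAT Rule") with the given out-interface; rules 0 and 4 as posted."""
    return [
        SrcNatRule("masquerade", src_address="10.5.7.0/24"),
        SrcNatRule("src-nat", out_interface=out_interface, to_addresses="41.72.215.46"),
        SrcNatRule("masquerade", src_address="192.168.50.0/24"),
    ]

def themall_src_on_wire(out_interface, src="192.168.160.5", dst="8.8.8.8"):
    return forward(THEMALL_ROUTES, [], themall_nat(out_interface), THEMALL_ADDRS, src, dst)["src_on_wire"]

if __name__ == "__main__":
    print("RouterA 192.168.150.x:", router_a("192.168.150.10"))   # marked, gateway 172.168.150.1
    print("RouterA 192.168.123.x:", router_a("192.168.123.10"))   # main default, NATed
    print("TheMall as posted    :", themall_src_on_wire("ether1-wan"))   # private source leaks
    print("TheMall corrected    :", themall_src_on_wire("Office VLAN"))  # 41.72.215.46
```

Two things the model makes visible that the printouts alone do not: a srcnat rule that names the wrong out-interface fails silently, so the packet is still forwarded but with its RFC 1918 source intact, which is exactly the "localnet addresses on a public ip network" remark above (and a useful thing to watch for on the upstream side); and because the marked table is consulted before main, the marked default route on RouterA also captures 192.168.150.x traffic to the router's other local subnets, which is why the earlier reply warned about reaching the other private networks and why a production mangle rule usually excludes local destinations.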

You are right! It finally works! So now I can establish a connection between two MikroTiks and the workstations behind them. I just have one last question; supposing one of our clients is using these off-the-shelf routers, e.g. D-Link or TP-Link. They don't have VLAN capability, so I'm sure we'll assign them public IPs, one for their router and the other for our WAN interface. How do I manage their bandwidth from this side, if it is possible? Because I'm assuming you will need to know THEIR LAN IPs so as to add them to the queue.

Is the new customer with the non-Mikrotik equipment requiring a separate public ip for themselves?
Or just using your network to access the internet?

My best advice here is to start another subject under the General heading. There are users here who are better at non-hotspot bandwidth control than I am.

ADD: Your new client is the reason I do not double nat my networks. If you have a client that connects with a Linksys or D-Link router, then they are doing a nat, and you would be doing 2, so for your client that would be a “triple nat”.