Hello,
I am really stuck with this and need some quick help. I need to route one subnet to another without NAT. Here are the details:
CCR 1016
ether1
IP 192.168.0.1/24
ether2
IP 192.168.10.1/24
Route
0.0.0.0/0 gw 192.168.0.254 reachable via ether1
Now, I am able to ping 192.168.0.254 as it is, but pings time out if I use src-address=192.168.10.1. Any idea what I need? Bridge, VLAN, Filter, Firewall?
My computers connect to ether2 and a NAT modem/router is at 192.168.0.254 connected to ether1.
I just setup a test environment on my spare hAP ac:
ether1:
IP 192.168.10.250/24 → goes to gateway modem/router at 192.168.10.11. I want NAT to happen only at the gateway.
ether2:
IP 192.168.0.1/24 → connected to my PC which has IP from the 192.168.0.0 range.
Routes:
2 dynamically created routes for the interface ranges plus 0.0.0.0/0 with gw 192.168.10.11 which is reachable through ether1.
From the PC, I can ping both 192.168.0.1 (ether2) and 192.168.10.250 (ether1). Pinging 192.168.10.11 or 8.8.8.8 returns “timeout”. Can someone please tell me what I am doing wrong?
If I add a srcnat firewall rule, I can ping the gateway as well as the outside world, but I understand this causes a double NAT scenario? Does anyone know how to solve this? Really appreciate your help!
Think about how routing is configured at the modem/router. The packets from both your networks (192.168.10.0/24 and 192.168.0.0/24) do reach the modem. But out of the box, a home modem/router only recognizes “LAN” and “the rest” as it has a single default route via its WAN interface. So the responses to your pings from 192.168.10.0/24 are sent to WAN rather than back to you.
So you have three options:
to configure a route to 192.168.10.0/24 via 192.168.0.1 in the modem/router (which is not possible on many such devices)
to configure a src-nat rule on Mikrotik’s ether1 so that all connections from 192.168.10.0/24 would be src-nat’ed to 192.168.0.1 (or any other address within 192.168.0.0/24). You may even use netmap instead of srcnat to map 192.168.10.X to 192.168.0.X and vice versa if nothing other than Mikrotik’s ether1 is connected to the modem/router’s LAN interface. And yes, in this latter case, you will have double NAT between Mikrotik’s LAN and the internet.
to switch the modem/router into bridge mode and set up a PPPoE or DHCP client on ether1 in Mikrotik (which may not be possible if the modem/router doesn’t support that mode or if your ISP doesn’t use PPPoE or DHCP mode and uses e.g. PPPoA). In this case, the IP address from the ISP would be up directly on Mikrotik, and you have to use src-nat (or masquerade if the ISP doesn’t provide you a static address) there so that the devices in 192.168.10.0/24 could access internet.
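To make the return-path argument above concrete, here is an added example (not from this thread or from RouterOS) that models the modem/router's forwarding table with a longest-prefix-match lookup and checks where its echo reply goes in each of the scenarios discussed: no return route, a static route back to the Mikrotik, and src-nat on ether1. The WAN next hop 203.0.113.1 is a constructed placeholder.

```python
from ipaddress import ip_address, ip_network

# Modem/router table out of the box: its own LAN is directly connected,
# everything else goes to the ISP via WAN (next hop is a constructed value).
MODEM_ROUTES_DEFAULT = [
    (ip_network("192.168.0.0/24"), None, "lan"),
    (ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "wan"),
]

# Same table after option 1 from the thread: a static route for
# 192.168.10.0/24 via the Mikrotik's ether1 address 192.168.0.1.
MODEM_ROUTES_WITH_RETURN = [
    (ip_network("192.168.10.0/24"), ip_address("192.168.0.1"), "lan"),
] + MODEM_ROUTES_DEFAULT


def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, interface) for dst.

    For a directly connected prefix the next hop is the destination itself.
    """
    dst = ip_address(dst)
    best = None
    for prefix, nexthop, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop, iface)
    if best is None:
        return None
    _, nexthop, iface = best
    return (str(nexthop) if nexthop is not None else str(dst), iface)


def reply_path(routes, src_seen_by_modem):
    """Where the modem forwards its ICMP echo reply, given the ping's source."""
    return lookup(routes, src_seen_by_modem)


def srcnat(pkt_src, inside=ip_network("192.168.10.0/24"), to="192.168.0.1"):
    """Option 2 from the thread: rewrite sources from the ether2 subnet to 192.168.0.1."""
    return to if ip_address(pkt_src) in inside else pkt_src


if __name__ == "__main__":
    print("no return route:", reply_path(MODEM_ROUTES_DEFAULT, "192.168.10.1"))
    print("static route    :", reply_path(MODEM_ROUTES_WITH_RETURN, "192.168.10.1"))
    print("src-nat         :", reply_path(MODEM_ROUTES_DEFAULT, srcnat("192.168.10.1")))
```

The first case shows the reply leaving via WAN (the observed timeout); the other two bring it back to the Mikrotik's ether1.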
Here is the firewall config output with the srcnat rule. As mentioned I don't want to do srcnat in Mikrotik:
[admin@MikroTik] > /ip firewall export hide-sensitive
You are a legend. I just added a static route on the gateway back to MT and it worked!
Other solutions may not be possible because the actual situation is a bit more complicated. The gateway IP is actually a floating IP (off a VRRP cluster), so I am not really sure where to add this static route.
dst-address=0.0.0.0/0 always matches, so you can as well remove that condition from the rule completely to save a few CPU cycles.
Unless you use the routing mark for some other purpose than to activate the src-nat, you may omit the mangle rule completely and set the same conditions directly in the nat rule:
action=masquerade should only be used when the IP address of the output interface is assigned dynamically. For static addresses, including static addresses assigned using DHCP, use action=src-nat instead. The difference is that with src-nat, all tracked connections won’t be dropped when the interface goes down for a while.
Can I trouble you with something in your answer? When you say “or masquerade if the ISP doesn’t provide you a static address” - do I have a choice not to masquerade if there is a static public IP? Thanks!
You can use a plain src-nat instead of masquerade, which is a special case of src-nat that handles the consequences of a dynamically changing address on existing connections. You cannot exclude src-nat as such.
Thank you sindy; your replies are much appreciated.
At the moment I am testing at home with an hAP ac, but the real test is when I have to set up the CCR on Tuesday. I don’t have control over the WAN side of the network unfortunately, and it is making it difficult to integrate the CCR, not to mention this is my first time using Mikrotiks. The WAN side is very complex with multi-site routing (using routing protocols), redundancy (multi WAN + VRRP) etc., so I may have to use mangle to separate some traffic. I’ll take your advice and simplify the FW rules (or no rules!) as much as possible.
If routing protocols are used in the existing network, your best bet is to activate the same routing protocols also on the CCR and tell the neighbor to open them at the interconnection interface. That way, all subnets available at the CCR will be propagated to the rest of the enterprise network.
The other point is coordination - if 192.168.10.0/24 exists somewhere else in the “network you don’t have control over”, you may get funny effects even if you hide it behind a NAT on your side. But if you don’t and you activate routing protocols in such a case, it would likely cause an emotion explosion very quickly, as two different routers would propagate the same subnets. And even if you were lucky now, the administrator of the other part of the network may add a conflicting range in future, with similar consequences.
You are right, I need to add our IP range to the routing network so it gets published across the whole corp network. We are allocated a /16 subnet from a Class A range and all those allocations come from a central source, so there is no conflict. The Class C range I’ve used here is only applicable to my home lab running over my fake corporate network.