I have an L2TP tunnel between two MikroTik routers. I have 192.168.2.0/24 on both sides of the tunnel. How do I set up the NATs to be able to communicate between the networks? I only need 192.168.2.202 on side B to communicate with 192.168.2.112 on side A.
Double NATting over a transport network? Rather, renumber one side to a different range.
Side A has a lot of links already up and it would be a pain to change the range. Side B is a new customer and I don't want to change all their IPs. Can I just NAT the customer's side? The goal is for my side A IP 192.168.2.112 to be able to copy files from side B IP 192.168.2.202. Can I NAT 192.168.2.202 to something like 192.168.123.202?
Here’s some inspiration for you. Ignore the rest of that thread, because it turned out that it wasn’t a tunnel between two sites, but only a single router between two networks.
Just thinking … not tested yet …
Idea: make fake IP addresses for both ends of the tunnel and use those fake addresses to route and masquerade traffic from particular LAN addresses to/from the A and B routers, doing proper SRC-NAT and/or DST-NAT to mask the origin address of the packet.
A. Make sure that on the A side, where 192.168.2.112 is located, no other device uses 192.168.2.202.
B. On the B side, make sure that no device uses the 192.168.2.112 address from the A side.
C. On the A side, assign 192.168.2.202 to the router's LAN interface in 192.168.2.0/24.
D. On the B side, assign 192.168.2.112 to the router's LAN interface in 192.168.2.0/24.
E. If you talk to 192.168.2.202 on the A side, then the router "captures" that traffic for that host, which should be sent to the B subnet.
F. If you talk to 192.168.2.112 on the B side, then the router "captures" that traffic for that host, which should be sent to the A subnet.
So …
G. Assign e.g. the 10.10.10.10 address to the tunnel end on the A side.
H. Assign e.g. the 10.10.10.11 address to the tunnel end on the B side.
I1. On the A side, do SRC-NAT so that all traffic from 192.168.2.202 to 192.168.2.112 has its source address replaced with 10.10.10.10.
I2. Set a static route on the A side so that packets from 10.10.10.10 to 192.168.2.112 will be sent to the B side … read it as to the 10.10.10.11 IP.
I3. On the B side, all traffic from 10.10.10.10 to 192.168.2.112 should be sent to the destination without problems, as the router knows where 192.168.2.112 resides and where the origin of the tunnel is, which is supposed to be the source of the traffic.
J 1+2+3. The same SRC-NAT should be done on the B side for the traffic in the opposite direction.
Voilà … please remember … it's just an idea.
Sob, thanks for the input. I tried this. I can now ping side A 192.168.123.1 from side B. I can also ping side B 192.168.124.1 from side A. But if I am understanding this right, the IP on side B I am trying to get to is 192.168.2.202. I should be able to ping 192.168.124.202, right? That part is not working. Or can I ping 192.168.123.112 on my A side from B?
It should work, if everything else is correct, mainly firewall filters. If you access .12x.1, it's on the router (I assume), so it goes to the input chain. But traffic for other addresses will go to the forward chain. And you have to remember that NAT changes addresses; in the forward chain it's already after dstnat, but before srcnat. So a packet from left .2.x to right .124.y will have these addresses in the forward chain:
a) on the left router: src .2.x, dst .124.y
b) on the right router: src .123.x, dst .124.y
And similarly in the other direction.
Another problem might be if hosts in the internal subnets have some other default gateway than these routers with the tunnel.
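The scheme the thread converges on (side A's 192.168.2.0/24 presented to B as 192.168.123.0/24, side B's presented to A as 192.168.124.0/24), written out as RouterOS commands for both routers. This is an added example, not configuration posted by anyone in the thread. It also covers the earlier "fake address" idea, but replaces its per-host SRC-NAT with a 1:1 `netmap` of the whole /24, so the host part of the address is preserved (.112 becomes .123.112, .202 becomes .124.202). Assumptions: the L2TP interface is named `l2tp-siteB` on router A and `l2tp-siteA` on router B (on the L2TP server side, add a static `/interface l2tp-server` binding so the interface keeps a fixed name instead of a dynamic one), the LAN hosts use these routers as their gateway, and the only flow that must work is the one the original poster asked for, 192.168.2.112 on A initiating to 192.168.2.202 on B. The filter rules are appended after whatever is already in the forward chain, so check ordering against an existing configuration.

```routeros
# ===== Router A: LAN 192.168.2.0/24, seen by B as 192.168.123.0/24 =====
# (assumed tunnel interface name: l2tp-siteB)

/ip route
# Side B's fake range goes over the tunnel; a point-to-point interface can be the gateway.
add dst-address=192.168.124.0/24 gateway=l2tp-siteB comment="site B LAN as 124.x"

/ip firewall nat
# Outbound over the tunnel: 192.168.2.x -> 192.168.123.x (1:1, host part kept)
add chain=srcnat out-interface=l2tp-siteB src-address=192.168.2.0/24 action=netmap to-addresses=192.168.123.0/24 comment="A LAN -> 123.x"
# Inbound from the tunnel: 192.168.123.x -> 192.168.2.x (dstnat runs in prerouting, before routing and before the forward chain)
add chain=dstnat in-interface=l2tp-siteB dst-address=192.168.123.0/24 action=netmap to-addresses=192.168.2.0/24 comment="123.x -> A LAN"

/ip firewall filter
# Replies to connections we already track (reverse NAT is applied by connection tracking, no extra rules needed)
add chain=forward connection-state=established,related action=accept comment="return traffic"
# The one flow the thread needs. In A's forward chain the packet still carries its real source
# (srcnat has not run yet) and the untranslated destination (A does no dstnat in this direction).
add chain=forward out-interface=l2tp-siteB src-address=192.168.2.112 dst-address=192.168.124.202 action=accept comment="A .112 -> B .202"
# Nothing else crosses the customer link in either direction.
add chain=forward out-interface=l2tp-siteB action=drop comment="drop other A -> B"
add chain=forward in-interface=l2tp-siteB action=drop comment="drop other B -> A"

# ===== Router B: LAN 192.168.2.0/24, seen by A as 192.168.124.0/24 =====
# (assumed tunnel interface name: l2tp-siteA)

/ip route
add dst-address=192.168.123.0/24 gateway=l2tp-siteA comment="site A LAN as 123.x"

/ip firewall nat
add chain=srcnat out-interface=l2tp-siteA src-address=192.168.2.0/24 action=netmap to-addresses=192.168.124.0/24 comment="B LAN -> 124.x"
add chain=dstnat in-interface=l2tp-siteA dst-address=192.168.124.0/24 action=netmap to-addresses=192.168.2.0/24 comment="124.x -> B LAN"

/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="return traffic"
# On B the packet from A has already been through dstnat, so the forward chain sees
# src 192.168.123.112 (A's translated source) and dst 192.168.2.202 (B's real host).
add chain=forward in-interface=l2tp-siteA src-address=192.168.123.112 dst-address=192.168.2.202 action=accept comment="A .112 -> B .202"
add chain=forward in-interface=l2tp-siteA action=drop comment="drop other A -> B"
add chain=forward out-interface=l2tp-siteA action=drop comment="drop other B -> A"

# ===== Check from router A while 192.168.2.112 is talking to 192.168.124.202 =====
# A tracked entry with dst 192.168.124.202 and reply-dst 192.168.123.112 proves both netmaps fired.
/ip firewall connection print where dst-address~"^192.168.124.202"
```

With this in place, 192.168.2.112 on A addresses the B host as 192.168.124.202, and B's host sees the connection coming from 192.168.123.112. Pinging 192.168.124.1 or 192.168.123.1 only proves the tunnel and routes; those addresses terminate on the routers (input chain), so they say nothing about the netmap or the forward rules, which is why the .1 tests can pass while the .202 test fails. If B must also initiate connections to A, add the mirror-image accept rule on each router before the drop rules; otherwise the drops keep the customer's subnet from reaching anything on side A except through connections that .112 opened.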
Create VLANs for this PC. Create a VLAN interface on the routers and set up the routing.
Have a good day!
Thanks for all your help. Sob, I was able to get this working with your solution. Thanks for the information.