We have an embedded system consisting of several devices connected to router.
User can connect the system’s router to his network (system’s router WAN to his LAN).
Then he can access FTP server. We have setup dstnat to target server (one of system’s device).
This works well when subnets of system’s router and user’s router differ.
We have set “quite random” subnet range (eg. 192.168.153.0/24).
Nonetheless, there is possibility that user will have a same subnet.
Is there any possibility to setup a NAT/routes/? so user can access FTP regardless of his subnet?
I am also not sure if this is way to go, but I have tried to mark packets entering WAN interface (eth1) and then make netmap nat to change income/outcome address:
It worked in case of different subnets (the FTP server saw 192.168.17.* address). It did not work in case of same subnets (which we aim for).
I suspect that we need to configure a route back, however I do not know how.
I have tried for one particular client address (eg. 192.168.153.254) and this worked strangely:
The ftp server returned the login prompt, but login fails (like connection drops after initial handshake).
Only as a side note, in the 192.168 range you have only 256 /24 subnets.
In the 10 range you have 256*256=65536.
A collision is still possible, but it is definitely less probable.
Particularly if users use 192.168.x.0/24 ranges
Hi,
I suspect it should be possible using vrf’s. But I am not sure, and don’t know how too, sorry.
I had a trial of putting another mikrotik (a hex) in front of a similarly configured setup, and this appears to work ok.
If your main router is a high end expensive CCR or similar, this is probably not appropriate.
A bidirectional NAT (BiNat) router config
(This was applied to a default [not blank] config on a Hex as a trial)
/ip pool
add name=pool14 ranges=192.168.14.2
/ip dhcp-server
add address-pool=pool14 interface=bridge lease-time=120m name=dhcp14
/ip address
add address=192.168.14.1/30 interface=bridge network=192.168.14.0
/ip dhcp-server config
set store-leases-disk=1d
/ip dhcp-server network
add address=192.168.14.0/24 dns-server=192.168.14.1 gateway=192.168.14.1 \
netmask=32
/ip firewall nat
add action=netmap chain=srcnat dst-address=192.168.14.2 out-interface-list=\
LAN to-addresses=192.168.14.0/24
add action=netmap chain=dstnat dst-address=192.168.14.0/24 in-interface-list=\
LAN to-addresses=192.168.153.0/24
add action=dst-nat chain=dstnat dst-address-type=local in-interface-list=WAN \
to-addresses=192.168.14.2
/ip address
set [find where comment=defconf] disabled=yes;
/ip/dhcp-server
set [find where name=defconf] address-pool=pool14
Notes:
This assumes a single host (only) device behind the new router.
The host 192.168.153.x range is now available from your devices via 192.168.14.x
You may want to disable some of the ip services, and/or firewall helpers on the new router.
If the device you have has a wifi interface you might want to disable it.
You may want to put another static IP address on the BiNAT router bridge.
(to make it easier to connect too and manage from your devices)
192.168.14.1 will connect you through to the host device with 192.168.153.1
.14.x chosen as it is likely to be unused by network using 192.168.153.x
(and can be modified fairly easily)
This works well when subnets of system’s router and user’s router differ.
We have set “quite random” subnet range (eg. 192.168.153.0/24).
Nonetheless, there is possibility that user will have a same subnet.
even if those users were on the same office - as long as both routers do nat, the receiving router will only see the other router wan ip address.
example:
router a (system’s router) wan 1.1
router b, c, d (user’s router or the other end) 2.1
router a will only see 2.1 - it won’t see any ip beyond that natted router b, c, d. that goes for the clients router as well - they will only see router a wan ip 1.1. can’t see any ip beyond that.
Is there any possibility to setup a NAT/routes/? so user can access FTP regardless of his subnet?
as long as you configure both routers do src nat (wan a and wan b, c, d) and dst nat (router a wan for ftp) correctly there should be no problem. no need for marking, netmap etc.
In the same subnet, the FTP server considers the src IP address as local. (/24).
As the src-ip is local, traffic is not sent back to the router, but an ARP broadcast is sent and the server requires the mac address in order to send the traffic back to the source. From what you are describing, source to destination (client to FTP server) the traffic goes through the router, and you address it on the router appropriately.
The return traffic from the destination to the source (FTP Server to client), does not make it back to the router at all.
Best thing here IMHO would be to assign a /32 (not local to any of your subnets), and dst-nat/src-nat to that virtual IP
Thank you for your replies. I am still out of luck with it. I believe that I am missing something.
For now I think we will stay with a random subnet - and nice tip to use 10...* range .
The separate router is fast backup solution (thanks for this idea, we uses RB2011 series we may install second in case, not optimal, but working).
If somebody want to continue with similar setup, my last case was still to hide (192.168.153.222->192.168.211.222) user address (192.168.153.222) given to server (192.168.153.7):
The FTP service read connection and I think it got mislead as I hide user address with src-nat but user still sends its address explicitly (reason why to turn it off).
Also ftp server needs to be configured with external address (those given by external network DHCP - here 192.168.153.221) - as it sends it explicitly.
This configuration once worked seamlessly, but after router reboot uploading of files stopped working (download worked, both passive).
