(SOLVED) - NAT doesn't work - even following tutorial

Paternot · June 18, 2016, 2:39am

We just bought a 1100AHx2, to substitute our old router/firewall. Since this is my first time with Mikrotik, I reserved one or two months to learn the system.

The setup is this:

business intranet (10.0.2.x/24) -> ether2
ether13 (10.130.0.x/24) -> little old OpenWrt, who connects to a remote OpenVpn server.

Problem: NAT doesn't work. The OpenWrt box got its IP allright (10.130.0.10). But I see its DNS requests going out to our business intranet (10.0.2.x/24) with the original IP (10.130.0.10).

I followed the instructions at (RouterOS - RouterOS - MikroTik Documentation). The configuration of router is almost zero, as you can see by my export compact:

[admin@MikroTik] > export compact

jun/17/2016 23:36:45 by RouterOS 6.35.4

software id = VRLN-PXTA

/ip dhcp-server
add authoritative=yes disabled=no interface=ether6 name=ether6
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=ProxyConsulta ranges=10.130.0.10,10.130.0.200
/ip dhcp-server
add address-pool=ProxyConsulta authoritative=yes disabled=no interface=ether13 name=ProxyConsultaDHCP
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1 network=192.168.88.0
add address=10.130.0.1 comment="Proxy esta nessa porta" interface=ether13 network=10.130.0.1
add address=10.60.0.1 interface=ether6 network=10.60.0.1
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether2
/ip dhcp-server network
add address=10.60.0.0/24 dns-server=10.0.2.6,10.0.2.4 gateway=10.60.0.1 netmask=24
add address=10.130.0.0/24 dns-server=10.0.2.6,10.0.2.4 gateway=10.130.0.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
/system clock
set time-zone-name=America/Sao_Paulo
/system leds
add leds=user-led type=off
/system ntp client
set enabled=yes primary-ntp=200.160.7.186 secondary-ntp=200.192.232.8
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set ether6 disabled=no
set ether7 disabled=no
set ether8 disabled=no
set ether9 disabled=no
set ether10 disabled=no
set ether11 disabled=no
/system routerboard settings
set protected-routerboot=disabled

Where am I going wrong?

Paternot · June 18, 2016, 3:12am

Nevermind, I found the problem. My mistake, of course. I could erase the question, but let it here - in the hope that will help someone.

Error: I configured the network with the wrong netmask. How could I do it? Thanks to the learning curve. You see, Mikrotik works exactly the opposite way I am used: The “normal” way to me is to declare the IP address (10.130.0.1) and the network address followed by the netmask (10.130.0.0/24).

But with the web interface, You put the IP address AND the netmask (10.130.0.1/24). On the next line we declare the network address (10.130.0.0). So, my brain refused to wrap around this, and I ended declaring 10.130.0.1/32. $DEITY knows why. Probably the result of force of habit, a long day, Friday and the learning curve…

Anyway. Sorry about the post, hope it helps another newbie in the future.

Thanks,