Split NAT and Not NAT

We are adding a new branch to our network. Since we are running shy on real-world IP addresses, we need to NAT groups of users to single real-world addresses. Here is the wrinkle, though.

We are using Motorola Canopy for our CPE. In NAT mode, Canopy uses one IP for its NAT public and another for the radio private, which is used for system management. So, our requirement is that all NAT public IPs in the network 192.168.168.0/24 be NATted to a single real-world IP at the gateway router on the tower. This I have been able to do. Further, the radio private addresses in 172.222.11.0/24 must not be NATted at all so that we can remotely access the radio units. Traffic to and from this block must pass unaltered through the router.

My question is: what do I need to do to the NAT configuration to exempt the radio privates?

action=accept in the nat
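
An added example (not part of the original thread) of the exemption suggested above, in RouterOS syntax: an accept rule in the srcnat chain placed ahead of the src-nat rule, so packets from the radio subnet leave the chain untranslated. The interface name `ether1-uplink` and the public address `203.0.113.10` are placeholder assumptions; the two subnets are the ones given in the question.

```routeros
/ip firewall nat
# NAT rules are evaluated top to bottom and the first match wins,
# so the exemption must sit above the translation rule.

# 1. Radio private (management) addresses: action=accept stops NAT
#    processing, so the source address passes through unaltered.
add chain=srcnat src-address=172.222.11.0/24 action=accept \
    comment="no NAT for Canopy radio management"

# 2. Canopy NAT public side: translate the whole block to one
#    real-world address (placeholder) on the uplink (assumed name).
add chain=srcnat src-address=192.168.168.0/24 out-interface=ether1-uplink \
    action=src-nat to-addresses=203.0.113.10 \
    comment="customer NAT to single public IP"

# Confirm the order: the accept rule must be listed before the src-nat rule.
print
```

Because the radio addresses are no longer translated, the network you manage them from needs a route back to 172.222.11.0/24 through this router.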

Why not disable the NAT on the Canopy SM and do all the NAT on the MikroTik connected to the AP? You move the client traffic to a VLAN and management stays on the native or another VLAN. This gets you around limitations in the Canopy NAT code and gives you strict access controls to the management IPs.

Not a bad idea. I have found some nasty limitations in Canopy NAT, its inability to work with Ventrilo for example. I'll give it a try. It's a brand new network leg, so I can't screw up any users playing with it. Thanks for the pointer.