SRCNAT Masquerade Problem

Hello. I’m having a problem with srcnat masquerade, trying to make my MT act like a common home gateway to the Internet, but I can’t seem to get it to work. Here is my network topology, starting with my ISP:


Cisco PIX 10.0.0.1 -----> AP 10.0.0.2 -----> Dlink 802.11b Bridge 10.0.0.70 -----> Mikrotik RB532 Ether1 10.0.0.71 -----> Ether2 (src-nat'ed) 192.168.0.1 -----> PC 192.168.0.2

Here are the relevant lines from my Mikrotik configuration:

/ interface ethernet
set ether1 name="ether1" mtu=1500 mac-address=00:0C:42:09:36:E1 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default mdix-enable=yes speed=100Mbps comment=""
disabled=no
set ether2 name="ether2" mtu=1500 mac-address=00:0C:42:09:36:E2 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment="" disabled=no

/ ip pool
add name="dhcp_pool1" ranges=192.168.0.2-192.168.0.254
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip service

set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
set primary-dns=72.87.48.50 secondary-dns=72.87.48.70 allow-remote-requests=no
cache-size=2048KiB cache-max-ttl=1w

/ ip address
add address=10.0.0.71/24 network=10.0.0.0 broadcast=10.0.0.255
interface=ether1 comment="" disabled=no
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255
interface=ether2 comment="" disabled=no

/ ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1 scope=255 target-scope=10
comment="" disabled=no

/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" disabled=no

/ ip dhcp-server
add name="dhcp1" interface=ether2 lease-time=3d address-pool=dhcp_pool1
bootp-support=static authoritative=after-2sec-delay disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
/ ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 comment=""

With this configuration, my Mikrotik can ping my ISP’s Cisco PIX at 10.0.0.1, but my PC cannot. My PC can only ping as far as ether1 on the Mikrotik, which is 10.0.0.71. 10.0.0.70 cannot be pinged from the PC either.

It’s worth mentioning that my Cisco 871w Router/Firewall has the same addresses, routes, and src-nat setup, and it works fine.

Can anyone find a problem with my config and tell me what I’m doing wrong?

Thanks in advance.

Eric

The PIX requires a route to the 192.168.0.0 network.

Either manually configure one, or set the PIX and MT to use a routing protocol such as RIP.

Regards

Andrew

Andrew,
Thanks for the reply. I understand what you are saying, and appreciate your answer. However, my goal is to be able to deploy this router as a common household gateway to the Internet, and my customers aren’t going to be able to tell their ISP to change their routes.

If I were to use, say, a DLink DI-604 home Internet router, it would use its WAN port to the ISP (in my case, ether1 at 10.0.0.71) and its LAN ports to the home PCs (in my case, ether2 at 192.168.0.x), and I would get Internet service. In this scenario, my ISP would not need to enable RIP or change its routes. All I would need to do is tell my

How can I duplicate this scenario with Mikrotik?

Thanks,
Eric

Eric

Apologies. I’m plainly talking rubbish here. As you’re src-natting on the MT then there’s no need for the PIX to need to know how to route to 192.168.0.0

Here’s my src-nat rule for my internal LAN:

chain=srcnat out-interface=Internet src-address=192.168.1.0/24
     action=src-nat to-addresses=x.x.x.x to-ports=0-65535

Where x.x.x.x would be 10.0.0.71 in your case.

You probably want to use the MT as a DNS relay, in which case you need to ‘allow-external-requests’.

What do the scope and target-scope parameters in your default route definition do?

Regards

Andrew
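Two points in Andrew's reply are worth checking mechanically on any export like Eric's: whether the srcnat rule is restricted to the LAN with src-address (his rule is, Eric's masquerade rule is not), and whether the DNS relay (allow-remote-requests) is switched on, since that also answers on the ISP-facing interface unless the input chain blocks it. The following is an added example, not code from the thread: a small parser for the wrapped key=value export format shown above, run over a constructed fragment that combines Eric's DNS section with both NAT rule styles.

```python
import re

# Constructed sample in the export style of the thread: long lines wrap onto
# the next line, and entries start with 'add' or 'set' under a '/ ...' section.
SAMPLE_EXPORT = """\
/ ip dns
set primary-dns=72.87.48.50 secondary-dns=72.87.48.70 allow-remote-requests=yes
cache-size=2048KiB cache-max-ttl=1w
/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" disabled=no
add chain=srcnat out-interface=ether1 src-address=192.168.0.0/24 action=src-nat
to-addresses=10.0.0.71 to-ports=0-65535 comment="" disabled=no
"""

def parse_export(text):
    """Return {section: [entry, ...]} where each entry maps key -> value.

    A line starting with '/' opens a section; 'add'/'set' begins an entry;
    any other non-empty line is a wrapped continuation of the current entry.
    """
    sections, section, entry = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line[1:].strip()
            sections.setdefault(section, [])
            entry = None
            continue
        cmd = line.split()[0]
        if cmd in ("add", "set"):
            entry = {"_cmd": cmd}
            sections.setdefault(section, []).append(entry)
            line = line[len(cmd):]
        if entry is not None:
            # values are either "quoted" (possibly empty) or a bare token
            for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', line):
                entry[key] = val.strip('"')
    return sections

def audit(text):
    """Defender-side findings: over-broad srcnat rules and an open DNS relay."""
    cfg = parse_export(text)
    findings = []
    for rule in cfg.get("ip firewall nat", []):
        if rule.get("chain") == "srcnat" and rule.get("disabled") != "yes":
            if "src-address" not in rule:
                findings.append("srcnat rule without src-address: NATs traffic from any source, not only the LAN")
    for dns in cfg.get("ip dns", []):
        if dns.get("allow-remote-requests") == "yes":
            findings.append("DNS relay enabled (allow-remote-requests=yes): drop external udp/53 in the input chain on ether1")
    return findings
```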

Andrew,
I don’t know what the scope and target-scope parameters do, but I do know that you’re a genius! My configuration is now working!

Thanks ever so much,
Eric