Static routing does not work without NAT

Hello, I was trying to configure CCR 1009 (OS 6.49.10) to do just static routing for the local subnet without changing hosts’ IP, basically being a switch for the time being with the simplest configuration possible.

But it doesn’t allow packets from our local hosts (only one for now on Ether2) to even reach Ether1 interface (WAN) without adding an src-nat rule for masquerading their IP. I’ve tried adding simple firewalls, even making queues with mangle, but nothing seems to work without NAT.

The question is, is this possible and if so, how?

ISP gave a 217.147.160.32/28 segment with 217.147.160.33 gateway. The only host has IP 217.147.160.50.
Configuration as follows:

[admin@MikroTik] > ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                       
 0   217.147.160.49/28  217.147.160.48  ether2                                                          
 1   217.147.160.34/28  217.147.160.32  ether1
[admin@MikroTik] > ip route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          217.147.160.33            1
 1 ADC  217.147.160.32/28  217.147.160.34  ether1                    0
 2 ADC  217.147.160.48/28  217.147.160.49  ether2                    0
[admin@MikroTik] > ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

217.147.160.50 is outside 217.147.160.32/28 subnet (which spans from .32 to .47, first one being network address and last one being broadcast address).

Next complication is use of addresses from same subnet on different interfaces.

There are multiple ways out and which is the best largely depends on future requirements:

  1. configure router to bridge WAN and LAN port, configure LAN hosts to use ISP’s router as their gateway. Enable “use-ip-firewall” on bridge to enforce use of firewall on router. This solution has a few drawbacks (which may or may not be relevant), e.g. you can hardly run DHCP server.
  2. use private IP address space on LAN segment and configure all public addresses on router’s WAN interface. Then use NAT to map public addresses to LAN clients - you can use 1:1 NAT. All traffic will automatically be forced through router’s L3, so no tricks necessary to enforce firewall. Drawback is NAT (but with decent setup that’s a cosmetic issue).
  3. configure things with public IP addresses on both sides, but enable proxy-arp on WAN interface so that router will answer to “ARP who has” requests from ISP side. This setup is not entirely trivial, addressing and netmasks are important for router to route traffic correctly.
  4. etc.

Yes, because 217.147.160.48/28 is an internal subnet with 217.147.160.63 being a broadcast address. I just need the .50 host on that subnet reach the ISP one (.32 you’ve mentioned).

Glad you understand the request MKX, it was disjointed and gobbledygook to me.
Static routes work very well on MT.

Internally they are used to let the router know a path to send packets, normally required because the subnet identified is NOT LOCAL to the router.
The router is not aware of their existence and thus the router needs to be pointed in the right direction

  • could be to a wireguard interface
  • could be to a LAN IP address which is actually also the WAN IP of a router with “foreign” subnets behind it.

So, perhaps someone can make a clear requirement statement out of the mess above… '=P

Basically what I want is for public subnet to see my internal hosts addresses. Both masquerade and netmap will change 217.147.160.50 to 217.147.160.34, which is a WAN address on my router.

Yes, both subnets have /28 mask and start at 217.147.160, that is required for now. My entire relevant config is on the first post. And just bridging WAN and LAN kinda destroys the whole idea.

Another question, does 1:1 NAT described by mkx imply that I have to assign all of my private hosts addresses to one WAN interface?

Why would you be using a public address range for your internal subnet? Far better to use one of the private lan spaces:
Class A: 10.0.0.0 to 10.255.255.255.
Class B: 172.16.0.0 to 172.31.255.255.
Class C: 192.168.0.0 to 192.168.255.255.

If your ISP assigns you a subnet (e.g. /28) and reserves one IP address for own use (telling you to use it as upstream gateway address), then this means that those IP addresses need to be (directly) accessible by that ISP device. Setting all of them on your router’s WAN interface allows that. 1:1 NAT doesn’t strictly rely on it since NAT is L3/L4 function while finding out MAC address carrying IP address is L2 function.
Just to make clear: I’m talking about public addresses, assigned to you by ISP. Private addresses of your servers (as indicated by @k6ccc) will only be known inside your network if your router is configured correctly.

The other possibility for ISP to give you a subnet, is to assign you an unrelated WAN address for your router. ISP router will then use that unrelated address to pass the traffic towards you. In this case you don’t have to assign all addresses to WAN interface, it’s fine to use them e.g. only in NAT config.
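The private-LAN plus 1:1 NAT layout from option 2 in the list above, with the public addresses placed on the WAN interface so the ISP device can ARP for them as explained in the reply just above, as an added RouterOS example that is not part of any post in this thread. The ISP block 217.147.160.32/28, the gateway .33, the router address .34 and the public address .50 come from the thread; the private range 192.168.10.0/24, the host 192.168.10.50 and the single exposed TCP port 443 are assumptions made for the example.

```routeros
# Assumed addressing for this example (not the poster's config):
#   ISP block 217.147.160.32/28, gateway .33, router WAN .34 (from the thread)
#   private LAN 192.168.10.0/24, server 192.168.10.50 (assumption)
#   public .50 is mapped 1:1 to the private server (assumption)

/ip address
add address=217.147.160.34/28 interface=ether1 comment="router WAN address"
add address=217.147.160.50/28 interface=ether1 comment="public address to be 1:1 mapped; router answers ARP for it"
add address=192.168.10.1/24 interface=ether2 comment="private LAN, router is the hosts' gateway"

/ip route
add dst-address=0.0.0.0/0 gateway=217.147.160.33 comment="default route via ISP gateway"

# 1:1 NAT: inbound traffic to the public address is rewritten to the private host,
# outbound traffic from that host leaves with its own public address (not the router's .34)
/ip firewall nat
add chain=dstnat dst-address=217.147.160.50 action=dst-nat to-addresses=192.168.10.50 comment="1:1 inbound"
add chain=srcnat src-address=192.168.10.50 action=src-nat to-addresses=217.147.160.50 comment="1:1 outbound"

# Because every packet now crosses the router at L3, the forward chain is enforced
# without any bridge tricks: allow replies, drop invalid, expose only the served port
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=dstnat protocol=tcp dst-port=443 action=accept comment="only the service the host actually runs"
add chain=forward in-interface=ether1 action=drop comment="everything else from WAN"
```

After a connection from the Internet to 217.147.160.50:443 is opened, `/ip firewall connection print` shows the entry with its reply address already translated to 192.168.10.50, and `/ip firewall nat print stats` shows the two 1:1 rules counting packets. The rules above only touch the forward chain, so management access to the router itself (input chain) is unchanged by them.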

As I said earlier, it’s required for the task. It won’t be like this for long anyway. I tried to use a private address range, but it still did not work without masquerade (or netmap that for some reason changes src address too). I’ve tried setting up some accepting firewall rules and they changed nothing.