Not a total noob, but it’s been a long while since dealing with iptables-type NAT, and I’m missing something plain trivial here. HW used is a Mikrotik RB4011iGS+RM.
The first step, getting those two even to ping, seems to be an issue. Connected ports are as on the picture, and the addresses of the router ports are as defined.
The two NAT rules seem pretty cumbersome to me. And they possibly do only half of their job … depending on the configuration of both PCs. Or they are plain wrong …
For example: the first rule will kick in when PC 192.168.0.10 (or any other, actually) tries to communicate with 192.168.0.1 (the router’s IP address in that particular subnet). The router will perform DST-NAT, changing the destination IP address to 192.168.210.10. Mind that the source IP address will remain unchanged. So the destination PC will receive a packet with the source IP address set to 192.168.0.10. There are two potential issues here: 1) does the destination PC have a correct route to return the packet via the router in question? And 2) does the destination PC’s firewall allow connections from the “remote” IP subnet?
The second rule seems to be more in place … it’ll only work when the connection is initiated from 192.168.210.10 and passes through the router (so any destination, actually, as long as the packets pass through the router due to the PC’s configuration).
So you may want to explain (in plain English) what exactly you want to achieve here.
I thought using netmap would be a better option for the first “absolute minimum starting point” of what I’m trying to achieve, as in the end I need to do 1:1 NAT anyway.
What I want to achieve with this example is simply to be able to communicate between those two computers. They are on different subnets and there is no default GW in place, so they are not able to do that.
the first rule will kick in when PC 192.168.0.10 (or any other, actually) tries to communicate with 192.168.0.1 (the router’s IP address in that particular subnet). The router will perform DST-NAT, changing the destination IP address to 192.168.210.10.
My reasoning so far is similar. When communicating with “192.168.0.1” the router changes the destination IP address to 192.168.210.10, which is the other computer.
Mind that the source IP address will remain unchanged. So the destination PC will receive a packet with the source IP address set to 192.168.0.10.
…aaand this is probably the reason. As stated above, due to the lack of a default GW, there is no route back to the 192.168.0.0/24 network.
…then, if I’m on computer 1 (192.168.0.10), what address do I ping to reach computer 2 at 192.168.210.10? Or if I change computer 2’s IP address to 192.168.210.11, would it be reachable from computer 1 by pinging 192.168.0.11?
Ah, true… I’ll try that tomorrow and report back. Thanks for pointing that out.
…though I believe I tried that; that should work for a single address, right?
I don’t think it would, or maybe they can work with the alternate (IP range) syntax, though it is as clear as mud in the official Mikrotik documentation; a part of the source address seemingly remains unchanged. See this thread where sindy explains the matter: http://forum.mikrotik.com/t/netmap-vs-srcnat/143946/1
If you want a single address, probably (no netmap, only dst-nat and src-nat):
A confusing post with no complete config provided nor really any context of where the devices sit WITHIN a network.
Where are the other switches, the upstream user router, the upstream ISP modem (or modem/router)? Type of ISP, public/private, static/dynamic, etc.
There are none, only two PCs and an RB4011 between them.
I believe it is only an experiment; some people may have a less holistic approach than you have and try building (small) walls one brick at a time, without having designed the whole cathedral, knowing in advance that they will later need to demolish those small walls and start again.
So the chap wants to connect two devices with two different IPs with no typical LAN structure, so to speak??
It’s a bogus concept to me, but I’m not trained LOL.
Ah, sindy’s explanation sheds a lot of light on the matter of the addresses in the subnets.
I’m sticking with the netmap approach, as a bit later on I need to do 1:1 subnet NAT anyway. If we think about the wiki example (I just changed the networks, nothing else), am I right to assume that one must be sure that there are no identical address digits (outside the network address)?:
If we now take my attempt at a “simple configuration”, from computer 1’s point of view computer 2 should be found at 192.168.0.10, but that is already computer 1’s own address, so I’m just pinging localhost.
That’s not a problem I need to address, I’ll just change the IP address of the second computer, but should the router port’s IP address designation now be something else, like the whole network “192.168.0.0/24” or similar?
I don’t know, I think that you should make tests to understand how it works.
Common sense (which does not necessarily apply in networking, and particularly in Mikrotik networking) tells me that there should be some mechanism to avoid that, but I really cannot say.
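Since the thread leaves both questions to experiment, here is a small Python model of what the router does in the two situations discussed: the single-address dst-nat rule with and without a matching src-nat (the “no route back” problem from the first reply), and the 1:1 netmap of one /24 onto the other with a check for the host-part clash the OP ran into. This is an added example, not anything posted in the thread or MikroTik’s own code. It assumes the topology as described (PC1 192.168.0.10, PC2 192.168.210.10, RB4011 in between, no default gateway on either PC); the router’s address on PC2’s side, 192.168.210.1, is an assumption, since the page only gives 192.168.0.1 for the PC1 side.

```python
from ipaddress import ip_address, ip_network

# Constructed topology, as described in the thread: PC1 and PC2 on two different
# /24s with the RB4011 between them and no default gateway on either PC.  The
# router's address on PC2's side (192.168.210.1) is an assumption; the page only
# gives 192.168.0.1 for the PC1 side.
PC1, PC2 = "192.168.0.10", "192.168.210.10"
HOSTS = {PC1: ip_network("192.168.0.0/24"), PC2: ip_network("192.168.210.0/24")}
ROUTER_IFACES = {"192.168.0.1", "192.168.210.1"}


def on_link(hosts, host, dst):
    """A PC with no default gateway can only send to its own subnet.
    This is an L3-only model: it does not check who answers ARP for dst."""
    return ip_address(dst) in hosts[host]


def netmap(addr, from_net, to_net):
    """What action=netmap does: keep the host bits, swap the network bits."""
    from_net, to_net = ip_network(from_net), ip_network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs two prefixes of the same length")
    a = ip_address(addr)
    if a not in from_net:
        raise ValueError(f"{a} is not inside {from_net}")
    host_bits = int(a) & int(from_net.hostmask)
    return str(ip_address(int(to_net.network_address) | host_bits))


def translate(addr, rule):
    if rule["action"] == "netmap":
        return netmap(addr, rule["match"], rule["to"])
    return rule["to"]  # plain dst-nat / src-nat: one fixed replacement address


def apply_rules(rules, src, dst):
    """dstnat chain on the way in, srcnat chain on the way out; first match wins."""
    for r in rules:
        if r["chain"] == "dstnat" and ip_address(dst) in ip_network(r["match"]):
            dst = translate(dst, r)
            break
    for r in rules:
        if r["chain"] == "srcnat" and ip_address(src) in ip_network(r["match"]):
            src = translate(src, r)
            break
    return src, dst


def round_trip(rules, hosts, client, contact_addr):
    """Send one request from client to contact_addr through the router and see
    whether the reply can come back.  Returns (source the server saw, reply_ok).
    Connection tracking reverses the translation for any reply that reaches the
    router, so the only question is whether the server can send to that source."""
    if contact_addr == client:
        return None, False  # pinging your own address never leaves the host
    if not on_link(hosts, client, contact_addr):
        return None, False  # no default GW: the packet is never sent at all
    seen_src, real_dst = apply_rules(rules, client, contact_addr)
    if real_dst not in hosts:
        return seen_src, False  # nothing answers at the translated address
    return seen_src, on_link(hosts, real_dst, seen_src)


def netmap_collisions(hosts, router_ifaces, from_net, to_net):
    """For every host in from_net, the address it would occupy in to_net after
    netmap, if something (another host or a router interface) already has it."""
    taken = set(hosts) | set(router_ifaces)
    clashes = {}
    for h in hosts:
        if ip_address(h) in ip_network(from_net):
            mapped = netmap(h, from_net, to_net)
            if mapped in taken:
                clashes[h] = mapped
    return clashes


# The thread's first rule: "talk to 192.168.0.1 and you reach PC2".
DSTNAT_ONLY = [
    {"chain": "dstnat", "match": "192.168.0.1/32", "action": "dst-nat", "to": PC2},
]
# Same, plus src-nat to the router's own (assumed) address on PC2's side; a real
# rule would also match dst-address or out-interface so it does not catch everything.
DSTNAT_AND_SRCNAT = DSTNAT_ONLY + [
    {"chain": "srcnat", "match": "192.168.0.0/24", "action": "src-nat", "to": "192.168.210.1"},
]
# 1:1 netmap of PC1's subnet onto PC2's subnet in both directions.
NETMAP_1TO1 = [
    {"chain": "dstnat", "match": "192.168.0.0/24", "action": "netmap", "to": "192.168.210.0/24"},
    {"chain": "srcnat", "match": "192.168.0.0/24", "action": "netmap", "to": "192.168.210.0/24"},
]

if __name__ == "__main__":
    print(round_trip(DSTNAT_ONLY, HOSTS, PC1, "192.168.0.1"))        # ('192.168.0.10', False)
    print(round_trip(DSTNAT_AND_SRCNAT, HOSTS, PC1, "192.168.0.1"))  # ('192.168.210.1', True)
    print(netmap_collisions(HOSTS, ROUTER_IFACES, "192.168.210.0/24", "192.168.0.0/24"))
    moved = {PC1: HOSTS[PC1], "192.168.210.11": HOSTS[PC2]}          # PC2 re-addressed to .11
    print(netmap_collisions(moved, ROUTER_IFACES, "192.168.210.0/24", "192.168.0.0/24"))
    print(round_trip(NETMAP_1TO1, moved, PC1, "192.168.0.11"))       # ('192.168.210.10', True)
```

The first run reproduces the problem from the thread: with dst-nat alone PC2 sees 192.168.0.10 as the source and, having no default gateway, cannot send the reply anywhere. Adding src-nat to the router’s own address on PC2’s side makes the reply on-link, and connection tracking undoes both translations on the way back. For the netmap case the collision check shows why the OP ended up pinging localhost: PC2 at .10 lands on 192.168.0.10, which PC1 already owns, and the same check also flags a clash with the router’s own interface address (.1), so those count as taken too. Moving PC2 to .11 clears the clash and PC1 reaches it as 192.168.0.11. One caveat the model deliberately leaves out: 192.168.0.11 lies inside PC1’s own subnet, so PC1 will ARP for it rather than send it to the router, and something on the PC1 side (the router answering ARP for the mapped range, or a mapped range outside PC1’s own subnet) is still needed for the packet to reach the router at all.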