Transparent Bridge with NAT?

nicfallenangel · February 21, 2012, 6:12pm

So this falls into the category of “Can it be done?”

We are setting up a mikrotik to handle QoS and have several devices that act as wireless bridges with internal IP addresses for the sake of argument they run on 192.168.1.x/24

The mikrotik is set up as a transparent bridge to allow client devices to get IP addresses from an external DHCP server and avoid double NAT.

Brief rundown: ether1 is the “master” port and QoS is set on the others (using Mangle and Queue trees) with all five ports bridged together. I know I can set a DHCP client on the bridge/ether1 interface and can get the information about that IP through ARP/other means. Is there a way that I can get remote access to the 192 IPs while still maintaining the transparent bridge?

Setup is as follows:
Modem ---- Mikrotik ---- wireless bridge AP(192.168.1.x/24) ---- Wireless bridge client(192.168.1.x/24) ---- CPE that gets external DHCP/internet access (69.x.x.x as an example)

dasiu · February 21, 2012, 9:59pm

yes

nicfallenangel · February 21, 2012, 10:12pm

Thanks for the reply. How?

nicfallenangel · February 24, 2012, 10:42pm

I managed to work it out. Our setup uses separate vlans to run the management and data connections. I set the data on the bridge of course, then with a proper IP on the bridge, I used a dst-nat to get from the management IP to the IPs on the data bridge. In case anyone wants to know, here’s the code I used:

Add the VLANs:

/interface vlan
add arp=enabled disabled=no interface=ether1 l2mtu=1596 mtu=1500 name=vlan1 \
    use-service-tag=no vlan-id=1
add arp=enabled disabled=no interface=ether1 l2mtu=1596 mtu=1500 name=vlan2 \
    use-service-tag=no vlan-id=2

Create the bridge and add the data vlan and other ports to it:

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 \
    name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=vlan2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether3 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether4 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether5 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=yes

Set IP addresses (x.x.x.x for public and y.y.y.y for local):

/ip address
add address=x.x.x.x/x disabled=no interface=vlan1 network=x.x.x.0
add address=y.y.y.y/y disabled=no interface=bridge1 network=y.y.y.0

Add NAT action to move connection from public Management port to private bridge interface:

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=x.x.x.x \
    dst-port=8081 in-interface=vlan1 protocol=tcp to-addresses=y.y.y.y \
    to-ports=80

Add gateway for public address so it properly routes:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.x scope=\
    30 target-scope=10