Hi,
I’m a WISP and I’ve just purchased a RB1000 with OS 3.17.
My configuration is this:
ETH1 WAN (with 193.212.179.226/30 address for transport (gateway is .225) and 188.81.6.0/23 subnet for cunstomers)
ETH2 is the DMZ and the ip address is 188.81.6.1 (here I’ve connected the mail server 188.81.6.3 and web server 188.81.6.7)
ETH3 is the LAN for the office 192.168.200.253/24
ETH4 is the LAN for the customer 192.168.202.2/24 with other alias too
For all my customer in the ETH4 i’ve maded a 1:1 NAT like this:
I’ve not enable the masquerade because only the IP I’ve natted must go in internet.
The nat works fine and all customer can surf the web…
But there is a problem…
The customer with nat enabled (like 192.168.202.10 in this example) can’t access to the web or mail server…if I ping one of them from the address 192.168.202.10 (and from the other addresses too) i’ve no reply, but if I go on the webserver and I ping the 192.168.202.0/24 and 192.168.200.0/24 subnets I’m no problem to reach it…
from an external Pc I can reach the web server and the mail server without any problem, the trouble is only when I try to connet to it from a natted IP.
If I disable the 1:1 nat for the address 192.168.202.10 I have no access to internet but I can reach the servers without any problem…
I think it is my fault in the configuration but I can’t find it…in the nat I’ve put only the 1:1 rules like in the example, I’ve tryed many solution but nothing work…
188.81.6.0/23 is the pubblic subnet gave me by my ISP I use it to nat the local customers addresses tu pubblic one..
Like this Example…
User With 5ghz Antenna and with 192.168.202.10 Address >>>>>Mikrotik srcnat >>>> User on internet with pubblic static ip address 188.81.6.10 (if he go on http://www.ip-adress.com he see this addresses)
I’ve configured eht1 with this address:
Ip 193.212.179.226/30
GW 193.212.179.225
I don’t think that is how netmap works. You must assign the internal local users a localnet IP on eth2 (like 192.168.2.0/23), then netmap the 188.81.6.0/23 (assigned to eth1) to them.
ADD: And I think it is also a dstnat for the 1:1 mapping.
add chain=srcnat action=netmap src-address=192.168.2.1-192.168.3.254 to-addresses=188.81.6.1-188.81.7.254
add chain=dstnat action=netmap dst-address=188.81.6.1-188.81.7.254 to-addresses=192.168.2.1-192.168.3.254
Then drop the srcnat netmap and use a src-nat.
add chain=srcnat action=src-nat src-address=192.168.2.0/23 to-addresses=xxx.xxx.xxx.xxx
Change the x’s to the IP on eth1 that you want to masquerade them to.
Keep the dstnat above so the website and email requests go to the correct internal server. That is what you are doing, correct?
I guess I was not very clear. I will cover everything quickly.
You have been assigned two public IP subnets by your ISP, and they are on eth1 (193.212.179.226/30 and 188.81.6.0/23)
You want to redirect internet website and email requests for the 188. ips to internal servers on eth2.
Then you have your office on eth3 (192.168.200.0/24)
and customers on eth4 (192.168.202.0/24)
The only thing you are missing here is the IP subnet for eth2, where the internal servers are. I used 192.168.2.0/23 so you would have the same subnet mask on both public and private subnets.
Is all that correct?
ADD: The internal servers on eth2 must have a 192.168.2.x/23 or 192.168.3.x/23 ip address/netmask.
the trouble is this.
If You form america try to enter on my webmail you can do it but If I from my local lan (on eth3 or 4) want to do this I can’t…
On Eth2 the server have directly the pubblic ip and not natted ip (the network interface in configured with the 188.81.6.3/23 address and 188.81.6.1 gw)
Yes you can, but more difficult by domain name or public IP. I found it easier to modify the internal dns to change the url to a local IP, or simply use the localnet IP directly. Others on this forum are better at this part than I am.
I’m becoming crazy