DotTest37
Frequent Visitor
Topic Author
Posts: 56
Joined: Sun Oct 06, 2013 10:01 pm

1-to-1 NAT with state table

Thu May 12, 2016 4:01 pm

I have this use case where I need something I don't know MT can do.
Three locations, one master with a NOC software and two sites with servers.
Each location has a public IP but all internal servers use src-NAT to access the Internet.

I have to set a VPN between the NOC and each of the two sites so the NOC monitors the servers behind.
The two sites have the same private IP segments and the NOC software does not support overlapping IPs.

Talked to the NOC software people and they advised me to implement NAT at each of the two client sites so that the NOC software sees two different private networks without having to change anything on the servers.

The only requirement they have is that the NAT table is permanent at the sites, meaning that the translated IP should be always the same.
To illustrate, the IPs are like this:
NOC Public IP: 1.1.1.1
NOC Private Subnet: 192.168.100.0/24

Site 1 Public IP: 2.2.2.2
Site 1 Private Subnet: 10.0.0.1/24

Site 2 Public IP: 3.3.3.3
Site 2 Private Subnet: 10.0.0.1/24

========
I would need a translation like this:
NOC Public IP: 1.1.1.1
NOC Private Subnet: 192.168.100.0/24

Site 1 Public IP: 2.2.2.2
Site 1 Private Subnet: 10.0.0.1/24
Site 1 NAT Pool for VPN with NOC: 192.168.200.0/24
(Server 1 with IP 10.0.0.10 should always be translated to 192.168.200.10)
(Server 2 with IP 10.0.0.11 should always be translated to 192.168.200.11)
etc
etc

Site 2 Public IP: 3.3.3.3
Site 2 Private Subnet: 10.0.0.1/24
Site 2 NAT Pool for VPN with NOC: 192.168.300.0/24
(Server 8 with IP 10.0.0.10 should always be translated to 192.168.300.10)
(Server 9 with IP 10.0.0.11 should always be translated to 192.168.300.11)
etc
etc

=======

I'm somewhat familiar with simplistic NAT and PAT on MikroTik, but not sure on this one.

Thanks a lot for the help.
 
pe1chl
Forum Guru
Posts: 6673
Joined: Mon Jun 08, 2015 12:09 pm

Re: 1-to-1 NAT with state table

Thu May 12, 2016 9:52 pm

Yes you can do this with target netmap in the NAT page.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: 1-to-1 NAT with state table

Thu May 12, 2016 10:05 pm

Choose a "virtual" range for each site - e.g. 172.16.1.0/24 = site 1, 172.16.2.0/24 = site 2, etc.

I assume that the NOC's private range does not overlap the private ranges at the sites - if so, then you just extend this solution to cover the NOC addresses as well.

At the NOC router, route the virtual range to each site. The NOC devices will refer to the site devices using their "virtual" addresses.

At the site router, use netmap (as stated by Pe1chl):
/ip firewall nat add action=netmap chain=dstnat dst-address=172.16.1.0/24 to-addresses=192.168.1.0/24 (to-addresses = the real internal range)
/ip firewall nat add action=netmap chain=srcnat src-address=192.168.1.0/24 to-addresses=172.16.1.0/24 (src-address = the real internal range)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
DotTest37
Frequent Visitor
Topic Author
Posts: 56
Joined: Sun Oct 06, 2013 10:01 pm

Re: 1-to-1 NAT with state table

Sat May 14, 2016 6:01 am

I just read about Netmap on the Mikrotik Wiki.
Great suggestion.
One question though: will Netmap make the NAT table static on a prefix basis?
For example, will server 10.0.0.10 always be translated to 192.168.200.10, even if the servers came online in a different order?
(We cannot have a case where one day 10.0.0.10 is translated to 192.168.200.10 and another day it is translated to 192.168.200.21 because other servers came online first after a general reboot.)
Thanks a lot!
 
pe1chl
Forum Guru
Posts: 6673
Joined: Mon Jun 08, 2015 12:09 pm

Re: 1-to-1 NAT with state table

Sat May 14, 2016 9:57 am

Yes, this is just a static translation; that is why the two networks must have the same size.
There is no dynamic mapping table like with masquerade or src-nat.
 
DotTest37
Frequent Visitor
Topic Author
Posts: 56
Joined: Sun Oct 06, 2013 10:01 pm

Re: 1-to-1 NAT with state table

Sat May 14, 2016 6:01 pm

Excellent

I have two extra MT routers, I will test it this weekend and will report back.
Thanks!
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: 1-to-1 NAT with state table

Mon May 16, 2016 5:38 pm

That's the thing about stateless NAT - if it didn't predictably do the same thing each and every time, then it wouldn't work.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
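A complete site-1 configuration for the addressing in the original post, tying together ZeroByte's netmap rules and pe1chl's point that both prefixes must be the same size. This is an added example, not configuration from any post in the thread; the real LAN 10.0.0.0/24, the tunnel interface names (noc-vpn, site1-vpn), the dst-address restriction to the NOC LAN, and a valid second virtual range for site 2 are assumptions.

```routeros
# Site 1 router. Added example for the thread's addressing, not from any post.
# Assumed: real LAN 10.0.0.0/24, tunnel to the NOC is interface "noc-vpn",
# the NOC sees site 1 as 192.168.200.0/24 and its own LAN is 192.168.100.0/24.

/ip firewall nat
# NOC -> site: the NOC addresses 192.168.200.10; the server really is 10.0.0.10.
add chain=dstnat in-interface=noc-vpn dst-address=192.168.200.0/24 \
    action=netmap to-addresses=10.0.0.0/24 comment="NOC virtual -> real"
# Site -> NOC: replies (and anything the servers send to the NOC LAN) leave as
# 192.168.200.x. Matching dst-address keeps the existing Internet src-nat
# untouched; place-before=0 puts this rule ahead of the masquerade rule.
add chain=srcnat src-address=10.0.0.0/24 dst-address=192.168.100.0/24 \
    action=netmap to-addresses=192.168.200.0/24 comment="real -> NOC virtual" \
    place-before=0

# Both prefixes are /24: netmap only rewrites the host bits, so 10.0.0.10 is
# always 192.168.200.10 regardless of which server came online first.
# There is no connection-tracking table to fill up or lose on reboot.

# Site 2 is identical with its own virtual /24, assumed here as 192.168.201.0/24
# (192.168.300.0/24 from the original post is not a valid IPv4 prefix).

# NOC router (assumed tunnel interface "site1-vpn"): route each virtual range
# into the matching tunnel so the NOC software polls 192.168.200.x directly.
/ip route
add dst-address=192.168.200.0/24 gateway=site1-vpn
```

Check the result with `/ip firewall nat print stats` after polling a server from the NOC: both netmap rules should count packets, and the masquerade rule should not count the NOC-bound traffic.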
