 
SilverNodashi
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

how to NAT outside IP range?

Tue Sep 05, 2017 1:35 pm

Hi,

I wonder if someone can help me. Two remote sites are connected to each other via a MetroLAN VPN (i.e. an ISP has their own VPN for the two sites).

Site1 is on 10.1.1.1 and site2 is on 10.1.1.2
Site1 LAN IPs are 192.41.100.0/24
Site2 LAN IPs are 192.168.4.0/24

I can ping both routers from both sides. I can also ping network printers from both sides. But, I cannot ping, or connect to SMB (Windows shares) from Site1 to Site2. On a PC from Site2, I had to add the gateway IP, 10.1.1.2 to Eset Nod32 Endpoint Security, then I could ping 192.168.4.117 from 192.41.100.13.

But, instead of having to do this on each PC, is there a way to NAT both networks so they "appear" as local on any PC, on either side of the VPN?

I guess NAT could be used, not sure, or is there another way?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: how to NAT outside IP range?

Tue Sep 05, 2017 8:25 pm

Yes, NAT can probably help you. If you add a masquerade rule for traffic from the remote site (tunnel) to local, everything will appear as coming from the router's internal address, i.e. from the local LAN.
 
SilverNodashi

Re: how to NAT outside IP range?

Tue Sep 05, 2017 9:24 pm

> Yes, NAT can probably help you. If you add a masquerade rule for traffic from the remote site (tunnel) to local, everything will appear as coming from the router's internal address, i.e. from the local LAN.

Thanx, I guessed as much, but honestly don't know what NAT rule to put in.
 
Sob

Re: how to NAT outside IP range?

Tue Sep 05, 2017 9:29 pm

E.g. this on one router and reverse on another (swap src and dst) should do the trick:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.41.100.0/24 src-address=192.168.4.0/24
 
SilverNodashi

Re: how to NAT outside IP range?

Fri Sep 08, 2017 6:09 am

> E.g. this on one router and reverse on another (swap src and dst) should do the trick:
> /ip firewall nat
> add action=masquerade chain=srcnat dst-address=192.41.100.0/24 src-address=192.168.4.0/24

Great, thanx for the help ;)
 
SilverNodashi

Re: how to NAT outside IP range?

Mon Sep 11, 2017 1:44 pm

Can you please help me once more?

The remote office installed a HUAWEI B315s-936 LTE router onto the MikroTik, with IP address 192.168.4.4.

I can ping it from the remote MikroTik router (IP address 192.168.4.1), but not from our local LAN, 192.41.100.0.

I didn't see any way to specify a default gateway on the Huawei LTE router so I'm suspecting that is the problem.
 
Sob

Re: how to NAT outside IP range?

Wed Sep 13, 2017 3:52 am

The router is probably choosing the wrong source address. Set the right one, 192.41.100.x (I assume .1), using the src-address parameter for ping.
 
SilverNodashi

Re: how to NAT outside IP range?

Wed Sep 13, 2017 7:31 am

> The router is probably choosing the wrong source address. Set the right one, 192.41.100.x (I assume .1), using the src-address parameter for ping.

How can it probably choose the wrong source address? I only specified one subnet
 
Sob

Re: how to NAT outside IP range?

Wed Sep 13, 2017 2:57 pm

I don't see the complete config of that router, but it has more than one IP address, right? Based on the first post, in addition to 192.41.100.x it should have at least 10.1.1.1. And when you try to access the remote subnet from the router itself, it won't choose 192.41.100.x as source. Packets may come through the VPN just fine, but then the added srcnat rule won't match, because it's for src-address=192.41.100.0/24.
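
Added example, not part of the original thread: a small Python model of the case described in the post above. It assumes the reversed rule sits on the Site2 router (192.168.4.1), that masquerade rewrites the source to that address, and that the LTE router at 192.168.4.4 has no route back through the MikroTik, as the topic author suspects. All function names are hypothetical.

```python
import ipaddress as ip

# Reverse of the rule posted in the thread, as assumed on the Site2 router.
SITE2_RULE = {"src": ip.ip_network("192.41.100.0/24"),
              "dst": ip.ip_network("192.168.4.0/24")}
SITE2_LAN = ip.ip_network("192.168.4.0/24")
SITE2_LAN_ADDR = ip.ip_address("192.168.4.1")  # address masquerade will use


def srcnat(src, dst, rule=SITE2_RULE, masq_addr=SITE2_LAN_ADDR):
    """Return the source address the packet carries after the srcnat chain."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src in rule["src"] and dst in rule["dst"]:
        return masq_addr   # rule matched: source becomes the router's LAN address
    return src             # no match: packet is forwarded with its source untouched


def reply_possible(seen_src, host_lan=SITE2_LAN, has_gateway=False):
    """A host with no default gateway can only answer sources on its own subnet."""
    return has_gateway or ip.ip_address(seen_src) in host_lan


def ping(src, dst="192.168.4.4"):
    """Model one echo request: (source seen by the target, whether it can reply)."""
    seen = srcnat(src, dst)
    return str(seen), reply_possible(seen)


if __name__ == "__main__":
    cases = [
        ("Site1 LAN PC", "192.41.100.13"),
        ("Site1 router, default source (tunnel address)", "10.1.1.1"),
        ("Site1 router, src-address=192.41.100.1", "192.41.100.1"),
    ]
    for label, src in cases:
        seen, ok = ping(src)
        print(f"{label:48s} target sees {seen:13s} reply possible: {ok}")
```

Only the ping sourced from 10.1.1.1 misses the rule, so the target sees an off-subnet source and cannot answer it without a route.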
