julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Do Nat or routing between private network

Sat Oct 14, 2017 11:42 pm

Hello All.

Earlier I asked a question related to NAT, but that didn't fix the problem. Let me explain what I need to do and maybe you can give me some advice.

I have to implement an inner private network connected to another private network, which in turn is connected to the public network. Why? Well, it's a project, but it's something that implements a PBX + softphone, and this inner LAN (my LAN) is meant to have a MikroTik RB2011 which will implement QoS for voice and a VPN.


The MikroTik RB2011 has ports ether1, ether3, ether4 and ether5 configured with ether2 as master-port, and there is a DHCP server on ether2 with this IP pool:

100.64.0.0/24, and yes, it's a carrier-grade NAT pool. This is because this inner LAN (my LAN) is connected to another LAN (through the MikroTik's ether6) and I don't know what private IP pool that LAN would have (so I use a carrier-grade NAT pool to avoid IP overlap). As it is meant to be connected in a lot of places or situations, the outside private LAN can implement a network with 10.0.0.0/24 or 192.168.0.0/24, etc.

In this outside LAN there would be a DHCP server with the pool 10.0.0.0/24 (as an example) and just one public IP. So this outside private network has a router which implements NAT.

If I connect the MikroTik RB2011 to the outside private network via ether6, it would get an IP from the 10.0.0.0/24 pool. Let's suppose it's 10.0.0.6, and ether2 is configured as gateway with the IP 100.64.0.1.

Must I implement NAT between 10.0.0.6 and 100.64.0.1? Or must I implement a route so that every IP that does not belong to 100.64.0.0/24 is routed to 10.0.0.0/24? The problem here is that I don't know what IP the DHCP client on port ether6 can get. It could be from a pool like 10.0.0.0/24 or 192.168.0.0/24, etc.

Could you please give me some advice? This is the config I used, but it doesn't work:

# oct/14/2017 13:43:07 by RouterOS 6.37.4
# software id = 818B-XRQ1
#
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether1 ] master-port=ether2
/ip pool
add name=dhcp_poolIPv4 ranges=100.64.0.2-100.64.0.254
/ip dhcp-server
add address-pool=dhcp_poolIPv4 disabled=no interface=ether2 lease-time=10h name=dhcp_IPv4
/ip address
add address=100.64.0.1/24 interface=ether2 network=100.64.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether6
/ip dhcp-server network
add address=100.64.0.0/24 dns-server=8.8.8.8 gateway=100.64.0.1
/ip firewall nat
add action=masquerade chain=src-nat out-interface=ether6
/routing rip interface
add interface=ether2 send=v1-2
add interface=ether6 send=v1-2

Best Regards.
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Do Nat or routing between private network

Sun Oct 15, 2017 12:13 am

If you have access to any router, make routing, just set another NAT rule with your network. If you have no access, respectively set up NAT on the second router!
In this setup just add this rule in the firewall and tell us what happened:
/ip fi fi add chain=forward
Use the terminal.
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: Do Nat or routing between private network

Sun Oct 15, 2017 1:51 am

Thanks.

I don't have access to the second router, just the MikroTik router that I'm using to implement my LAN. So I can't do the routing. The problem persists. I added the line you said:

/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether1 ] master-port=ether2
/ip pool
add name=poolIPv4 ranges=100.64.0.2-100.64.0.100
/ip dhcp-server
add address-pool=poolIPv4 disabled=no interface=ether2 name=dhcp-IPv4
/ip address
add address=100.64.0.1/24 interface=ether2 network=100.64.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether6
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add chain=forward
/ip firewall nat
add action=masquerade chain=src-nat disabled=no out-interface=ether6

So, I think there is something wrong with the NAT. The outside private network that I'm currently connecting the MikroTik router to gives an IP from a 10.0.0.0/24 pool. But another one could give me a different IP pool.
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Do Nat or routing between private network

Sun Oct 15, 2017 5:50 am

When you ping 8.8.8.8, what value is there for TTL?
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: Do Nat or routing between private network

Sun Oct 15, 2017 6:19 am

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 10.0.0.4: Destination host unreachable.
Reply from 10.0.0.4: Destination host unreachable.
Reply from 10.0.0.4: Destination host unreachable.
Reply from 10.0.0.4: Destination host unreachable.

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

But the router has the IP 10.0.0.6 and the gateway of the outside private network is 10.0.0.2. I don't know where that 10.0.0.4 comes from.
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Do Nat or routing between private network

Sun Oct 15, 2017 6:39 am

Use ping in the Tools menu in WinBox or in the GUI to ping 8.8.8.8 using interface ether6 and tell me the TTL value!
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: Do Nat or routing between private network

Sun Oct 15, 2017 6:48 am

55

[admin@MikroTik] > ping 8.8.8.8 interface=ether6
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 55 38ms
1 8.8.8.8 56 55 36ms
2 8.8.8.8 56 55 36ms
3 8.8.8.8 56 55 35ms
4 8.8.8.8 56 55 36ms
5 8.8.8.8 56 55 36ms
6 8.8.8.8 56 55 37ms
7 8.8.8.8 56 55 36ms
sent=8 received=8 packet-loss=0% min-rtt=35ms avg-rtt=36ms max-rtt=38ms

And how can this help to troubleshoot?
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Do Nat or routing between private network

Sun Oct 15, 2017 7:04 am

If you have TTL=1 the packet will die on the WAN interface... some ISPs still use this limitation!
OK, now try to use a private network, not a carrier network, for your LAN - example: 172.16.0.0/24
Don't use a master port for ether6.
Remove my firewall rule and paste these basic rules:

/ip firewall filter
add chain=input protocol=tcp port=22,8291,80,443
add chain=input protocol=icmp
add chain=input connection-state=established,related
add chain=input action=drop in-interface=ether6
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether6
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: Do Nat or routing between private network

Sun Oct 15, 2017 6:12 pm

It still has the connection problem.

There is this tutorial: https://wiki.mikrotik.com/wiki/NAT_Tutorial
but there is a problem for my implementation. I don't know the Wlan IP pools and the gateway for them. So I can implement the NAT using masquerade, but how can I make the route? I think this is now the problem that I'm having: the routing to the other LAN.

/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether1 ] master-port=ether2
/ip pool
add name=poolIPv4 ranges=172.16.0.2-172.16.0.100
/ip dhcp-server
add address-pool=poolIPv4 disabled=no interface=ether2 name=dhcp-IPv4
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
/ip dhcp-client
add default-route-distance=0 disabled=no interface=ether6
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input port=22,8291,80,443 protocol=tcp
add chain=input connection-state=established,related
add action=drop chain=input in-interface=ether6
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether6
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2

Maybe it's a routing problem, because when I connect a PC host to my LAN and ping 8.8.8.8 I get:

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 10.0.0.4: Destination host unreachable.
Reply from 10.0.0.4: Destination host unreachable.
Reply from 10.0.0.4: Destination host unreachable.
Reply from 10.0.0.4: Destination host unreachable.

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

I don't know why there is a response from 10.0.0.4, because there is nothing connected to the outside LAN with that IP.

Well, if I ping 10.0.0.4 when a host is connected to the outside LAN I get a response, but in the ARP table there isn't a match for 10.0.0.4.

 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Do Nat or routing between private network  [SOLVED]

Sun Oct 15, 2017 6:32 pm

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2

Fix this with ether6!

P.S. The routes are enough, you do not have to add others!
P.P.S. I also want to see:
/ip dhcp-server network print
and
/ip dhcp-server lease print detail
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: Do Nat or routing between private network

Sun Oct 15, 2017 7:53 pm

[admin@MikroTik] > /ip dhcp-server network print
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN                                                                                               
 0 172.16.0.0/32      172.16.0.1     
[admin@MikroTik] > /ip dhcp-server lease print detail
Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 0 D address=172.16.0.100 mac-address=A0:8C:FD:1C:5A:61 client-id="1:a0:8c:fd:1c:5a:61" address-lists="" server=dhcp-IPv4 dhcp-option="" status=bound expires-after=7m6s 
     last-seen=2m54s active-address=172.16.0.100 active-mac-address=A0:8C:FD:1C:5A:61 active-client-id="1:a0:8c:fd:1c:5a:61" active-server=dhcp-IPv4 
     host-name="LAPTOP-7DKMV28S"
# oct/15/2017 13:52:02 by RouterOS 6.37.4
# software id = 818B-XRQ1
#
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether1 ] master-port=ether2
/ip pool
add name=poolIPv4 ranges=172.16.0.2-172.16.0.100
/ip dhcp-server
add address-pool=poolIPv4 disabled=no interface=ether2 name=dhcp-IPv4
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=clientid disabled=no interface=ether6 use-peer-ntp=no
/ip dhcp-server network
add address=172.16.0.0/32 gateway=172.16.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input port=22,8291,80,443 protocol=tcp
add chain=input connection-state=established,related
add action=drop chain=input in-interface=ether6
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether6
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether6

I'm seeing that the dhcp-server network has a network with /32, so I changed it to /24, but that doesn't fix the problem:

/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether1 ] master-port=ether2
/ip pool
add name=poolIPv4 ranges=172.16.0.2-172.16.0.100
/ip dhcp-server
add address-pool=poolIPv4 disabled=no interface=ether2 name=dhcp-IPv4
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=clientid disabled=no interface=ether6 use-peer-ntp=no
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input port=22,8291,80,443 protocol=tcp
add chain=input connection-state=established,related
add action=drop chain=input in-interface=ether6
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether6
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether6
[admin@MikroTik] > /ip dhcp-server network print     
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN                                                                                               
 0 172.16.0.0/24      172.16.0.1     
 
[admin@MikroTik] > /ip dhcp-server lease print detail
Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 0 D address=172.16.0.100 mac-address=A0:8C:FD:1C:5A:61 client-id="1:a0:8c:fd:1c:5a:61" address-lists="" server=dhcp-IPv4 dhcp-option="" status=bound expires-after=6m19s 
     last-seen=3m41s active-address=172.16.0.100 active-mac-address=A0:8C:FD:1C:5A:61 active-client-id="1:a0:8c:fd:1c:5a:61" active-server=dhcp-IPv4 
     host-name="LAPTOP-7DKMV28S" 
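The three faults this thread walked through (a NAT rule in a chain named src-nat instead of the built-in srcnat, masquerade bound to the LAN port ether2 instead of the DHCP-client port ether6, and a dhcp-server network of /32 against a /24 LAN address) are all visible in a plain export. The Python script below is an added example, not the thread's or MikroTik's own tooling; it parses a constructed export snippet that carries those three faults and reports each one.

```python
"""Lint a RouterOS export for the three faults discussed in this thread (added example)."""
import ipaddress
import re

# Constructed snippet (not a real device dump) with all three faults present.
SAMPLE_EXPORT = """\
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
/ip dhcp-client
add default-route-distance=0 disabled=no interface=ether6
/ip dhcp-server network
add address=172.16.0.0/32 gateway=172.16.0.1
/ip firewall nat
add action=masquerade chain=src-nat out-interface=ether2
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value tokens of an export line

def parse_export(text):
    """Return [(section, {key: value}), ...] for every add/set line of an export."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        elif line.split(" ", 1)[0] in ("add", "set"):
            entries.append((section, dict(KV.findall(line))))
    return entries

def lint(text):
    """Return a list of findings; an empty list means all three checks passed."""
    entries = parse_export(text)
    wan = {kv["interface"] for s, kv in entries
           if s == "/ip dhcp-client" and "interface" in kv}
    lan_nets = {ipaddress.ip_interface(kv["address"]).network
                for s, kv in entries if s == "/ip address" and "address" in kv}
    findings = []
    for section, kv in entries:
        if section == "/ip firewall nat" and kv.get("action") == "masquerade":
            if kv.get("chain") != "srcnat":  # any other name is a custom chain
                findings.append(f"chain={kv.get('chain')} is a custom chain that is "
                                "never traversed; masquerade belongs in chain=srcnat")
            if kv.get("out-interface") not in wan:
                findings.append(f"masquerade out-interface={kv.get('out-interface')} "
                                f"is not the DHCP-client (uplink) interface {sorted(wan)}")
        elif section == "/ip dhcp-server network" and "address" in kv:
            net = ipaddress.ip_network(kv["address"], strict=False)
            if net not in lan_nets:  # catches the /32 versus /24 mismatch
                findings.append(f"dhcp-server network {net} matches no configured "
                                f"LAN network {sorted(map(str, lan_nets))}")
    return findings
```

Running `lint(SAMPLE_EXPORT)` yields three warnings; applying the thread's corrections (srcnat, ether6, /24) to the snippet yields none.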
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: Do Nat or routing between private network

Sun Oct 15, 2017 7:57 pm

It works!!!!!! when I changed the /32 to /24. It needed just a minute to change the configuration.

Thank you very much John. You helped me a lot. Right now I'm using the connection through the RB2011.

Also, I changed the IP pool to the carrier-grade NAT 100.64.0.0/24 and it's working. Do you think that this can bring any trouble? Because generally it's the opposite: the private IP pool and then the carrier-grade NAT pool. In this case it is a carrier-grade NAT pool and a NAT to a private pool. But with this implementation I can connect ether6 to any private network and there wouldn't be IP overlap. So this implementation brings portability, right?
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Do Nat or routing between private network

Sun Oct 15, 2017 8:39 pm

Also, I changed the IP pool to the carrier-grade NAT 100.64.0.0/24 and it's working. Do you think that this can bring any trouble? Because generally it's the opposite: the private IP pool and then the carrier-grade NAT pool. In this case it is a carrier-grade NAT pool and a NAT to a private pool. But with this implementation I can connect ether6 to any private network and there wouldn't be IP overlap. So this implementation brings portability, right?
I think that in this situation it will not be a problem to use this network. Anyway, you did not set your DNS on the DHCP server too, and make the lease time at least 24 hours (this is the standard setting)!
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: Do Nat or routing between private network

Mon Oct 16, 2017 12:01 am

Thanks John. I will do that.

Also, regarding these firewall filter rules that you gave before:

/ip firewall filter
add chain=input protocol=tcp port=22,8291,80,443
add chain=input protocol=icmp
add chain=input connection-state=established,related
add chain=input action=drop in-interface=ether6
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether6

The first allows connections to the router from external hosts through those ports (22, 8291, 80, 443).
The second allows pinging the router from external hosts.
The third allows a connection to what? And the fourth disables (drops the packets of) any connection that comes from a host connected (it doesn't mean directly connected) to port ether6?

And why is there a drop before an accept? It's like you are denying something that was accepted before.
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Do Nat or routing between private network

Mon Oct 16, 2017 10:14 am

The rules in a filter section are read in sequence for their execution. For that we first allow, and then we drop everything else!

The first allows connections to the router from external hosts through those ports (22, 8291, 80, 443) - Yes, because we have a drop on the input chain on ether6 in rule 4!

The second allows pinging the router from external hosts. - Yes, every different kind of ICMP, not only ping, for the same reason - we have a drop on the input chain on ether6 in rule 4!

The third allows a connection to what? As you would translate it: it lets through the packets of already established connections and of those related to them!

And the fourth disables (drops the packets of) any connection that comes from a host connected (it doesn't mean directly connected) to port ether6? - Yes, drop any packet from any source address which comes in on ether6 other than the protocols and ports described above!
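To make the first-match behaviour concrete, here is an added Python model (not RouterOS code, and not from either poster) that walks John's eight rules in order against constructed packets and returns the first decision. Two modelling assumptions: RouterOS's port= matcher (source or destination) is reduced to a single port field, and the fasttrack-connection rule is treated as non-terminating, so the accept rule right after it is what passes established traffic.

```python
"""First-match walk of the input/forward filter rules from this thread (added model)."""

# John's rules in the order RouterOS evaluates them. No "action" means accept
# (the RouterOS default); a set means "any listed value"; a leading "!" negates.
RULES = [
    {"chain": "input", "protocol": "tcp", "port": {22, 8291, 80, 443}},
    {"chain": "input", "protocol": "icmp"},
    {"chain": "input", "connection-state": {"established", "related"}},
    {"chain": "input", "action": "drop", "in-interface": "ether6"},
    {"chain": "forward", "action": "fasttrack-connection",
     "connection-state": {"established", "related"}},
    {"chain": "forward", "connection-state": {"established", "related"}},
    {"chain": "forward", "action": "drop", "connection-state": "invalid"},
    {"chain": "forward", "action": "drop", "connection-state": "new",
     "connection-nat-state": "!dstnat", "in-interface": "ether6"},
]

def matches(rule, pkt):
    """True when every matcher in the rule (chain and action aside) fits the packet."""
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        have = pkt.get(key)
        if isinstance(want, set):                              # any listed value
            ok = have in want
        elif isinstance(want, str) and want.startswith("!"):   # negated matcher
            ok = have != want[1:]
        else:
            ok = have == want
        if not ok:
            return False
    return True

def verdict(pkt, rules=RULES):
    """Return 'accept' or 'drop': the first matching rule in the packet's chain
    decides; if nothing matches, the chain default (accept) applies."""
    for rule in rules:
        if rule["chain"] != pkt["chain"] or not matches(rule, pkt):
            continue
        action = rule.get("action", "accept")
        if action == "fasttrack-connection":
            continue  # ASSUMPTION of this model: marks the connection, keeps walking
        return action
    return "accept"

# Constructed packets, one per situation the thread asked about.
PACKETS = {
    "winbox to router from uplink": {"chain": "input", "in-interface": "ether6",
                                     "protocol": "tcp", "port": 8291},
    "other service on router from uplink": {"chain": "input", "in-interface": "ether6",
                                            "protocol": "udp", "port": 53},
    "lan host out to internet": {"chain": "forward", "in-interface": "ether2",
                                 "connection-state": "new"},
    "unsolicited inbound from uplink": {"chain": "forward", "in-interface": "ether6",
                                        "connection-state": "new"},
    "reply to lan host": {"chain": "forward", "in-interface": "ether6",
                          "connection-state": "established"},
}
```

Swapping the order of rules 1 to 3 with rule 4 makes every input packet from ether6 drop, which is the point of the "allow first, then drop the rest" arrangement.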
