
Help in proper nat inside multiple subnet

Posted: Sun Nov 26, 2017 7:14 pm
by androx2k4
Hi.
I need to correctly forward a connection from a subnet to another one. At the same time, the IP to be used must be the public one.
The diagram shows the configuration and the NAT configuration I'm using.
Immagine1.png
If PC A tries to reach SERVER A using the public domain name, it is correctly forwarded.
The problem is if PC B tries to reach server A. (Router B is a classic router with the WAN connection in the server subnet and the LAN in another subnet, and the IP of router B as gateway for that subnet.)
What I think is that if PC B asks for the public IP:port, the packet goes out and reaches the server correctly, but the server reply cannot reach the subnet correctly, because the MikroTik router doesn't know about the second subnet.
How can I solve it?
Thank you for the support.

Re: Help in proper nat inside multiple subnet

Posted: Mon Nov 27, 2017 1:33 am
by matiaszon
> Hi.
> I need to correctly forward a connection from a subnet to another one. At the same time, the IP to be used must be the public one.
> The diagram shows the configuration and the NAT configuration I'm using.
>
> Immagine1.png
>
> If PC A tries to reach SERVER A using the public domain name, it is correctly forwarded.
> The problem is if PC B tries to reach server A. (Router B is a classic router with the WAN connection in the server subnet and the LAN in another subnet, and the IP of router B as gateway for that subnet.)
> What I think is that if PC B asks for the public IP:port, the packet goes out and reaches the server correctly, but the server reply cannot reach the subnet correctly, because the MikroTik router doesn't know about the second subnet.
> How can I solve it?
> Thank you for the support.
I am not 100% sure, as your diagram is not clear, but let's say I can assume with 90% certainty that you need this:
https://wiki.mikrotik.com/wiki/Hairpin_NAT

Re: Help in proper nat inside multiple subnet

Posted: Mon Nov 27, 2017 4:59 pm
by androx2k4
Thank you.
I read the page and I'll try it, but in general I have some doubts.
In fact I implemented exactly the two rules I wrote down in the diagram:
chain=srcnat action=masquerade out-interface=WAN
chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=80 protocol=tcp dst-port=2226 log=no log-prefix=""
and if I call publicddns.domain.com:2226 the server responds properly without getting stuck. So I do not experience point 3 of the second example:
> the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to 192.168.1.10 with a source IP address in the reply of 192.168.1.2.

Re: Help in proper nat inside multiple subnet

Posted: Tue Nov 28, 2017 12:14 am
by matiaszon
First of all you need to correct your diagram to show us what is connected to what, which device is the gateway to the Internet, etc., what you are doing and what the problem is. Otherwise we won't be able to help you. Hairpin NAT was just a guess from my side.

Re: Help in proper nat inside multiple subnet

Posted: Tue Nov 28, 2017 10:20 am
by androx2k4
I apologize. I was thinking it was quite clear from the use of the subnet addresses.
But in any case, here is a more complete diagram.
The MikroTik has eth1 configured in PPPoE and connected to the VDSL modem (WAN).
eth2 is connected to a switch, server A and PC (and others).
eth3 is connected to a WiFi AP (and the WiFi is on a separate subnet, .8.x).

eth2 is the master switch port of eth3 - eth4 - eth5 (no bridge).

The other point is that the ports from the Internet are also NATted (2226 -> 80).

(I also have other servers inside the 192.168.1.x network and I assume that I must replicate the rules for each one.)

Immagine5.png

Re: Help in proper nat inside multiple subnet

Posted: Tue Nov 28, 2017 3:10 pm
by matiaszon
> I apologize. I was thinking it was quite clear from the use of the subnet addresses.
It wasn't, and unfortunately it still isn't.
> But in any case, here is a more complete diagram.
> The MikroTik has eth1 configured in PPPoE and connected to the VDSL modem (WAN).
OK, that is clear.
> eth2 is connected to a switch, server A and PC (and others).
Where is that switch on the diagram? Is it there, or missing? IMO it's missing and ether2 is connected to that missing switch, which is then connected to Router B, Server A and PC A. Am I correct?
> eth3 is connected to a WiFi AP (and the WiFi is on a separate subnet, .8.x).
From your diagram I thought that Router B on its WAN side is 192.168.1.2 and on its LAN side is 192.168.8.1. So how is the MikroTik connected to (WHAT?) on ether3, and how does it work with 192.168.8.1 on Router B? What is Router B actually doing? What is its purpose?
> eth2 is the master switch port of eth3 - eth4 - eth5 (no bridge).
In fact, ports 2, 3, 4 and 5 are bridged. Furthermore, they have different IPs. You have to make them stand-alone ports if you want to assign different IPs to them.
> The other point is that the ports from the Internet are also NATted (2226 -> 80).
That is not a big deal.
> (I also have other servers inside the 192.168.1.x network and I assume that I must replicate the rules for each one.)
If you want to access them from outside, then of course.
However, I can't see real connections (cables, WiFi) for the shown devices. I think I know what problem you have, but I need to clarify your network. It seems like you have double NAT in your network (for what reason?) and it is causing problems. I need to see your network with all connections to be sure.

Re: Help in proper nat inside multiple subnet

Posted: Wed Nov 29, 2017 10:40 am
by matiaszon
I re-read your post and I think I am 99% right that it is Router B. However, we don't know what kind of router it is and how it is configured, but this is for sure the thing which doesn't allow you to use hairpin NAT.
Do you really want that router?

Re: Help in proper nat inside multiple subnet

Posted: Thu Nov 30, 2017 11:36 am
by androx2k4
Thank you for your time. (I can't see the previously posted diagram anymore, but I am reposting an updated one.)
> > I apologize. I was thinking it was quite clear from the use of the subnet addresses.
> It wasn't, and unfortunately it still isn't.
> > But in any case, here is a more complete diagram.
> > The MikroTik has eth1 configured in PPPoE and connected to the VDSL modem (WAN).
> OK, that is clear.
I don't think it is needed, but just in case I also put the MikroTik eth1 in the DMZ of the modem/router.
> > eth2 is connected to a switch, server A and PC (and others).
> Where is that switch on the diagram? Is it there, or missing? IMO it's missing and ether2 is connected to that missing switch, which is then connected to Router B, Server A and PC A. Am I correct?
Yes, that is correct, but it is an unmanaged switch so there is no interaction with it. I clustered everything from a logical point of view.
> > eth3 is connected to a WiFi AP (and the WiFi is on a separate subnet, .8.x).
> From your diagram I thought that Router B on its WAN side is 192.168.1.2 and on its LAN side is 192.168.8.1. So how is the MikroTik connected to (WHAT?) on ether3, and how does it work with 192.168.8.1 on Router B? What is Router B actually doing? What is its purpose?
Router B is an AP that creates a separate subnetwork 8.x and in general doesn't need to interact with the main subnetwork 1.x. But there is some interaction at service level, so I need PC B to be able to make requests to SERVER A.
> > eth2 is the master switch port of eth3 - eth4 - eth5 (no bridge).
> In fact, ports 2, 3, 4 and 5 are bridged. Furthermore, they have different IPs. You have to make them stand-alone ports if you want to assign different IPs to them.
Yes, I have no need for that at the moment (eventually eth3, which is directly connected to the WiFi AP). As I understood it, keeping the ports tied as a switch and not as a bridge is faster from the MikroTik throughput point of view. Right?
> > The other point is that the ports from the Internet are also NATted (2226 -> 80).
> That is not a big deal.
> > (I also have other servers inside the 192.168.1.x network and I assume that I must replicate the rules for each one.)
> If you want to access them from outside, then of course.
> However, I can't see real connections (cables, WiFi) for the shown devices. I think I know what problem you have, but I need to clarify your network. It seems like you have double NAT in your network (for what reason?) and it is causing problems. I need to see your network with all connections to be sure.

In the diagram I added red connections for the physical layer and, more correctly, moved eth1 to the WAN side of the MikroTik.

I hope everything is clearer now.

Re: Help in proper nat inside multiple subnet

Posted: Thu Nov 30, 2017 12:02 pm
by androx2k4
Immagine6.png

Re: Help in proper nat inside multiple subnet

Posted: Thu Nov 30, 2017 12:38 pm
by matiaszon
> I don't think it is needed, but just in case I also put the MikroTik eth1 in the DMZ of the modem/router.
OMG, it's a total mess. So PC B is triple NATed...!
DMZ is necessary. More convenient would be to set up the modem in bridge mode and make the PPPoE connection on the MikroTik, so you will get the public IP directly on the PPPoE interface. What modem is that? Can you set it up in bridge mode?
> Yes, that is correct, but it is an unmanaged switch so there is no interaction with it. I clustered everything from a logical point of view.
If you set a bridge in MikroTik and add ports 2, 3, 4 and 5 it's roughly the same as what you have now, where one port is a master and ports 3, 4 and 5 are slaves. Make them stand-alone ports.
> Router B is an AP that creates a separate subnetwork 8.x and in general doesn't need to interact with the main subnetwork 1.x. But there is some interaction at service level, so I need PC B to be able to make requests to SERVER A.
I don't know how many devices need access to your Server A, but I am guessing there are only a few. If I am right, it would be easier to set up Router B as a switch+AP, and configure access to the server for only those devices that you want.
Even better would be if you changed that Router B for any MikroTik device with AP, and configured CAPsMAN on your main MikroTik router, so you can separate the WiFi network into another subnet without making another NAT inside the network, and manage whether and what should have access to your server A.
> Yes, I have no need for that at the moment (eventually eth3, which is directly connected to the WiFi AP).
So there is another AP not mentioned on the diagram?
> As I understood it, keeping the ports tied as a switch and not as a bridge is faster from the MikroTik throughput point of view. Right?
Please read above - it's roughly the same as if they were bridged. There is no reason for the other ports to be slaves of ether2, as you want them to work separately (you assigned different addresses to them).

Re: Help in proper nat inside multiple subnet

Posted: Thu Nov 30, 2017 12:57 pm
by androx2k4
> > I don't think it is needed, but just in case I also put the MikroTik eth1 in the DMZ of the modem/router.
> OMG, it's a total mess. So PC B is triple NATed...!
> DMZ is necessary. More convenient would be to set up the modem in bridge mode and make the PPPoE connection on the MikroTik, so you will get the public IP directly on the PPPoE interface. What modem is that? Can you set it up in bridge mode?
The MikroTik is in PPPoE and got a different external IP address than the modem. But in the modem interface I can still see it, and to be sure I also put it in the DMZ. So consider it a normal PPPoE configuration and don't consider the triple NAT.
> > Yes, that is correct, but it is an unmanaged switch so there is no interaction with it. I clustered everything from a logical point of view.
> If you set a bridge in MikroTik and add ports 2, 3, 4 and 5 it's roughly the same as what you have now, where one port is a master and ports 3, 4 and 5 are slaves. Make them stand-alone ports.
> > Router B is an AP that creates a separate subnetwork 8.x and in general doesn't need to interact with the main subnetwork 1.x. But there is some interaction at service level, so I need PC B to be able to make requests to SERVER A.
> I don't know how many devices need access to your Server A, but I am guessing there are only a few. If I am right, it would be easier to set up Router B as a switch+AP, and configure access to the server for only those devices that you want.
> Even better would be if you changed that Router B for any MikroTik device with AP, and configured CAPsMAN on your main MikroTik router, so you can separate the WiFi network into another subnet without making another NAT inside the network, and manage whether and what should have access to your server A.
About putting Router B as a switch+AP: I would like to avoid separating the subnet. On the other hand, I can configure it as you say, adding some filtering rules on eth3. I already ordered a cAP lite and I'll set it up tomorrow. But in any case I consider all this situation a case study to better understand the possible configurations (and thanks again for your time).
> > Yes, I have no need for that at the moment (eventually eth3, which is directly connected to the WiFi AP).
> So there is another AP not mentioned on the diagram?
Nope, eth3 is connected to the WiFi AP (Router B).
> > As I understood it, keeping the ports tied as a switch and not as a bridge is faster from the MikroTik throughput point of view. Right?
> Please read above - it's roughly the same as if they were bridged. There is no reason for the other ports to be slaves of ether2, as you want them to work separately (you assigned different addresses to them).
Actually I implemented this NAT and it is working from outside (Internet) to the service:

chain=srcnat action=masquerade out-interface=pppoe-tim log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=80 protocol=tcp dst-port=2226 log=no log-prefix=""

This is a classic NAT but not the hairpin.

Re: Help in proper nat inside multiple subnet

Posted: Thu Nov 30, 2017 1:55 pm
by matiaszon
I am lost again :)
Now I start to think that the MikroTik is connected with a cable (ether3) to Router B on its WAN. Am I right? What are the exact addresses of ether3 and WAN? Running the command
/ip export hide-sensitive
would help a bit.

If the above is right, and Router B is not connected to the 192.168.1.0/24 network, then you can easily make it switch+AP, assign address 192.168.8.2 (assuming that ether3 on the MikroTik is 192.168.8.1), and then create some rules allowing and denying access to Server A. There will be no NAT inside the network then, just traffic rules.

Re: Help in proper nat inside multiple subnet

Posted: Thu Nov 30, 2017 2:59 pm
by androx2k4
> I am lost again :)
> Now I start to think that the MikroTik is connected with a cable (ether3) to Router B on its WAN. Am I right? What are the exact addresses of ether3 and WAN? Running the command
> /ip export hide-sensitive
> would help a bit.
>
> If the above is right, and Router B is not connected to the 192.168.1.0/24 network, then you can easily make it switch+AP, assign address 192.168.8.2 (assuming that ether3 on the MikroTik is 192.168.8.1), and then create some rules allowing and denying access to Server A. There will be no NAT inside the network then, just traffic rules.
Router B (WiFi AP) has always been attached to eth3 on its WAN (I do not understand where I said the opposite). The exact address is what is in the diagram (but can you see it?): 192.168.1.2

/ip export hide-sensitive
# nov/30/2017 13:03:05 by RouterOS 6.40.5
# software id = V92X-9R0E
#
# model = RouterBOARD 750G r3
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.220
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 lease-time=1d name=dhcp-casa
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.0.0/20 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC6890 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 log=yes log-prefix=SSHBF protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 log=yes log-prefix=SSHBF protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 log=yes log-prefix=SSHBF protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 log=yes log-prefix=SSHBF protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 log=yes log-prefix=SSHBF protocol=tcp
add action=accept chain=input
add action=accept chain=input comment=" default  configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add chain=input comment="Accept established and related packets" connection-state=established,related
add chain=input comment="Accept all connection from local network" in-interface=ether2
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=wan-eth1 src-address-list=NotPublic
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid log-prefix=DROPinvalidpack
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=wan-eth1
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=wan-eth1 src-address-list=NotPublic
add action=drop chain=forward comment=" Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=ether2 log=yes log-prefix=DROPlocal2Inte
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=ether2 log=yes src-address=!192.168.0.0/20
add action=drop chain=forward comment="Drop  new  connections  from  internet  which  are  not  dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=wan-eth1 log=yes log-prefix=++test+++
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-tim
add action=dst-nat chain=dstnat comment="mqtt Nodered editor" dst-port=2226 protocol=tcp to-addresses=192.168.1.220 to-ports=80
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/20
set ssh disabled=yes port=222
set api disabled=yes
set winbox address=192.168.0.0/20
set api-ssl disabled=yes

Re: Help in proper nat inside multiple subnet

Posted: Thu Nov 30, 2017 3:28 pm
by matiaszon
So there is no 192.168.8.0/24 address assigned to any of the MikroTik ports. The only local address assigned on the MikroTik I can see is:
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
So, if you want to keep WiFi users separated (or at least most of them), I would do the following:
1) unslave ether3 from ether2 port,
2) assign 192.168.8.1 address with 192.168.8.0/24 network to ether3,
3) set up DHCP for ether3 (gateway 192.168.8.1),
3) set up DHCP client on "Router B",
4) connect "Router B" to ether3,
5) set up filter rules describing which devices can access "server A" and which can't,
6) set up Hairpin NAT for both subnets.
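Editor's added example, not part of the thread and not taken from MikroTik's documentation: the six steps above written out as RouterOS 6.40.x commands (the export posted in this thread is from 6.40.5, where a switched port is detached with master-port=none; 6.41 and later replace the master/slave model with bridge ports). The interface names, the public port 2226, the server 192.168.1.200:80 and the pppoe-tim interface are the thread's own; the DHCP pool range, the address-list name iot_to_serverA and the IoT device address 192.168.8.50 are constructed placeholders. The dst-nat rule matches on dst-address-type=local instead of on the WAN interface so one rule serves clients on the Internet, on 192.168.1.0/24 and on 192.168.8.0/24; the hairpin masquerade is only needed for clients on the server's own subnet, because a 192.168.8.x client's replies already return through the MikroTik as the .8.x gateway.

```routeros
# Added example, not the thread's or MikroTik's own configuration.
# Assumes RouterOS 6.40.x with ether3 currently a slave of ether2.

# 1) make ether3 a stand-alone routed port (6.40 syntax; 6.41+ uses bridge ports)
/interface ethernet
set [ find name=ether3 ] master-port=none

# 2) give ether3 its own subnet, with the MikroTik as the 192.168.8.0/24 gateway
/ip address
add address=192.168.8.1/24 interface=ether3 network=192.168.8.0

# 3) DHCP for the WiFi subnet; "Router B" in switch+AP mode just passes it through
#    (pool range is a constructed placeholder)
/ip pool
add name=dhcp-wifi ranges=192.168.8.10-192.168.8.200
/ip dhcp-server
add address-pool=dhcp-wifi disabled=no interface=ether3 lease-time=1d name=dhcp-wifi
/ip dhcp-server network
add address=192.168.8.0/24 dns-server=192.168.8.1 gateway=192.168.8.1

# 5) only listed WiFi hosts may reach Server A; every other .8.x host is dropped and
#    logged. 192.168.8.50 is a constructed placeholder for one IoT device.
/ip firewall address-list
add address=192.168.8.50 comment="IoT device allowed to reach Server A" list=iot_to_serverA
/ip firewall filter
add action=accept chain=forward comment="listed WiFi hosts -> Server A" dst-address=192.168.1.200 dst-port=80 protocol=tcp src-address-list=iot_to_serverA
add action=drop chain=forward comment="all other WiFi hosts -> Server A" dst-address=192.168.1.200 in-interface=ether3 log=yes log-prefix=DROPwifi2srv

# 6) NAT. dst-address-type=local matches the public address on pppoe-tim as well as
#    the router's LAN addresses, so publicdomain:2226 is forwarded to Server A no
#    matter which side the client is on. The masquerade with src-address=192.168.1.0/24
#    is the hairpin: without it Server A answers a same-subnet client directly from
#    192.168.1.200 instead of from the public address, and the client drops the reply.
/ip firewall nat
add action=masquerade chain=srcnat comment="Internet" out-interface=pppoe-tim
add action=dst-nat chain=dstnat comment="publicdomain:2226 -> Server A" dst-address-type=local dst-port=2226 protocol=tcp to-addresses=192.168.1.200 to-ports=80
add action=masquerade chain=srcnat comment="hairpin for clients on the server's own subnet" dst-address=192.168.1.200 dst-port=80 protocol=tcp src-address=192.168.1.0/24
```

Two things to check before relying on this. Rules added with `add` go to the end of their chain; that is fine against the forward chain in the export posted in this thread, which has no earlier rule dropping ether3 traffic, but in another setup use place-before= to put the accept and drop pair ahead of any broader rule. Separately, that export's input chain contains an unconditional `add action=accept chain=input` ahead of its drop rules, so nothing after it in that chain is ever evaluated; the forward-chain rules here do not depend on it, but the input chain should be reviewed before the router is exposed on the PPPoE interface.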

Re: Help in proper nat inside multiple subnet

Posted: Thu Nov 30, 2017 3:49 pm
by androx2k4
> So there is no 192.168.8.0/24 address assigned to any of the MikroTik ports. The only local address assigned on the MikroTik I can see is:
> /ip address
> add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
> So, if you want to keep WiFi users separated (or at least most of them), I would do the following:
> 1) unslave ether3 from ether2 port,
> 2) assign 192.168.8.1 address with 192.168.8.0/24 network to ether3,
> 3) set up DHCP for ether3 (gateway 192.168.8.1),
> 3) set up DHCP client on "Router B",
> 4) connect "Router B" to ether3,
> 5) set up filter rules describing which devices can access "server A" and which can't,
> 6) set up Hairpin NAT for both subnets.
I cannot fully understand point 2) because the WiFi AP has two ports: one is the WAN, which is physically connected to ethernet 3 of the MikroTik. The second port is the "WiFi" port that allows the connection to the router.

The two 3) are already done, and for this reason PC B gets an IP from the WiFi AP in the .8.x subnet and has .8.1 as gateway.
The inner routing is OK and working. The WAN of the WiFi AP (from now on let me call it WAN-B) is in the .1.x subnet. So if from PC B I ask for 192.168.1.200:80 the service is correctly reached (the .1.1 is outside the .8.1 netmask so it is routed via GW .8.1, and once in .1.1 it finds .1.200 and goes back).
4) is physically done
5 and 6) to be done

So why numbers 1) and 2)?

Re: Help in proper nat inside multiple subnet

Posted: Thu Nov 30, 2017 7:53 pm
by matiaszon
> I cannot fully understand point 2) because the WiFi AP has two ports: one is the WAN, which is physically connected to ethernet 3 of the MikroTik. The second port is the "WiFi" port that allows the connection to the router.
>
> The two 3) are already done, and for this reason PC B gets an IP from the WiFi AP in the .8.x subnet and has .8.1 as gateway.
> The inner routing is OK and working. The WAN of the WiFi AP (from now on let me call it WAN-B) is in the .1.x subnet. So if from PC B I ask for 192.168.1.200:80 the service is correctly reached (the .1.1 is outside the .8.1 netmask so it is routed via GW .8.1, and once in .1.1 it finds .1.200 and goes back).
> 4) is physically done
> 5 and 6) to be done
>
> So why numbers 1) and 2)?
Because you don't want NAT inside your network, which is causing problems with hairpin NAT. What is that for? If you set that device in switch+AP mode it means that you will bridge the LAN port (which is physically connected to ether3 on the MikroTik) and WiFi. This will allow you to manage the whole network, even with this separate 192.168.8.0/24 subnet, from the MikroTik device. Right now the MikroTik has nothing to do with NATing on that device. Furthermore, you want to make hairpin NAT go through that device, and it's not even a MikroTik (and you are on the MikroTik forum).

Can you tell me why you want to keep that NAT? What is it for?

Re: Help in proper nat inside multiple subnet

Posted: Fri Dec 01, 2017 3:20 pm
by androx2k4
> > I cannot fully understand point 2) because the WiFi AP has two ports: one is the WAN, which is physically connected to ethernet 3 of the MikroTik. The second port is the "WiFi" port that allows the connection to the router.
> >
> > The two 3) are already done, and for this reason PC B gets an IP from the WiFi AP in the .8.x subnet and has .8.1 as gateway.
> > The inner routing is OK and working. The WAN of the WiFi AP (from now on let me call it WAN-B) is in the .1.x subnet. So if from PC B I ask for 192.168.1.200:80 the service is correctly reached (the .1.1 is outside the .8.1 netmask so it is routed via GW .8.1, and once in .1.1 it finds .1.200 and goes back).
> > 4) is physically done
> > 5 and 6) to be done
> >
> > So why numbers 1) and 2)?
> Because you don't want NAT inside your network, which is causing problems with hairpin NAT. What is that for? If you set that device in switch+AP mode it means that you will bridge the LAN port (which is physically connected to ether3 on the MikroTik) and WiFi. This will allow you to manage the whole network, even with this separate 192.168.8.0/24 subnet, from the MikroTik device. Right now the MikroTik has nothing to do with NATing on that device. Furthermore, you want to make hairpin NAT go through that device, and it's not even a MikroTik (and you are on the MikroTik forum).
>
> Can you tell me why you want to keep that NAT? What is it for?
I see your point. The main reason is that I was developing some code for IoT devices (what else at this moment :) ) and the code uses publicdomainname.com:portnumber to connect to the server .200:realportnumber for exchanging data.
The idea is to move the IoT devices to another location and have them still able to communicate without modifying the configuration. So for me, the 192.168.8.x is to be considered like an "external network" from this point of view, at least for those devices.

I agree with you that in this case ethernet3 becomes like the PPPoE WAN, and probably this is why the external-to-internal NAT connection works only for PPPoE and not for eth3.
If I detach eth3 from the 2-3-4-5 virtual switch it should act like the PPPoE incoming net without any modification, and I have to add this
add action=masquerade chain=srcnat out-interface=ether3
to
add action=masquerade chain=srcnat out-interface=pppoe-tim
Of course this is without the hairpin; it is only for working with a NAT from .8.x to .1.200.

Right?

Re: Help in proper nat inside multiple subnet

Posted: Fri Dec 01, 2017 4:51 pm
by matiaszon
> I see your point. The main reason is that I was developing some code for IoT devices (what else at this moment :) ) and the code uses publicdomainname.com:portnumber to connect to the server .200:realportnumber for exchanging data.
> The idea is to move the IoT devices to another location and have them still able to communicate without modifying the configuration.
So far, so good... :)
> So for me, the 192.168.8.x is to be considered like an "external network" from this point of view, at least for those devices.
I don't get it. This is still a subnet, and behind two NATs (at the moment). So once you are trying to resolve your publicdomain.com:portnumber, it has to go through 2 routers. While we know how to make hairpin NAT through the MikroTik, we don't know anything about your second NAT, which you introduced to your local network for no reason (I still can't see the point).
> I agree with you that in this case ethernet3 becomes like the PPPoE WAN, and probably this is why the external-to-internal NAT connection works only for PPPoE and not for eth3.
> If I detach eth3 from the 2-3-4-5 virtual switch it should act like the PPPoE incoming net without any modification, and I have to add this
> add action=masquerade chain=srcnat out-interface=ether3
> to
> add action=masquerade chain=srcnat out-interface=pppoe-tim
> Of course this is without the hairpin; it is only for working with a NAT from .8.x to .1.200.
Now you killed me :) I am completely lost. I thought that ether3 was connected to Router B with a cable; now I find out it is connected to the switch. So this means that you have ether2 and ether3 connected to the same switch?

I still can't understand why you want to keep that NAT (Router B) in your network and what the real topology of your network is (which cable goes from where to where). The best would be to talk on some messenger, but let's try here.

I assume that ether1 is connected to your modem and works as WAN (PPPoE).
Can you tell me where each cable goes from ether2, ether3, ether4 and ether5?

Re: Help in proper nat inside multiple subnet

Posted: Fri Dec 01, 2017 4:53 pm
by matiaszon
> I see your point. The main reason is that I was developing some code for IoT devices (what else at this moment :) ) and the code uses publicdomainname.com:portnumber to connect to the server .200:realportnumber for exchanging data.
> The idea is to move the IoT devices to another location and have them still able to communicate without modifying the configuration.
So far, so good... :)
> So for me, the 192.168.8.x is to be considered like an "external network" from this point of view, at least for those devices.
I don't get it. This is still a subnet, and behind two NATs (at the moment). So once you are trying to resolve your publicdomain.com:portnumber, it has to go through 2 routers. While we know how to make hairpin NAT through the MikroTik, we don't know anything about your second NAT, which you introduced to your local network for no reason (I still can't see the point).
> I agree with you that in this case ethernet3 becomes like the PPPoE WAN, and probably this is why the external-to-internal NAT connection works only for PPPoE and not for eth3.
> If I detach eth3 from the 2-3-4-5 virtual switch it should act like the PPPoE incoming net without any modification, and I have to add this
> add action=masquerade chain=srcnat out-interface=ether3
> to
> add action=masquerade chain=srcnat out-interface=pppoe-tim
> Of course this is without the hairpin; it is only for working with a NAT from .8.x to .1.200.
Now you killed me :) I am completely lost. I thought that ether3 was connected to Router B with a cable; now I find out it is connected to the switch. So this means that you have ether2 and ether3 connected to the same switch?

What I am trying to do, and I believe you too, is to let any device use only 1 address (publicdomain.com) wherever that device is currently located (either in your local network or maybe somewhere outside).

I still can't understand why you want to keep that NAT (Router B) in your network and what the real topology of your network is (which cable goes from where to where). The best would be to talk on some messenger, but let's try here.

I assume that ether1 is connected to your modem and works as WAN (PPPoE).
Can you tell me where each cable goes from ether2, ether3, ether4 and ether5?

Re: Help in proper nat inside multiple subnet

Posted: Fri Dec 01, 2017 5:39 pm
by androx2k4
> > I see your point. The main reason is that I was developing some code for IoT devices (what else at this moment :) ) and the code uses publicdomainname.com:portnumber to connect to the server .200:realportnumber for exchanging data.
> > The idea is to move the IoT devices to another location and have them still able to communicate without modifying the configuration.
> So far, so good... :)
> > So for me, the 192.168.8.x is to be considered like an "external network" from this point of view, at least for those devices.
> I don't get it. This is still a subnet, and behind two NATs (at the moment). So once you are trying to resolve your publicdomain.com:portnumber, it has to go through 2 routers. While we know how to make hairpin NAT through the MikroTik, we don't know anything about your second NAT, which you introduced to your local network for no reason (I still can't see the point).
> > I agree with you that in this case ethernet3 becomes like the PPPoE WAN, and probably this is why the external-to-internal NAT connection works only for PPPoE and not for eth3.
> > If I detach eth3 from the 2-3-4-5 virtual switch it should act like the PPPoE incoming net without any modification, and I have to add this
> > add action=masquerade chain=srcnat out-interface=ether3
> > to
> > add action=masquerade chain=srcnat out-interface=pppoe-tim
> > Of course this is without the hairpin; it is only for working with a NAT from .8.x to .1.200.
> Now you killed me :) I am completely lost. I thought that ether3 was connected to Router B with a cable; now I find out it is connected to the switch. So this means that you have ether2 and ether3 connected to the same switch?
>
> What I am trying to do, and I believe you too, is to let any device use only 1 address (publicdomain.com) wherever that device is currently located (either in your local network or maybe somewhere outside).
>
> I still can't understand why you want to keep that NAT (Router B) in your network and what the real topology of your network is (which cable goes from where to where). The best would be to talk on some messenger, but let's try here.
>
> I assume that ether1 is connected to your modem and works as WAN (PPPoE).
> Can you tell me where each cable goes from ether2, ether3, ether4 and ether5?
My fault :) I'm lost myself. I'll think in more detail over all this thread and I'll try to clarify all the points. I'm fazed because I'm used to setting up more complex networks with the classic web interface, but it is the first time I'm working with an ipchains-like approach and I'm missing something... my head probably :)

Re: Help in proper nat inside multiple subnet

Posted: Fri Dec 01, 2017 6:11 pm
by matiaszon
This is how I would see your network, if you want to keep the separate subnet 192.168.8.0/24:

Image

Re: Help in proper nat inside multiple subnet

Posted: Fri Dec 01, 2017 6:13 pm
by matiaszon
This is how I would see your network, if you want to keep the separate subnet 192.168.8.0/24:

Image
And then what you need is just to set up some filter rules, if you don't want all 192.168.8.0/24 users to see "Server A".