unietis
just joined
Topic Author
Posts: 7
Joined: Mon May 13, 2013 8:44 pm

Bypassing NAT connection [SOLVED]

Mon May 13, 2013 10:12 pm

Hello!

I'm trying out a temporary solution until my ISP gives me a normal Internet connection with a public IP.
My story is that our ISP isn't giving us a public IP as a normal ISP would; instead they are giving us a /24 private IP network, with NAT on their side to a public IP. So right now our GW is 192.168.0.254/24.

As I wanted to create other internal networks, I installed an RB450G and created my desired networks behind MikroTik NAT (10.10.1.0/24 and 10.10.2.0/24) (my ISP is not willing to create static routes to my new internal networks).

My NAT configuration:
chain=srcnat out-interface=wan src-address=10.10.1.0/24 action=masquerade
chain=srcnat out-interface=wan src-address=10.10.2.0/24 action=masquerade
Connections to the Internet and to those hosts (including our internal DNS) that were left in the 192.168.0.0/24 network work fine, EXCEPT there are a lot of read/write errors and disconnections from Windows network shares.
For example, a PC from 10.10.1.0/24 tries to use some .doc file from "\\192.168.0.200\share" and after some time there is an error saying that it is not possible to write to this file. From the Windows Event Viewer:
"
{Delayed Write Failed} Windows was unable to save all the data for the file \\192.168.0.200\share\test.doc; the data has been lost. This error may be caused by network connectivity issues. Please try to save this file elsewhere.
"

There are also static routes on the hosts in 192.168.0.0/24 for the 10.10.1.0/24 and 10.10.2.0/24 networks, so that they can access workstations' network shares on the new networks:
for example:
192.168.0.200\..\User> route add 10.10.1.0 mask 255.255.255.0 192.168.0.1 metric 2
192.168.0.200\..\User> route add 10.10.2.0 mask 255.255.255.0 192.168.0.1 metric 2
Not all the time, but sometimes they get the same errors, and I think these errors occur because all the packets coming from the new networks are being NATed, but the server is not expecting packets from 192.168.0.1.

Here is a diagram to understand it better:
Drawing1.jpg

WHAT I WANT TO ACHIEVE:
For connections from 10.10.1.0/24 and 10.10.2.0/24 to hosts on 192.168.0.0/24, I want to bypass the NAT, which is meant only for accessing the Internet.

AND MY QUESTION TO YOU GUYS IS:

If I add these NAT rules before masquerading the new networks like this:
chain=srcnat out-interface=wan src-address=10.10.1.0/24 dst-address=192.168.0.200 action=accept
chain=srcnat out-interface=wan src-address=10.10.1.0/24 dst-address=192.168.0.210 action=accept
chain=srcnat out-interface=wan src-address=10.10.1.0/24 action=masquerade

chain=srcnat out-interface=wan src-address=10.10.2.0/24 dst-address=192.168.0.200 action=accept
chain=srcnat out-interface=wan src-address=10.10.2.0/24 dst-address=192.168.0.210 action=accept
chain=srcnat out-interface=wan src-address=10.10.2.0/24 action=masquerade
Would I bypass the NAT, and would MikroTik create connections from 10.10.1.0/24 and 10.10.2.0/24 to the addresses 192.168.0.200 and 192.168.0.210 without NAT?

If there are better, easier ideas on how to bypass the NAT rule for specific hosts, please share them with me.

Thank you!
Last edited by unietis on Fri May 17, 2013 10:02 am, edited 1 time in total.
 
Ivoshiee
Member
Member
Posts: 471
Joined: Sat May 06, 2006 4:11 pm

Re: Bypassing NAT connection (I need an opinion)

Mon May 13, 2013 10:50 pm

The 192.168.0.X/24 network is at your WAN side, and as your ISP is unwilling to add any static routes to its router 192.168.0.254, you must continue to NAT 10.10.X.Y/16 at your box. Also, go to 192.168.0.200 & 192.168.0.210 and add static routes there for 10.10.X.Y/16 to be directed to your 192.168.0.1 box. If you do not do that, then any answer back from these boxes will get directed to 192.168.0.254, which will likely just drop those. You have to add some rules to your 192.168.0.1 box to exclude destinations 192.168.0.200 & 192.168.0.210 from being NATed (your given rules may indeed do just that; try it out). That way your ISP is left out and no NAT is involved between 192.168.0.200, 192.168.0.210 and your internal networks 10.10.X.Y/16.
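The procedure in the answer above (exclude the two servers that carry return routes from srcnat, keep masquerading everything else, then verify) written out as one RouterOS configuration. This is an added example, not code from the thread or from MikroTik; the interface name `wan` follows the rules posted above, while the address-list name `no-nat-hosts` and the comment texts are my own choices.

```routeros
# Added example: srcnat exclusion for the LAN hosts that have a static
# route back to 10.10.x.0/24 via 192.168.0.1. Assumed names: WAN
# interface "wan", address list "no-nat-hosts".

# 1. Only hosts that have "route add 10.10.x.0 ... 192.168.0.1" belong in
#    this list. Any other 192.168.0.0/24 host would answer an un-NATed
#    10.10.x.x packet via 192.168.0.254, which has no route and drops it,
#    so those hosts must keep being reached through masquerade.
/ip firewall address-list
add list=no-nat-hosts address=192.168.0.200 comment="file server, routes 10.10.x.0/24 to 192.168.0.1"
add list=no-nat-hosts address=192.168.0.210 comment="routes 10.10.x.0/24 to 192.168.0.1"

# 2. srcnat is first-match, so the accept rules must sit above the
#    masquerade rules. place-before=0/1 inserts them at the top even when
#    the masquerade rules already exist (as in the original post).
/ip firewall nat
add chain=srcnat action=accept out-interface=wan src-address=10.10.1.0/24 dst-address-list=no-nat-hosts place-before=0 comment="no NAT towards routed LAN hosts"
add chain=srcnat action=accept out-interface=wan src-address=10.10.2.0/24 dst-address-list=no-nat-hosts place-before=1 comment="no NAT towards routed LAN hosts"
add chain=srcnat action=masquerade out-interface=wan src-address=10.10.1.0/24
add chain=srcnat action=masquerade out-interface=wan src-address=10.10.2.0/24

# 3. Verify. The packet counters of the two accept rules should grow when
#    a 10.10.x.x PC opens \\192.168.0.200\share, and the tracked
#    connections to that server should show the original 10.10.x.x source
#    address rather than 192.168.0.1.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"^192.168.0.200"
```

On the Windows side the `route add` lines from the first post are not kept across a reboot; `route -p add 10.10.1.0 mask 255.255.255.0 192.168.0.1` makes them persistent. Because the servers now see the real 10.10.1.x and 10.10.2.x source addresses instead of 192.168.0.1, any host firewall on 192.168.0.200 or 192.168.0.210 that limits file sharing to the local subnet has to be widened to include those two networks, otherwise the un-NATed connections will be refused where the NATed ones were accepted.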
 
unietis
just joined
Topic Author
Posts: 7
Joined: Mon May 13, 2013 8:44 pm

Re: Bypassing NAT connection (I need an opinion)

Mon May 13, 2013 11:59 pm

The 192.168.0.X/24 network is at your WAN side, and as your ISP is unwilling to add any static routes to its router 192.168.0.254, you must continue to NAT 10.10.X.Y/16 at your box. Also, go to 192.168.0.200 & 192.168.0.210 and add static routes there for 10.10.X.Y/16 to be directed to your 192.168.0.1 box. If you do not do that, then any answer back from these boxes will get directed to 192.168.0.254, which will likely just drop those. You have to add some rules to your 192.168.0.1 box to exclude destinations 192.168.0.200 & 192.168.0.210 from being NATed (your given rules may indeed do just that; try it out). That way your ISP is left out and no NAT is involved between 192.168.0.200, 192.168.0.210 and your internal networks 10.10.X.Y/16.
Thanks for your answer; tomorrow I will try to add these additional rules and I'll see how it goes.
 
unietis
just joined
Topic Author
Posts: 7
Joined: Mon May 13, 2013 8:44 pm

Re: Bypassing NAT connection (I need an opinion)

Tue May 14, 2013 12:27 pm

I have added the rules and it seems to be working. If all goes well, I will mark this post solved.
 
unietis
just joined
Topic Author
Posts: 7
Joined: Mon May 13, 2013 8:44 pm

Re: Bypassing NAT connection [SOLVED]

Fri May 17, 2013 10:01 am

Seems to be working just fine.
