e2346437
Frequent Visitor
Topic Author
Posts: 65
Joined: Sun Mar 12, 2006 1:35 am

SRCNAT Masquerade Problem

Wed Aug 30, 2006 2:43 am

Hello. I'm having a problem with srcnat masquerade, trying to make my MT act like a common home gateway to the Internet, but I can't seem to get it to work. Here is my network topology, starting with my ISP:


Cisco PIX 10.0.0.1 -----> AP 10.0.0.2 -----> Dlink 802.11b Bridge 10.0.0.70 --
  ---> Mikrotik RB532 Ether1 10.0.0.71 -----> Ether2 (src-nat'ed) 192.168.0.1 --
  ---> PC 192.168.0.2

Here are the relevant lines from my Mikrotik configuration:

/ interface ethernet
set ether1 name="ether1" mtu=1500 mac-address=00:0C:42:09:36:E1 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default mdix-enable=yes speed=100Mbps comment="" \
disabled=no
set ether2 name="ether2" mtu=1500 mac-address=00:0C:42:09:36:E2 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no

/ ip pool
add name="dhcp_pool1" ranges=192.168.0.2-192.168.0.254
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
set primary-dns=72.87.48.50 secondary-dns=72.87.48.70 allow-remote-requests=no \
cache-size=2048KiB cache-max-ttl=1w

/ ip address
add address=10.0.0.71/24 network=10.0.0.0 broadcast=10.0.0.255 \
interface=ether1 comment="" disabled=no
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface=ether2 comment="" disabled=no

/ ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1 scope=255 target-scope=10 \
comment="" disabled=no

/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" disabled=no

/ ip dhcp-server
add name="dhcp1" interface=ether2 lease-time=3d address-pool=dhcp_pool1 \
bootp-support=static authoritative=after-2sec-delay disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
/ ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 comment=""

With this configuration, my Mikrotik can ping my ISP's Cisco PIX at 10.0.0.1, but my PC cannot. My PC can only ping as far as ether1 on the Mikrotik, which is 10.0.0.71. 10.0.0.70 cannot be pinged from the PC either.

It's worth mentioning that my Cisco 871w Router/Firewall has the same addresses, routes, and src-nat setup, and it works fine.

Can anyone find a problem with my config and tell me what I'm doing wrong?

Thanks in advance.

Eric
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Wed Aug 30, 2006 4:46 pm

The PIX requires a route to the 192.168.0.0 network.

Either manually configure one, or set the PIX and MT to use a routing protocol such as RIP.

Regards

Andrew
 
e2346437
Frequent Visitor
Topic Author
Posts: 65
Joined: Sun Mar 12, 2006 1:35 am

Wed Aug 30, 2006 8:09 pm

andrewluck wrote:
    The PIX requires a route to the 192.168.0.0 network.

    Either manually configure one, or set the PIX and MT to use a routing protocol such as RIP.

    Regards

    Andrew

Andrew,
Thanks for the reply. I understand what you are saying, and appreciate your answer. However, my goal is to be able to deploy this router as a common household gateway to the Internet, and my customers aren't going to be able to tell their ISP to change their routes.

If I were to use, say, a DLink DI-604 home Internet router, it would use its WAN port to the ISP (in my case, ether1 at 10.0.0.71) and its LAN ports to the home PCs (in my case, ether2 at 192.168.0.x), and I would get Internet service. In this scenario, my ISP would not need to enable RIP or change its routes. All I would need to do is tell my

How can I duplicate this scenario with Mikrotik?

Thanks,
Eric
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Thu Aug 31, 2006 12:07 am

Eric

Apologies. I'm plainly talking rubbish here. As you're src-natting on the MT then there's no need for the PIX to need to know how to route to 192.168.0.0.

Here's my src-nat rule for my internal LAN:

chain=srcnat out-interface=Internet src-address=192.168.1.0/24
     action=src-nat to-addresses=x.x.x.x to-ports=0-65535

Where x.x.x.x would be 10.0.0.71 in your case.

You probably want to use the MT as a DNS relay, in which case you need to 'allow-external-requests'.

What do the scope and target-scope parameters in your default route definition do?

Regards

Andrew
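What Andrew's advice adds up to, written out in the same export style as Eric's configuration. This is an added example, not a rule set posted by either participant. It restricts the masquerade rule to the LAN prefix so only 192.168.0.0/24 is translated, and, because enabling the DNS relay (the `allow-remote-requests` setting from Eric's `/ ip dns` section) makes the router answer DNS on every interface, it pairs the relay with input rules so that nothing arriving on the ISP-facing ether1 can use the relay or reach the router's management services, while the LAN keeps its access. The interface names and the 192.168.0.0/24 prefix come from Eric's config; the separate single-value `connection-state` rules are an assumption made for older RouterOS releases, and the ordering assumes RouterOS's top-to-bottom, first-match rule evaluation.

```routeros
# Added example, not from the thread. Interface names and LAN prefix
# are taken from Eric's posted configuration.

/ ip firewall nat
# Masquerade only traffic that originates in the LAN and leaves toward the ISP.
add chain=srcnat src-address=192.168.0.0/24 out-interface=ether1 \
    action=masquerade comment="NAT the LAN out to the ISP" disabled=no

/ ip firewall filter
# Traffic to the router itself (input chain).
add chain=input connection-state=established action=accept comment="" disabled=no
add chain=input connection-state=related action=accept comment="" disabled=no
add chain=input connection-state=invalid action=drop comment="" disabled=no
add chain=input in-interface=ether2 action=accept \
    comment="LAN may reach the router: DNS relay, DHCP, management" disabled=no
add chain=input in-interface=ether1 action=drop \
    comment="Nothing from the ISP side reaches the router (no open DNS relay)" disabled=no

# Traffic routed through the router (forward chain).
add chain=forward connection-state=established action=accept comment="" disabled=no
add chain=forward connection-state=related action=accept comment="" disabled=no
add chain=forward connection-state=invalid action=drop comment="" disabled=no
add chain=forward in-interface=ether2 out-interface=ether1 action=accept \
    comment="LAN to Internet" disabled=no
add chain=forward in-interface=ether1 action=drop \
    comment="No unsolicited connections from the ISP side into the LAN" disabled=no

/ ip dns
# The relay is now safe to enable: only ether2 can reach port 53 on the router.
set allow-remote-requests=yes
```

Order matters: RouterOS walks each chain from the top and stops at the first accept or drop, so the established/related accepts must sit above the interface-based drops, and the DHCP clients on ether2 keep working because the whole LAN interface is accepted in the input chain.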
 
e2346437
Frequent Visitor
Topic Author
Posts: 65
Joined: Sun Mar 12, 2006 1:35 am

Thu Aug 31, 2006 3:23 am

andrewluck wrote:
    Eric

    Apologies. I'm plainly talking rubbish here. As you're src-natting on the MT then there's no need for the PIX to need to know how to route to 192.168.0.0.

    Here's my src-nat rule for my internal LAN:

    chain=srcnat out-interface=Internet src-address=192.168.1.0/24
         action=src-nat to-addresses=x.x.x.x to-ports=0-65535

    Where x.x.x.x would be 10.0.0.71 in your case.

    You probably want to use the MT as a DNS relay, in which case you need to 'allow-external-requests'.

    What do the scope and target-scope parameters in your default route definition do?

    Regards

    Andrew

Andrew,
I don't know what the scope and target-scope parameters do, but I do know that you're a genius! My configuration is now working!

Thanks ever so much,
Eric
