
Need Help on NAT on WAN link with Multiple Public IP

Posted: Mon May 07, 2018 5:41 pm
by learnyee
OK, I am currently working on a case with a WAN link with multiple public IPs, e.g. 1.2.3.x/29, with which I would end up with 1.2.3.x1-1.2.3.x5 as usable public IPs.

Now I need to:

1. DST port NAT traffic from 0.0.0.0/0 to 1.2.3.x1 ports 80, 443 to an internal server IP
2. Full-IP DST NAT all traffic from 0.0.0.0/0 to 1.2.3.x2 to another internal IP
3. And so on.....

How do I construct the NAT rules so that when the traffic returns, it gets SRC NATed to the correct public IP?

PS: The situation gets more complicated with 2 WAN links and PPPoE dialup with multiple public IPs, but I think I will ask that in another thread.

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Mon May 07, 2018 5:51 pm
by Sob
Just add dstnat rules and let connection tracking do its magic; it will work automatically. You only need to set up srcnat rules for connections initiated from the internal servers to the internet.

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Mon May 07, 2018 8:08 pm
by Steveocee
If the final addresses are public then you don’t need NAT.

The “LAN” devices simply become static IP routing through the router's “LAN” address.

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Tue May 08, 2018 4:23 am
by learnyee
If the final addresses are public then you don’t need NAT.

The “LAN” devices simply become static IP routing through the router's “LAN” address.
Erm... don't quite get that.

How do you route through the router without any NAT, as all the servers have internal IPs, sitting behind the LAN interface, and the WAN interface has another set of public IPs?

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Tue May 08, 2018 10:52 pm
by Sob
For your dstnat rules, you need something like this:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.2.3.x1 dst-port=80,443 protocol=tcp to-addresses=<internal server 1>
add action=dst-nat chain=dstnat dst-address=1.2.3.x2 to-addresses=<internal server 2>
And it would work correctly for incoming connections (clients would be able to connect to e.g. 1.2.3.x1:80) even if you had only this in srcnat:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=<WAN>
For outgoing connections, it would still work, i.e. processes running on the servers would be able to connect to resources on the internet, but all would use the same source address (1.2.3.xx). Some people use it like this and it's OK according to them. Others (myself included) prefer servers to use the same outgoing address as incoming. For that, just replace masquerade with:
/ip firewall nat
add action=src-nat chain=srcnat src-address=<internal server 1> to-addresses=1.2.3.x1
add action=src-nat chain=srcnat src-address=<internal server 2> to-addresses=1.2.3.x2
add action=src-nat chain=srcnat to-addresses=1.2.3.x5 comment="everything else not covered by previous rules"
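As an added example that is not part of any post in this thread: a complete rule set for the "whole /29 on WAN" configuration Sob describes above, written with documentation addresses. Everything named here is an assumption, not the OP's setup: ether1 is the WAN interface holding 203.0.113.1/29, the extra public addresses 203.0.113.2 and 203.0.113.3 are assigned on ether1 so the router answers ARP for them, and the servers are 192.168.10.10 (web) and 192.168.10.20 (full 1:1 NAT) behind bridge-lan. What it adds to the NAT rules is the forward-chain filter: the full-IP dst-nat rule maps every port of 203.0.113.3 to the second server, so without a filter rule anything listening there is reachable from the internet.

```routeros
# Added example, not from the thread. Interface names and addresses are assumptions.
/ip address
add address=203.0.113.1/29 interface=ether1 comment="WAN address from the /29"
add address=203.0.113.2/32 interface=ether1 comment="public IP for web server (router answers ARP)"
add address=203.0.113.3/32 interface=ether1 comment="public IP for server 2 (router answers ARP)"
add address=192.168.10.1/24 interface=bridge-lan comment="LAN gateway"

/ip firewall nat
# Inbound: in-interface=ether1 keeps these rules from matching LAN-originated traffic.
add chain=dstnat in-interface=ether1 dst-address=203.0.113.2 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.10.10 comment="web: only 80/443 are mapped"
add chain=dstnat in-interface=ether1 dst-address=203.0.113.3 \
    action=dst-nat to-addresses=192.168.10.20 comment="server 2: 1:1, every protocol and port"
# Outbound: connections the servers open themselves leave with their own public IP.
# First match wins, so the catch-all must stay last.
add chain=srcnat out-interface=ether1 src-address=192.168.10.10 action=src-nat to-addresses=203.0.113.2
add chain=srcnat out-interface=ether1 src-address=192.168.10.20 action=src-nat to-addresses=203.0.113.3
add chain=srcnat out-interface=ether1 action=src-nat to-addresses=203.0.113.1 \
    comment="everything else not covered above"

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Only the dst-natted flows you actually want reach the servers.
add chain=forward in-interface=ether1 connection-nat-state=dstnat dst-address=192.168.10.10 \
    protocol=tcp dst-port=80,443 action=accept comment="what the web dst-nat rule maps"
add chain=forward in-interface=ether1 connection-nat-state=dstnat dst-address=192.168.10.20 \
    protocol=tcp dst-port=22,443 action=accept \
    comment="1:1 NAT exposes every port; list only the services that must be public"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop all other unsolicited inbound, dst-natted or not"
```

Reply packets of a dst-natted connection never hit the srcnat chain: connection tracking reverses the translation, which is why the per-server src-nat rules only matter for connections the servers open themselves. If the second server really must be reachable on every port, drop the protocol/dst-port match from its accept rule, but do that knowingly rather than by leaving the forward chain empty.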

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Wed May 09, 2018 10:11 pm
by Steveocee
If the final addresses are public then you don’t need NAT.

The “LAN” devices simply become static IP routing through the router's “LAN” address.
Erm... don't quite get that.

How do you route through the router without any NAT, as all the servers have internal IPs, sitting behind the LAN interface, and the WAN interface has another set of public IPs?
If the router has a public IP of 1.1.1.2/24 on its “WAN” interface and you have been given public addresses 2.2.2.0/29 (the “WAN” address is irrelevant to you, as the ISP only uses it to route to your subnet):
Create a bridge (effectively the LAN side of your router) with IP 2.2.2.1/29.
Connect servers to what would effectively be your local network.
Assign 2.2.2.2-2.2.2.5 to the servers with a gateway of 2.2.2.1 and you do not need NAT. This only works if you have all public IPs.

Unless I am reading your OP wrong?
You have a public IP and then a routed subnet?

I know my above approach works in certain situations without NAT, as I have recently set 2 customers up like this on CCR and RB3011 devices.

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Wed May 09, 2018 11:22 pm
by Sob
For the record, I'm working with "whole /29 on WAN" scenario and honoring the request for dstnat. If the /29 is routed, then config without NAT described by Steveocee may be better solution.

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Wed May 09, 2018 11:34 pm
by samsung172
Just add dst-nat, with dst-address and port to fit your needs, and action dst-nat to your internal IP with the correct port. Also add the correct protocol, TCP/UDP, e.g.:

Let's say you have 2 web servers at 10.10.10.1 and 10.10.10.2, and you have the public IPs 100.100.100.1 and 100.100.100.2. You want each internal web server to respond on one IP each. This would be the ruleset:


/ip firewall nat
add action=dst-nat chain=dstnat dst-address=100.100.100.1 dst-port=80 protocol=tcp to-addresses=10.10.10.1 to-ports=80
add action=dst-nat chain=dstnat dst-address=100.100.100.2 dst-port=80 protocol=tcp to-addresses=10.10.10.2 to-ports=80

add chain=srcnat out-interface=internet src-address=10.10.10.1 action=src-nat to-addresses=100.100.100.1 to-ports=0-65535
add chain=srcnat out-interface=internet src-address=10.10.10.2 action=src-nat to-addresses=100.100.100.2 to-ports=0-65535

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Thu May 10, 2018 10:48 am
by Steveocee
For the record, I'm working with "whole /29 on WAN" scenario and honoring the request for dstnat. If the /29 is routed, then config without NAT described by Steveocee may be better solution.
Between the pair of us the OP has the answer :D

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Thu May 10, 2018 2:45 pm
by CZFan

If the router has a public IP of 1.1.1.2/24 on its “WAN” interface and you have been given public addresses 2.2.2.0/29 (the “WAN” address is irrelevant to you, as the ISP only uses it to route to your subnet):
Create a bridge (effectively the LAN side of your router) with IP 2.2.2.1/29.
Connect servers to what would effectively be your local network.
Assign 2.2.2.2-2.2.2.5 to the servers with a gateway of 2.2.2.1 and you do not need NAT. This only works if you have all public IPs.

Unless I am reading your OP wrong?
You have a public IP and then a routed subnet?

I know my above approach works in certain situations without NAT, as I have recently set 2 customers up like this on CCR and RB3011 devices.

If I may ask here, and it might be a very stupid question.

Let's say I am an ISP, a good one because I only use Mikrotik :D

I want to route subnet 2.2.2.0/29 to my client that already has 1.1.1.0/29, how will I do this on Mikrotik?

Is it as simple as just adding an additional IP from 2.2.2.0/29 on my router interface (client's gateway 1.1.1.1/29), or is there more to it?

EDIT: BTW, I am also asking so anav doesn't have to :D

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Thu May 10, 2018 4:35 pm
by learnyee
/ip firewall nat
add action=src-nat chain=srcnat src-address=<internal server 1> to-addresses=1.2.3.x1
add action=src-nat chain=srcnat src-address=<internal server 2> to-addresses=1.2.3.x2
add action=src-nat chain=srcnat to-addresses=1.2.3.x5 comment="everything else not covered by previous rules"
I actually did the 1st part of it on the DST-NAT and the MAS part; the 2nd part above opens up more options for me to tweak the SRC-NAT.

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Thu May 10, 2018 4:42 pm
by learnyee
If the final addresses are public then you don’t need NAT.

The “LAN” devices simply become static IP routing through the router's “LAN” address.
Erm... don't quite get that.

How do you route through the router without any NAT, as all the servers have internal IPs, sitting behind the LAN interface, and the WAN interface has another set of public IPs?
If the router has a public IP of 1.1.1.2/24 on its “WAN” interface and you have been given public addresses 2.2.2.0/29 (the “WAN” address is irrelevant to you, as the ISP only uses it to route to your subnet):
Create a bridge (effectively the LAN side of your router) with IP 2.2.2.1/29.
Connect servers to what would effectively be your local network.
Assign 2.2.2.2-2.2.2.5 to the servers with a gateway of 2.2.2.1 and you do not need NAT. This only works if you have all public IPs.

Unless I am reading your OP wrong?
You have a public IP and then a routed subnet?

I know my above approach works in certain situations without NAT, as I have recently set 2 customers up like this on CCR and RB3011 devices.
The said solution actually works for another case: if you have worked with those Peplink WAN load balancers, they have something called drop-in mode for WAN, and this is actually the solution I used. No NAT needed from either end and it all works well. But I don't think this will work with PPPoE dialup. What happened was, when I dialed to my ISP, it would assign an IP of 2.2.2.2 with a GW of 2.2.2.1. So any IP with the DEST of 2.2.2.3-5 from the internet would "pipe" through the PPPoE from the ISP. I don't think I can create a bridge and add a PPPoE dialer into the bridge.

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Thu May 10, 2018 4:49 pm
by learnyee

If the router has a public IP of 1.1.1.2/24 on its “WAN” interface and you have been given public addresses 2.2.2.0/29 (the “WAN” address is irrelevant to you, as the ISP only uses it to route to your subnet):
Create a bridge (effectively the LAN side of your router) with IP 2.2.2.1/29.
Connect servers to what would effectively be your local network.
Assign 2.2.2.2-2.2.2.5 to the servers with a gateway of 2.2.2.1 and you do not need NAT. This only works if you have all public IPs.

Unless I am reading your OP wrong?
You have a public IP and then a routed subnet?

I know my above approach works in certain situations without NAT, as I have recently set 2 customers up like this on CCR and RB3011 devices.

If I may ask here, and it might be a very stupid question.

Let's say I am an ISP, a good one because I only use Mikrotik :D

I want to route subnet 2.2.2.0/29 to my client that already has 1.1.1.0/29, how will I do this on Mikrotik?

Is it as simple as just adding an additional IP from 2.2.2.0/29 on my router interface (client's gateway 1.1.1.1/29), or is there more to it?

EDIT: BTW, I am also asking so anav doesn't have to :D
I don't think that would work, because both the 2.2.2.0/29 and 1.1.1.0/29 addresses sit on the same interface of your router and I don't see how the traffic can be NATed.
But if you are talking about adding 1.1.1.1/29 to your interface and 1.1.1.2/29 to your customer's router interface, then technically you can do that as long as your end and your customer's end are "connected" in a way.

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Thu May 10, 2018 5:38 pm
by Sob
@CZFan: If the customer is already connected and you as the ISP want to give another /29 to them, it's better to really route it to them, i.e. "/ip route add dst-address=2.2.2.0/29 gateway=1.1.1.2" on your side.

If you add 2.2.2.1/29 to your router, then you waste three of the eight addresses (network, gateway, broadcast) and only five can be used by the customer. On top of that, you expect them all to be directly reachable on the link between you and the customer. Not that it would be too hard for the customer to route them anywhere else with the help of proxy ARP, but it's an unnecessary extra step.

If you route the whole subnet to the customer, they can use all eight addresses if they want. There are different ways: they can assign them somewhere on the router as /32 and use them with NAT, route them anywhere in their network, etc. Or they can just assign 2.2.2.1/29 to one of their internal interfaces and waste three addresses themselves, if they want. The important thing is that they have a choice. And even if they do this, the three addresses are not completely lost to them; they can still use them in a limited way, because packets coming from the internet don't know that the address is actually e.g. the broadcast address in the internal network, so it's possible to use dstnat to send them somewhere else. And the same for srcnat. The only problem is that machines with other 2.2.2.x/29 addresses won't be able to connect to services on what to them are the network and broadcast addresses. But it's easy for the customer to plan it in a way that doesn't need this.
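As an added example, not taken from Steveocee's or Sob's posts: the routed-subnet case end to end, with the ISP-side route Sob describes and the customer-side bridge Steveocee describes in one listing. The addresses are assumptions chosen from the documentation ranges: the ISP-customer link is 198.51.100.0/30 (ISP 198.51.100.1, customer 198.51.100.2 on its ether1), the routed block is 203.0.113.0/29 on the customer's server bridge, and the servers are 203.0.113.2 and 203.0.113.3. Without NAT there is no translation step between the internet and the servers, so the forward-chain filter is the only control left; it is written here for the same two services as the NAT variant.

```routeros
# Added example, not from the thread. Addresses and interface names are assumptions.

# ---- ISP router: hand the whole /29 to the customer's link address ----
/ip address
add address=198.51.100.1/30 interface=ether5 comment="link toward customer"
/ip route
add dst-address=203.0.113.0/29 gateway=198.51.100.2 comment="routed block for customer"

# ---- Customer router ----
/interface bridge
add name=bridge-servers comment="public server segment, no NAT"
/interface bridge port
add bridge=bridge-servers interface=ether2
add bridge=bridge-servers interface=ether3

/ip address
add address=198.51.100.2/30 interface=ether1 comment="WAN link address from ISP"
add address=203.0.113.1/29 interface=bridge-servers comment="gateway the servers point at"

/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1

# Servers: 203.0.113.2-203.0.113.5/29, default gateway 203.0.113.1.
# No /ip firewall nat rules are needed; the public addresses are on the servers themselves.

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 dst-address=203.0.113.2 protocol=tcp dst-port=80,443 \
    action=accept comment="web server"
add chain=forward in-interface=ether1 dst-address=203.0.113.3 protocol=tcp dst-port=22,443 \
    action=accept comment="server 2, only the services that must be public"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="no NAT does not mean no firewall: drop all other unsolicited inbound"
```

The ISP route is the whole trick: once 203.0.113.0/29 is routed to 198.51.100.2, the customer decides whether those addresses live on a bridge as above, as /32s on the router with dstnat, or anywhere else inside their network. The filter rules are the same shape as in the NAT variant because the exposure is the same; only the translation step is gone.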

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Thu May 10, 2018 5:54 pm
by CZFan
Got it, thank you very much @Sob.

@anav, is it clear enough for you :D

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Fri May 11, 2018 12:44 am
by anav
Zing.................. just flew over my head but if you want to stop in on the PSD attributes thread to be wildly entertained with my EXTRA TAB questions (weight and limit) - then yes feel free to provide enlightenment. Oh and stay tuned for a VLAN/Bridge setup thread where I pose my scenario/setup and ask what is the most efficient method..................

PS. Am I allowed to give advice in the GENERAL forum. I may not have the rank to do so! ;-P

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Fri May 11, 2018 1:10 am
by samsung172
@CZFan: If the customer is already connected and you as the ISP want to give another /29 to them, it's better to really route it to them, i.e. "/ip route add dst-address=2.2.2.0/29 gateway=1.1.1.2" on your side.

If you add 2.2.2.1/29 to your router, then you waste three of the eight addresses (network, gateway, broadcast) and only five can be used by the customer. On top of that, you expect them all to be directly reachable on the link between you and the customer. Not that it would be too hard for the customer to route them anywhere else with the help of proxy ARP, but it's an unnecessary extra step.

If you route the whole subnet to the customer, they can use all eight addresses if they want. There are different ways: they can assign them somewhere on the router as /32 and use them with NAT, route them anywhere in their network, etc. Or they can just assign 2.2.2.1/29 to one of their internal interfaces and waste three addresses themselves, if they want. The important thing is that they have a choice. And even if they do this, the three addresses are not completely lost to them; they can still use them in a limited way, because packets coming from the internet don't know that the address is actually e.g. the broadcast address in the internal network, so it's possible to use dstnat to send them somewhere else. And the same for srcnat. The only problem is that machines with other 2.2.2.x/29 addresses won't be able to connect to services on what to them are the network and broadcast addresses. But it's easy for the customer to plan it in a way that doesn't need this.
Well, it seems like we need a lesson in using RFC 1918 and public IPs, since the question would differ if it's internal RFC 1918 addresses or public IPs (or just the same).

If ISP 1 and ISP 2 use the same internal RFC 1918 IPs, use NAT as described.

If it's public IPs, just let routing fix this.

Re: Need Help on NAT on WAN link with Multiple Public IP

Posted: Fri May 11, 2018 5:25 am
by Sob
Well, it seems like we need a lesson in using RFC 1918 and public IPs, since the question would differ if it's internal RFC 1918 addresses or public IPs (or just the same).
I have a feeling that you're trying to tell me something. But I read it several times and I'm still not sure what it is. Could you try again?