Hello,
I have my network architecture each device that has a local @IP connects to the internet with a public @IP ie
PC1: @local: 192.168.1.2 => 172.16.128.2
PC2: @local: 192.168.1.3 => 172.16.128.3
@ public: 172.16.128.0/24
@ local: 192.168.1.0/24
public gateway: 172.16.128.1
local gateway: 192.168.1.1
and that the ether1 interface 192.168.254 and the other ether2 interface takes 172.16.128.254
then in the configuration of my router I did the NAT static but the problem is that all the equipments take like @public 172.16.128.254 (ether2)
this is my config:

/ip address add interface=ether1 address=192.168.1.254/24
/ip address add interface=ether2 address=172.16.128.254/24

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether2
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.2 to-addresses=172.16.128.2
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.3 to-addresses=172.16.128.3

/ip route add dst-address=192.168.1.0/24 gateway=172.16.128.1
/ip route add dst-address=0.0.0.0/0 gateway=172.16.1.254

Help plz

Rules are processed in order, so everything just uses the first masquerade rule.

Rules are processed in order, so everything just uses the first masquerade rule.

if i do the test with the command line to discover on which public @IP connects the equipment that has the @ 192.168.1.2
> curl ipinfo.io/ip
172.16.128.254

it's wrong, i have to find 172.16.128.2

And did you follow my hint and moved the first maqeurade rule at the end of chain?

And did you follow my hint and moved the first maqeurade rule at the end of chain?

When i moved the first masquerade rule at the end of chain, the network stopped

If you have: Then it could possibly break connectivity for 192.168.1.2 and 192.168.1.3, if there's some problem with 172.16.128.2 and 172.16.128.3. But for all other sources, those two rules won't touch their packets and only the masquerade rule will be used as before.

If all public addresses are in same /24, you also need to add the new ones to router, otherwise the ISP's gateway can't reach them. And then also change the masquerade rule to: It will make sure that traffic not srcnatted by previous rules will always use the correct address and won't pick another one.

If you have:

Code: Select all

/ip firewall nat
add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.2 to-addresses=172.16.128.2
add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.3 to-addresses=172.16.128.3
add chain=srcnat action=masquerade out-interface=ether2

Then it could possibly break connectivity for 192.168.1.2 and 192.168.1.3, if there's some problem with 172.16.128.2 and 172.16.128.3. But for all other sources, those two rules won't touch their packets and only the masquerade rule will be used as before.

If all public addresses are in same /24, you also need to add the new ones to router, otherwise the ISP's gateway can't reach them. And then also change the masquerade rule to:

Code: Select all

add chain=srcnat action=src-nat out-interface=ether2 to-addresses=172.16.128.254

It will make sure that traffic not srcnatted by previous rules will always use the correct address and won't pick another one.

Thank you for your quick rep;
I deleted all the NAT rules and i repeated them by the order like you said but nothing to change (without connectivity)
the public@ is on /26 and the local@ is on /24

In that case, try a better description of public addresses.

You wrote that the main one is 172.16.128.254/24 (it's not public, but it's not the important part). But you also wrote that others are 172.16.128.2-3, which would put them in same /24 subnet. Now if you say that .254 is in /26, then .2-3 would be in different subnet and even .1 would not work as gateway, because that's not in the same /26 either. And on second look, you have one gateway in description and another in config, which is in completely different subnet too. And both routes are strange.

You don't need to share your real public addresses, write them as x.x.128.254/26, or use 172.16 prefix as you did, but keep the right part (numbers and mask) unchanged.

Also, are these three srcnat rules the only rules in srcnat chain, or are there also others?

In that case, try a better description of public addresses.

You wrote that the main one is 172.16.128.254/24 (it's not public, but it's not the important part). But you also wrote that others are 172.16.128.2-3, which would put them in same /24 subnet. Now if you say that .254 is in /26, then .2-3 would be in different subnet and even .1 would not work as gateway, because that's not in the same /26 either. And on second look, you have one gateway in description and another in config, which is in completely different subnet too. And both routes are strange.

You don't need to share your real public addresses, write them as x.x.128.254/26, or use 172.16 prefix as you did, but keep the right part (numbers and mask) unchanged.

Also, are these three srcnat rules the only rules in srcnat chain, or are there also others?

Hello,
Yes propably I have not described well to you
1- it just exists that its 3 rules of NAT there is no other
2- Yes, you are right for public IP addresses because I was not clear to detail the information, so
Local network: 192.168.1.0/24
Public network: 172.16.128.0/26
Public Gateway: 172.16.128.1
ether1: 192.168.1.254
ether2: 172.16.128.62
this is my simulation

This is wrong:
/ip route add dst-address=192.168.1.0/24 gateway=172.16.128.1
/ip route add dst-address=0.0.0.0/0 gateway=172.16.1.254

This is correct:
/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

This is wrong:
/ip route add dst-address=192.168.1.0/24 gateway=172.16.128.1
/ip route add dst-address=0.0.0.0/0 gateway=172.16.1.254

This is correct:
/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

yes
This is my new config

/ip address add interface=ether1 address=192.168.1.254/24
/ip address add interface=ether2 address=172.16.128.62/26

/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.2 to-addresses=172.16.128.3
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.3 to-addresses=172.16.128.4
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.4 to-addresses=172.16.128.5
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.5 to-addresses=172.16.128.6
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether2

/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

Does it work in your environment?

Does it work in your environment?

it works but the problem is that all devices (192.168.1.2 # .3 # .4 # .5) take as public IP address 172.16.128.62
that is, NAT does not work

What ROS version do you use?

What ROS version do you use?

6.42.6

Should work, dunno. Is it emulated environment or real devices?

Should work, dunno. Is it emulated environment or real devices?

Real devices

You have common condition (out-interface=ether2) in all rules, so the only difference is src-address=192.168.1.x. As long as the connection has source address 192.168.1.x, the matching rule will be used. And since action=src-nat ends the processing, source will be changed to 172.16.128.x. I don't see how it could not work.

What are your firewall filter rules?

For a couple of seconds, set log=yes to all the rules in chain=srcnat using /ip firewall nat set [find chain=srcnat] log=yes. After that, stop logging them using /ip firewall nat set [find chain=srcnat] log=no. Then, print the logged src-nat events using /log print where topics~"firewall" and see what was actually happening there.

What are your firewall filter rules?

I don't have any rules filter

Did you change the route to new host 128.1?

This is wrong:
/ip route add dst-address=192.168.1.0/24 gateway=172.16.128.1
/ip route add dst-address=0.0.0.0/0 gateway=172.16.1.254

This is correct:
/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

yes
This is my new config

/ip address add interface=ether1 address=192.168.1.254/24
/ip address add interface=ether2 address=172.16.128.62/26

/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.2 to-addresses=172.16.128.3
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.3 to-addresses=172.16.128.4
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.4 to-addresses=172.16.128.5
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.5 to-addresses=172.16.128.6
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether2

/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

The addresses that will be masked are in ether2 ... But the gateway is not there ...
Remove the output interface and see if it works

This is wrong:
/ip route add dst-address=192.168.1.0/24 gateway=172.16.128.1
/ip route add dst-address=0.0.0.0/0 gateway=172.16.1.254

This is correct:
/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

yes
This is my new config

/ip address add interface=ether1 address=192.168.1.254/24
/ip address add interface=ether2 address=172.16.128.62/26

/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.2 to-addresses=172.16.128.3
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.3 to-addresses=172.16.128.4
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.4 to-addresses=172.16.128.5
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.5 to-addresses=172.16.128.6
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether2

/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

The addresses that will be masked are in ether2 ... But the gateway is not there ...
Remove the output interface and see if it works

Addresses that will be masqed in ether1. Gateway is a host behind ether2. All is correct.

This is wrong:
/ip route add dst-address=192.168.1.0/24 gateway=172.16.128.1
/ip route add dst-address=0.0.0.0/0 gateway=172.16.1.254

This is correct:
/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

yes
This is my new config

/ip address add interface=ether1 address=192.168.1.254/24
/ip address add interface=ether2 address=172.16.128.62/26

/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.2 to-addresses=172.16.128.3
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.3 to-addresses=172.16.128.4
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.4 to-addresses=172.16.128.5
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether2 src-address=192.168.1.5 to-addresses=172.16.128.6
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether2

/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

The addresses that will be masked are in ether2 ... But the gateway is not there ...
Remove the output interface and see if it works

Addresses that will be masqed in ether1. Gateway is a host behind ether2. All is correct.

If i understand, i make like this:

/ip address add interface=ether1 address=192.168.1.254/24
/ip address add interface=ether2 address=172.16.128.62/26

/ip firewall nat add chain=srcnat action=src-nat src-address=192.168.1.2 to-addresses=172.16.128.3
/ip firewall nat add chain=srcnat action=src-nat src-address=192.168.1.3 to-addresses=172.16.128.4
/ip firewall nat add chain=srcnat action=src-nat src-address=192.168.1.4 to-addresses=172.16.128.5
/ip firewall nat add chain=srcnat action=src-nat src-address=192.168.1.5 to-addresses=172.16.128.6
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

/ip route add dst-address=0.0.0.0/0 gateway=172.16.128.1

Not exactly. You can remove out-interface from src-nat rules, but it shouldn't make any difference. Feel free to try it. But for masquerade rule, if it previously worked with ether2, then changing it to ether1 will break it.

Not exactly. You can remove out-interface from src-nat rules, but it shouldn't make any difference. Feel free to try it. But for masquerade rule, if it previously worked with ether2, then changing it to ether1 will break it.

I tried at the level of out-interface masquerade with ether1 and even by ether2 but nothing is changed, the traffic all come out on the ip address 172.16.128.62
it's like NAT does not work, I do not know why
even at the ping and ssh level I can not do them

NAT works fine for everyone, you're not that "lucky" to be the only exception.

Take few steps back, specifically look at this post. You claimed that changing the order of rules broke the connectivity. You probably don't remember it, but since you still have the same config, look at packet counters of those srcnat rules. Do they increase?

Also don't forget this:

If all public addresses are in same /26, you also need to add the new ones to router, otherwise the ISP's gateway can't reach them.