oldnick
just joined
Topic Author
Posts: 3
Joined: Wed May 15, 2019 1:40 pm

Asymmetric NAT question

Wed May 15, 2019 3:02 pm

Hi all,

I have a question regarding asymmetric 1-to-1 NAT. Is it possible with a MikroTik router?

My current test scheme is below:
                     bridge_address: 10.10.10.10/32
                    192.168.0.1/24          10.0.0.1/24
                                  NAT1_Router
                               /              \
               192.168.0.10/24/                \ 10.0.0.10/24     
                  Inside_Router                  Outside_Router
                              \               /
                               \             /
                                 NAT2_Router
                    192.168.0.2/24        10.0.0.2/24
                     bridge_address: 10.10.10.10/32

Network 192.168.0.0/24 is in vlan 10.
Network 10.0.0.0/24 is in vlan 20.

My goal is:
1) Outside_Router sends a packet to address 10.10.10.10 via NAT1_Router.
2) NAT1_Router performs dst-nat, changing the destination address 10.10.10.10 to 192.168.0.10.
3) Inside_Router receives the packet and sends the reply back to 10.0.0.10, but not via NAT1_Router; it sends the packet to NAT2_Router.
4) NAT2_Router must translate this packet back with src-nat, changing the source address 192.168.0.10 to 10.10.10.10.

The problem is that NAT2_Router does not provide NAT translation of the local address 192.168.0.10 to the address 10.10.10.10. As a result, Outside_Router receives replies with source IP address 192.168.0.10, not 10.10.10.10.

Inside_Router configuration:
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
/ip address
add address=192.168.0.10/24 interface=vlan10 network=192.168.0.0
/ip route
add distance=1 dst-address=10.0.0.0/24 gateway=192.168.0.2
/system identity
set name=Inside_Router

NAT1_Router configuration:
/interface bridge
add name=br-nat-1
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan20 vlan-id=20
/ip address
add address=192.168.0.1/24 interface=vlan10 network=192.168.0.0
add address=10.0.0.1/24 interface=vlan20 network=10.0.0.0
add address=10.10.10.10 interface=br-nat-1 network=3.3.3.3
/ip firewall nat
add action=netmap chain=dstnat dst-address=10.10.10.10 to-addresses=192.168.0.10
add action=netmap chain=srcnat src-address=192.168.0.10 to-addresses=10.10.10.10
/system identity
set name=NAT1_Router

NAT2_Router configuration:
/interface bridge
add name=br-nat-1
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan20 vlan-id=20
/ip address
add address=192.168.0.2/24 interface=vlan10 network=192.168.0.0
add address=10.0.0.2/24 interface=vlan20 network=10.0.0.0
add address=10.10.10.10 interface=br-nat-1 network=10.0.0.0
/ip firewall nat
add action=netmap chain=dstnat dst-address=10.10.10.10 to-addresses=192.168.0.10
add action=netmap chain=srcnat src-address=192.168.0.10 to-addresses=10.10.10.10
/system identity
set name=NAT2_Router

Outside_Router configuration:
/interface vlan
add interface=ether1 name=vlan20 vlan-id=20
/ip address
add address=10.0.0.10/24 interface=vlan20 network=10.0.0.0
/ip route
add distance=1 dst-address=10.10.10.10/32 gateway=10.0.0.1
/system identity
set name=Outside_Router

Appreciate your help.
 
sindy
Forum Guru
Posts: 3100
Joined: Mon Dec 04, 2017 9:19 pm

Re: Asymmetric NAT question

Wed May 15, 2019 3:43 pm

It should work for UDP; I'm not sure about TCP and ping. One thing is that with loose-tcp-tracking=yes, the filter in the firewall allows the first ever TCP packet seen to be other than the SYN one; another thing is whether connection tracking permits such a non-SYN packet to be seen by the nat table. Similar case with ICMP: I think only ping requests are handled by the nat table.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Sob
Forum Guru
Posts: 4073
Joined: Mon Apr 20, 2009 9:11 pm

Re: Asymmetric NAT question

Wed May 15, 2019 4:18 pm

It looks like something that conntrack won't like at all; it would probably need some stateless NAT, but I'm not sure if that's even possible in RouterOS.
 
oldnick
just joined
Topic Author
Posts: 3
Joined: Wed May 15, 2019 1:40 pm

Re: Asymmetric NAT question

Wed May 15, 2019 7:01 pm

> It should work for UDP, I'm not sure about TCP and ping. One thing is that with loose-tcp-tracking=yes, the filter in the firewall allows the first ever TCP packet seen to be other than the SYN one, another thing is whether connection-tracking permits such other-than-SYN packet to be seen by the nat table. Similar case with ICMP, I think only ping requests are handled by the nat table.

Thank you sindy for your reply. Indeed, UDP traffic is NATed in this scheme, and TCP and ICMP traffic is bypassed. Regarding the loose-tcp-tracking option, I just tried version 6.44.3, and it seems to make no difference whether loose-tcp-tracking is enabled or disabled. Anyway, thank you for your help.
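To make concrete the behaviour sindy describes and oldnick confirms (UDP translated, TCP replies bypassing NAT on the second router), here is an added Python model that is not from the thread and not RouterOS code: one netmap NAT router in front of a per-router conntrack table, using the addresses from the original post. It assumes a simplified conntrack: only the packet that opens a new tracked connection is run through the nat table, and a non-SYN TCP packet with no tracked connection is forwarded untranslated, as the original poster observed.

```python
from dataclasses import dataclass

# Addresses from the original post.
PUBLIC, INSIDE, OUTSIDE = "10.10.10.10", "192.168.0.10", "10.0.0.10"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    syn: bool = False   # only meaningful for tcp

def nat_pass(pkt, conntrack):
    """One NAT router with the post's netmap rules behind a conntrack table.

    conntrack maps (proto, src, dst) of a connection's first packet to the
    (src, dst) it was translated to. The nat table is consulted only for a
    packet that opens a new tracked connection (simplified model, assumed).
    """
    orig = (pkt.proto, pkt.src, pkt.dst)
    if orig in conntrack:                        # known connection, original direction
        s, d = conntrack[orig]
        return Packet(s, d, pkt.proto, pkt.syn)
    for (proto, s, d), (ts, td) in conntrack.items():
        if proto == pkt.proto and pkt.src == td and pkt.dst == ts:
            return Packet(d, s, proto, pkt.syn)  # reply direction: undo translation
    if pkt.proto == "tcp" and not pkt.syn:
        # No tracked connection and not a SYN: conntrack treats it as invalid, the nat
        # table is skipped and the packet is forwarded unchanged (the "bypass" seen in the thread).
        return pkt
    new_src = PUBLIC if pkt.src == INSIDE else pkt.src   # srcnat netmap rule
    new_dst = INSIDE if pkt.dst == PUBLIC else pkt.dst   # dstnat netmap rule
    conntrack[orig] = (new_src, new_dst)
    return Packet(new_src, new_dst, pkt.proto, pkt.syn)

def reply_source_seen_by_outside(proto, reply_via_same_router):
    """Outside_Router sends to 10.10.10.10 through NAT1; Inside_Router replies either
    back through NAT1 (symmetric) or through NAT2 (the asymmetric test scheme).
    Returns the source address Outside_Router sees on the reply."""
    nat1, nat2 = {}, {}
    request = nat_pass(Packet(OUTSIDE, PUBLIC, proto, syn=True), nat1)
    reply = Packet(request.dst, request.src, proto)   # Inside_Router answers 10.0.0.10
    table = nat1 if reply_via_same_router else nat2
    return nat_pass(reply, table).src

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, "symmetric:", reply_source_seen_by_outside(proto, True),
              "asymmetric:", reply_source_seen_by_outside(proto, False))
```

Run it and the asymmetric TCP case is the only one where Outside_Router sees 192.168.0.10 instead of 10.10.10.10, because NAT2 never tracked the connection that NAT1 opened.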
 
oldnick
just joined
Topic Author
Posts: 3
Joined: Wed May 15, 2019 1:40 pm

Re: Asymmetric NAT question

Wed May 15, 2019 7:09 pm

> It looks like something that conntrack won't like at all, it would probably need some stateless NAT, but I'm not sure if it's even possible in RouterOS.

Stateless NAT or connection synchronization between routers. And it seems that neither of these options is available on a MikroTik router.
