Community discussions

MikroTik App
 
Wyoming
Member Candidate
Member Candidate
Topic Author
Posts: 124
Joined: Wed Jun 09, 2004 11:43 pm
Location: Wyoming

Questions about Masquerading and NAT rules

Fri Dec 03, 2004 5:54 pm

I am trying to set up a mikrotik with may different nat and masquerading rules on it. I have a few questions about the ability of the mikrotik here.

First, what are the connection limits of the mikrotik for NAT and Masquerading.

Second, we have blocks of private IPs that need to be masqueraded to multiple public IPs. How is this accomplished?

an example would be that the block of IPs of 192.168.1.0/24 needs
to be masqueraded to X.X.1.0/28 and then 192.168.2.0/24 needs
to be masqueraded to X.X.2.0/28 and so on.

If you put multilple IPs on the interface is there a way to select which ones the masquerade rule will use?

Also we where wondering what the NAT and Masquerading connection timeouts are?

Thanks
 
User avatar
YazzY
Member Candidate
Member Candidate
Posts: 140
Joined: Fri May 28, 2004 3:26 pm
Location: Norway, Østfold
Contact:

Fri Dec 03, 2004 6:30 pm

I believe what you want is Source NAT.
You can source nat an IP or a range of them out to a specific IP on a given iface.
 
Wyoming
Member Candidate
Member Candidate
Topic Author
Posts: 124
Joined: Wed Jun 09, 2004 11:43 pm
Location: Wyoming

Thu Dec 09, 2004 2:23 am

We got the SRC-NAT rules up and running now but we are having major problems with users being able to access AIM and Secure Web sites. Anyone have any Ideas as to why that would be?

Thanks
 
User avatar
mag
Member
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany
Contact:

Thu Dec 09, 2004 9:29 am

which firmware version is in use?
i had similar problems with some pages which turned out to be caused by a particular ISP (traffic shaping)

masqerading means matching many private ip-addresses to one public ip-address.

http://www.mikrotik.com/Documentation/H ... How_dstnat
; dst-nat:
src-address=10.0.0.0/24 dst-address=192.168.250.0/24 action=nat 

; src-nat:
src-address=192.168.250.0/24 dst-address=10.1.1.0/24 action=nat 
should give a one-to-one ip-address-maping, depending on incoming dst- and src-address.

regards.
  matthias
 
User avatar
[ASM]
Member Candidate
Member Candidate
Posts: 285
Joined: Sun Jun 06, 2004 12:59 am
Location: Sofia, Bulgaria
Contact:

Thu Dec 09, 2004 11:03 am

try:
/ip firewall src-nat add src-address=192.168.1.0/24 action=nat to-dst-address=xxx.yyy.1.1-xxx.yyy.1.15
 
User avatar
mag
Member
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany
Contact:

Thu Dec 09, 2004 12:45 pm

/ip firewall src-nat add src-address=192.168.1.0/24 action=nat to-dst-address=xxx.yyy.1.1-xxx.yyy.1.15
where xxx.yyy is the public part, i'd guess.

will this provide the inbound mapping (dst-nat) automatically?

(these things are poorly documented)

regards.
  matthias
 
User avatar
[ASM]
Member Candidate
Member Candidate
Posts: 285
Joined: Sun Jun 06, 2004 12:59 am
Location: Sofia, Bulgaria
Contact:

Thu Dec 09, 2004 2:46 pm

where xxx.yyy is the public part, i'd guess.
will this provide the inbound mapping (dst-nat) automatically?
Yes. That's right
 
Wyoming
Member Candidate
Member Candidate
Topic Author
Posts: 124
Joined: Wed Jun 09, 2004 11:43 pm
Location: Wyoming

Thu Dec 09, 2004 5:36 pm

We are running on 2.8.17 code right now but I have a test box with 2.8.19 on it and we are seeing the same behavior.

We have the rules set up as follows.

We are using Mangle to mark the traffic with flow marks.

0 src-address=x.x.128.0/21 in-interface=Border action=passthrough mark-flow=mark1

1 src-address=x.x.136.0/23 in-interface=Border action=passthrough mark-flow=mark1


Then we are using scr-nat to nat the traffic.

out-interface=To 7206 flow=mark1 action=nat to-src-address=y.y.105.214-y.y.105.254


We have many rules similar to the one above for different customers.

there is no traffic shaping on this line other than the limits created by the speed of the links(2 DSL lines).

Thanks
 
User avatar
mag
Member
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany
Contact:

Thu Dec 09, 2004 8:33 pm

why so complicated? (the mangle rules)
(and i would suggest upgrading to 2.8.21)

regards.
   matthias
 
Wyoming
Member Candidate
Member Candidate
Topic Author
Posts: 124
Joined: Wed Jun 09, 2004 11:43 pm
Location: Wyoming

Thu Dec 09, 2004 8:47 pm

is there another way to group the two blocks(x.x.128.0/21 and x.x.136.0/23) together so that they are both NATed to the same block(y.y.105.214 - y.y.105.254) with out using the mangle rule?

And would my current setup cause any problems with logging into applications such AOL Instant Messanger or Secure Web sites? And if so how can I fix this.

Thanks
 
User avatar
mag
Member
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany
Contact:

Sun Dec 26, 2004 11:47 am

is there another way to group the two blocks(x.x.128.0/21 and x.x.136.0/23) together so that they are both NATed to the same block(y.y.105.214 - y.y.105.254) with out using the mangle rule?
sorry, i haven't seen this. i think its a good way to handle blocks of ip-addresses.

i will do some NAT tests in the next weeks, as we have a few noncoherent public class-c ip-blocks we'd like to map into internal ip-ranges.

btw, what's about payload using NAT with mikrotik router os? will e.g. dns requests be handled similar to cisco NAT? i.e. translating dns-data in request but not in zone transfers. this is quite important for using public DNS-servers behind NAT and one reason we still use some cisco routers.

regards,
   matthias
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Dec 27, 2004 2:19 pm

groups of addresses will be controllable in 2.9, where there is the `address list`, where you can for example create a blacklist of some kind, and then just have some script enter new IP addresses there. Or you can have any other kind of address list. Wait for 2.9 (it's in the beta already i think)
No answer to your question? How to write posts
 
User avatar
mag
Member
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany
Contact:

Tue Dec 28, 2004 10:19 am

2.9 seems to become a real improvement! (if i could only install the beta;-)

anything about the NAT'd payload question?

regards,
   matthias

Who is online

Users browsing this forum: arsalansiddiqui, Google [Bot], mlaz, nocivo, saathiyabneha, safik and 69 guests