Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

NAT issue

Thu Nov 07, 2019 12:12 pm

Hello guys,
I have a problem at my site with NAT; the topology is very simple.
I have two Cisco routers, one for the MPLS VPN to our sites and the other one for the internet.
We installed a Mikrotik router to manage user internet access, so we run a hotspot server on a bridge.
Also, we don't have any fancy configuration on the Mikrotik.
The problem is that all traffic is getting masqueraded. We don't have an issue with HTTP and HTTPS traffic,

but we have IP phones that get registered from an external server on another subnet via the MPLS router,
and the HQ office needs a few IPs in order to give them permission to access servers, and they can't see those IPs because they are NATed.

vpn router ip:10.104.104.1/22
internet router ip:10.104.104.99/22
mikrotik hotspot bridge ip : 10.104.104.9/22

Any suggestions, please?
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Thu Nov 07, 2019 12:50 pm

And I would like to mention that if I add a srcnat rule above the masquerade NAT rule, pointing to the destination_list that I don't want to NAT to,
I can see in the firewall connections that the source address and the reply destination address are the same.
But as soon as I apply this rule I lose ping and connection to the destination.
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Thu Nov 07, 2019 10:43 pm

You'd have to provide a network diagram to get some useful advice, the text description doesn't express your network clearly enough.

In general, you can set exceptions from action=src-nat or action=masquerade rules (and also action=netmap and action=dst-nat rules) by either setting additional match conditions in these rules or by placing action=accept rules matching on the traffic which should not be NATed before those NATing rules.

If this hint is not sufficient to resolve your issue, post the diagram of your network and follow the suggestion in my automatic signature below.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
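
The two ways of exempting traffic from NAT described in the reply above, written out as RouterOS configuration. This is an added example, not part of the original post; the address-list name `no-nat` and its two entries are assumptions chosen for illustration.

```routeros
# Added example. The list name "no-nat" and its entries are assumptions.
/ip firewall address-list
add list=no-nat address=10.0.0.0/8 comment="constructed entry: destinations behind the VPN router"
add list=no-nat address=192.168.208.0/24 comment="constructed entry"

/ip firewall nat
# Variant 1: an accept rule placed before the NAT rule. A connection that
# matches it stops traversing the srcnat chain and keeps its original
# source address. Assumes exactly one masquerade rule exists in srcnat.
add chain=srcnat action=accept src-address=10.104.104.0/22 \
    dst-address-list=no-nat \
    place-before=[find chain=srcnat action=masquerade] \
    comment="do not NAT traffic to no-nat destinations"

# Variant 2 (use instead of variant 1): add a match condition to the
# masquerade rule itself so that it skips the same destinations.
# set [find chain=srcnat action=masquerade] dst-address-list=!no-nat
```

Traffic exempted this way leaves the router with its original 10.104.104.x source address, so the far side must have a working return path to that address.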
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Fri Nov 08, 2019 10:21 am

Hey, thanks for your reply.

My network diagram is:

the VPN router, IP 10.104.104.1, is connected to the Mikrotik on ethernet 7
the internet gateway router, IP 10.104.104.99, is connected to the Mikrotik on ethernet 8
the core switch, IP 10.104.104.10, is connected to the Mikrotik on ethernet 1
the Mikrotik bridge IP is 10.104.104.9
the only port added to the bridge is the LAN port, ether1

The default gateway of all LAN users is the Mikrotik bridge 10.104.104.9 running the hotspot

static IPs to other subnets going via the VPN router
default route to 10.104.104.99

Only one NAT rule, masquerade, is added to allow users to access the internet.

I don't know if this is a bad way to configure a Mikrotik router, but I can reconfigure the router in a more appropriate way.
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Fri Nov 08, 2019 11:33 am

It doesn't make sense to me that you've made only ether1 an /interface bridge port but at the same time there are other IP addresses from the same subnet (presumably, you haven't shown the netmasks/prefix lengths associated to them) accessible via other etherX. So your issue may be more than the NAT alone.

So please post the configuration export so that we could tidy up your configuration before even starting to create exceptions from the masquerade rule.
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Fri Nov 08, 2019 12:37 pm

Yes, the bridge has only one interface, the LAN.
/ip address
add address=10.104.104.23 interface=ether8 network=10.104.104.99
add address=10.104.104.9/22 interface=bridge1 network=10.104.104.0
add address=10.104.104.24 interface=ether7 network=10.104.104.1
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.104.104.0/22
/ip firewall filter
add action=return chain=hs-unauth comment="\E4\D9\C7\E3 \DD\C7\D1\D3" dst-address=192.168.208.8
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
/ip route
add distance=1 gateway=10.104.104.99
add distance=1 dst-address=10.0.0.0/8 gateway=10.104.104.1
add distance=1 dst-address=10.1.116.6/32 gateway=10.104.104.1
add distance=1 dst-address=10.1.137.0/24 gateway=10.104.104.1
add distance=1 dst-address=10.1.150.204/32 gateway=10.104.104.1
add distance=1 dst-address=10.1.165.0/24 gateway=10.104.104.1
add distance=1 dst-address=10.1.165.65/32 gateway=10.104.104.1
add distance=1 dst-address=10.1.165.140/32 gateway=10.104.104.1
add distance=1 dst-address=10.1.182.0/24 gateway=10.104.104.1
add distance=1 dst-address=10.4.16.100/32 gateway=10.104.104.1
add distance=1 dst-address=10.4.46.128/26 gateway=10.104.104.1
add distance=1 dst-address=192.168.3.54/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.3.140/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.6.0/24 gateway=10.104.104.1
add distance=1 dst-address=192.168.6.199/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.18.0/24 gateway=10.104.104.1
add distance=1 dst-address=192.168.18.37/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.18.216/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.30.0/24 gateway=10.104.104.1
add distance=1 dst-address=192.168.54.155/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.81.17/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.81.75/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.120.0/24 gateway=10.104.104.1
add distance=1 dst-address=192.168.164.0/24 gateway=10.104.104.1
add distance=1 dst-address=192.168.166.203/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.208.0/24 gateway=10.104.104.1




**If I could make this router work without performing NAT, maybe my problem would go away, because both gateways are doing NAT.**
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Fri Nov 08, 2019 6:38 pm

Exactly what I was afraid of. In your OP, you say:
> vpn router ip:10.104.104.1/22
> internet router ip:10.104.104.99/22
> mikrotik hotspot bridge ip : 10.104.104.9/22

but your configuration doesn't match this:

> /ip address
> add address=10.104.104.23 interface=ether8 network=10.104.104.99
> add address=10.104.104.9/22 interface=bridge1 network=10.104.104.0
> add address=10.104.104.24 interface=ether7 network=10.104.104.1

In fact you have the 10.104.104.0/22 subnet attached only to bridge1; to ether7 and ether8, you have attached /32 "subnets" with unrelated /32 addresses of the gateways.

I suspect I understand the purpose, as you want the hosts in 10.104.104.0/22 to use Mikrotik's own IP as their default gateway, and let the Mikrotik choose the "real" gateway out of 10.104.104.99 and 10.104.104.1 on its own. Which does work, but it also implies that the NAT must be done at the Tik, as without the NAT, the VPN router and the internet router would assume the other destinations within 10.104.104.0/22 to be in their own subnet, so instead of routing the responses via Tik's IP as a gateway, they would send an ARP request to get a MAC address of the destination. Except if these two routers were configured symmetrically, i.e. if they had an equivalent of
/ip address add address=10.104.104.99/32 network=10.104.104.23
/ip route add dst-address=10.104.104.0/22 gateway=10.104.104.23

in their own configuration. But I assume the latter is not the case, as otherwise you wouldn't need the NAT at Mikrotik side.

So what I write from now on assumes that the Tik-facing interfaces of the internet router and the VPN router are indeed configured with 10.104.104.99/22 and 10.104.104.1/22, respectively.

There are two ways how to adjust the Tik configuration alone to make things work without the need for a NAT rule on the Tik.

One is to keep just the single IP, 10.104.104.9/22, on the bridge, remove the two IP configurations attached to ether7 and ether8 completely, and make ether7 and ether8 member ports of the bridge as well.

This way, the first packet from the client towards each particular destination address will be sent to the Tik's 10.104.104.9 (because that's what the clients have got as a default gateway via manual config or DHCP); using its own routing table, the Tik will find out that the gateway IP for such packet is in the same subnet like the source IP of that packet, and will thus inform the sender via ICMP that it can send the packet directly to that gateway IP (.1 or .99). Most devices will understand this, make a note in their routing cache, and use the real gateway for that destination address (or rather the whole subnet matching the dst-address field of the route at Mikrotik) for some time until the note times out; then, the same cycle will repeat. So effectively, the routing table of Mikrotik will be dynamically replicated in the hosts' routing caches.

The VPN router and internet router will both have a direct L2 path to the hosts, so no NAT will be necessary at the Tik (nor possible because the bulk of the packets will bypass the L3 handling at Tik and will be just bridged between ether1 and ether7/ether8). But this also means that the IP firewall of the Tik will not be able to affect that traffic; since you mention hotspot functionality, I suspect this method may not suit your intention.

So aside of forcing bridged traffic through the IP firewall, which is possible but unusual, another way to get rid of the NAT while keeping Mikrotik in the L3 path between the two routers and the clients connected to ether1 without modifying the settings of the two other routers is to keep your IP configuration at the Tik unchanged and just set arp-proxy to yes at ether7 and ether8. This way, the internet router and VPN router will get their ARP request for any IP address from 10.104.104.0/22 responded by the Tik with its own MAC address, so they will send the packets for anything from that subnet to the Tik, and Tik will forward these packets. In this case, Mikrotik will handle all packets at L3, but you still won't need to do NAT at Tik to have the backward path from outside to any IP address in 10.104.104.0/22 working because the Tik will mimic the whole subnet towards the two routers.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
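
The two alternatives from the post above as RouterOS commands, for the configuration export shown earlier in the thread. This is an added example, not part of the original post; like the post, it assumes the edge routers' Tik-facing interfaces are configured as 10.104.104.99/22 and 10.104.104.1/22.

```routeros
# Added example. Apply ONE of the two options, not both.

# --- Option A: bridge the uplinks -------------------------------------
# Hosts and both edge routers end up on one L2 segment; 10.104.104.9/22
# on bridge1 stays the only address on the Tik.
/ip address remove [find interface=ether7]
/ip address remove [find interface=ether8]
/interface bridge port
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
# Consequence described in the post: once hosts learn the real gateway,
# their traffic is bridged and bypasses the IP firewall on the Tik, so
# filter and hotspot rules no longer see it.

# --- Option B: keep routing, answer ARP for the LAN ---------------------
# The IP configuration stays as exported; the Tik replies to the edge
# routers' ARP requests for 10.104.104.0/22 hosts with its own MAC.
/interface ethernet
set ether7 arp=proxy-arp
set ether8 arp=proxy-arp
# Every packet is still handled at L3, so the IP firewall keeps seeing it.

# --- Either option: the masquerade rule is no longer needed ------------
/ip firewall nat disable [find chain=srcnat action=masquerade]
```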
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Fri Nov 08, 2019 8:28 pm

Thank you Sindy for making the time to reply to me.

Okay, this is what I will do tomorrow:
not changing the IP addresses on the interfaces;
add Ether 7, 8 to the bridge and enable proxy-arp on these interfaces;
and remove the masquerade rule.

I hope it works after adding this configuration.
I will come back to you tomorrow :)
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Fri Nov 08, 2019 9:25 pm

> add Ether 7, 8 to the bridge and enable proxy-arp on these interfaces.

It seems my explanation was too complex, but I don't know how to simplify it. It's either add Ether 7, 8 to the bridge (and remove the IP addresses attached to them) or enable proxy-arp on these interfaces, not both at the same time.
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Sun Nov 10, 2019 7:29 pm

> > add Ether 7, 8 to the bridge and enable proxy-arp on these interfaces.
>
> It seems my explanation was too complex, but I don't know how to simplify it. It's either add Ether 7, 8 to the bridge (and remove the IP addresses attached to them) or enable proxy-arp on these interfaces, not both at the same time.

Hey sindy,
today I applied the configurations with no luck.
I enabled proxy-arp on both interfaces and removed the masquerade rule.
From the Tik I can ping the internet and the remote locations, but the users can't ping anything. But they can authenticate with the hotspot.

Then I tried the other one, adding both interfaces to the bridge and removing their IPs.
When I applied this configuration I wasn't able to ping both edge routers from the Tik.
Do you have more ideas?
Thank you in advance
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Sun Nov 10, 2019 8:14 pm

> do you have more ideas

Not before you provide the complete export of the Mikrotik configuration (anonymized, see my automatic signature below), and also relevant configuration elements from the two other routers - namely, the IP configurations of their Mikrotik-facing interfaces and of their routing tables.

> I enable proxy-arp on both interfaces and removed the masquerade rule.
> from the Tik i can ping the internet and the remote locations, but the users can't ping anything. but they can authenticate with the hotspot .

This suggests that the other routers could not benefit from the proxy-arp being enabled as their netmasks are not /22. So the pings from Mikrotik itself, which are always sent from the IP address attached to the interface through which they are sent, could get their responses, but the pings from the wireless users could not get their responses as packets for 10.104.104.0/22 are routed somewhere else than to Mikrotik by the other two routers.

> then i tried to do the other one, adding both interfaces to the bridge and removing their ip's
> when i apply this configurations i wasn't able to ping from the Tik both edge routers.

This suggests the same conclusion as above - as the other routers could not respond to pings coming from the only Mikrotik's IP address which remained active (the 10.104.104.9 one) because that address is outside the Mikrotik-facing interfaces' subnets (so their IP configuration doesn't have a /22 netmask) and so the responses were routed elsewhere.

So if you can change the configuration of those two routers, either change netmask in the IP configuration of their Mikrotik-facing interfaces to /22, or add the routes as I've suggested in my previous post (10.104.104.0/22 via 10.104.104.x). If you cannot change the configuration of those routers, you're doomed, because there is no way to set up non-NATed connections through the two links, because the same routing problem would arise.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Sun Nov 10, 2019 8:47 pm

> > do you have more ideas
>
> Not before you provide the complete export of the Mikrotik configuration (anonymized, see my automatic signature below), and also relevant configuration elements from the two other routers - namely, the IP configurations of their Mikrotik-facing interfaces and of their routing tables.
>
> > I enable proxy-arp on both interfaces and removed the masquerade rule.
> > from the Tik i can ping the internet and the remote locations, but the users can't ping anything. but they can authenticate with the hotspot .
>
> This suggests that the other routers could not benefit from the proxy-arp being enabled as their netmasks are not /22. So the pings from Mikrotik itself, which are always sent from the IP address attached to the interface through which they are sent, could get their responses, but the pings from the wireless users could not get their responses as packets for 10.104.104.0/22 are routed somewhere else than to Mikrotik by the other two routers.
>
> > then i tried to do the other one, adding both interfaces to the bridge and removing their ip's
> > when i apply this configurations i wasn't able to ping from the Tik both edge routers.
>
> This suggests the same conclusion as above - as the other routers could not respond to pings coming from the only Mikrotik's IP address which remained active (the 10.104.104.9 one) because that address is outside the Mikrotik-facing interfaces' subnets (so their IP configuration doesn't have a /22 netmask) and so the responses were routed elsewhere.
>
> So if you can change the configuration of those two routers, either change netmask in the IP configuration of their Mikrotik-facing interfaces to /22, or add the routes as I've suggested in my previous post (10.104.104.0/22 via 10.104.104.x). If you cannot change the configuration of those routers, you're doomed, because there is no way to set up non-NATed connections through the two links, because the same routing problem would arise.

I always thought that the hotspot rules were causing me problems.
I'll try to check both edge routers' configurations.
Thank you for your time
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Mon Nov 11, 2019 7:34 am

Both edge routers' interfaces facing the Mikrotik are running on VLAN5.
I didn't add any configuration on the Tik that mentions VLAN5.
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Mon Nov 11, 2019 8:49 am

If there was a mismatch of VLAN tagging between the edge routers' ports and the Mikrotik's ports, nothing would work, with or without NAT. So I suppose that in those routers, the IP configuration for 10.104.104.x/32 is attached to the virtual VLAN interface in VLAN 5, but the Mikrotik-facing Ethernet ports are access ports to VLAN 5 so on the wire, the frames are tagless.

So what's the IP configuration of VLAN 5 in each edge router?

What brand are those edge routers, Cisco or other?
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Mon Nov 11, 2019 9:10 am

> If there was a mismatch of VLAN tagging between the edge routers' ports and the Mikrotik's ports, nothing would work, with or without NAT. So I suppose that in those routers, the IP configuration for 10.104.104.x/32 is attached to the virtual VLAN interface in VLAN 5, but the Mikrotik-facing Ethernet ports are access ports to VLAN 5 so on the wire, the frames are tagless.
>
> So what's the IP configuration of VLAN 5 in each edge router?
>
> What brand are those edge routers, Cisco or other?

Hey,
no, it's working now, but traffic going to the VPN is getting NATed with the Mikrotik interface facing the VPN edge router,
and the traffic going to the internet is NATed with the Mikrotik interface facing the internet router,
and both edge routers are performing NAT also.
It's a nightmare, really.

Yes, I want to configure the Tik to run VLAN 5 only; in my LAN I only use VLAN 5,
so it won't be a problem for me.

Both edge routers are Cisco.
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Mon Nov 11, 2019 9:18 am

Once again: what is the exact IP address configuration for vlan 5 and route configuration of the Ciscos?

Forget the vlan tagging/untagging for a moment, it is working now so don't touch it until you resolve the IP addressing and routing part.
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Thu Nov 14, 2019 7:25 pm

> Once again: what is the exact IP address configuration for vlan 5 and route configuration of the Ciscos?
>
> Forget the vlan tagging/untagging for a moment, it is working now so don't touch it until you resolve the IP addressing and routing part.

Hello Sindy, sorry for the late reply,
but I think I have good news:
first, I confirmed with my ISP about my two Cisco gateways, and they confirmed to me that both gateways, the internet and the MPLS, are 10.104.104.0/22 and they are on the physical interface, so there's no VLAN used.
So I deleted the Tik configuration and I want to start over.
These are the steps I did:
1: created a bridge and gave it an IP in the same subnet as my gateways
2: added the three interfaces to the bridge
3: configured routes to the destinations
4: configured DNS
5: did not configure NAT
After that I am able to access the internet and remote subnets :)

But as soon as I set up the hotspot server I lost access to the internet and remote subnets.
I CAN'T ping Google DNS from the Tik router and also I can't ping the remote subnets, but I CAN ping both gateways.

I think I am so close to solving this problem, need help please.
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Thu Nov 14, 2019 8:17 pm

I don't use the hotspot functionality, but what I know is that it is heavily dependent on /ip firewall, which means that the L3 interface through which the hotspot users connect must be a different one from the one through which the internet connection goes, so configuring the machine as a mere bridge and then indicating that very bridge as a hotspot-handled interface means that it cannot work properly.

It didn't come to my mind that the bridge used for hotspot-controlled users could be the same one where the devices which need to be accessible from other parts of the network. Is it really necessary to use the same bridge for both purposes, or you can afford to create a separate bridge for the hotspot users?
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Thu Nov 14, 2019 9:39 pm

> I don't use the hotspot functionality, but what I know is that it is heavily dependent on /ip firewall, which means that the L3 interface through which the hotspot users connect must be a different one from the one through which the internet connection goes, so configuring the machine as a mere bridge and then indicating that very bridge as a hotspot-handled interface means that it cannot work properly.
>
> It didn't come to my mind that the bridge used for hotspot-controlled users could be the same one where the devices which need to be accessible from other parts of the network. Is it really necessary to use the same bridge for both purposes, or you can afford to create a separate bridge for the hotspot users?

Unfortunately, yeah, I have to use the same subnet.
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Thu Nov 14, 2019 10:45 pm

In that case, back to the drawing board. The least confusing way would be to set up two /30 interconnecting subnets outside the 10.104.104.0/22 one, add a route to 10.104.104.0/22 via the respective interconnect subnet at each of the two Ciscos, and do a normal routing also at Mikrotik side.

If you instead choose the interconnecting subnets to be inside the 10.104.104.0/22 range, you do not need the routes at the Cisco side, but you need the arp=proxy-arp setting at Mikrotik side on the cisco-facing ports.

In either case, the bridge (or the single etherX port) will then be used for the local clients, and all the traffic towards outside of that bridge will go through L3 routing so correct operation of the hotspot functionality will be possible.

But I still have a doubt, as you say the hotspot clients must be on the bridge - do you have also non-hotspot clients on the same bridge or all the clients on the bridge use hotspot? Because the hotspot manual says the following:
>   • automatic and transparent change any IP address of a client to a valid address;
>
> Hotspot can work reliably only when IPv4 is used. Hotspot relies on Firewall NAT rules which currently are not supported for IPv6.

You can exclude a subrange of addresses in a subnet from hotspot handling, but it seems that a hotspot-handled client will always be NATed...
 
prestensys
just joined
Posts: 3
Joined: Fri Nov 15, 2019 11:56 am
Location: Nigeria
Contact:

Re: NAT issue

Fri Nov 15, 2019 12:20 pm

What device is issuing the IP/DHCP server? Is it the Cisco or Mikrotik?
Network, Security & Telecom hardware sales
https://prestensys.com
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Fri Nov 15, 2019 1:14 pm

> In that case, back to the drawing board. The least confusing way would be to set up two /30 interconnecting subnets outside the 10.104.104.0/22 one, add a route to 10.104.104.0/22 via the respective interconnect subnet at each of the two Ciscos, and do a normal routing also at Mikrotik side.
>
> If you instead choose the interconnecting subnets to be inside the 10.104.104.0/22 range, you do not need the routes at the Cisco side, but you need the arp=proxy-arp setting at Mikrotik side on the cisco-facing ports.
>
> In either case, the bridge (or the single etherX port) will then be used for the local clients, and all the traffic towards outside of that bridge will go through L3 routing so correct operation of the hotspot functionality will be possible.
>
> But I still have a doubt, as you say the hotspot clients must be on the bridge - do you have also non-hotspot clients on the same bridge or all the clients on the bridge use hotspot? Because the hotspot manual says the following:
>
> >   • automatic and transparent change any IP address of a client to a valid address;
> >
> > Hotspot can work reliably only when IPv4 is used. Hotspot relies on Firewall NAT rules which currently are not supported for IPv6.
>
> You can exclude a subrange of addresses in a subnet from hotspot handling, but it seems that a hotspot-handled client will always be NATed...

After I'm finished setting up the Tik, I am configuring a PPTP-BCP layer 2 VPN through the MPLS router, and it requires that the LAN port be added to the bridge;
that's why I assigned the IP address to the bridge, not to the LAN interface.

I'll give it a shot and try configuring a /30 between the gateways and the Tik with proxy-arp and see what happens.
 
Omar010
just joined
Topic Author
Posts: 14
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Fri Nov 15, 2019 1:16 pm

> What device is issuing the IP/DHCP server? Is it the Cisco or Mikrotik?

In my environment we aren't using DHCP to assign IP addresses; we use static addresses.
