SJB
just joined
Topic Author
Posts: 19
Joined: Sat Mar 16, 2019 7:56 pm

Double NAT, LHG R (LTE) in front of hex

Tue Dec 31, 2019 7:47 pm

Hi guys, I'm also stuck a bit with the double NAT issue. I run a hex as main router which is fed by 2 WANs (PCC load balancing). One WAN is configured in the hex as a PPPoE; that's the easy part, which is srcnat-ed in the hex. The other WAN comes from a LHG R (LTE) dish. This unit itself runs MikroTik OS, in which I now also srcnat. It also has a different IP range from the main hex router. As such it works OK, and through RoMON I control them both. I'd like to get rid of the double NAT, however, for traffic over the 4G connection.

Hex runs IP range 192.168.88.0, gateway 192.168.88.1
LHG LTE has range 192.168.77.0, gateway 192.168.77.1 (no DHCP server); the WAN side in the hex for this link has fixed IP 192.168.77.254
I assume I could set up some passthrough on the LTE, just passing on the dynamic IP from the 4G provider and NAT-ing this in the main hex instead?
 
Zacharias
Forum Guru
Posts: 1386
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Double NAT, LHG R (LTE) in front of hex

Tue Dec 31, 2019 8:01 pm

There is passthrough available on the LTE device, take a look here https://wiki.mikrotik.com/wiki/Manual:I ... gh_Example
 
SJB
just joined
Topic Author
Posts: 19
Joined: Sat Mar 16, 2019 7:56 pm

Re: Double NAT, LHG R (LTE) in front of hex

Wed Jan 01, 2020 5:58 pm

I'm working my way through the setup with a few questions remaining:
1/ on the LTE assume NAT: off,
2/ in the LTE APN setup: do NOT add default route.
3/ Route list now shows ether 1 reachable on both the WAN (4G) dynamic address and the local ether1 address.
4/ must the ether 1 address on the LTE be in a different range than the host hex? (Host hex has 192.168.88.0 and LTE now has 192.168.77.0)
5/ Assume on the host hex the DHCP client needs to have default route added?
6/ in my mangle rules on the hex I'm now not able to add an addressed route by IP number for the LTE WAN (as it is dynamic). I need to input an interface name. This is not advised. Is this an issue?
7/ Are the filter rules on the LTE still of any use? Imagine the filtering is now all done in the hex.

Besides these questions I haven't got it running as it screws up my mangle rules on the hex.
Any clues ?
Rules below.

Cheers

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=output dst-port=37 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge new-connection-mark=WAN1_Conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge new-connection-mark=WAN2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_Conn \
in-interface=bridge new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=bridge new-routing-mark=to_WAN2 passthrough=no
add action=mark-connection chain=input in-interface=WAN1-Eolo \
new-connection-mark=WAN1_Conn passthrough=no
add action=mark-connection chain=input in-interface=WAN2-4G \
new-connection-mark=WAN2_conn passthrough=no
add action=mark-routing chain=output connection-mark=WAN1_Conn \
new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-address=78.134.90.31 \
dst-port=80 protocol=tcp to-addresses=192.168.88.200 to-ports=80
add action=masquerade chain=srcnat out-interface=WAN1-Eolo
add action=masquerade chain=srcnat out-interface=WAN2-4G
/ip route
add check-gateway=ping distance=1 gateway=WAN1-Eolo routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=WAN2-4G routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=WAN1-Eolo
add check-gateway=ping distance=2 gateway=WAN2-4G
 
SJB
just joined
Topic Author
Posts: 19
Joined: Sat Mar 16, 2019 7:56 pm

Re: Double NAT, LHG R (LTE) in front of hex

Sat Jan 04, 2020 11:18 am

Anyone, any clues?
 
Zacharias
Forum Guru
Posts: 1386
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Double NAT, LHG R (LTE) in front of hex

Sat Jan 04, 2020 7:46 pm

Anyone, any clues?
About what? Did the passthrough work?
 
SJB
just joined
Topic Author
Posts: 19
Joined: Sat Mar 16, 2019 7:56 pm

Re: Double NAT, LHG R (LTE) in front of hex

Mon Jan 06, 2020 6:55 pm

Passthrough is not working yet. As said, it works fine with a PC connected directly to the LHG LTE but not when attached to my hex host as WAN. It might be messed up by the mangle rules, as rules for this WAN have to point to a named interface versus an IP address, given the passthrough IP is dynamic. Could this be a reason? Worst case I'll just disable all rules and start from there.
 
SiB
Member
Posts: 367
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Double NAT, LHG R (LTE) in front of hex

Thu Jan 09, 2020 8:41 pm

Passthrough is not working yet. As said, it works fine with a PC connected directly to the LHG LTE but not when attached to my hex host as WAN. It might be messed up by the mangle rules, as rules for this WAN have to point to a named interface versus an IP address, given the passthrough IP is dynamic. Could this be a reason? Worst case I'll just disable all rules and start from there.
Check this post: viewtopic.php?f=2&t=154231&hilit=passthrough#p762369 which describes a passthrough with management.
MTCNA + MTCRE + MTCINE | ~600 users at ~150 RouterBoards in EMEA | Telegram: @SiB_PL
WinBox Tip: F6 works as ALT+TAB | Gliffy.com - free network schematic | prnt.sc - free ScreenShot software
I will be at MUMEUROPE Prague on 26-27 march 2020
 
Zacharias
Forum Guru
Posts: 1386
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Double NAT, LHG R (LTE) in front of hex

Thu Jan 09, 2020 10:22 pm

I don't really get why use VLANs for a simple passthrough...
The reason his setup is not working is most likely due to a misconfiguration...
 
SiB
Member
Posts: 367
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Double NAT, LHG R (LTE) in front of hex

Fri Jan 10, 2020 1:37 am

Zacharias
I don't really get why use VLANs for a simple passthrough...
When an SXTLTE3-7/LHGR with only one interface does a passthrough, then we lose connectivity via WinBox.
I use VLANs as a simple way to separate the passthrough interface from management, which can grab internet and provide internet for itself.
Of course we have RoMON, but you must have an additional device to use it, and you cannot connect a PC and the RoMON device directly (maybe in a future WinBox).

The reason his setup is not working is most likely due to a misconfiguration...
I agree.

@SJB
I'm also stuck a bit with the double NAT issue.
Provide us a /export from the hex, the client of the internet provided by the LHGR.

Passthrough is, simplified, the DHCP server that provides the IP address on a particular interface. This means the hex must have a DHCP client on the interface to the LHGR.

You should read more documentation at the MikroTik wiki, but... I'll write answers.
I'm working my way through the setup with a few questions remaining:
1/ on the LTE assume NAT: off,
With passthrough, NAT at the LHGR is not used.
In a normal config NAT is used.

2/ in the LTE APN setup: do NOT add default route.
WHY? In any setup you must add a default route. This can be done automatically or by hand, when you must use gateway=lte1 (it's not possible to give an IP here).

3/ Route list now shows ether 1 reachable on both the WAN (4G) dynamic address and the local ether1 address.
When? With what config? On what device? Re-write the question.
A normal setup gives you two routes in the LHGR. Passthrough mode now shows you any of the routes based at lte1.

4/ must the ether 1 address on the LTE be in a different range than the host hex? (Host hex has 192.168.88.0 and LTE now has 192.168.77.0)
What? The LTE interface means lte1, which gets an IP from your ISP. Please do not write about the LHGR as LTE, or use "LTE device".
This is so basic... the answer is YES and NO, it depends on what you plan to do.
In normal mode the LHGR can give you addressing, or only reach an IP address from your DHCP server.
The magic is in routing: where the access to 0.0.0.0/0 is, via the lte1 interface or maybe via an IP "shared" with the hex.
This is MikroTik ROS, you can do many things.

5/ Assume on the host hex the DHCP client needs to have default route added?
Meaning a client of the hex: yes, if you wish to share the IP address, DNS, DHCP options, gateway and maybe internet too. They must be connected too, and the device must have a working DHCP client.

6/ in my mangle rules on the hex I'm now not able to add an addressed route by IP number for the LTE WAN (as it is dynamic). I need to input an interface name. This is not advised. Is this an issue?
I'll pass on checking those, another time.
But please read, analyze, learn from this:
7/ Are the filter rules on the LTE still of any use? Imagine the filtering is now all done in the hex.
In a normal setup the firewall should protect you when you have a public IP at the lte1 interface.
In passthrough mode the firewall is not that important.
 
SJB
just joined
Topic Author
Posts: 19
Joined: Sat Mar 16, 2019 7:56 pm

Re: Double NAT, LHG R (LTE) in front of hex

Sun Jan 12, 2020 10:58 pm

Thanks Zacharias and SiB, I ploughed through the new insights and have got it working perfectly now.
I've stripped the LTE setup as much as possible, just plain passthrough.

The only thing of concern to me is my routing with respect to mangling on the hex, which was set up with static IPs. Given the passthrough, the relevant interface (4G) now has a dynamic address. I can't put a distance on this dynamic address. The static route with the interface name, however, still exists besides the dynamic route with the dynamic IP.
I haven't figured out how this affects my bandwidth balancing, or if it still works.
Both scripts enclosed for those interested.
Comments welcome.

Btw: super good advice on taking a look at the MUM presentation of Tomas Kirnak. I still have some issues with this but will post in a different thread.
 
SiB
Member
Posts: 367
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Double NAT, LHG R (LTE) in front of hex

Mon Jan 13, 2020 2:37 am

SJB
The only thing of concern to me is my routing with respect to mangling on the hex, which was set up with static IPs. Given the passthrough, the relevant interface (4G) now has a dynamic address. I can't put a distance on this dynamic address. The static route with the interface name, however, still exists besides the dynamic route with the dynamic IP.
I haven't figured out how this affects my bandwidth balancing, or if it still works.
Sorry, but I don't know what the question is.
First, you can change the dynamic route. Please play with this (it DISABLES the route that has distance=2):
/routing filter add chain=dynamic-in distance=2 prefix=0.0.0.0 prefix-length=0 scope=30 set-disabled=yes target-scope=10
WinBox > Routing > Filters - check and play, you can change distance/comment etc. automatically.

I hope this is the answer.
 
SJB
just joined
Topic Author
Posts: 19
Joined: Sat Mar 16, 2019 7:56 pm

Re: Double NAT, LHG R (LTE) in front of hex

Sat Jan 18, 2020 10:37 pm

Hi SiB, I've tried to play with the filter but don't quite understand what it actually does to get my dynamic gateway to distance 2 (which is needed for mangling).
Should I see any changes happening in the route list?
Please advise.
 
SiB
Member
Posts: 367
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Double NAT, LHG R (LTE) in front of hex

Mon Jan 20, 2020 11:50 am

Hi SiB, I've tried to play with the filter but don't quite understand what it actually does to get my dynamic gateway to distance 2 (which is needed for mangling).
Should I see any changes happening in the route list?
Please advise.
Doc: https://wiki.mikrotik.com/wiki/Manual:R ... ng_filters
Why: to change dynamic routes that are in the IP > Routes > Routes tab.

1) Find dynamic routes by: /routing filter add chain=dynamic-in
2) This specific selection can be used to find your dynamic route to change: distance=2 prefix=0.0.0.0 prefix-length=0 scope=30 target-scope=10
3) Do this change on the dynamic route, like: set-disabled=yes
and if you set one LTE APN to give a default route with distance=2, then the automatically created route will be disabled.

This is an example, but I write all these answers because you wrote:
Given the passthrough, the relevant interface (4G) now has a dynamic address. I can't put a distance on this dynamic address.
And all that stuff can help you with changing the policy of who can send traffic, and by which WAN.
Doing MultiWAN on the main router can be done in many ways. At the LHG R the best way is to use passthrough mode and do all the MultiWAN on the main router.
Again, the full howto is on
Bandwidth-based load-balancing with failover. This presentation also covers Mangle.
This was presented at the MUM (MikroTik User Meeting) in New Orleans, USA.
Tomas Kirnak - YouTube: https://www.youtube.com/watch?v=67Dna_ffCvc&t=1s
http://mum.mikrotik.com/presentations/US12/tomas.pdf
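A worked hex-side configuration for the passthrough WAN, added here as an illustration; it is not taken from the thread or from MikroTik's documentation. The interface name WAN2-4G, the routing mark to_WAN2 and the distances follow SJB's posted export; the dhcp-client options, the routing-filter alternative and the WAN interface-list membership are assumptions based on RouterOS v6 syntax.

```routeros
# Added example (not from the thread). Assumes RouterOS v6 on the hex and that the
# LHG R is already in passthrough mode, handing the public 4G address to WAN2-4G.

# Take the passed-through public IP by DHCP. The default route the client installs
# is given distance 2 right here, so it does not outrank the WAN1 default route
# (distance 1) and no later manipulation of the dynamic route is needed.
/ip dhcp-client
add interface=WAN2-4G add-default-route=yes default-route-distance=2 \
    use-peer-dns=no disabled=no

# Alternative (use one approach, not both): rewrite the dynamic default route as it
# arrives. This is SiB's filter, but with set-distance instead of disabling it.
/routing filter
add chain=dynamic-in prefix=0.0.0.0/0 prefix-length=0 set-distance=2

# The per-WAN routes the mangle routing marks point at, as in the posted export.
/ip route
add check-gateway=ping distance=1 gateway=WAN2-4G routing-mark=to_WAN2

# The interface now carries a public address, so it must be in the WAN list;
# otherwise the defconf rule "drop all from WAN not DSTNATed" (in-interface-list=WAN)
# does not cover traffic arriving on it. The input chain is already protected by
# "drop all not coming from LAN" (in-interface-list=!LAN) whatever the list holds.
/interface list member
add list=WAN interface=WAN2-4G

# Checks: the dynamic default route should be listed with distance 2 (active or
# backup depending on WAN1), and WAN2-4G should appear in the WAN list.
/ip route print where dst-address=0.0.0.0/0
/interface list member print where list=WAN
```

Interface-list membership is what makes the forward-chain drop apply; a WAN that carries a public IP but sits outside the list is reachable from the internet through the forward chain.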
