Hi guys, I'm also stuck a bit with the doubel NAT issue. I run a hex as main router which is fed by 2 WAN's (PCC load balancing). One WAN is configured in the hex being a PPPoE, that's the easy part which is scrnat-ed in the hex. The other WAN comes from a LHG R (LTE) dish. This unit itself runs Mikrotik OS in which I now also srcnat. It also has a different IP range from the main hex router. As such works OK through Romon I control them both. I'd like to get rid of the double NAT however for traffic over the 4G connection.
Hex runs IP range 192.168.88.0 Gate 192.168.88.1
LHG LTE has range 192.168.77.0 gate 192.168.77.1 (no DHCP server) WAN side in hex for this side has fixed IP 192.168.77.254
Assume I could setup some passthrough on the LTE, just passing on the dynamic IP from the 4G provider and NAT-ing this in the main hex instead ?
Re: Double NAT , LHG R (LTE) infront of hex
There is passthrough available on the LTE device, take a look here https://wiki.mikrotik.com/wiki/Manual:I ... gh_Example
Re: Double NAT , LHG R (LTE) infront of hex
I'm working my way trough the setup with a few questions remaining:
1/ on the LTE assume NAT: off,
2/ in the LTE APN setup: do NOT add default route.
3/ Route list now shows ether 1 reachable on both the the WAN (4g) dynamic address and the local ether1 address.
4/ must the ether 1 address on the LTE be in a different range as the Host hex ? (Host hex has 192.168.88.0 and LTE now has 192.168.77.0)
5 Assume on the host hex the DHCP client needs to have default route added ?
6/ in my mangle rules on hex I'm now not able to add a addressed route by IP number for the LTE wan (as dynamic). I need to input an interface name. This is not advised. Is this an issue.
7/ Are the filter rules on the LTE still of any use ? Imagine the filtering is now all done in the hex.
Besides these questions I haven't got it running as it screws up my mangle rules on the hex.
Any clues ?
Rules below.
Cheers
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=output dst-port=37 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge new-connection-mark=WAN1_Conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge new-connection-mark=WAN2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_Conn \
in-interface=bridge new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=bridge new-routing-mark=to_WAN2 passthrough=no
add action=mark-connection chain=input in-interface=WAN1-Eolo \
new-connection-mark=WAN1_Conn passthrough=no
add action=mark-connection chain=input in-interface=WAN2-4G \
new-connection-mark=WAN2_conn passthrough=no
add action=mark-routing chain=output connection-mark=WAN1_Conn \
new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-address=78.134.90.31 \
dst-port=80 protocol=tcp to-addresses=192.168.88.200 to-ports=80
add action=masquerade chain=srcnat out-interface=WAN1-Eolo
add action=masquerade chain=srcnat out-interface=WAN2-4G
/ip route
add check-gateway=ping distance=1 gateway=WAN1-Eolo routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=WAN2-4G routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=WAN1-Eolo
add check-gateway=ping distance=2 gateway=WAN2-4G
1/ on the LTE assume NAT: off,
2/ in the LTE APN setup: do NOT add default route.
3/ Route list now shows ether 1 reachable on both the the WAN (4g) dynamic address and the local ether1 address.
4/ must the ether 1 address on the LTE be in a different range as the Host hex ? (Host hex has 192.168.88.0 and LTE now has 192.168.77.0)
5 Assume on the host hex the DHCP client needs to have default route added ?
6/ in my mangle rules on hex I'm now not able to add a addressed route by IP number for the LTE wan (as dynamic). I need to input an interface name. This is not advised. Is this an issue.
7/ Are the filter rules on the LTE still of any use ? Imagine the filtering is now all done in the hex.
Besides these questions I haven't got it running as it screws up my mangle rules on the hex.
Any clues ?
Rules below.
Cheers
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=output dst-port=37 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge new-connection-mark=WAN1_Conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge new-connection-mark=WAN2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_Conn \
in-interface=bridge new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=bridge new-routing-mark=to_WAN2 passthrough=no
add action=mark-connection chain=input in-interface=WAN1-Eolo \
new-connection-mark=WAN1_Conn passthrough=no
add action=mark-connection chain=input in-interface=WAN2-4G \
new-connection-mark=WAN2_conn passthrough=no
add action=mark-routing chain=output connection-mark=WAN1_Conn \
new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-address=78.134.90.31 \
dst-port=80 protocol=tcp to-addresses=192.168.88.200 to-ports=80
add action=masquerade chain=srcnat out-interface=WAN1-Eolo
add action=masquerade chain=srcnat out-interface=WAN2-4G
/ip route
add check-gateway=ping distance=1 gateway=WAN1-Eolo routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=WAN2-4G routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=WAN1-Eolo
add check-gateway=ping distance=2 gateway=WAN2-4G
Re: Double NAT , LHG R (LTE) infront of hex
Anyone , any clues ?
Re: Double NAT , LHG R (LTE) infront of hex
About ? Did the passthrough worked ?Anyone , any clues ?
Re: Double NAT , LHG R (LTE) infront of hex
Passthrough is not working yet. As said works fine withpc direct connected to lhg lte but not when attached to my hex host as wan. Might be messed up by mangle rules, as rules for this WAN have to point to a named interface versus an ip address. Given the passthrough ip is dynamic. Could this be a reason? Worst case i’ll just disable all rules and start from there.
Re: Double NAT , LHG R (LTE) infront of hex
Check this post: viewtopic.php?f=2&t=154231&hilit=passthrough#p762369 who describe a passthtough with mgmt.Passthrough is not working yet. As said works fine withpc direct connected to lhg lte but not when attached to my hex host as wan. Might be messed up by mangle rules, as rules for this WAN have to point to a named interface versus an ip address. Given the passthrough ip is dynamic. Could this be a reason? Worst case i’ll just disable all rules and start from there.
Re: Double NAT , LHG R (LTE) infront of hex
I dont really get why use VLANs for a simple passthrough...
The reason his setup is not working is most likely to a missconfiguration...
The reason his setup is not working is most likely to a missconfiguration...
Re: Double NAT , LHG R (LTE) infront of hex
Zacharias
I use a vlans as simple way to separate passthrough interface from management who can grab internet and provide internet for himself.
Of course we have RoMON but you must have additional device to use it and you not connect directly PC and RoMON device (Maybe in future of WinBox).
.
.
.
@SJB
Passthrough is simplify the DHCP-Server who provide IP Address on particular interface. This mean the HEX must have got a DHCP-Client on interface with LHGR.
You should read more documentation at MikroTIk wiki but.. I write answers.
In normal config the NAT is used.
.
.
Normal setup give you two routes in LHGR. Passthrough mode now show you any of route's base at lte1.
.
This is so basic... answer is YES and NO, it depends what you plan to do.
In Normal mode at LHGR he can give you adressing, or reach ONLY IP address form your dhcp-server.
Magic is with route-ing, where is access to 0.0.0.0/0, via lte1 interface or maybe by IP "shared" with hex.
This is MikroTik ROS, you can do many stuff.
.
.
But please read, analyze, learn from this:
In Passthrough mode the firewall is not that important.
When SXTLTE3-7/LHGR with only one interface do a passthrough then we loose a connectivity via WinBox.I dont really get why use VLANs for a simple passthrough...
I use a vlans as simple way to separate passthrough interface from management who can grab internet and provide internet for himself.
Of course we have RoMON but you must have additional device to use it and you not connect directly PC and RoMON device (Maybe in future of WinBox).
.
I agree.The reason his setup is not working is most likely to a missconfiguration...
.
.
@SJB
Provide us a /export from HEX, the client of internet provided from LHGR.I'm also stuck a bit with the doubel NAT issue.
Passthrough is simplify the DHCP-Server who provide IP Address on particular interface. This mean the HEX must have got a DHCP-Client on interface with LHGR.
You should read more documentation at MikroTIk wiki but.. I write answers.
With Passthrough NAT at LHGR is not used.I'm working my way trough the setup with a few questions remaining:
1/ on the LTE assume NAT: off,
In normal config the NAT is used.
.
WHY? In any setup you must add default route. The way can be automatical or by hand when you must use a gateway=lte1 (It's not possible to give here IP)2/ in the LTE APN setup: do NOT add default route.
.
When? With what config? On what device. Re-Write the Question.3/ Route list now shows ether 1 reachable on both the the WAN (4g) dynamic address and the local ether1 address.
Normal setup give you two routes in LHGR. Passthrough mode now show you any of route's base at lte1.
.
What? LTE interface means lte1 reach IP from your ISP. Please not write about LHGR as LTE or use "LTE device".4/ must the ether 1 address on the LTE be in a different range as the Host hex ? (Host hex has 192.168.88.0 and LTE now has 192.168.77.0)
This is so basic... answer is YES and NO, it depends what you plan to do.
In Normal mode at LHGR he can give you adressing, or reach ONLY IP address form your dhcp-server.
Magic is with route-ing, where is access to 0.0.0.0/0, via lte1 interface or maybe by IP "shared" with hex.
This is MikroTik ROS, you can do many stuff.
.
Means a client of hex, yes if wish share IP address, DNS, Dhcp options, Gatewat and maybe internet too. They must be connected too and his device must have got a working dhcp-client.5 Assume on the host hex the DHCP client needs to have default route added ?
.
I Pass to check those, other time.6/ in my mangle rules on hex I'm now not able to add a addressed route by IP number for the LTE wan (as dynamic). I need to input an interface name. This is not advised. Is this an issue.
But please read, analyze, learn from this:
- Bandwidth-based load-balancing with failover. This presentation also covers Mangle.
This was presented at the MUM (MikroTik User Meeting) in New Orelans, USA.
Tomas Kirnak - YouTube: https://www.youtube.com/watch?v=67Dna_ffCvc&t=1s
http://mum.mikrotik.com/presentations/US12/tomas.pdf
In normal setup the Firewall should protect you when you have got a Public IP at lte1 interface.7/ Are the filter rules on the LTE still of any use ? Imagine the filtering is now all done in the hex.
In Passthrough mode the firewall is not that important.
Re: Double NAT , LHG R (LTE) infront of hex
Tks Zacharias and Sib I ploughed through new insights and have got it working perfectly now.
I'bve stripped the LTEsetup as much as possible, just plain passthrough.
Only thing to my concern is my routing with respect to mangling ; on the hex which was setup with static ip's. Given the passthrough the relevant interface (4G) now has a dynamic address. I can't put a distance on this dynamic address. The static route however with the interface name still exists besides the dynamic route with dynamic IP.
Haven't figured out how this affects my bandwith balancing= if it still works,
Both scripts enclosed for those interested..
Commens wellcome.
Btw : super good advice on taking a look at the Mum presentation of Tomas Kirnak. Still have some issues on this but will post in different thread,
I'bve stripped the LTEsetup as much as possible, just plain passthrough.
Only thing to my concern is my routing with respect to mangling ; on the hex which was setup with static ip's. Given the passthrough the relevant interface (4G) now has a dynamic address. I can't put a distance on this dynamic address. The static route however with the interface name still exists besides the dynamic route with dynamic IP.
Haven't figured out how this affects my bandwith balancing= if it still works,
Both scripts enclosed for those interested..
Commens wellcome.
Btw : super good advice on taking a look at the Mum presentation of Tomas Kirnak. Still have some issues on this but will post in different thread,
You do not have the required permissions to view the files attached to this post.
Re: Double NAT , LHG R (LTE) infront of hex
SJB
First, you can change the dynamic route. Please play with (this DISABLE route who have distance=2):
WinBox > Routing > Filters - check and play, you can change distance/comment etc. automatically
I hope this is answer.
Sorry But I don't know what is a question.Only thing to my concern is my routing with respect to mangling ; on the hex which was setup with static ip's. Given the passthrough the relevant interface (4G) now has a dynamic address. I can't put a distance on this dynamic address. The static route however with the interface name still exists besides the dynamic route with dynamic IP.
Haven't figured out how this affects my bandwith balancing= if it still works,
First, you can change the dynamic route. Please play with (this DISABLE route who have distance=2):
Code: Select all
/routing filter add chain=dynamic-in distance=2 prefix=0.0.0.0 prefix-length=0 scope=30 set-disabled=yes target-scope=10I hope this is answer.
Re: Double NAT , LHG R (LTE) infront of hex
Hi SiB I've tried to play with the filter but don't quite understand what it actually does to get my dynamic gateway to distance 2 (which is needed for mangling).
Should I see any changes happening in the route list?
Pls advise.
Should I see any changes happening in the route list?
Pls advise.
Re: Double NAT , LHG R (LTE) infront of hex
Doc: https://wiki.mikrotik.com/wiki/Manual:R ... ng_filtersHi SiB I've tried to play with the filter but don't quite understand what it actually does to get my dynamic gateway to distance 2 (which is needed for mangling).
Should I see any changes happening in the route list?
Pls advise.
Why: to change dynamic route who are in IP > Routes > Routes tab.
1) Found dynamic rules by : /routing filter add chain=dynamic-in
2) This specific selection can be used to found your dynamic route to change : distance=2 prefix=0.0.0.0 prefix-length=0 scope=30 target-scope=10
3) Do this change on dynamic route like : set-disabled=yes
and if you set to one LTE APN give default route with distance=2 then automatical created route will be disabled
This is example but all this answers I write because you write:
And all that stuff can you help with change of policy who and by what WAN can send traffic.Given the passthrough the relevant interface (4G) now has a dynamic address. I can't put a distance on this dynamic address.
Doing a MultiWan on main route can be done on many ways. At LHGR R the best ways is use passthrough mode and do all MultiWan on main router.
Again, full howto is on
Bandwidth-based load-balancing with failover. This presentation also covers Mangle.
This was presented at the MUM (MikroTik User Meeting) in New Orelans, USA.
Tomas Kirnak - YouTube: https://www.youtube.com/watch?v=67Dna_ffCvc&t=1s
http://mum.mikrotik.com/presentations/US12/tomas.pdf
Re: Double NAT , LHG R (LTE) infront of hex
Hello SiB. At LHGR R the best ways is use passthrough mode and do all MultiWan on main router.
how use passtrough with LHG R LTE to make load balancing ?
In PCC load balancing :
You have to make route to ping wan gateway but how make that if your gateway is dynamic and trough CGNAT (lte) ?
Actualy i can use PCC load balancing with fail over only with double NAT ?
ISP 1 => ROUTER 1 => 192.168.88.0/24 to ROUTER LOAD BALANCING
ISP 2 => ROUTER 2 => 192.168.1.0/24 to ROUTER LOAD BALANCING
not sur to be clear in my question ...
Re: Double NAT , LHG R (LTE) infront of hex
This is in documentation and I mention it few times now. Maybe I schould create new post with own All info about LTE modems.... tricks and other how to...how use passtrough with LHG R LTE to make load balancing ?
.
But PCC is not ping related but on firewall mangle and "per-connection-classifier=both-addresses-and-ports:3/2 action=mark-connection"In PCC load balancing :
You have to make route to ping wan gateway but how make that if your gateway is dynamic and trough CGNAT (lte) ?
Next that additional RouteTable should have a ping checking to be active.... .
WinBox > Routing > Filters > new rule with set-routing-mark=RouteTable-WANx and dynamic is not problem or by scripting you can do clone of any route to differ route tables.
.
But you should send to differ RouteTable-WANx who will be send connection... and you can have 10 and more ... ISP's.Actualy i can use PCC load balancing with fail over only with double NAT ?
ISP 1 => ROUTER 1 => 192.168.88.0/24 to ROUTER LOAD BALANCING
ISP 2 => ROUTER 2 => 192.168.1.0/24 to ROUTER LOAD BALANCING
.
Agree :) And should be new post :)not sur to be clear in my question ...
Re: Double NAT , LHG R (LTE) infront of hex
I don't know make routing filter...
Load balancing works good for me but with double nat and i would like make bridge mode or DMZ from isp routers to manage all on the MK router
exemple with 3 LTE connexion (download for each : 150/70/90)
Load balancing works good for me but with double nat and i would like make bridge mode or DMZ from isp routers to manage all on the MK router
exemple with 3 LTE connexion (download for each : 150/70/90)
You do not have the required permissions to view the files attached to this post.
Re: Double NAT , LHG R (LTE) infront of hex
This is a question?I don't know make routing filter...
If you receive some route from dynamic interface who are create because you use e.g. DHCP-CLIENT then you can change of policy of it in two places.
- directly in dhcp-client settings like /ip dhcp-client set add-default-route=yes default-route-distance=2
- Automatical created Route can be modify by /routing filter add chain=dynamic-in distance=2 prefix=0.0.0.0 prefix-length=0 scope=30 target-scope=10 set-disabled=no set-routing-mark=RouteTable--WANx
Re: Double NAT , LHG R (LTE) infront of hex
Thanks Sib, but i understand i'm very bad to explain the situation.
I do this drawing in attach file (I hope it's better to understand what i want)
i think my problem is on route :
i try to replace ip gateway in route list by "wan1" but internet works very slowly (sometime not) whith lots of page error on internet
Dst Adress : 0.0.0.0/0 Gateway wan1....
Thanks again for your help
I do this drawing in attach file (I hope it's better to understand what i want)
i think my problem is on route :
i try to replace ip gateway in route list by "wan1" but internet works very slowly (sometime not) whith lots of page error on internet
Dst Adress : 0.0.0.0/0 Gateway wan1....
Thanks again for your help
You do not have the required permissions to view the files attached to this post.
Re: Double NAT , LHG R (LTE) infront of hex
dad2312
.
About "i try to replace ip gateway in route list by "wan1" but" this works only with PtP tunnels and you must use dhcp-client with work with passthrough.
The SXTR/LHGR who use "passthrough mode" are just dhcp-server with his "Wan IP" giving it to your router.
Now you must receive this "WAN IP" as dhcp-client and add/create two route entry, one in @main and one in @RouteTeable--wan1.
This is normal and know problem with solution in documentation as always :) check this: Manual:IP/DHCP Client >> 6 Examples >> 6.1 Lease script example who add script to dhcp-client build-in feature.
That way when you receive IP from "ISP1" you can automatically add route into "main" and "to-wan1" and the same with ISP2 and your PCC will be works.
For you I modify the example and just create a dhcp-client at wan2 interface with this script:
and for interface wan1 just correct the one line:
If still some page have got offline and you must use F5 then please check stuff like MTU at incomming and outgoing way. Maybe just passthrough mode will fix this then I not write more about it now.
P.S. Where add script? In DHCP-Client configuration via WinBox, here:
Now it is perfect. You wait longer then normal :) This is when support is free but it's exist :). All in free time.Thanks Sib, but i understand i'm very bad to explain the situation.
I do this drawing in attach file (I hope it's better to understand what i want)
Thanks again for your help
.
About "whith lots of page error on internet" this is maybe the MTU problems but your main problem is not here. But we must ignore it for now.i think my problem is on route :
i try to replace ip gateway in route list by "wan1" but internet works very slowly (sometime not) whith lots of page error on internet
Dst Adress : 0.0.0.0/0 Gateway wan1....
About "i try to replace ip gateway in route list by "wan1" but" this works only with PtP tunnels and you must use dhcp-client with work with passthrough.
The SXTR/LHGR who use "passthrough mode" are just dhcp-server with his "Wan IP" giving it to your router.
Now you must receive this "WAN IP" as dhcp-client and add/create two route entry, one in @main and one in @RouteTeable--wan1.
This is normal and know problem with solution in documentation as always :) check this: Manual:IP/DHCP Client >> 6 Examples >> 6.1 Lease script example who add script to dhcp-client build-in feature.
That way when you receive IP from "ISP1" you can automatically add route into "main" and "to-wan1" and the same with ISP2 and your PCC will be works.
For you I modify the example and just create a dhcp-client at wan2 interface with this script:
Code: Select all
{
:local routemark "to-wan2"
:local count [/ip route print count-only where comment=$routemark]
:if ($bound=1) do={
:if ($count = 0) do={
/ip route add gateway=$"gateway-address" comment=$routemark routing-mark=$routemark
} else={
:if ($count = 1) do={
:local test [/ip route find where comment=$routemark]
:if ([/ip route get $test gateway] != $"gateway-address") do={
/ip route set $test gateway=$"gateway-address"
}
} else={
:error "Multiple routes found"
}
}
} else={
/ip route remove [find comment=$routemark]
}
}Now your LTE pasthrough device give you IP address who will be used in two route tables: main, to-wanX what give you a possibility to still use PCC or any other MultiWAN strategy.-:local routemark "to-wan2"
+:local routemark "to-wan1"
If still some page have got offline and you must use F5 then please check stuff like MTU at incomming and outgoing way. Maybe just passthrough mode will fix this then I not write more about it now.
P.S. Where add script? In DHCP-Client configuration via WinBox, here:
Re: Double NAT , LHG R (LTE) infront of hex
Thanks again SiB ! i have to be more patient....
I test that and i make a return on this post !
an other beer for SiB please !
I test that and i make a return on this post !
an other beer for SiB please !
Re: Double NAT , LHG R (LTE) infront of hex
ah ah ah !! oh oh oh !!
works great SiB !!
thank you again !!!
works great SiB !!
thank you again !!!