learnyee
newbie
Topic Author
Posts: 34
Joined: Fri May 20, 2016 8:55 pm

Next-hop and NAT

Mon Jun 14, 2021 7:42 am

Alright, I have a network that requires consolidation/revamp.

Assume I have 4 subnets, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24, all connected to Eth1-4 on a MikroTik device, with the GW of each subnet being 192.168.x.254/32.
Eth5 of this MikroTik device then connects to a firewall, e.g. Fortigate or Checkpoint, etc. This Eth5 has 4 VLANs with IPs 192.168.x.253 (each VLAN is bridged with Eth1-4 individually so it reaches the IP at the Fortigate), connecting to the Fortigate firewall at 192.168.x.252.

What I want to achieve:
1. When the traffic needs to be routed internally, e.g. 192.168.0.25 to 192.168.1.25, it would use the MikroTik device to perform the routing. No issue with that.
2. But when the internal traffic needs to go out to the internet, it would then forward the traffic to 192.168.x.252 without any NAT/MASQ (or set the next hop to 192.168.x.252) at the Fortigate firewall. The intention of doing this is to allow the firewall to do all the reporting and threat prevention, and to use all the security features on the Fortigate firewall. How can I achieve this? At the same time, the return traffic would traverse the same path: internet -> Fortigate firewall -> MikroTik -> device at its originating IP.
3. I don't foresee any issue if there is direct incoming traffic to the Fortigate firewall that requires DST-NAT to the internal IP, but I haven't really tried that yet.

Any help on this?

Lee
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Next-hop and NAT

Mon Jun 14, 2021 8:36 am

If you don't need any filtering of traffic between different subnets (which would require firewall rules), then you don't need 4 VLANs on the connection between mikrotik and fortigate. Instead you should use a fifth subnet for that connection. It can have a longer subnet mask if you wish, e.g. 192.168.5.0/30 with mikrotik having IP address 192.168.5.1, fortigate 192.168.5.2, network address 192.168.5.0 and broadcast address 192.168.5.3. Or you can use a standard /24 subnet for that; neither of the devices will care.

Then set a few static routes. On mikrotik it's easy: the only configured route is the default route via gw 192.168.5.2 (it will be able to communicate with all devices in all 5 connected subnets).
On fortigate you will need 4 static routes towards subnets 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 (since the four subnets are contiguous you can collapse them into 192.168.0.0/22, but you don't have to if you want to keep the config more readable; the performance hit will be negligible), all using mikrotik (at 192.168.5.1) as gateway ... that's in addition to whatever upstream gateway is used as default gateway.

BTW, be careful to use correct subnet masks when configuring IP addresses on mikrotik for individual LAN subnets ... you wrote it would have addresses 192.168.x.254/32 which is wrong, it should be /24 (or whatever other devices will have).
 
learnyee
newbie
Topic Author
Posts: 34
Joined: Fri May 20, 2016 8:55 pm

Re: Next-hop and NAT

Mon Jun 14, 2021 10:59 am

If you don't need any filtering of traffic between different subnets (which would require firewall rules), then you don't need 4 VLANs on the connection between mikrotik and fortigate. Instead you should use fifth subnet for that connection. It can have longer subnet mask if you wish, e.g. 192.168.5.0/30 with mikrotik having IP address 192.168.5.1, fortigate 192.168.5.2, network address 192.168.5.0 and broadcast address 192.168.5.3. Or you can use standard /24 subnet for that, neither of devices will care.
The reason I would want to use 4 VLANs to connect to the Fortigate is that I would not want to do the NAT on the MikroTik; the NAT would be done on the Fortigate when the traffic goes out to the internet.
Ideally, assume a device with IP 192.168.0.10 needs to access the internet; it would go 192.168.0.10 -> 192.168.0.254 (GW at MikroTik) -> 192.168.0.252 (sitting at the Fortigate, through the VLAN at MikroTik Eth5 connected to the same VLAN ID on the interface at the Fortigate) -> global NAT at Fortigate -> Internet. I seriously need to try this out since I have not done this before and am not sure whether it would work or not.

Based on your suggestion, it would be 192.168.0.10 -> 192.168.0.254 (GW at MikroTik) -> 192.168.5.2 (through 192.168.5.1 at MikroTik) -> global NAT at Fortigate -> Internet.
At this part [ -> 192.168.5.2 (through 192.168.5.1 at MikroTik) -> ], how would I do the NAT at MikroTik, just accept? I would want to retain the source IP so the Fortigate would be able to see and report on the traffic coming from the different subnets 192.168.x.0/24 instead of all from 192.168.5.1.


Lee
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Next-hop and NAT

Mon Jun 14, 2021 6:19 pm

If you follow your initial thought, you would easily run into some routing triangle problems. They would not necessarily cause any problems initially, but could cause issues that would be hard to track down.

If you follow my suggestion, then mikrotik would just route, nothing more (no firewall, no NAT). For example, trace from LAN device to internet server:
  1. LAN device sends packet towards internet server (e.g. 8.8.8.8). src-address=192.168.0.10 dst-address=8.8.8.8 via gw 192.168.0.254
  2. mikrotik: inspect packet headers and route. src-address=192.168.0.10 dst-address=8.8.8.8 via gw 192.168.5.2
  3. fortigate: inspect packet, run the firewall rules, perform src-nat. src-address=<your WAN IP addr.> dst-address=8.8.8.8 via gw <upstream gateway>

On the way back:
  1. packet gets delivered to WAN interface of fortigate. Fortigate inspects it, sees it is a return packet of an ongoing src-natted connection. Performs inverse src-nat. src-address=8.8.8.8 dst-address=192.168.0.10
  2. fortigate: consults its routing tables, sees that destination subnet is behind gateway 192.168.5.1. src-address=8.8.8.8 dst-address=192.168.0.10 via gw 192.168.5.1
  3. mikrotik: inspect packet headers and route. According to dst-address selects egress interface and directly delivers packet to destination
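The following is an added example, not code from the thread or from either vendor: a small Python model of the design mkx lays out in his earlier reply (MikroTik with /24 addresses on ether1-4, a 192.168.5.0/30 transit on ether5 and a single default route; FortiGate with four static routes back via 192.168.5.1 plus its own default route) that replays the six-step forward and return trace above. It does longest-prefix routing on both boxes, source-NATs only on the firewall, and shows two things the prose states but a reader may want to see: the FortiGate receives the original 192.168.0.10 source (so its logs and policies see per-subnet hosts, with nothing to "accept" or NAT on the MikroTik), and the /32 mask mkx warns about breaks the return path, because without a connected /24 the MikroTik sends the reply back out the default route to the firewall. The interface names ether1-5, port1/port2, the WAN address 203.0.113.10/24, the upstream gateway 203.0.113.1 and the DNS flow used as sample traffic are all assumptions; the RouterOS and FortiOS lines in the comments are the equivalent configuration, written from memory rather than taken from the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Router:
    """Plain router: connected subnets (from interface addresses) plus static routes."""
    name: str
    connected: Dict[str, Net]          # interface -> attached subnet
    statics: List[Tuple[Net, str]]     # (destination prefix, gateway)

    def lookup(self, dst: str) -> Tuple[str, str]:
        """Longest-prefix match. Returns (egress interface, next-hop address)."""
        d = ipaddress.ip_address(dst)
        best: Optional[Tuple[Net, Optional[str], Optional[str]]] = None
        for iface, net in self.connected.items():
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, None)
        for net, gw in self.statics:
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, None, gw)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        _, iface, gw = best
        if gw is None:
            return iface, dst                    # connected route: deliver directly
        for gw_iface, net in self.connected.items():   # gateway must be on a connected subnet
            if ipaddress.ip_address(gw) in net:
                return gw_iface, gw
        raise LookupError(f"{self.name}: gateway {gw} is not on a connected subnet")


@dataclass
class Firewall(Router):
    """Router that also source-NATs outbound flows behind wan_ip and keeps a conntrack table."""
    wan_ip: str = ""
    conntrack: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    next_port: int = 50000

    def snat(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.conntrack:
            self.conntrack[key] = self.next_port
            self.next_port += 1
        return Packet(self.wan_ip, p.dst, self.conntrack[key], p.dport)

    def unsnat(self, p: Packet) -> Packet:
        """Reverse the translation for a reply; anything without a conntrack entry is dropped."""
        for (src, sport, dst, dport), nport in self.conntrack.items():
            if (p.dst, p.dport, p.src, p.sport) == (self.wan_ip, nport, dst, dport):
                return Packet(p.src, src, p.sport, sport)
        raise LookupError(f"{self.name}: no conntrack entry, dropped")


def build(lan_prefixlen: int = 24) -> Tuple[Router, Firewall]:
    """lan_prefixlen=24 is mkx's design; 32 reproduces the /32 mistake he warns about."""
    # MikroTik (assumed RouterOS equivalent):
    #   /ip address add address=192.168.<i>.254/24 interface=ether<i+1>   (i = 0..3)
    #   /ip address add address=192.168.5.1/30 interface=ether5
    #   /ip route add dst-address=0.0.0.0/0 gateway=192.168.5.2
    lan = {f"ether{i + 1}": Net(f"192.168.{i}.254/{lan_prefixlen}", strict=False)
           for i in range(4)}
    mt = Router("mikrotik",
                connected={**lan, "ether5": Net("192.168.5.1/30", strict=False)},
                statics=[(Net("0.0.0.0/0"), "192.168.5.2")])
    # FortiGate (assumed FortiOS equivalent, one entry per LAN subnet plus the default):
    #   config router static
    #     edit 1 / set dst 192.168.0.0 255.255.255.0 / set gateway 192.168.5.1 / set device port2 / next
    #   end
    fg = Firewall("fortigate",
                  connected={"port2": Net("192.168.5.2/30", strict=False),
                             "port1": Net("203.0.113.10/24", strict=False)},   # assumed WAN
                  statics=[(Net(f"192.168.{i}.0/24"), "192.168.5.1") for i in range(4)]
                          + [(Net("0.0.0.0/0"), "203.0.113.1")],
                  wan_ip="203.0.113.10")
    return mt, fg


def trace(lan_prefixlen: int = 24) -> dict:
    """Walk one constructed DNS query from 192.168.0.10 to 8.8.8.8 and its reply."""
    mt, fg = build(lan_prefixlen)
    hops = []
    p = Packet("192.168.0.10", "8.8.8.8", 40000, 53)
    iface, nh = mt.lookup(p.dst)                 # MikroTik only routes: src-address untouched
    hops.append(("mikrotik", p.src, p.dst, iface, nh))
    seen_by_firewall = p.src                     # what the FortiGate logs and filters on
    p = fg.snat(p)                               # FortiGate applies the global NAT
    iface, nh = fg.lookup(p.dst)
    hops.append(("fortigate", p.src, p.dst, iface, nh))
    r = Packet("8.8.8.8", p.src, 53, p.sport)    # reply arrives on the WAN side
    r = fg.unsnat(r)                             # inverse src-nat restores 192.168.0.10
    iface, nh = fg.lookup(r.dst)                 # static route -> MikroTik at 192.168.5.1
    hops.append(("fortigate", r.src, r.dst, iface, nh))
    iface, nh = mt.lookup(r.dst)                 # connected /24 -> delivered on ether1
    hops.append(("mikrotik", r.src, r.dst, iface, nh))
    return {"seen_by_firewall": seen_by_firewall, "hops": hops}


if __name__ == "__main__":
    for hop in trace()["hops"]:
        print(hop)
    print("with /32 on the LAN ports the reply leaves the MikroTik via:", trace(32)["hops"][-1][3])
```

Running it prints the four hops of the trace; with `trace(32)` the last hop is ether5 towards 192.168.5.2 instead of ether1, which is the loop between the two boxes that the wrong mask would produce in practice.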
 
learnyee
newbie
Topic Author
Posts: 34
Joined: Fri May 20, 2016 8:55 pm

Re: Next-hop and NAT

Mon Jun 14, 2021 8:12 pm

Alright bro, that is clear and straightforward. Thanks for the help. I will test your solution soon.


Lee
