kerya
just joined
Topic Author
Posts: 9
Joined: Sun Apr 19, 2020 9:31 pm

Nat of indirectly connected network

Fri Sep 03, 2021 6:26 pm

Example:
Client device (172.16.0.2/24) → (172.16.0.1/24) Mikrotik router without NAT (192.168.0.2/24) → (192.168.0.1/24) Mikrotik router with NAT (any globally routed address) → Internet
On the client device the default router is 172.16.0.1.
On the Mikrotik router without NAT the default router is 192.168.0.1.
Is it possible to make the Mikrotik router with NAT translate the client device's subnet (172.16.0.0/24) to the internet?
FreeBSD PF can do this. Is Mikrotik able to?

All routing is fine. NAT rules are present.

I can easily NAT the 192.168.0.0/24 subnet from my example on the Mikrotik router with NAT. How do I do this for 172.16.0.0/24?

I need masquerade for dynamic IPs.
Last edited by kerya on Wed Sep 22, 2021 2:51 am, edited 1 time in total.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Nat of indirectly connected network

Fri Sep 03, 2021 6:45 pm

Yes, you just need the correct routing & NAT rules in place.

Assuming 'Mikrotik router without nat' has a default route to 192.168.0.1, then on 'Mikrotik router with NAT' you need a static route for 172.16.0.0/24 to 192.168.0.2 and a suitable NAT rule. The one in the Mikrotik default configuration applies NAT to all forwarded traffic leaving via the WAN interface.
 
kerya
just joined
Topic Author
Posts: 9
Joined: Sun Apr 19, 2020 9:31 pm

Re: Nat of indirectly connected network

Wed Sep 22, 2021 2:54 am

Routing is fine, the NAT rule exists. Unfortunately, it doesn't work. Are you able to test it with 2 devices or in a CHR environment?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Nat of indirectly connected network

Wed Sep 22, 2021 12:08 pm

Default SRC-NAT rule

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

should be able to properly NAT anything going out via the WAN interface regardless of the src-address.

If you want to get some concrete advice, post text export of main router's configuration (execute /export hide-sensitive file=anynameyouwish in terminal, fetch resulting file, open it in text editor, obfuscate any remaining sensitive information such as public IP address or serial number, and copy-paste result inside [code] [/code] environment).
 
brianchrist
newbie
Posts: 44
Joined: Mon Feb 27, 2006 4:50 pm

Re: Nat of indirectly connected network

Wed Sep 22, 2021 12:15 pm

1. make sure you can ping the 192.168.0.1 from client device (172.16.0.2)
2. make sure your traceroute to the internet (e.g. 8.8.8.8) goes through 192.168.0.1
3. add NAT on 192.168.0.1 router
/ip firewall nat add action=masquerade chain=srcnat out-interface=<interface with public IP> src-address=172.16.0.0/24
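
The replies above name two things the router with NAT needs: a route back to 172.16.0.0/24 via 192.168.0.2 and a srcnat rule that matches that subnet. The following is an added example, not code from any poster or from MikroTik, that checks a text export for both. The sample export is constructed, and the checker assumes the usual `/menu` plus `add key=value` export layout and a plain IP gateway; it does not evaluate interface matchers or filter rules.

```python
import ipaddress
import shlex

# Constructed sample export for the 'router with NAT' (not taken from the thread).
SAMPLE_EXPORT = r"""
/ip route
add dst-address=172.16.0.0/24 gateway=192.168.0.2
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
"""

def parse_export(text):
    """Return {menu: [{key: value}, ...]} for every 'add' entry in an export."""
    menus, current = {}, None
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if line.startswith("/"):  # '/menu' alone or '/menu add key=value ...'
            current, sep, rest = line.partition(" add ")
            menus.setdefault(current, [])
            line = "add " + rest if sep else ""
        if line.startswith("add ") and current:
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus[current].append(dict(pairs))
    return menus

def within(net, value):
    """True if net lies inside the prefix in value; False if value is no prefix."""
    try:
        return net.subnet_of(ipaddress.ip_network(value, strict=False))
    except (ValueError, TypeError):
        return False

def check_indirect_nat(text, subnet, next_hop):
    """List what is missing for NAT of a subnet reached through next_hop."""
    net, menus, problems = ipaddress.ip_network(subnet), parse_export(text), []
    live = lambda entries: [e for e in entries if e.get("disabled") != "yes"]
    # Return path: replies must be routed back to the inner router.
    if not any(r.get("gateway") == next_hop and within(net, r.get("dst-address"))
               for r in live(menus.get("/ip route", []))):
        problems.append(f"no route for {subnet} via {next_hop}")
    # srcnat: a rule without src-address matches any source; one with it must cover the subnet.
    if not any(r.get("chain") == "srcnat" and r.get("action") in ("masquerade", "src-nat")
               and ("src-address" not in r or within(net, r["src-address"]))
               for r in live(menus.get("/ip firewall nat", []))):
        problems.append(f"no srcnat NAT rule matching {subnet}")
    return problems

if __name__ == "__main__":
    print(check_indirect_nat(SAMPLE_EXPORT, "172.16.0.0/24", "192.168.0.2") or "ok")
```

An empty result only means both entries exist in the export; it does not prove that packets reach the WAN interface or pass the forward filter.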

 
kerya
just joined
Topic Author
Posts: 9
Joined: Sun Apr 19, 2020 9:31 pm

Re: Nat of indirectly connected network

Fri Sep 24, 2021 3:10 pm

1. make sure you can ping the 192.168.0.1 from client device (172.16.0.2)
2. make sure your traceroute to the internet (e.g. 8.8.8.8) goes through 192.168.0.1
3. add NAT on 192.168.0.1 router
/ip firewall nat add action=masquerade chain=srcnat out-interface=<interface with public IP> src-address=172.16.0.0/24

This is exactly what was done. And it doesn't work. I am going to put my config here later.
