ayger
just joined
Topic Author
Posts: 10
Joined: Sun Nov 20, 2011 7:44 pm

Bridge NAT or...? Suggestions welcomed.

Thu Jan 22, 2015 4:13 pm

Hi all,

This is my first technical post, so bear with me. For sure it belongs to the category "Can it be done?"


I have an interesting installation in an NGO (Non-Government Organisation) where I've been struggling for the past few days, and I've run out of ideas.

Any suggestion is more than welcome.
I'm not looking for an A to Z solution, but rather directions and some enlightenment to accomplish the task.

I have the following layout:

[Image: network layout]

Location A consists of the following:

- No control over the gateway (192.168.1.1). The internet feed is free and the provider won't do any extra (re)configuration (in other words, that was the offer: take it or leave it)
- MikroTik address 192.168.1.2
- Lots of devices in the LAN served by DHCP from the gateway


Location B:
- MikroTik as router on the edge of the network
- Full access

Tasks:
- To create a VPN from site A to B through the existing internet feed without reconfiguring the whole network
(due to some port forwards, printer redirections, and an existing IPsec tunnel to site C which, of course, is not documented)


Steps so far:

I've connected the gateway (192.168.1.1) to the MikroTik and created a bridge in order not to interrupt normal usage of the network.

The VPN from site A to site B through gateway 192.168.1.1 is working as expected.

But in order for the VPN to be accessible from the clients, I have to set the MikroTik as the gateway, which is not desirable (several things will stop working). For the past two days I've been struggling with documentation and experimentation, but no luck.

Questions:
- Which is the best way to rewrite the gateway address in the case that the destination is the VPN'd subnet?
Through bridge NAT or simple L3 firewalling and NAT? Should I continue to have the two interfaces in a bridge? (What else?)



Thank you in advance,

A./
If ain't broken, dont fix it.
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: Bridge NAT or...? Suggestions welcomed.

Thu Jan 22, 2015 5:32 pm

Forget the 192.168.1.0/24 network. Put your own router in between and create another number range as the internal LAN. Treat this as your LAN and the old one as the WAN. Do NAT with masquerade. Then you can initiate the tunnel from it to your second location.
 
ayger
just joined
Topic Author
Posts: 10
Joined: Sun Nov 20, 2011 7:44 pm

Re: Bridge NAT or...? Suggestions welcomed.

Fri Jan 23, 2015 10:36 am

Not exactly the answer I was hoping for, but thanks anyway.
There's no chance to disable or reconfigure the 192.168.1.0/24 due to the number of devices (>120).

I will continue searching..
If ain't broken, dont fix it.
 
NathanA
Forum Veteran
Posts: 801
Joined: Tue Aug 03, 2004 9:01 am

Re: Bridge NAT or...? Suggestions welcomed.

Fri Jan 23, 2015 12:50 pm

I'm not sure why jarda's suggestion is unacceptable to you? In your reply, you said "no chance to reconfigure...due to number of devices", as if you would have to run around to each of the 120+ devices you mentioned one-by-one and reconfigure their network settings by hand or something, but you also said in your first post that "lots of devices in the LAN served by DHCP from gateway". So all you do is dismantle the bridge, create a new 192.168.2.0/24 (or whatever) LAN facing the devices on the network, run DHCP, and boom: all 120+ devices get a new IP automatically. Then your MikroTik is their gateway, and you can make routing decisions directly on the MikroTik.

If that is not acceptable for whatever reason, rather than trying to get clever with bridge filter and/or bridge NAT, you could probably get away with creatively using Hotspot to insert yourself into the conversation. The way I see this working is that you would do the same thing as described above (dismantle the bridge, create a separate 192.168.2.0/24 network and IP pool, and even create a masquerade rule for src-address=192.168.2.0/24 out-interface=WAN as you would normally do), but instead of running a DHCP server, you run a DHCP relay between the "WAN" side of your MikroTik and the "LAN". Then run Hotspot on the "LAN" using the 192.168.2.0/24 IP pool, but add a walled-garden IP whitelist for 0.0.0.0/0, effectively disabling Hotspot but still leaving the "universal client" feature of Hotspot enabled.

If this works, in theory, the devices on the LAN would send a DHCP request out, which would be relayed by the MikroTik back to the 192.168.1.1 router that you have no control over, ensuring that all devices continue to get their same 192.168.1.x IPs served to them (and of course any devices with IPs set statically would still be the same). When they try to ARP for 192.168.1.1, though, Universal Client on the MikroTik will respond instead, pretending that it is 192.168.1.1 even though it's not, allowing all traffic to be intercepted by the MikroTik and allowing it to control all routing decisions. Internally within Universal Client/Hotspot, the 192.168.1.x address from the device would be NATted to a 192.168.2.x address from the IP pool, and then NATted *back* to 192.168.1.x again by your masquerade rule before being sent on to the real 192.168.1.1 router.

I haven't tested this exact scenario, but I have pulled similar tricks with Universal Client in the past. It is a very handy and flexible feature. It is unfortunate that it was as tightly integrated with Hotspot as it was in RouterOS 2.9, whereas in 2.8 and older Hotspot and UC were decoupled and usable separately...you can still use it standalone, but it's just slightly more convoluted than before (you have to use the walled-garden trick).

-- Nathan
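The DHCP-relay plus Hotspot "universal client" scheme Nathan sketches, written out as RouterOS CLI commands. This is an added example, not configuration from the thread or from MikroTik, and it is untested just like the post above. Assumptions: ether1 faces the ISP gateway 192.168.1.1, ether2 faces the LAN, the existing bridge is called bridge1, site B is 192.168.10.0/24, and it is reached over an already-working VPN interface named vpn-siteB. Note one thing the post glosses over: the masquerade rule hides the 192.168.2.x pool behind the MikroTik's own 192.168.1.2, it does not restore each client's original 192.168.1.x address, so inbound port forwards from 192.168.1.1 need the per-host bindings discussed later in the thread. Also be clear about what universal client does: the router answers ARP for every address on ether2, which is exactly the gateway impersonation an ARP-spoofing attacker performs; nothing authenticates the MikroTik to the clients, so any other host on that segment doing the same thing can take the traffic away from it.

```routeros
# Added example, not from the thread. Assumed names: ether1 (towards the
# ISP gateway 192.168.1.1), ether2 (LAN), bridge1 (the old bridge),
# 192.168.10.0/24 (site B) and vpn-siteB (VPN interface, already up).

# 1. Dismantle the bridge so ether1 and ether2 become separate L3 interfaces.
/interface bridge port remove [find bridge=bridge1]
/interface bridge remove bridge1

# 2. "WAN" side keeps 192.168.1.2; "LAN" side gets the new 192.168.2.0/24.
#    The default route is only needed if it is not already there.
/ip address add address=192.168.1.2/24 interface=ether1 comment="towards ISP gateway"
/ip address add address=192.168.2.1/24 interface=ether2 comment="hotspot / universal client side"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1

# 3. Relay DHCP from the LAN to the ISP gateway instead of serving it locally,
#    so clients keep the 192.168.1.x leases they get from 192.168.1.1.
/ip dhcp-relay add name=relay-isp interface=ether2 dhcp-server=192.168.1.1 local-address=192.168.2.1 disabled=no

# 4. Hotspot on the LAN interface; the pool is what universal client maps each
#    foreign 192.168.1.x client address onto (one 192.168.2.x per host).
/ip pool add name=uc-pool ranges=192.168.2.2-192.168.2.254
/ip hotspot add name=uc interface=ether2 address-pool=uc-pool profile=default disabled=no

# 5. Walled garden for every destination: no login page is ever triggered,
#    only the universal-client address translation stays active.
/ip hotspot walled-garden ip add action=accept dst-address=0.0.0.0/0 comment="disable captive portal, keep UC"

# 6. Masquerade the pool behind 192.168.1.2 towards the ISP gateway, and send
#    site B over the VPN so the MikroTik makes that routing decision itself.
/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 out-interface=ether1 action=masquerade
/ip route add dst-address=192.168.10.0/24 gateway=vpn-siteB

# Checks: the 192.168.1.x -> 192.168.2.x mappings hotspot has created, and the
# dynamic NAT rules it inserted on your behalf.
/ip hotspot host print
/ip firewall nat print where dynamic=yes
```

After a client has sent some traffic, `/ip hotspot host print` should list its real 192.168.1.x address alongside the 192.168.2.x address it was given from uc-pool; if the hosts table stays empty, the clients are still ARPing the real gateway and the bridge was not fully removed. The open question from the post, whether the relayed DHCP exchange survives universal client, is best answered with `/ip dhcp-relay print stats` and a packet capture on ether2.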
 
ayger
just joined
Topic Author
Posts: 10
Joined: Sun Nov 20, 2011 7:44 pm

Re: Bridge NAT or...? Suggestions welcomed.

Fri Jan 23, 2015 1:02 pm

I said "not the answer I was hoping for", and maybe I didn't get right away what jarda meant at first glance.
You are right, it's a DHCP-served LAN with lots of static entries and port forwards that are beyond my control, and of course undocumented, unfortunately.
I will try to be creative now with hotspot idea ;)

Thanks,

A./
If ain't broken, dont fix it.
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

Re: Bridge NAT or...? Suggestions welcomed.

Fri Jan 23, 2015 1:13 pm

What about disposing of the actual router and putting yours there instead?
 
NathanA
Forum Veteran
Posts: 801
Joined: Tue Aug 03, 2004 9:01 am

Re: Bridge NAT or...? Suggestions welcomed.

Fri Jan 23, 2015 1:18 pm

Ah. Ensuring existing port-forwards continue to work is tougher. You will have to ensure that Universal Client always maps the same 192.168.2.x IP to each device (can't remember since it's been a while, but I *think* this is possible...basically, don't use an IP pool and just create a ton of static bindings), and then create individual dst-nat rules, one per IP (just run a script to bang them all out at once). So, for example, this should probably work (again, haven't tested):
# Static hotspot bindings: client 192.168.1.x is always translated to 192.168.2.x
[admin@MikroTik] > :for x from 2 to 254 do={/ip hotspot ip-binding add address=("192.168.1." . $x) to-address=("192.168.2." . $x)}

# Inbound traffic for 192.168.1.x (e.g. a port forward from the ISP gateway) is
# dst-nat'ed to the matching 192.168.2.x; a NAT rule matches on dst-address, not address
[admin@MikroTik] > :for x from 2 to 254 do={/ip firewall nat add chain=dstnat action=dst-nat dst-address=("192.168.1." . $x) to-addresses=("192.168.2." . $x)}
The one wildcard in this whole scheme is that I don't know if Hotspot/UC will screw with the DHCP relay or not.

Good luck,

-- Nathan
