Gomo

1:1 NAT configuration

Sun Apr 14, 2024 8:31 pm

Hello all,

I have a 1:1 NAT related question. I've been trying to test it out at home as I will be moving a server to a DC and need to basically know how to do it before that happens. For those purposes I've created 2 new networks (10.30.30.0/29 and 10.30.40.0/29) which should represent two public IPv4 blocks which I will use there (of course, in the DC these will be outside of the RFC1918 range). I am using two MikroTik routers inside of my home network for this (as you'll see in the screenshots) and I can ping them from each side, but something seems to be missing. From MT R1 I can't ping 10.30.30.2, which is a device (Raspberry Pi) inside of the 1:1 NATed network. The Raspberry Pi has the address 192.168.88.254, which was assigned by MT R2's DHCP. What am I missing here?

1.png
MT-R1
MT-R1.png
MT-R2
MT-R2.png

MT-R2 export
# 2024-04-14 19:23:39 by RouterOS 7.12.1
# software id = JYVA-SF64
#
# model = RB760iGS
# serial number = HD50802B0EP
/interface bridge
add admin-mac=18:FD:74:AA:5A:C4 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# The Pi's 192.168.88.254 (the address the 1:1 NAT rules below are keyed on)
# lies inside this DHCP pool with a 10m lease; pin it with a static lease,
# otherwise the mapping silently breaks when the lease moves.
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# sfp1 is kept as a (disabled) bridge port while it also carries the L3
# addresses below and sits in the WAN list; cleaner to remove it from the
# bridge ports entirely so the port's L2/L3 role is unambiguous.
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# use-ipsec=yes (not required) together with the unconditional UDP/1701
# accept in the input chain means plain L2TP without IPsec is also accepted;
# use-ipsec=required plus ipsec-policy=in,ipsec on the 1701 rule tightens
# this -- verify against the RouterOS 7.12 docs before changing.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
# Both /29 blocks stand in for the future public ranges; only 10.30.30.2 is
# mapped by the NAT rules further down.
add address=10.30.30.1/29 interface=sfp1 network=10.30.30.0
add address=10.30.40.1/29 interface=sfp1 network=10.30.40.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=sfp1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for anything that
# reaches the input chain; only the "drop all not coming from LAN" input rule
# below keeps it LAN-only, so that rule must stay enabled once sfp1 is public.
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only new WAN connections that were NOT dst-nat'ed are dropped here; anything
# matched by a dstnat rule falls through to the implicit accept at the end of
# the chain, so it passes without a counter of its own.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
# 1:1 mapping for the Pi. The srcnat side is pinned to out-interface=sfp1, but
# the dstnat side has no in-interface, so it also rewrites LAN-originated
# traffic aimed at 10.30.30.2. netmap is meant for prefix-to-prefix mapping;
# with a single address on each side it should behave like src-nat/dst-nat
# (confirm in the RouterOS docs).
add action=netmap chain=srcnat out-interface=sfp1 src-address=192.168.88.254 to-addresses=10.30.30.2
add action=netmap chain=dstnat dst-address=10.30.30.2 to-addresses=192.168.88.254
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=\
    fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Your help would be appreciated!
 
vingjfg

Re: 1:1 NAT configuration

Sun Apr 14, 2024 8:55 pm

Can you share the config for R1?

Also, you use action netmap instead of srcnat/dstnat. Be sure to understand how netmap works as it has some subtleties.
 
Gomo

Re: 1:1 NAT configuration

Mon Apr 15, 2024 1:24 am

From my understanding "netmap" should be the fitting option here, only difference being that I use it for single IP translation and not networks. I tried with the same configuration using destination NAT, but nothing really changed.
netmap.png
As for the R1 config, I am not comfortable exporting / sharing it as it's my main router. Anything that I didn't share via screenshot, is not configured when it comes to this "lab" setup.
 
vingjfg

Re: 1:1 NAT configuration

Mon Apr 15, 2024 7:39 am

Sure thing.

If you look in r1, do you see an arp entry for 10.30.30.2?

If not, you need a host route in R2 for 10.30.30.2 that points to your Pi. You may have to set proxy-arp on the external interface as well; I can't remember whether it's needed.

If you need the commands, let me know.
 
abbio90

Re: 1:1 NAT configuration

Mon Apr 15, 2024 8:31 am

Netmap is used in overlapping cases by remapping 1:1 duplicated subnets onto virtual subnets. you can find an article of mine here where a small example is shown.
https://foisfabio.it/index.php/2023/04/ ... map-ipsec/

If you have to map the PC 192.168.88.254 1:1, assuming that 10.10.30.1 is a public IP, you must apply the rules in this way:
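# 1:1 NAT for a single host (adapt the addresses to your own /29):
# src-nat rewrites the PC's source to the public address on the way out,
# dst-nat rewrites the public address back to the PC on the way in.
# Parameter names must be exact: the action values are src-nat / dst-nat
# (srcnat / dstnat are the chain names) and the target is to-addresses=.
/ip firewall nat
add chain=srcnat src-address=192.168.88.254 action=src-nat to-addresses=10.10.30.1
add chain=dstnat dst-address=10.10.30.1 action=dst-nat to-addresses=192.168.88.254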
Obviously you can replace 10.10.30.1 with any IP from the /29 pool. I hope I understood the question well and gave you a correct answer.
 
Gomo

Re: 1:1 NAT configuration

Mon Apr 15, 2024 9:46 am

Thanks for the suggestions.

I did try "dst-nat" before I even tried "netmap" but I was getting the same results. I have disabled the netmap rules and configured what you suggested (except that I used 10.30.30.2 instead of 10.30.30.1, as the latter is assigned to MT R2).
dst-nat.png
10.30.30.2 is still not reachable.
 
abbio90

Re: 1:1 NAT configuration

Mon Apr 15, 2024 10:19 am

If 192.168.88.254 is a PC, disable its firewall or antivirus for testing.
In addition to ICMP, try to reach some service of 192.168.88.254 by calling it from 10.10.30.2.
 
Gomo

Re: 1:1 NAT configuration

Mon Apr 15, 2024 10:30 am

I did not mention it but of course the 192.168.88.254 is reachable from MT R2.
 
abbio90

Re: 1:1 NAT configuration

Mon Apr 15, 2024 11:35 am

Go to /ip firewall filter on router 2 and try disabling the drop rules one by one. Every time you disable one, clear the connection tracking table in /ip firewall connection and see whether it is a firewall problem. I see that you have the default configuration, so the drop !LAN rule will surely give you trouble.
 
Gomo

Re: 1:1 NAT configuration

Mon Apr 15, 2024 11:42 am

Disabling all "drop" FW rules (including the !LAN one) sadly didn't change anything.
 
vingjfg

Re: 1:1 NAT configuration

Mon Apr 15, 2024 12:32 pm

On R1.
/ip/arp/print
Do you have an entry for 10.30.30.2?

(If you posted it in the screenshot, can't see it, resolution is too low.)
 
Gomo

Re: 1:1 NAT configuration

Mon Apr 15, 2024 12:44 pm

Please right click on the image and "open image in new tab", it should show it in full size.
Or use this link for the last screenshot which I attached download/file.php?id=65961
 
vingjfg

Re: 1:1 NAT configuration

Mon Apr 15, 2024 12:48 pm

No ARP entry.

On R2:
# Host route on R2: tells the router that the "public" 10.30.30.2 lives behind
# the Pi on the bridge side. Pair it with a static DHCP lease for the Pi, since
# the gateway here is a DHCP-assigned address.
/ip/route/add dst-address=10.30.30.2/32 gateway=192.168.88.254
And try again
 
Gomo

Re: 1:1 NAT configuration

Mon Apr 15, 2024 12:59 pm

Did that, unfortunately no change. (download/file.php?id=65963)

route-entry.png
 
vingjfg

Re: 1:1 NAT configuration

Mon Apr 15, 2024 1:12 pm

But do you have an ARP entry for 10.30.30.2 on R1?
 
Gomo

Re: 1:1 NAT configuration

Mon Apr 15, 2024 2:44 pm

Same as before:
[admin@MikroTik] > ip/arp/print 
Flags: D - DYNAMIC; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
#    ADDRESS         MAC-ADDRESS        INTERFACE
0 DC 10.30.30.6      2C:C8:1B:03:CE:9C  sfp1     
1 DC 192.168.88.254  B8:27:EB:31:6A:60  bridge   
2 D  10.30.30.2                         sfp1     
I don't see why I would get an ARP entry for an IP which isn't configured on the device NIC.
There's an ARP entry for 192.168.88.254, as it is to be expected.
 
vingjfg

Re: 1:1 NAT configuration

Mon Apr 15, 2024 2:51 pm

Then on R2 you need to set the interface sfp for proxy-arp. You still need the route for 10.30.30.2/32 to 192.168.88.254.

Adapt the following line of code.
# proxy-arp makes R2 answer ARP requests on sfp1 for addresses it has a route
# to, not only its own (RouterOS proxy-arp semantics -- confirm in the docs);
# this is what lets R1 resolve 10.30.30.2. Keep the routes that point back
# through the bridge limited to the mapped hosts so the router only proxies
# the addresses it is meant to NAT.
/interface/ethernet/set [find name=sfp1] arp=proxy-arp
Note that sfp1 is still present in the bridge, while being used as a L3 interface.
 
Gomo

Re: 1:1 NAT configuration

Mon Apr 15, 2024 2:57 pm

After changing the suggested ARP setting for "sfp1" interface, things started to work.
[admin@MikroTik] > ip/arp/print 
Flags: D - DYNAMIC; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
#    ADDRESS         MAC-ADDRESS        INTERFACE
0 DC 192.168.88.254  B8:27:EB:31:6A:60  bridge   
1 DC 10.30.30.6      2C:C8:1B:03:CE:9C  sfp1     
Without adding the suggested route. So now I'm not sure if it's needed?
 
vingjfg

Re: 1:1 NAT configuration

Mon Apr 15, 2024 2:59 pm

By the looks of it, this is from R2. Do you have an ARP entry on R1 for 10.30.30.2?
 
Gomo

Re: 1:1 NAT configuration

Mon Apr 15, 2024 4:50 pm

I spoke a bit too soon. The ICMP does work, but for example SSH does not (no matter if the suggested route entry is there or not).
Yes, R1 does have an ARP entry now.

Do I need to enter the port range for my dst-nat rule? although, I thought leaving it empty would mean that all 65535 ports are included.

arp.png
 
vingjfg

Re: 1:1 NAT configuration

Mon Apr 15, 2024 4:59 pm

Not needed, but check whether the Pi has a firewall set locally.
 
Gomo

Re: 1:1 NAT configuration

Mon Apr 15, 2024 5:16 pm

The local firewall was disabled before testing. Does the highlighted log entry on R2 indicate anything?
 
vingjfg

Re: 1:1 NAT configuration

Mon Apr 15, 2024 5:21 pm

Both the host route and the proxy-arp are needed if you don't add a secondary IP to the interface. Adding a secondary IP is not my preferred solution but that's one that works.

Can you send a fresh export of the configuration on R2? There were a few changes and I lost track of which.
 
Gomo

Re: 1:1 NAT configuration

Tue Apr 16, 2024 12:15 am

Here's the current R2 config:
# 2024-04-15 23:10:36 by RouterOS 7.12.1
# software id = JYVA-SF64
#
# model = RB760iGS
# serial number = HD50802B0EP
/interface bridge
add admin-mac=18:FD:74:AA:5A:C4 auto-mac=no comment=defconf name=bridge
/interface ethernet
# proxy-arp makes R2 answer ARP on sfp1 for addresses it has a route to, not
# only its own (this is what gave R1 its ARP entry for 10.30.30.2). Keep the
# routes pointing back through the bridge limited to the mapped hosts so the
# router only proxies the addresses it is meant to NAT.
set [ find default-name=sfp1 ] arp=proxy-arp
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# .253 and .254 (the two 1:1 mapped hosts) sit inside this DHCP pool with a
# 10m lease; pin them with static leases or the NAT and route entries below
# silently break when the addresses move.
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# sfp1 is still a (disabled) bridge port while carrying the L3 addresses
# below and sitting in the WAN list; removing it from the bridge ports keeps
# its L2/L3 role unambiguous.
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.30.30.1/29 interface=sfp1 network=10.30.30.0
add address=10.30.40.1/29 interface=sfp1 network=10.30.40.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=sfp1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes plus the now-disabled "drop all not coming from
# LAN" input rule leaves this resolver reachable from sfp1 (the WAN list) --
# an open resolver once those addresses are public. Re-enable the input drop
# rules before that happens.
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Troubleshooting state: "drop invalid" (input and forward), "drop all not
# coming from LAN" and "drop all from WAN not DSTNATed" are all disabled=yes.
# The thread shows they were not the cause of the problem; re-enable all four
# before sfp1 carries real public addresses.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
# 1:1 pairs for the Pi (.254 <-> 10.30.30.2) and the USB web server
# (.253 <-> 10.30.30.3). Unlike the earlier netmap rule these src-nat rules
# carry no out-interface, so the rewrite also applies to traffic the hosts
# send toward non-WAN egress (e.g. the VPN clients in 192.168.89.0/24); the
# dst-nat rules likewise have no in-interface. out-interface-list=WAN and
# in-interface-list=WAN respectively scope them to the intended direction.
add action=src-nat chain=srcnat src-address=192.168.88.254 to-addresses=10.30.30.2
add action=dst-nat chain=dstnat dst-address=10.30.30.2 to-addresses=192.168.88.254
add action=src-nat chain=srcnat src-address=192.168.88.253 to-addresses=10.30.30.3
add action=dst-nat chain=dstnat dst-address=10.30.30.3 to-addresses=192.168.88.253
/ip route
# Host routes that the proxy-arp setting on sfp1 relies on. The default route
# toward 10.30.30.6 that R2 actually uses is missing from this export; the
# thread later attributes that to an export oddity rather than a missing route.
add dst-address=10.30.30.2/32 gateway=192.168.88.254
add dst-address=10.30.30.3/32 gateway=192.168.88.253
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I added / connected additional client in the R2's local bridge just to confirm that the local firewall on the client isn't an issue and could confirm that. I have a "usb web server" running on 192.168.88.253 (on port TCP/8080) which is NATed to 10.30.30.3 and when attempting to reach it from R1 network, 10.30.30.3:8080 is not accessible (no matter if all FW rules on R2 are disabled or in the state which is visible in the exported config). But when attempting to reach it from R2 network, 192.168.88.253:8080 is accessible.
 
vingjfg

Re: 1:1 NAT configuration

Tue Apr 16, 2024 8:16 am

Almost there.
  • Bridge bridge: interface sfp1 is part of the bridge while being used as a L3 interface later. This can lead to issues, especially since bridge and sfp1 are in different interface lists.
  • Firewall chain forward: your natted traffic will go through the default rule and will not show in the stats. Add specific rules to track that.
  • Routing table: you have a dns of 1.1.1.1 set but no way to reach it. Add a default route.
Note that there was nothing in the config that I saw that could, alone, explain why that's not working. Possible paths forward are:
  • Check that all the hosts on 192.168.88.0/24 got their IP from DHCP or have the correct default route.
  • Check they don't have a specific route for 10.30.30.0/24 or any other network through a different router.
  • Check that there is no other 192.168.88.1 on the same network.
After the changes, you should see the counters for the NAT and FILTER rules increment when you make attempts. This will tell you that things are getting through. If that's the case and it still doesn't work, send me:

From the PI:
ip neigh
ip route
ip link
From the Mikrotik:
/interface/print
/ip/arp/print
To fix the points I made earlier, here are the commands. Stop here if you want to give a shot by yourself.
# Remove sfp1 from the bridge ports
/interface/bridge/port
remove [ find interface=sfp1 ]

# Add a default route
# (the thread later reports R2 already had this route and it was merely
# missing from the export)
/ip/route 
add dst-address=0.0.0.0/0 gateway=10.30.30.6

# Add rules to "see" traffic coming from outside
# These accept rules make explicit (and countable) what the defconf forward
# chain already lets through: new WAN connections that were dst-nat'ed are not
# matched by "drop all from WAN not DSTNATed" and reach the implicit accept at
# the end of the chain. If only these services should be reachable from
# outside, follow them with a final drop rule in chain=forward for
# connection-nat-state=dstnat in-interface-list=WAN.
/ip/firewall/filter
add action=accept chain=forward comment="Permit ICMP from WAN to LAN for natted addresses" \
       connection-nat-state=dstnat disabled=no in-interface-list=WAN protocol=icmp

add action=accept chain=forward comment="Permit SSH from WAN to LAN for Pi" \
       connection-nat-state=dstnat disabled=no in-interface-list=WAN protocol=tcp \
       dst-port=22 dst-address=192.168.88.254
       
add action=accept chain=forward comment="Permit HTTP from WAN to LAN for USB Srv" \
       connection-nat-state=dstnat disabled=no in-interface-list=WAN protocol=tcp \
       dst-port=8080 dst-address=192.168.88.253
              
 
Gomo

Re: 1:1 NAT configuration

Tue Apr 16, 2024 9:15 am

Now looking at the config export, I have no clue why, but things clearly didn't get exported properly. There is a default route to 10.30.30.6 yet the config export didn't show it. I re-added it and now it shows in the export... strange.

Clients in 10.30.30.2 and 10.30.30.3 do have internet access (+DNS) & did yesterday as well. Default route was not the issue. I think I might be missing something on R1 or there's still some NAT issue on R2.

Clients in R1 network can ping R2 clients, and other way around as well. It's just when it comes to R1 client reaching R2 client via some specific port that it doesn't work (example http via TCP/8080).

Removing SFP1 from the bridge didn't visibly change anything, but if it's not meant to be part of it, I'll keep it that way.
Adding suggested "accept" FW rules confirms traffic flowing as expected & tracks it.
 
vingjfg

Re: 1:1 NAT configuration

Tue Apr 16, 2024 9:29 am

OK.

On the pi, can you send me the output of the following?
ip neigh
ip route
ip link
sudo ufw status
In R1, when 192.168.88.254 (pi) accesses the Internet, do you see the connections from 192.168.88.254? Or from 10.30.30.2? From 192.168.88.253, there is no srcnat yet so you must see the original IP, correct?
 
Gomo

Re: 1:1 NAT configuration

Tue Apr 16, 2024 9:45 am

root@rpi3:~# ip neighbor
192.168.100.44 dev wlan0 lladdr d2:10:ab:b3:ae:29 STALE
192.168.100.53 dev wlan0 lladdr 1a:74:79:65:61:ba STALE
192.168.100.2 dev wlan0 lladdr b2:40:c8:09:7d:ad STALE
192.168.100.31 dev wlan0 lladdr 36:b1:f6:83:25:5f STALE
192.168.100.65 dev wlan0 lladdr de:fb:3c:3e:d4:30 STALE
192.168.88.252 dev eth0 lladdr 08:9e:01:ec:24:de STALE
192.168.100.1 dev wlan0 lladdr 2c:c8:1b:03:ce:94 STALE
192.168.88.1 dev eth0 lladdr 18:fd:74:aa:5a:c4 STALE
192.168.100.10 dev wlan0 lladdr 24:4b:fe:5b:9e:4e REACHABLE
You are seeing devices from 192.168.100.0/24 as the Pi has WiFi enabled and is connected to R1 with WiFi and R2 with LAN (this is not an issue as I had USB webserver running on 192.168.88.253 == 10.30.30.3, which was only connected with LAN to R2 and same issue could be observed)
root@rpi3:~# ip route
default via 192.168.88.1 dev eth0 proto dhcp src 192.168.88.254 metric 202
default via 192.168.100.1 dev wlan0 proto dhcp src 192.168.100.51 metric 303
192.168.88.0/24 dev eth0 proto dhcp scope link src 192.168.88.254 metric 202
192.168.100.0/24 dev wlan0 proto dhcp scope link src 192.168.100.51 metric 303
root@rpi3:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether b8:27:eb:31:6a:60 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DORMANT group default qlen 1000
    link/ether b8:27:eb:64:3f:35 brd ff:ff:ff:ff:ff:ff
root@rpi3:~# ufw status
Status: inactive
When Pi is accessing internet R1 sees it coming from 10.30.30.2.
R1-torch.png
 
vingjfg

Re: 1:1 NAT configuration

Tue Apr 16, 2024 10:42 am

So the Pi may be a special case. Let's focus on the USB Server then.

Currently, only destination NAT is defined - can you look what happens when you try to connect to it from a computer (not the Pi) on your WIFI: torch or packet capture on R1 and R2 - R1 should see 10.30.30.3 and 192.168.100.xx, R2 on the bridge should see 192.168.88.253/192.168.100.xx - Can you see if you have traffic going both ways when you try to establish a connection?
