
 
learnyee
newbie
Topic Author
Posts: 31
Joined: Fri May 20, 2016 8:55 pm

Need Help on NAT on WAN link with Multiple Public IP

Mon May 07, 2018 5:41 pm

OK, I am currently working on a case with a WAN link with multiple public IPs, e.g. 1.2.3.x/29, which leaves me with 1.2.3.x1-1.2.3.x5 as usable public IPs.

Now I need to:

1. DEST Port NAT traffic from 0.0.0.0/0 to 1.2.3.x1 port 80, 443 to an Internal Server IP
2. All full IP DEST NAT Traffic from 0.0.0.0/0 to 1.2.3.x2 to another internal IP
3. And so on.....

How do I construct the NAT rules so that when the traffic returns, it gets SRC NATed to the correct public IP?

PS: The situation gets more complicated with 2 WAN links and PPPoE dialup with multiple public IPs, but I think I will ask about that in another thread.
 
Sob
Forum Guru
Posts: 4628
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Help on NAT on WAN link with Multiple Public IP

Mon May 07, 2018 5:51 pm

Just add dstnat rules and let connection tracking do its magic; it will work automatically. You only need to set up srcnat rules for connections initiated from internal servers to the internet.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Need Help on NAT on WAN link with Multiple Public IP

Mon May 07, 2018 8:08 pm

If the final addresses are public then you don’t need NAT.

The “LAN” devices simply become static IP routing through the router's “LAN” address.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
learnyee
newbie
Topic Author
Posts: 31
Joined: Fri May 20, 2016 8:55 pm

Re: Need Help on NAT on WAN link with Multiple Public IP

Tue May 08, 2018 4:23 am

If the final addresses are public then you don’t need NAT.

The “LAN” devices simply become static IP routing through the router's “LAN” address.
Erm... don't quite get that.

How do you route through the router without any NAT, as all the servers have internal IPs, sitting behind the LAN interface, and the WAN interface has another set of public IPs?
 
Sob
Forum Guru
Posts: 4628
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Help on NAT on WAN link with Multiple Public IP

Tue May 08, 2018 10:52 pm

For your dstnat rules, you need something like this:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.2.3.x1 dst-port=80,443 protocol=tcp to-addresses=<internal server 1>
add action=dst-nat chain=dstnat dst-address=1.2.3.x2 to-addresses=<internal server 2>
And it would work correctly for incoming connections (clients would be able to connect to e.g. 1.2.3.x1:80) even if you had only this in srcnat:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=<WAN>
For outgoing connections, it would still work, i.e. processes running on the server would be able to connect to resources on the internet, but all would use the same source address (1.2.3.xx). Some people use it like this and it's ok according to them. Others (myself included) prefer servers to use the same outgoing address as incoming. For that, just replace masquerade with:
/ip firewall nat
add action=src-nat chain=srcnat src-address=<internal server 1> to-addresses=1.2.3.x1
add action=src-nat chain=srcnat src-address=<internal server 2> to-addresses=1.2.3.x2
add action=src-nat chain=srcnat to-addresses=1.2.3.x5 comment="everything else not covered by previous rules"
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Need Help on NAT on WAN link with Multiple Public IP

Wed May 09, 2018 10:11 pm

If the final addresses are public then you don’t need NAT.

The “LAN” devices simply become static IP routing through the router's “LAN” address.
Erm... don't quite get that.

How do you route through the router without any NAT, as all the servers have internal IPs, sitting behind the LAN interface, and the WAN interface has another set of public IPs?
If the router has a public IP of 1.1.1.2/24 on its “WAN” interface and you have been given the public addresses 2.2.2.0/29 (the “WAN” address is irrelevant to you, as the ISP only uses it to route to your subnet):
Create a bridge (effectively the LAN side of your router) with IP 2.2.2.1/29.
Connect the servers to what would effectively be your local network.
Assign 2.2.2.2-2.2.2.5 to the servers with a gateway of 2.2.2.1 and you do not need NAT. This only works if you have all public IPs.

Unless I am reading your OP wrong?
You have a public IP and then a routed subnet?

I know my above approach works in certain situations without NAT, as I have recently set 2 customers up like this on CCR and RB3011 devices.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
Sob
Forum Guru
Posts: 4628
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Help on NAT on WAN link with Multiple Public IP

Wed May 09, 2018 11:22 pm

For the record, I'm working with the "whole /29 on WAN" scenario and honoring the request for dstnat. If the /29 is routed, then the config without NAT described by Steveocee may be a better solution.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
samsung172
Forum Guru
Posts: 1186
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: Need Help on NAT on WAN link with Multiple Public IP

Wed May 09, 2018 11:34 pm

Just add dst-nat, with dst-address and port to fit your needs, and action dst-nat to your internal IP with the correct port. Also add the correct protocol, TCP/UDP etc.

Let's say you have 2 web servers at 10.10.10.1 and 10.10.10.2, and you have the public IPs 100.100.100.1 and 100.100.100.2. You want each internal web server to respond on one IP each. This would be the ruleset:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=100.100.100.1 dst-port=80 protocol=tcp to-addresses=10.10.10.1 to-ports=80
add action=dst-nat chain=dstnat dst-address=100.100.100.2 dst-port=80 protocol=tcp to-addresses=10.10.10.2 to-ports=80

add chain=srcnat out-interface=internet src-address=10.10.10.1 action=src-nat to-addresses=100.100.100.1 to-ports=0-65535
add chain=srcnat out-interface=internet src-address=10.10.10.2 action=src-nat to-addresses=100.100.100.2 to-ports=0-65535
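How the dstnat/srcnat rule sets posted by Sob and samsung172 above behave once connection tracking is involved, as an added example that is not code from the thread or from RouterOS: a small Python model of the two NAT chains plus a conntrack table, run against Sob's masquerade-only srcnat and his per-server src-nat variant. The addresses are constructed (1.2.3.1-1.2.3.5 stand in for 1.2.3.x1-x5, 1.2.3.6 is assumed to be the router's own WAN address, 10.0.0.0/24 the LAN, and clients sit in RFC 5737 documentation space); the model deliberately ignores port rewriting, timeouts and the filter chains.

```python
# Added example, not code from the thread or from RouterOS: a toy model of how
# the dstnat and srcnat chains interact with connection tracking, run against
# Sob's two srcnat variants. All addresses are constructed: 1.2.3.1-1.2.3.5
# stand in for 1.2.3.x1-x5, 1.2.3.6 is the router's own WAN address,
# 10.0.0.0/24 is the LAN and the clients use RFC 5737 documentation space.
import ipaddress
from collections import namedtuple

# A packet is just its 5-tuple; being a tuple it doubles as the conntrack key.
Packet = namedtuple("Packet", "proto src sport dst dport")
# dst_ports=None matches every port ("full IP" DNAT), protocol=None any protocol.
DstNatRule = namedtuple("DstNatRule", "dst_address to_address dst_ports protocol",
                        defaults=(None, None))
# to_address=None models action=masquerade; src_address=None is a catch-all rule.
SrcNatRule = namedtuple("SrcNatRule", "to_address src_address", defaults=(None,))


class Router:
    def __init__(self, wan, lan, dstnat, srcnat):
        wan_if = ipaddress.ip_interface(wan)  # e.g. "1.2.3.6/29"
        self.wan_address, self.wan_net = str(wan_if.ip), wan_if.network
        self.lan = ipaddress.ip_network(lan)
        self.dstnat, self.srcnat = list(dstnat), list(srcnat)
        # Connection tracking: the original-direction and the reply-direction
        # 5-tuple of each known connection map to the rewritten packet, so an
        # established connection never consults the NAT chains again.
        self.conntrack = {}

    def out_interface(self, dst):
        ip = ipaddress.ip_address(dst)
        if ip in self.lan:
            return "LAN"
        return "local" if ip in self.wan_net else "WAN"  # local: router itself

    def _dstnat(self, p):
        # chain=dstnat: the first matching rule rewrites the destination.
        for r in self.dstnat:
            if r.dst_address != p.dst:
                continue
            if r.protocol is not None and r.protocol != p.proto:
                continue
            if r.dst_ports is not None and p.dport not in r.dst_ports:
                continue
            return p._replace(dst=r.to_address)
        return p  # no rule matched: the packet stays addressed to the router

    def _srcnat(self, p):
        # chain=srcnat: only evaluated for packets routed out via the WAN.
        if self.out_interface(p.dst) != "WAN":
            return p
        for r in self.srcnat:
            if r.src_address is not None and r.src_address != p.src:
                continue
            return p._replace(src=r.to_address or self.wan_address)
        return p

    def forward(self, p):
        known = self.conntrack.get(p)
        if known is not None:
            return known  # established: conntrack replays the stored rewrite
        out = self._srcnat(self._dstnat(p))  # new connection: dstnat, route, srcnat
        self.conntrack[p] = out
        # The reply is addressed to the translated tuple and is mapped back to
        # the original one (swapped): this restores the right public source
        # address without any srcnat rule naming that server.
        reply_in = Packet(p.proto, out.dst, out.dport, out.src, out.sport)
        reply_out = Packet(p.proto, p.dst, p.dport, p.src, p.sport)
        self.conntrack[reply_in] = reply_out
        return out


# Sob's dstnat rules: 1.2.3.x1 ports 80/443 -> server 1, all of 1.2.3.x2 -> server 2
DSTNAT = [
    DstNatRule("1.2.3.1", "10.0.0.1", frozenset({80, 443}), "tcp"),
    DstNatRule("1.2.3.2", "10.0.0.2"),
]
MASQUERADE_ONLY = [SrcNatRule(None)]
PER_SERVER_SRCNAT = [
    SrcNatRule("1.2.3.1", "10.0.0.1"),
    SrcNatRule("1.2.3.2", "10.0.0.2"),
    SrcNatRule("1.2.3.5"),  # everything else not covered by previous rules
]


def inbound(public_ip, dport, srcnat):
    """Internet client -> public_ip:dport. Returns (host the packet reaches,
    source address the client sees in the reply)."""
    r = Router("1.2.3.6/29", "10.0.0.0/24", DSTNAT, srcnat)
    delivered = r.forward(Packet("tcp", "203.0.113.10", 51000, public_ip, dport))
    reply = r.forward(Packet("tcp", delivered.dst, dport, "203.0.113.10", 51000))
    return delivered.dst, reply.src


def outbound(server, srcnat):
    """Internal server -> internet. Returns the public source the remote sees."""
    r = Router("1.2.3.6/29", "10.0.0.0/24", DSTNAT, srcnat)
    out = r.forward(Packet("tcp", server, 40000, "198.51.100.5", 443))
    back = r.forward(Packet("tcp", "198.51.100.5", 443, out.src, 40000))
    assert back.dst == server  # the answer is de-NATed to the right server
    return out.src
```

Calling `inbound("1.2.3.1", 80, MASQUERADE_ONLY)` returns `("10.0.0.1", "1.2.3.1")`: the reply leaves with source 1.2.3.1 although no srcnat rule mentions server 1, which is Sob's point about connection tracking. `outbound("10.0.0.1", ...)` is where the two srcnat variants differ (1.2.3.6 under masquerade, 1.2.3.1 with the per-server rule, 1.2.3.5 for any host the catch-all picks up), and a port no dstnat rule covers, e.g. `inbound("1.2.3.1", 22, ...)`, stays addressed to the router itself, so the filter chains still decide what is reachable there.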
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Need Help on NAT on WAN link with Multiple Public IP

Thu May 10, 2018 10:48 am

For the record, I'm working with the "whole /29 on WAN" scenario and honoring the request for dstnat. If the /29 is routed, then the config without NAT described by Steveocee may be a better solution.
Between the pair of us the OP has the answer :D
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
CZFan
Forum Guru
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Need Help on NAT on WAN link with Multiple Public IP

Thu May 10, 2018 2:45 pm


If the router has a public IP of 1.1.1.2/24 on its “WAN” interface and you have been given the public addresses 2.2.2.0/29 (the “WAN” address is irrelevant to you, as the ISP only uses it to route to your subnet):
Create a bridge (effectively the LAN side of your router) with IP 2.2.2.1/29.
Connect the servers to what would effectively be your local network.
Assign 2.2.2.2-2.2.2.5 to the servers with a gateway of 2.2.2.1 and you do not need NAT. This only works if you have all public IPs.

Unless I am reading your OP wrong?
You have a public IP and then a routed subnet?

I know my above approach works in certain situations without NAT, as I have recently set 2 customers up like this on CCR and RB3011 devices.

If I may ask here, and it might be a very stupid question.

Let's say I am an ISP, a good one 'cause I only use MikroTik :D

I want to route subnet 2.2.2.0/29 to my client that already has 1.1.1.0/29. How will I do this on MikroTik?

Is it as simple as just adding an additional IP from 2.2.2.0/29 on my router interface (client's gateway 1.1.1.1/29), or is there more to it?

EDIT: BTW, I am also asking so anav doesn't have to :D
MTCNA, MTCTCE, MTCRE & MTCINE
 
learnyee
newbie
Topic Author
Posts: 31
Joined: Fri May 20, 2016 8:55 pm

Re: Need Help on NAT on WAN link with Multiple Public IP

Thu May 10, 2018 4:35 pm

/ip firewall nat
add action=src-nat chain=srcnat src-address=<internal server 1> to-addresses=1.2.3.x1
add action=src-nat chain=srcnat src-address=<internal server 2> to-addresses=1.2.3.x2
add action=src-nat chain=srcnat to-addresses=1.2.3.x5 comment="everything else not covered by previous rules"
I actually did the 1st part of it, the DST-NAT and the MAS part; the 2nd part above opens up more options for me to tweak the SRC-NAT.
 
learnyee
newbie
Topic Author
Posts: 31
Joined: Fri May 20, 2016 8:55 pm

Re: Need Help on NAT on WAN link with Multiple Public IP

Thu May 10, 2018 4:42 pm

If the final addresses are public then you don’t need NAT.

The “LAN” devices simply become static IP routing through the router's “LAN” address.
Erm... don't quite get that.

How do you route through the router without any NAT, as all the servers have internal IPs, sitting behind the LAN interface, and the WAN interface has another set of public IPs?
If the router has a public IP of 1.1.1.2/24 on its “WAN” interface and you have been given the public addresses 2.2.2.0/29 (the “WAN” address is irrelevant to you, as the ISP only uses it to route to your subnet):
Create a bridge (effectively the LAN side of your router) with IP 2.2.2.1/29.
Connect the servers to what would effectively be your local network.
Assign 2.2.2.2-2.2.2.5 to the servers with a gateway of 2.2.2.1 and you do not need NAT. This only works if you have all public IPs.

Unless I am reading your OP wrong?
You have a public IP and then a routed subnet?

I know my above approach works in certain situations without NAT, as I have recently set 2 customers up like this on CCR and RB3011 devices.
The said solution actually works for another case: if you have worked with those Peplink WAN load balancers, they have something called drop-in mode for WAN, and this is actually the solution I used. No NAT needed from either end and it all works well. But I don't think this will work with PPPoE dialup. What happened was when I dialed to my ISP, it would assign an IP of 2.2.2.2 with GW of 2.2.2.1. So any IP with the DEST of 2.2.2.3-5 from the internet would "pipe" through the PPPoE from the ISP. I don't think I can create a bridge and add a PPPoE dialer into the bridge.
 
learnyee
newbie
Topic Author
Posts: 31
Joined: Fri May 20, 2016 8:55 pm

Re: Need Help on NAT on WAN link with Multiple Public IP

Thu May 10, 2018 4:49 pm


If the router has a public IP of 1.1.1.2/24 on its “WAN” interface and you have been given the public addresses 2.2.2.0/29 (the “WAN” address is irrelevant to you, as the ISP only uses it to route to your subnet):
Create a bridge (effectively the LAN side of your router) with IP 2.2.2.1/29.
Connect the servers to what would effectively be your local network.
Assign 2.2.2.2-2.2.2.5 to the servers with a gateway of 2.2.2.1 and you do not need NAT. This only works if you have all public IPs.

Unless I am reading your OP wrong?
You have a public IP and then a routed subnet?

I know my above approach works in certain situations without NAT, as I have recently set 2 customers up like this on CCR and RB3011 devices.

If I may ask here, and it might be a very stupid question.

Let's say I am an ISP, a good one 'cause I only use MikroTik :D

I want to route subnet 2.2.2.0/29 to my client that already has 1.1.1.0/29. How will I do this on MikroTik?

Is it as simple as just adding an additional IP from 2.2.2.0/29 on my router interface (client's gateway 1.1.1.1/29), or is there more to it?

EDIT: BTW, I am also asking so anav doesn't have to :D
I don't think that would work, because both 2.2.2.0/29 and 1.1.1.0/29 addresses sit on the same interface of your router and I don't see how the traffic can be NATed.
But if you are talking about adding 1.1.1.1/29 to your interface and 1.1.1.2/29 to your customer's router interface, then technically you can do that as long as your end and your customer's end are "connected" in a way.
 
Sob
Forum Guru
Posts: 4628
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Help on NAT on WAN link with Multiple Public IP

Thu May 10, 2018 5:38 pm

@CZFan: If the customer is already connected and you as ISP want to give another /29 to them, it's better to really route it to them, i.e. "/ip route add dst-address=2.2.2.0/29 gateway=1.1.1.2" on your side.

If you add 2.2.2.1/29 to your router, then you waste three of eight addresses (network, gateway, broadcast) and only five can be used by the customer. On top of that, you expect them all to be directly reachable on the link between you and the customer. Not that it would be too hard for the customer to route them anywhere else with the help of proxy ARP, but it's an unnecessary extra step.

If you route the whole subnet to the customer, they can use all eight addresses if they want. There are different ways: they can assign them somewhere on the router as /32 and use them with NAT, route them anywhere in their network, etc. Or they can just assign 2.2.2.1/29 to some of their internal interfaces and waste three addresses themselves, if they want. What's important is that they have a choice. And even if they do this, the three addresses are not completely lost to them; they can still use them in a limited way, because packets coming from the internet don't know that the address is actually e.g. a broadcast in the internal network, so it's possible to use dstnat to send them somewhere else. And the same for srcnat. The only problem is that machines with other 2.2.2.x/29 addresses won't be able to connect to services on what to them are network and broadcast addresses. But it's easy for the customer to plan it in a way to not need this.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
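The two customer-side layouts discussed in this thread, written out as an added example that is not configuration from any poster: the ISP routes the whole /29 to the address the customer already has on the link, and the customer then either puts the /29 on-link behind a bridge with no NAT (Steveocee's layout) or keeps an RFC 1918 LAN and hangs the public addresses on the router as /32s with dst-nat/src-nat (Sob's option). The interface names ether1 (WAN) and ether2 (LAN), the bridge name and the internal host 10.0.0.3 are assumptions; options A and B are alternatives, not to be applied together.

```routeros
# ISP side: route the customer's new /29 via the link address they already have
/ip route
add dst-address=2.2.2.0/29 gateway=1.1.1.2 comment="routed /29 for customer"

# Customer, option A (no NAT): the /29 lives on the LAN side, servers get public addresses
/interface bridge
add name=bridge-public
/interface bridge port
add bridge=bridge-public interface=ether2
/ip address
add address=2.2.2.1/29 interface=bridge-public
# servers use 2.2.2.2-2.2.2.5 with gateway 2.2.2.1; .0, .1 and .7 are consumed by the subnet

# Customer, option B (NAT): LAN stays RFC 1918, a public address sits on the router as /32
/ip address
add address=2.2.2.3/32 interface=ether1 comment="public address used only through NAT"
/ip firewall nat
add chain=dstnat dst-address=2.2.2.3 action=dst-nat to-addresses=10.0.0.3
add chain=srcnat src-address=10.0.0.3 action=src-nat to-addresses=2.2.2.3
```

With option B every one of the eight routed addresses can be used this way, since nothing on the customer's links treats 2.2.2.0 or 2.2.2.7 as a network or broadcast address; with option A only 2.2.2.2-2.2.2.5 are left for hosts, which is the trade-off Sob describes.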
 
CZFan
Forum Guru
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Need Help on NAT on WAN link with Multiple Public IP

Thu May 10, 2018 5:54 pm

Got it, thank you very much @Sob.

@anav, is it clear enough for you :D
MTCNA, MTCTCE, MTCRE & MTCINE
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need Help on NAT on WAN link with Multiple Public IP

Fri May 11, 2018 12:44 am

Zing.................. just flew over my head but if you want to stop in on the PSD attributes thread to be wildly entertained with my EXTRA TAB questions (weight and limit) - then yes feel free to provide enlightenment. Oh and stay tuned for a VLAN/Bridge setup thread where I pose my scenario/setup and ask what is the most efficient method..................

PS. Am I allowed to give advice in the GENERAL forum. I may not have the rank to do so! ;-P
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
samsung172
Forum Guru
Posts: 1186
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: Need Help on NAT on WAN link with Multiple Public IP

Fri May 11, 2018 1:10 am

@CZFan: If the customer is already connected and you as ISP want to give another /29 to them, it's better to really route it to them, i.e. "/ip route add dst-address=2.2.2.0/29 gateway=1.1.1.2" on your side.

If you add 2.2.2.1/29 to your router, then you waste three of eight addresses (network, gateway, broadcast) and only five can be used by the customer. On top of that, you expect them all to be directly reachable on the link between you and the customer. Not that it would be too hard for the customer to route them anywhere else with the help of proxy ARP, but it's an unnecessary extra step.

If you route the whole subnet to the customer, they can use all eight addresses if they want. There are different ways: they can assign them somewhere on the router as /32 and use them with NAT, route them anywhere in their network, etc. Or they can just assign 2.2.2.1/29 to some of their internal interfaces and waste three addresses themselves, if they want. What's important is that they have a choice. And even if they do this, the three addresses are not completely lost to them; they can still use them in a limited way, because packets coming from the internet don't know that the address is actually e.g. a broadcast in the internal network, so it's possible to use dstnat to send them somewhere else. And the same for srcnat. The only problem is that machines with other 2.2.2.x/29 addresses won't be able to connect to services on what to them are network and broadcast addresses. But it's easy for the customer to plan it in a way to not need this.
Well. It seems like we need a lesson in using RFC 1918 and public IPs, since the question would differ if it's internal RFC 1918 addresses or public IPs (or just the same).

If ISP 1 and ISP 2 use the same internal 1918 IPs, use NAT as described.

If it's public IPs, just let routing fix this.
 
Sob
Forum Guru
Posts: 4628
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Help on NAT on WAN link with Multiple Public IP

Fri May 11, 2018 5:25 am

Well. It seems like we need a lesson in using RFC 1918 and public IPs, since the question would differ if it's internal RFC 1918 addresses or public IPs (or just the same).
I have a feeling that you're trying to tell me something. But I read it several times and I'm still not sure what it is. Could you try again?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
