
 
Omar010
just joined
Topic Author
Posts: 10
Joined: Thu May 02, 2019 9:51 am

NAT issue

Thu Nov 07, 2019 12:12 pm

Hello guys,
I have a problem at my site with NAT; the topology is very simple.
I have two Cisco routers, one for the MPLS VPN to our sites and the other one for the internet.
We installed a Mikrotik router to manage the users' internet access, so we run a hotspot server on a bridge.
Also, we don't have any fancy configuration on the Mikrotik.
The problem is that all traffic is getting masqueraded; we don't have an issue with HTTP and HTTPS traffic.

But we have IP phones that get registered with an external server on another subnet via the MPLS router,
and the HQ office needs a few IPs to give them permission to access servers, and they can't see those IPs because they are NATed.

VPN router IP: 10.104.104.1/22
Internet router IP: 10.104.104.99/22
Mikrotik hotspot bridge IP: 10.104.104.9/22

Please, any suggestions?
 
Omar010
just joined
Topic Author
Posts: 10
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Thu Nov 07, 2019 12:50 pm

And I would like to mention that if I add a src-nat rule above the masquerade rule, pointing to the destination list that I don't want to NAT to,
I can see in the firewall connections that the source address and the reply destination address are the same,
but as soon as I apply this rule I lose ping and connection to the destination.
 
sindy
Forum Guru
Posts: 3905
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Thu Nov 07, 2019 10:43 pm

You'd have to provide a network diagram to get some useful advice, the text description doesn't express your network clearly enough.

In general, you can set exceptions from action=src-nat or action=masquerade rules (and also action=netmap and action=dst-nat rules) by either setting additional match conditions in these rules or by placing action=accept rules matching on the traffic which should not be NATed before those NATing rules.

If this hint is not sufficient to resolve your issue, post the diagram of your network and follow the suggestion in my automatic signature below.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
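To make the two exception techniques described above concrete, here is an added RouterOS example; it is not code from the original posts. The address-list name `no-nat` and the prefixes in it are assumptions for illustration (the OP has not yet posted which destinations must stay un-NATed), and the masquerade rule it inserts in front of is the one the OP says is the only NAT rule present. The final command is the check the OP mentions: for an exempted connection, `src-address` and `reply-dst-address` in the connection table must be identical.

```routeros
# Added example (not from the original post): keep masquerading for the
# internet, but exempt destinations reached via the VPN router from src-nat.
# The list name "no-nat" and its prefixes are assumptions for illustration.
/ip firewall address-list
add list=no-nat address=10.0.0.0/8     comment="reached via MPLS/VPN router"
add list=no-nat address=192.168.0.0/16 comment="reached via MPLS/VPN router"

# Existing rule, as described in the thread (already present, shown for context):
#   /ip firewall nat add chain=srcnat action=masquerade src-address=10.104.104.0/22

# Variant 1: an accept rule placed BEFORE the masquerade rule. The srcnat
# chain is first-match, so a connection that hits "accept" leaves the chain
# untranslated and the masquerade rule never sees it.
/ip firewall nat
add chain=srcnat action=accept src-address=10.104.104.0/22 \
    dst-address-list=no-nat comment="no NAT towards VPN destinations" \
    place-before=[find chain=srcnat action=masquerade]

# Variant 2 (equivalent, no extra rule): narrow the masquerade rule itself
# with a negated match instead of inserting an accept rule in front of it.
# /ip firewall nat set [find chain=srcnat action=masquerade] dst-address-list=!no-nat

# Check: for a connection towards an exempted destination, src-address and
# reply-dst-address must be the same address, i.e. no translation applied.
/ip firewall connection print detail where dst-address~"^10[.]1[.]"
```

Two caveats a practitioner should keep in mind. First, `action=accept` in the srcnat chain only skips translation; it grants nothing, so access control for the now-visible LAN addresses still belongs in the `forward` filter chain. Second, an exception only removes the translation on the way out: the far-side router must have a route for 10.104.104.0/22 back via the Tik, otherwise the replies go elsewhere and the connection dies even though the connection table looks right, which is exactly the symptom the OP reports after adding a rule above the masquerade.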
 
Omar010
just joined
Topic Author
Posts: 10
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Fri Nov 08, 2019 10:21 am

Hey, thanks for your reply.

My network diagram is:

VPN router IP 10.104.104.1 is connected to the Mikrotik on ether7
Internet gateway router IP 10.104.104.99 is connected to the Mikrotik on ether8
Core switch IP 10.104.104.10 is connected to the Mikrotik on ether1
Mikrotik bridge IP is 10.104.104.9
The only port added to the bridge is the LAN port, ether1

All LAN users' default gateway is the Mikrotik bridge, 10.104.104.9, running the hotspot.

Static IPs to other subnets go via the VPN router;
the default route goes to 10.104.104.99.

Only one NAT rule, masquerade, is added to allow users to access the internet.

I don't know if this is a bad way to configure a Mikrotik router, but I can reconfigure the router in a more appropriate way.
 
sindy
Forum Guru
Posts: 3905
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Fri Nov 08, 2019 11:33 am

It doesn't make sense to me that you've made only ether1 an /interface bridge port but at the same time there are other IP addresses from the same subnet (presumably, you haven't shown the netmasks/prefix lengths associated to them) accessible via other etherX. So your issue may be more than the NAT alone.

So please post the configuration export so that we could tidy up your configuration before even starting to create exceptions from the masquerade rule.
 
Omar010
just joined
Topic Author
Posts: 10
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Fri Nov 08, 2019 12:37 pm

Yes, the bridge has only one interface, the LAN.
/ip address
add address=10.104.104.23 interface=ether8 network=10.104.104.99
add address=10.104.104.9/22 interface=bridge1 network=10.104.104.0
add address=10.104.104.24 interface=ether7 network=10.104.104.1
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.104.104.0/22
/ip firewall filter
add action=return chain=hs-unauth comment="\E4\D9\C7\E3 \DD\C7\D1\D3" dst-address=192.168.208.8
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
/ip route
add distance=1 gateway=10.104.104.99
add distance=1 dst-address=10.0.0.0/8 gateway=10.104.104.1
add distance=1 dst-address=10.1.116.6/32 gateway=10.104.104.1
add distance=1 dst-address=10.1.137.0/24 gateway=10.104.104.1
add distance=1 dst-address=10.1.150.204/32 gateway=10.104.104.1
add distance=1 dst-address=10.1.165.0/24 gateway=10.104.104.1
add distance=1 dst-address=10.1.165.65/32 gateway=10.104.104.1
add distance=1 dst-address=10.1.165.140/32 gateway=10.104.104.1
add distance=1 dst-address=10.1.182.0/24 gateway=10.104.104.1
add distance=1 dst-address=10.4.16.100/32 gateway=10.104.104.1
add distance=1 dst-address=10.4.46.128/26 gateway=10.104.104.1
add distance=1 dst-address=192.168.3.54/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.3.140/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.6.0/24 gateway=10.104.104.1
add distance=1 dst-address=192.168.6.199/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.18.0/24 gateway=10.104.104.1
add distance=1 dst-address=192.168.18.37/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.18.216/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.30.0/24 gateway=10.104.104.1
add distance=1 dst-address=192.168.54.155/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.81.17/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.81.75/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.120.0/24 gateway=10.104.104.1
add distance=1 dst-address=192.168.164.0/24 gateway=10.104.104.1
add distance=1 dst-address=192.168.166.203/32 gateway=10.104.104.1
add distance=1 dst-address=192.168.208.0/24 gateway=10.104.104.1

**If I could make this router work without performing NAT, maybe my problem would go away, because both gateways are doing NAT.**
 
sindy
Forum Guru
Posts: 3905
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Fri Nov 08, 2019 6:38 pm

Exactly what I was afraid of. In your OP, you say:
vpn router ip:10.104.104.1/22
internet router ip:10.104.104.99/22
mikrotik hotspot bridge ip : 10.104.104.9/22
but your configuration doesn't match this:
/ip address
add address=10.104.104.23 interface=ether8 network=10.104.104.99
add address=10.104.104.9/22 interface=bridge1 network=10.104.104.0
add address=10.104.104.24 interface=ether7 network=10.104.104.1
In fact you have the 10.104.104.0/22 subnet attached only to bridge1; to ether7 and ether8, you have attached /32 "subnets" with unrelated /32 addresses of the gateways.

I suspect I understand the purpose, as you want the hosts in 10.104.104.0/22 to use Mikrotik's own IP as their default gateway, and let the Mikrotik choose the "real" gateway out of 10.104.104.99 and 10.104.104.1 on its own. Which does work, but it also implies that the NAT must be done at the Tik, as without the NAT, the VPN router and the internet router would assume the other destinations within 10.104.104.0/22 to be in their own subnet, so instead of routing the responses via Tik's IP as a gateway, they would send an ARP request to get a MAC address of the destination. Except if these two routers were configured symmetrically, i.e. if they had an equivalent of
/ip address add address=10.104.104.99/32 network=10.104.104.23
/ip route add dst-address=10.104.104.0/22 gateway=10.104.104.23

in their own configuration. But I assume the latter is not the case, as otherwise you wouldn't need the NAT at Mikrotik side.

So what I write from now on assumes that the Tik-facing interfaces of the internet router and the VPN router are indeed configured with 10.104.104.99/22 and 10.104.104.1/22, respectively.

There are two ways to adjust the Tik configuration alone to make things work without the need for a NAT rule on the Tik.

One is to keep just the single IP, 10.104.104.9/22, on the bridge, remove the two IP configurations attached to ether7 and ether8 completely, and make ether7 and ether8 member ports of the bridge as well.

This way, the first packet from the client towards each particular destination address will be sent to the Tik's 10.104.104.9 (because that's what the clients have got as a default gateway via manual config or DHCP); using its own routing table, the Tik will find out that the gateway IP for such a packet is in the same subnet as the source IP of that packet, and will thus inform the sender via ICMP that it can send the packet directly to that gateway IP (.1 or .99). Most devices will understand this, make a note in their routing cache, and use the real gateway for that destination address (or rather the whole subnet matching the dst-address field of the route at Mikrotik) for some time until the note times out; then the same cycle will repeat. So effectively, the routing table of Mikrotik will be dynamically replicated in the hosts' routing caches.

The VPN router and internet router will both have a direct L2 path to the hosts, so no NAT will be necessary at the Tik (nor possible because the bulk of the packets will bypass the L3 handling at Tik and will be just bridged between ether1 and ether7/ether8). But this also means that the IP firewall of the Tik will not be able to affect that traffic; since you mention hotspot functionality, I suspect this method may not suit your intention.

So aside from forcing bridged traffic through the IP firewall, which is possible but unusual, another way to get rid of the NAT while keeping Mikrotik in the L3 path between the two routers and the clients connected to ether1, without modifying the settings of the two other routers, is to keep your IP configuration at the Tik unchanged and just enable proxy-arp on ether7 and ether8. This way, the internet router and VPN router will get their ARP requests for any IP address from 10.104.104.0/22 answered by the Tik with its own MAC address, so they will send the packets for anything from that subnet to the Tik, and the Tik will forward these packets. In this case, Mikrotik will handle all packets at L3, but you still won't need to do NAT at the Tik to have the backward path from outside to any IP address in 10.104.104.0/22 working, because the Tik will mimic the whole subnet towards the two routers.
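The two alternatives from the post above, written out as RouterOS commands against the exported configuration. This is an added example, not the original poster's or sindy's code. It assumes, as the post does, that the Ciscos' Tik-facing interfaces really carry 10.104.104.1/22 and 10.104.104.99/22; the Cisco lines in the trailing comment are illustrative IOS syntax for the symmetric alternative the post mentions, with 10.104.104.24 taken from the `ether7` address in the export.

```routeros
# Added example (not from the original post). Pick ONE of the two options;
# sindy's follow-up makes the point that they are mutually exclusive.

# --- Option A: make the Tik a plain bridge between the LAN and both routers ---
# The /32 "subnets" on ether7/ether8 go away and both ports join bridge1.
# Hosts then learn the real gateway per destination via ICMP redirects from
# 10.104.104.9. The bulk of the traffic is bridged, not routed, so the IP
# firewall and the hotspot no longer see it.
/ip address remove [find interface=ether7]
/ip address remove [find interface=ether8]
/interface bridge port add bridge=bridge1 interface=ether7
/interface bridge port add bridge=bridge1 interface=ether8
/ip firewall nat remove [find chain=srcnat action=masquerade]

# --- Option B: keep L3 on the Tik and answer ARP for the whole /22 ---
# IP addressing stays exactly as exported; ether7 and ether8 answer ARP
# requests for any 10.104.104.0/22 host with the Tik's own MAC address, so
# the routers hand the return traffic to the Tik and the hotspot still
# sits in the path.
/interface ethernet set ether7 arp=proxy-arp
/interface ethernet set ether8 arp=proxy-arp
/ip firewall nat remove [find chain=srcnat action=masquerade]

# Both options depend on each Cisco treating 10.104.104.0/22 as reachable on
# its Tik-facing interface. Otherwise the symmetric fix from the post is
# needed on the Cisco side (illustrative IOS, VPN router shown; the internet
# router is the same with 10.104.104.23 as next hop):
#   interface Vlan5
#    ip address 10.104.104.1 255.255.252.0
#   ! or, if the interface keeps a narrower mask that still covers the Tik:
#   ip route 10.104.104.0 255.255.252.0 10.104.104.24
```

On the design choice: with option A the hotspot and any `forward` filter rules are bypassed for traffic that is bridged straight between ether1 and ether7/ether8, which is a security regression for a device whose job is to gate user access. Option B keeps every packet under the IP firewall; the thing to remember is that RouterOS proxy-arp answers for any address the Tik can route out of its other interfaces, not only for 10.104.104.0/22, so the two edge routers may also end up reaching each other through the Tik.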
 
Omar010
just joined
Topic Author
Posts: 10
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Fri Nov 08, 2019 8:28 pm

Thank you Sindy for making the time to reply to me.

OK, this is what I will do tomorrow:
not change the IP addresses on the interfaces;
add ether7 and ether8 to the bridge and enable proxy-arp on these interfaces;
and remove the masquerade rule.

I hope it works after adding this configuration.
I will come back to you tomorrow :)
 
sindy
Forum Guru
Posts: 3905
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Fri Nov 08, 2019 9:25 pm

add Ether 7, 8 to the bridge and enable proxy-arp on these interfaces.
It seems my explanation was too complex, but I don't know how to simplify it. It's either add Ether 7, 8 to the bridge (and remove the IP addresses attached to them) or enable proxy-arp on these interfaces, not both at the same time.
 
Omar010
just joined
Topic Author
Posts: 10
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Sun Nov 10, 2019 7:29 pm

Hey sindy,
Today I applied the configurations with no luck.
I enabled proxy-arp on both interfaces and removed the masquerade rule.
From the Tik I can ping the internet and the remote locations, but the users can't ping anything, though they can authenticate with the hotspot.

Then I tried the other one, adding both interfaces to the bridge and removing their IPs.
When I applied this configuration I wasn't able to ping either edge router from the Tik.
Do you have more ideas?
Thank you in advance.
 
sindy
Forum Guru
Posts: 3905
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Sun Nov 10, 2019 8:14 pm

do you have more ideas
Not before you provide the complete export of the Mikrotik configuration (anonymized, see my automatic signature below), and also relevant configuration elements from the two other routers - namely, the IP configurations of their Mikrotik-facing interfaces and of their routing tables.

I enable proxy-arp on both interfaces and removed the masquerade rule.
from the Tik i can ping the internet and the remote locations, but the users can't ping anything. but they can authenticate with the hotspot .
This suggests that the other routers could not benefit from the proxy-arp being enabled as their netmasks are not /22. So the pings from Mikrotik itself, which are always sent from the IP address attached to the interface through which they are sent, could get their responses, but the pings from the wireless users could not get their responses as packets for 10.104.104.0/22 are routed somewhere else than to Mikrotik by the other two routers.

then i tried to do the other one, adding both interfaces to the bridge and removing their ip's
when i apply this configurations i wasn't able to ping from the Tik both edge routers.
This suggests the same conclusion as above - as the other routers could not respond to pings coming from the only Mikrotik's IP address which remained active (the 10.104.104.9 one) because that address is outside the Mikrotik-facing interfaces' subnets (so their IP configuration doesn't have a /22 netmask) and so the responses were routed elsewhere.

So if you can change the configuration of those two routers, either change netmask in the IP configuration of their Mikrotik-facing interfaces to /22, or add the routes as I've suggested in my previous post (10.104.104.0/22 via 10.104.104.x). If you cannot change the configuration of those routers, you're doomed, because there is no way to set up non-NATed connections through the two links, because the same routing problem would arise.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
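The reasoning in the post above can be reproduced from the Tik itself before touching the Cisco configurations. The following is an added example (not from the original posts): it sources the same ping once from the link address and once from the bridge address, which is the difference between "ping from the Tik works" and "users can't ping anything". 10.1.116.6 is one of the VPN-side destinations in the posted export, and 10.104.104.24 is the exported `ether7` address; the Cisco commands in the trailing comment are illustrative IOS syntax.

```routeros
# Added example (not from the original post): distinguish a NAT problem from
# a return-route problem on the two edge routers, using the Tik only.

# 1) Ping sourced from the link address on ether7. This is what a plain
#    "/ping" from the Tik does by default and it succeeds even when the
#    Cisco's Tik-facing interface has a mask narrower than /22, because the
#    Cisco sees 10.104.104.24 as on-link (or has a host route to it).
/ping 10.1.116.6 src-address=10.104.104.24 count=3

# 2) The same ping sourced from the bridge address, i.e. pretending to be a
#    LAN host. If (1) succeeds and (2) fails with NAT removed and proxy-arp
#    enabled, the Cisco does not route 10.104.104.0/22 back through the Tik
#    and no NAT exception on the Tik can fix that.
/ping 10.1.116.6 src-address=10.104.104.9 count=3

# 3) Watch ether7 for ICMP to/from the destination: the echo request must
#    leave; if no echo reply ever arrives on ether7, the reply was routed
#    somewhere else by the VPN router (e.g. its default route).
/tool sniffer quick interface=ether7 ip-protocol=icmp ip-address=10.1.116.6

# 4) With proxy-arp enabled, the VPN router must resolve 10.104.104.9 (and
#    every other LAN host) to the MAC of ether7. Compare the two views.
/interface ethernet print where name=ether7
/ip arp print where interface=ether7
#   Cisco side (IOS, illustrative):
#     show ip interface Vlan5          ! expect a /22 mask, or
#     show ip route 10.104.104.9       ! expect next hop 10.104.104.24 via Vlan5
#     show ip arp | include 10.104.104 ! LAN hosts should map to ether7's MAC
```

If step (2) succeeds only while the masquerade rule is present, the Tik's NAT has been masking a return-route problem on the Ciscos all along, which is the conclusion the post above reaches.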
 
Omar010
just joined
Topic Author
Posts: 10
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Sun Nov 10, 2019 8:47 pm

I always thought that the hotspot rules were causing problems for me.
I'll try to check both edge routers' configurations.
Thank you for your time.
 
Omar010
just joined
Topic Author
Posts: 10
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Mon Nov 11, 2019 7:34 am

Both edge routers' interfaces facing the Mikrotik are running on VLAN 5.
I didn't add any configuration on the Tik that mentions VLAN 5.
 
sindy
Forum Guru
Posts: 3905
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Mon Nov 11, 2019 8:49 am

If there was a mismatch of VLAN tagging between the edge routers' ports and the Mikrotik's ports, nothing would work, with or without NAT. So I suppose that in those routers, the IP configuration for 10.104.104.x/32 is attached to the virtual VLAN interface in VLAN 5, but the Mikrotik-facing Ethernet ports are access ports to VLAN 5 so on the wire, the frames are tagless.

So what's the IP configuration of VLAN 5 in each edge router?

What brand are those edge routers, Cisco or other?
 
Omar010
just joined
Topic Author
Posts: 10
Joined: Thu May 02, 2019 9:51 am

Re: NAT issue

Mon Nov 11, 2019 9:10 am

Hey,
no, it's working now, but traffic going to the VPN is getting NATed to the Mikrotik interface facing the VPN edge router,
and the traffic going to the internet is NATed to the Mikrotik interface facing the internet router,
and both edge routers are performing NAT also;
it's a nightmare really.

Yes, I want to configure the Tik to run VLAN 5 only; in my LAN I only use VLAN 5,
so it won't be a problem for me.

Both edge routers are Cisco.
 
sindy
Forum Guru
Posts: 3905
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT issue

Mon Nov 11, 2019 9:18 am

Once again: what is the exact IP address configuration for vlan 5 and route configuration of the Ciscos?

Forget the vlan tagging/untagging for a moment, it is working now so don't touch it until you resolve the IP addressing and routing part.