Kazek

1:1 NATting of /29 subnet

Thu Oct 14, 2021 6:45 pm

Hello,

This looks easy on paper but it gives me a headache. An ISP gives a /29 subnet.

Let's say 1.1.1.1/29 is a GW and port eth1 in my Mikrotik has an IP 1.1.1.2/29.

Ports eth2, 3, 4 and 5 are the LAN network with multiple devices connected. I would like two of them (10.0.0.7 and 10.0.0.8) to use other IPs from the /29 range (1.1.1.3/29 and 1.1.1.4/29) and the rest of the hosts to use 1.1.1.2.

So in theory I add all the /29 IPs to my WAN interface (so eth1 has 1.1.1.2/29, 1.1.1.3/29 and 1.1.1.4/29).
I also create two NAT rules for each host:
/ip firewall nat add chain=dstnat dst-address=1.1.1.3 action=dst-nat to-addresses=10.0.0.7
/ip firewall nat add chain=srcnat src-address=10.0.0.7 action=src-nat to-addresses=1.1.1.3
The problem is that this is not working. Am I missing something, or is it not as straightforward as I think?
Last edited by Kazek on Fri Oct 15, 2021 9:53 am, edited 2 times in total.
 
sindy
Forum Guru

Re: 1:1 NATting of /29 subnet

Thu Oct 14, 2021 9:14 pm

The two rules as such should do what you expect them to do.

However, the firewall rules work as a system where mutual order matters and rules in different chains must work in accord. So it is possible that these rules are shadowed by other ones, or that you do not permit dst-nated connections in the forward chain in filter, ... or you may be testing connections to 1.1.1.2 from a client in the same LAN subnet as the server, so the response from the server takes a shortcut, etc.

So post a carefully anonymized but otherwise complete export of your config (see my automatic signature below) and provide details on how you are testing.
Don't write novels, post /export hide-sensitive file=x. Use find & replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
CZFan
Forum Guru

Re: 1:1 NATting of /29 subnet

Fri Oct 15, 2021 1:04 pm

To add to what @sindy said, the other IPs in that prefix might not be available to you, i.e. they might belong to devices on the link to you, etc.
MTCNA, MTCTCE, MTCRE & MTCINE
 
rextended
Forum Guru

Re: 1:1 NATting of /29 subnet

Fri Oct 15, 2021 1:22 pm

Use netmap, in the right order relative to the other rules:
/ip firewall nat
[...]
add action=netmap chain=dstnat dst-address=1.1.1.3 to-addresses=10.0.0.7
add action=netmap chain=srcnat src-address=10.0.0.7 to-addresses=1.1.1.3
[...] 
add chain=srcnat action=masquerade [...]
[...]
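A complete version of the configuration the thread converges on, as an added example rather than anything the posters provided. It assumes the LAN sits on a bridge interface named bridge with 10.0.0.0/24, that the WAN port is ether1 (the thread's eth1), and that the ISP actually routes 1.1.1.3 and 1.1.1.4 to you (CZFan's caveat); the placeholder addresses are the thread's own. It also supplies the two pieces sindy mentioned: a forward-chain filter rule that admits dst-nated connections, and a hairpin rule so a LAN client reaching 1.1.1.3 gets a return path that passes through the router instead of the server answering the client directly.

```routeros
# Added example, not from the thread. Interface and subnet names are assumptions.
/ip address
add address=1.1.1.2/29 interface=ether1 comment="router itself; default srcnat"
add address=1.1.1.3/29 interface=ether1 comment="1:1 for 10.0.0.7"
add address=1.1.1.4/29 interface=ether1 comment="1:1 for 10.0.0.8"
add address=10.0.0.1/24 interface=bridge

/ip firewall nat
# NAT chains are first-match, so the 1:1 rules must sit BEFORE the generic masquerade.
# No in-interface on the dstnat rules: a LAN client hitting 1.1.1.3 (hairpin) arrives on
# the bridge, not on ether1, and must still be translated.
add chain=dstnat dst-address=1.1.1.3 action=netmap to-addresses=10.0.0.7 comment="1:1 in 10.0.0.7"
add chain=dstnat dst-address=1.1.1.4 action=netmap to-addresses=10.0.0.8 comment="1:1 in 10.0.0.8"
add chain=srcnat out-interface=ether1 src-address=10.0.0.7 action=netmap to-addresses=1.1.1.3 comment="1:1 out 10.0.0.7"
add chain=srcnat out-interface=ether1 src-address=10.0.0.8 action=netmap to-addresses=1.1.1.4 comment="1:1 out 10.0.0.8"
# Hairpin: after dstnat, a LAN->LAN connection via the public IP would otherwise be
# answered by the server straight to the client, bypassing the router.
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.0/24 out-interface=bridge action=masquerade comment="hairpin NAT"
# Everything else leaves as 1.1.1.2. Last, so it never shadows the rules above.
add chain=srcnat out-interface=ether1 action=masquerade comment="default masquerade"

/ip firewall filter
# Only inbound connections that were dst-nated above are admitted from the WAN;
# the accept must precede any drop for new forward traffic arriving on ether1.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new connection-nat-state=dstnat in-interface=ether1 action=accept comment="allow 1:1 NAT targets"
add chain=forward connection-state=new in-interface=ether1 action=drop comment="drop other unsolicited WAN traffic"
```

Test from outside the LAN, as sindy advises; a LAN client only exercises the hairpin path. /ip firewall nat print stats shows which rules are actually matching, and /ip firewall connection print where dst-address~"10.0.0.7" confirms that a connection to 1.1.1.3 was translated rather than silently dropped.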
