mikear
newbie
Topic Author
Posts: 40
Joined: Wed Mar 23, 2022 8:08 pm
Location: Utrecht, Netherlands

NAT to change IP addresses using dstnat on ip-range

Mon Mar 20, 2023 1:10 am

Hi,
I have 2 MT-routers (local and remote) at different locations which are connected with a WireGuard virtual network. To access the network behind the remote router (192.168.1.0/24) I cannot use the ip range in the local router as this subnet is also locally present. I thought to use another (unused) ip-range which is locally routed towards the WireGuard ip address of the remote router, where it is natted into the 192.168.1.0/24 subnet.

In the local router I added to the routing table:
/ip route
add dst-address=192.168.6.0/24 gateway=wireguard_remote_ip
The following setting in the remote router works, but is only valid for one ip destination:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.6.254 to-addresses=192.168.1.254
Because I want all remote ip addresses in the 192.168.1.0/24 range accessible through the 192.168.6.0/24 subnet, I would prefer:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.6.0/24 to-addresses=192.168.1.0/24
This apparently does not work.

What is the concept I'm missing?
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT to change IP addresses using dstnat on ip-range

Mon Mar 20, 2023 1:58 am

I think the problem is locally, any attempt to have a destination address in the same subnet will never see the light of day of an L3 rule.
My grasp of fundamentals is weak so that is just a guess as sourcenat seems to come as a last step in traffic flow.

Why not change the device needing access to a different subnet?
Why not change one of the subnet addresses at either end?
 
mikear
Topic Author

Re: NAT to change IP addresses using dstnat on ip-range

Mon Mar 20, 2023 9:29 am

anav wrote:
I think the problem is locally, any attempt to have a destination address in the same subnet will never see the light of day of an L3 rule.

I've also tested this with another (virtual) subnet remotely (not corresponding with any local subnet), but the effect is the same. This makes me think the problem is in the remote router. Moreover, it works for a single IP address.

anav wrote:
Why not change the device needing access to a different subnet?
Why not change one of the subnet addresses at either end?

Good points, that would have been the most pragmatic solution. However, on both sides these subnets cannot be modified: on the local side because the ISP has fixed it, on the remote side because the network is completely built around this subnet and it's not desirable to change the architecture.
 
anav

Re: NAT to change IP addresses using dstnat on ip-range

Mon Mar 20, 2023 2:27 pm

Check out this, fresh out of the box:
viewtopic.php?p=990947#p990947
 
mikear
Topic Author

Re: NAT to change IP addresses using dstnat on ip-range

Mon Mar 20, 2023 2:50 pm

This looks promising @anav! It is exactly the configuration I had in mind, but I used the wrong nat-tools. Will try it out tonight.
 
mikear
Topic Author

Re: NAT to change IP addresses using dstnat on ip-range

Tue Mar 21, 2023 11:52 pm

Here is my solution for a simple (one-way) netmap configuration; hopefully it may help others (with limited network knowledge, like me).

This is based on @anav's instruction page (brilliant work!). However, I only need to initiate contact from Local to Remote, therefore my setup is a bit simpler, but it works as intended:

In this example:
- the common subnet on both sides of the linked networks is: 192.168.5.0/24
- the netmap virtual network is 192.168.2.0/24

So if you need to access a remote (common) IP-address like 192.168.5.10 you need to use 192.168.2.10 (which is remotely translated into 192.168.5.10)

Local CONFIG
/ip route
add dst-address=192.168.2.0/24 gateway=wireguard_remote_ip table=main
/interface wireguard peers
add allowed-address=whichever_remote_ips_you_already_have,192.168.2.0/24 interface="WireGuard_interface_name" public-key="......"

Remote CONFIG
/ip firewall nat
add action=netmap chain=dstnat dst-address=192.168.2.0/24 to-addresses=192.168.5.0/24
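As an added illustration (not from the original thread and not MikroTik code), here is a small Python model of the difference the thread turns on: an action=dst-nat rule with a single dst-address rewrites exactly one destination, while action=netmap is a 1:1 mapping that keeps the host part of the address and swaps only the network part, so one rule covers the whole /24. The rule sets below use the addresses from the posts; the interface name wireguard_remote and the in-interface matcher on the netmap rule are my assumptions, added so the rule only rewrites traffic that actually arrives over the tunnel. The model does not try to reproduce what RouterOS does with a to-addresses range on a plain dst-nat rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed name of the WireGuard interface on the remote router (not in the thread).
WG_IFACE = "wireguard_remote"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str


def netmap_address(dst_ip: str, match_net: str, to_net: str) -> Optional[str]:
    """Model of action=netmap: keep the host bits, replace the network bits.

    Returns None when dst_ip is outside match_net (the rule does not match).
    Both prefixes must be the same length, otherwise a 1:1 mapping is undefined.
    """
    ip = ipaddress.IPv4Address(dst_ip)
    src = ipaddress.IPv4Network(match_net)
    dst = ipaddress.IPv4Network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("netmap needs equal-length prefixes")
    if ip not in src:
        return None
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.IPv4Address(int(dst.network_address) | host_bits))


def apply_dstnat_chain(pkt: Packet, rules: list) -> str:
    """Walk a dstnat chain the way the firewall does: first matching rule wins.

    Rules are dicts keyed by RouterOS parameter names; only the matchers
    needed here (in-interface, dst-address) are modelled.
    """
    for rule in rules:
        if rule.get("in-interface") and rule["in-interface"] != pkt.in_iface:
            continue
        if rule["action"] == "dst-nat":
            # Single-host rule: matches exactly one destination address.
            if pkt.dst == rule["dst-address"]:
                return rule["to-addresses"]
        elif rule["action"] == "netmap":
            mapped = netmap_address(pkt.dst, rule["dst-address"], rule["to-addresses"])
            if mapped is not None:
                return mapped
    return pkt.dst  # no rule matched: destination left unchanged


# The single-host rule from the first post (works, but only for .254).
SINGLE_HOST_RULES = [
    {"action": "dst-nat", "chain": "dstnat",
     "dst-address": "192.168.6.254", "to-addresses": "192.168.1.254"},
]

# The netmap rule from the final post, restricted to the tunnel interface
# (the in-interface matcher is an addition here, not in the original post).
NETMAP_RULES = [
    {"action": "netmap", "chain": "dstnat", "in-interface": WG_IFACE,
     "dst-address": "192.168.2.0/24", "to-addresses": "192.168.5.0/24"},
]


def demo() -> dict:
    """Translate a few constructed packets under both rule sets."""
    probes = [
        (SINGLE_HOST_RULES, Packet(WG_IFACE, "192.168.6.254")),  # the one host that works
        (SINGLE_HOST_RULES, Packet(WG_IFACE, "192.168.6.10")),   # any other host: untouched
        (NETMAP_RULES, Packet(WG_IFACE, "192.168.2.10")),        # host .10 -> 192.168.5.10
        (NETMAP_RULES, Packet(WG_IFACE, "192.168.2.254")),       # host .254 -> 192.168.5.254
        (NETMAP_RULES, Packet("ether1", "192.168.2.10")),        # wrong interface: untouched
    ]
    return {(p.in_iface, p.dst): apply_dstnat_chain(p, r) for r, p in probes}


if __name__ == "__main__":
    for (iface, before), after in demo().items():
        print(f"{iface:>16} {before:>15} -> {after}")
```

Two practical notes on the real rule. Connection tracking reverse-translates the replies of a connection the netmap rule matched, but the rule only rewrites destinations; whether the source address also needs mapping (the two-way case on the page anav linked) depends on what source address the local router sends into the tunnel. And because the netmap rule exposes every host in 192.168.5.0/24 to the tunnel, a forward filter on the remote router that lists which translated hosts and ports the local side may reach is still the place where access is actually decided.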
