 
tyby
just joined
Topic Author
Posts: 16
Joined: Thu Nov 10, 2011 5:03 pm
Location: Bucharest / RO

RouterOS - public subnet routed and NAT-ed to internal clients

Thu Apr 02, 2015 7:00 pm

Hi guys.

I am pretty new to RouterOS, although I have a handful of devices running as usual NAT gateways.

I need to prepare a few devices, some for production (as replacements), some for backup (in case current routers fail), all based on the following setup:

- ISP public IP (link) (static)
- /29 public subnet routed by ISP through above mentioned link IP

Due to the fact that the link IP changes pretty often because of ISP network upgrades / reconfigs, I need the services behind the router to be set up on my own /29s.

The main scenario is following:

- ISP link IP: 1.1.1.1/24 from a 1.1.1.0/24
- gateway for link IP: 1.1.1.254
- /29 subnet: 2.2.2.0/29 routed through 1.1.1.1 above (link IP).
- /24 local subnet for clients: 192.168.x.0/24

As I have 6 public IPs from the /29 above available for use, I need to assign those IPs for specific access to / from the LAN side, e.g. one for the MTA, one for httpd, one for NAT access for clients.

I managed to configure the above setup (or similar) on different routers (Juniper, AT, Fortigate), using different approaches (eNat, VIPs, etc) but I don't seem to know how to start with Mikrotik, in order to map specific internal IPs to specific public IPs from routed public subnet.

The basic idea will look like this:

- NAT clients from LAN (192.168.x.100 - 192.168.x.200) will all use 2.2.2.7 as Public NAT-ed IP
- MTA in LAN (192.168.x.240) will use 2.2.2.2 as Public IP (with forwarded needed ports, like 25, 465, 995 etc)
- httpd in LAN (192.168.x.241) will use 2.2.2.3 as Public IP (with forwarded needed ports, like 80, 443 etc)
- etc

Is this doable with RouterOS? Am I using a wrong approach? Should I go with assigning public IPs to internal servers and filter packets by ACLs, and just NAT the link IPs to clients (although I wouldn't like this one very much)?

Thank you!
 
evince
Member
Posts: 300
Joined: Thu Jul 05, 2012 12:11 pm
Location: Weiswampach - Luxemburg

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Fri Apr 03, 2015 12:50 pm

Hello,

Simply use NAT rules as follows:
/ip firewall nat
# client range leaves as 2.2.2.7; the MTA leaves as 2.2.2.2
add action=src-nat chain=srcnat comment="NAT clients to 2.2.2.7" \
    src-address=192.168.x.100-192.168.x.200 to-addresses=2.2.2.7
add action=src-nat chain=srcnat comment="NAT MTA" \
    src-address=192.168.x.240 to-addresses=2.2.2.2
 
tyby
just joined
Topic Author
Posts: 16
Joined: Thu Nov 10, 2011 5:03 pm
Location: Bucharest / RO

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Tue Apr 07, 2015 3:30 pm

Ok evince, thanks for your quick answer.

In this case, how should I address the public subnet? Do I need to bind it to LAN interface and insert route to it?

Thank you!
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Tue Apr 07, 2015 4:11 pm

So if I understand this right - any given Mikrotik will need to dynamically obtain its WAN address (let's say ether1 = wan).
I assume this is DHCP.
So once a 'tik gets a DHCP lease, the server will route a specific /29 to it. Off the top of my head, I can't think of any way for the server to signal to the client what /29 it has, so I'm going to assume that must be known in advance and just configured correctly.

OK.

So you'll want to start by creating a blackhole route for the /29 on the Mikrotik.
(this keeps packets to an unused address from bouncing back and forth between the Mikrotik and 1.1.1.254 200+ times until TTL expires)


For each IP you want to use, set these rules in /ip firewall nat:
chain=dstnat dst-address=2.2.2.x action=dst-nat to-addresses=192.168.x.x
chain=srcnat src-address=192.168.x.x action=src-nat to-addresses=2.2.2.x

-- this creates a 1:1 translation both in and out, and will support hairpin NAT (one more rule is required - see below)

Finally the default NATs:
chain=srcnat src-address=192.168.x.x/24 out-interface=!ether1 action=masquerade
chain=srcnat out-interface=ether1 action=src-nat to-addresses=2.2.2.x

To protect the public IP servers, don't make the NAT rules match ports and such - keep those straightforward.
Use filter table rules to block access to the web server on anything other than ports 80/443.

/ip firewall filter
add chain=forward dst-address=192.168.x.x protocol=tcp dst-port=80,443 action=accept
add chain=forward dst-address=192.168.x.x action=drop
Note that you should use the internal IP of the server because the forward filter is checked after the NAT is done.

Added bonus:
Since the /29 is never applied to any kind of broadcast interface, you can actually use all 8 addresses. As long as the /29 prefix is not the same as the classful network prefix, it will work. (same is true for the broadcast address)
So with 10.1.29.0/29 it is OK to use the .0 address, because 10.0.0.0 is a class A network and the natural network ID is 10.0.0.0.
172.19.29.0/29 is OK as well - 172.19.0.0/16 is the classful network boundary.
192.168.29.0/29 is not OK - 192.168.29.0/24 is the classful boundary. (class C)

So if instead of 2.2.2.x you in reality have 78.231.14.0/29, then you can use all 8 of those for NAT and it will work perfectly.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
tyby
just joined
Topic Author
Posts: 16
Joined: Thu Nov 10, 2011 5:03 pm
Location: Bucharest / RO

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Tue Apr 07, 2015 4:37 pm

OK, ZeroByte, I will take them one by one:

1. WAN link IP is static. In my example: 1.1.1.1 / 24 (gw 1.1.1.254). So no need for DHCP on WAN side.

2. /29 subnet is already known. Like I said: 2.2.2.0/29 routed through 1.1.1.1 above (link IP). We have 2.2.2.0 net address, 2.2.2.1 - 2.2.2.6 available IPs, 2.2.2.7 broadcast.

3. Real IP addressing in the /29 is something like 82.79.x.x/29 (I have multiple /29 subnets, for different clients, all bound to the same ISP, so the numbering is pretty much the same).

4. I understood the idea behind using all 8 IPs, but I tend not to do it, for future reference (I might use a different approach at some point, with different hardware, in which I might need to route the subnet). In fact I am using this config for 2 client sites at the moment (different routers). However I only need a maximum of 4 IPs from the subnet, of which 3 will be bound to different servers / equipment behind the router and one for general client access.

To extend the above:
- IPs 2.2.2.2, 2.2.2.3, 2.2.2.4 for "servers" - each with its own public IP translated
- IP 2.2.2.5 - for general client access, all through same IP.

I hope it's clearer now.

I will study more in depth your post above in the meantime! ;)

Thanks,

T
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Tue Apr 07, 2015 4:47 pm

I know what you mean about being hesitant to use the 0 and broadcast addresses - it just feels wrong somehow :)
 
tyby
just joined
Topic Author
Posts: 16
Joined: Thu Nov 10, 2011 5:03 pm
Location: Bucharest / RO

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Tue Dec 08, 2015 3:03 pm

Guys, I know that a long time has passed, but I had a very busy year behind me (who didn't?!) and very little opportunity for "side projects".

Short update:

Thanks also to ZeroByte's excellent instructions, so far I managed the following (I changed the /24 local subnet for clients from 192.168.x.0/24 to 10.0.0.0/24 for testing reasons - 192.168.0.0/24 is my office LAN, and the 0.101 address is assigned to the Mikrotik WAN):

- add 2.2.2.0/29 blackhole - working as expected:
/ip route 
add dst-address=2.2.2.0/29 type=blackhole
- 1:1 mapping for 2.2.2.1 address to 10.0.0.199 - working as expected
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.0.0.199 dst-address=2.2.2.1 
add chain=srcnat action=src-nat to-addresses=2.2.2.1 src-address=10.0.0.199


- test filter for the above mapping, allowing few MTA services to / from 10.0.0.199 - working as expected
/ip firewall filter
add chain=forward dst-address=10.0.0.199 protocol=tcp dst-port=25,110 action=accept
add chain=forward dst-address=10.0.0.199 action=drop
TO DO (will keep you posted):

1. first of all, I need to use one of the 2.2.2.0/29 IPs (let's say 2.2.2.5) for masquerading multiple general LAN clients, keeping the critical services machines (like the MTA above) on their own 2.2.2.x IPs.

2. later on, and somewhat trickier - this I don't have the slightest idea how to do: I need to assign one public IP to a specific device - it's a critical device, which needs its own public IP - already configured, without access for changing that.

This could be done - probably more easily - by routing the 2.2.2.0/29 subnet directly and assigning one IP to a virtual interface on the Mikrotik. That is the actual location setup, in fact. Moreover, the device does not need any kind of "protection" / filtering. It's a hardware device with only 2 ports opened in firmware, and those 2 ports should be accessible from anywhere. This would lead me to have all LAN clients masqueraded through the link IP, which I can live with.

In case it's possible, I'd like to also have a combination of 1. and 2., as having both mappings and routing for the same /29 subnet. If you have any idea ... :D

Guys, it's still wip, and it's not "on-fire"!

I will revert, as said above!

In the meantime I wish you Happy and nice Holidays!

Thanks,

T
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Tue Dec 08, 2015 10:07 pm

2. later-on, and somehow trickier - this I don't have the slightest idea how: I need to assign one public IP to a specific device - it's a critical device, which needs it's own public IP - already configured, without access for changing that.
Do you mean that the device itself needs the actual public IP address configured directly on it; that it cannot operate with a private IP address and a dedicated 1:1 NAT mapping?

This is a lot easier than you think:
Create a static ARP entry for the device in IP > ARP (specify the correct MAC address and interface for the public IP)
Then create a static route for the IP address, e.g. dst=2.2.2.4/32 gateway=ether1 (or whatever interface the device lives on)

On that same ethernet interface (ether1 in this example) you'll need to set arp=proxy-arp so that the Mikrotik will answer the critical device's ARP requests for 2.2.2.1 (whatever you told it the default GW is)

Finally, in the NAT table, just make an accept rule in the srcnat chain for src-address=2.2.2.4 and an accept rule in the dstnat chain for dst-address=2.2.2.4
(basically: pass the packet without altering the source or destination addresses)

If your device will let you add 2.2.2.4 as a 'virtual IP address' or secondary IP address, then this would be the cleanest configuration on the Mikrotik - use the above "no nat" rules, but don't add the static ARP / proxy arp configurations. You would put a LAN private IP _and_ the 2.2.2.4 public IP on the device, with the Mikrotik's LAN IP as the default gateway, and then in the Mikrotik, static route 2.2.2.4/32 -> LAN IP of the device.
 
tyby
just joined
Topic Author
Posts: 16
Joined: Thu Nov 10, 2011 5:03 pm
Location: Bucharest / RO

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Fri Dec 11, 2015 12:51 am

Hi Zerobyte.

Thanks for quick answer.

Yes, the device itself needs (and is already configured with) a dedicated public IP (it's a serial to Ethernet converter that is linking data to one of our partner's datacenters).

It does not support virtual interface or anything else fancy that could do my job easier.

It is configured as 2.2.2.4/29 with 2.2.2.1 as gw (when relating to our testing environment above).

So I need to pass data to and from that device in a transparent way.

I will try your advice and revert. As far as I understand, the config remains the same, with only the option to throw traffic to / from 2.2.2.4 to converter.

So far (device will connect on bridge-local interface - or should I use ether1-master-local for this?!):

- add static arp:
/ip arp
add address=2.2.2.4 mac-address=00:40:9D:28:BA:95 interface=bridge-local
- create static route:
/ip route
add distance=1 dst-address=2.2.2.4/32 gateway=bridge-local
- set arp as proxy-arp on bridge-local:
/interface bridge
# the bridge to change must be named; a bare "set" has no item to act on
set bridge-local arp=proxy-arp
 
- accept rules for 2.2.2.4/32:
/ip firewall nat
add chain=srcnat src-address=2.2.2.4
add chain=dstnat dst-address=2.2.2.4
Will set-up some new testing ground for new config, and revert with results. Still need to use one of the public IP's as masq for LAN clients. One step at a time!

Thank you!
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Fri Dec 11, 2015 1:08 am

Will set-up some new testing ground for new config, and revert with results. Still need to use one of the public IP's as masq for LAN clients. One step at a time!
I strongly recommend that you get it working by way of 1:1 NAT and not the ARP/forwarding method, if possible.
Serial->IP boxes are generally pretty straightforward and shouldn't require a globally-routable IP address directly configured on the unit itself.
 
tyby
just joined
Topic Author
Posts: 16
Joined: Thu Nov 10, 2011 5:03 pm
Location: Bucharest / RO

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Fri Dec 11, 2015 2:08 am

Short update:

The config above proved not to work in the lab; I could not ping or connect to 2.2.2.4. I was expecting that, as 2.2.2.1 (gw for the public IP behind the Mikrotik) was initially set up as a 1:1 map to one LAN client (10.0.0.199), if you recall that :) ).

What I did:

- change 1:1 mapped IP to 2.2.2.2 : 10.0.0.197 - still not good enough
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=2.2.2.2 to-addresses=10.0.0.197
add action=src-nat chain=srcnat src-address=10.0.0.197 to-addresses=2.2.2.2
- added 2.2.2.1 as Mikrotik bridge-local IP (similar to adding a virtual interface, I suppose).
/ip address
# network= expects a network address, not a mask; with a /32 RouterOS derives it, so it is left out
add address=2.2.2.1/32 interface=bridge-local
From external machine (connected at WAN side of the mikrotik):

- tested ICMP, MTA ports on 2.2.2.4 (mimics the hardware equipment) - OK
- tested ICMP, some test-opened ports on 10.0.0.197 (as 2.2.2.2) - not working.

As 10.0.0.197 is a Windows virtual machine, the next step was to configure the Windows firewall to allow it.

- re-tested ICMP and test-ports on 10.0.0.197 (as 2.2.2.2) - OK.

It seems that I'm on the right track! :)

What do I have now:
- simple lab setup for mikrotik: wan (192.168.0.101/24), LAN (10.0.0.254/24) and public subnet (2.2.2.0/29), with 2.2.2.1 assigned to bridge local as gw for /29 subnet
- 1:1 masquerading for 1 LAN client (2.2.2.2 : 10.0.0.197) accepting connections and replying ;)
- packet throwing from wan side to 2.2.2.4 configured LAN-side device, device accepting connections and replying
- stable internet connection for both ordinary LAN clients and both machines above (1:1 mapped machine and public IP assigned equipment)
- a reason to go on!

What I don't have / I need:
- both 1:1 mapped machine and public IP equipment are NOT presenting to wan side servers as 2.2.2.0/29 IPs, but as mikrotik's WAN IP (192.168.0.101) - which is not good. Could it be because of way NAT is configured (especially first line):
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

add action=dst-nat chain=dstnat dst-address=2.2.2.2 to-addresses=10.0.0.197
add action=src-nat chain=srcnat src-address=10.0.0.197 to-addresses=2.2.2.2
add chain=srcnat src-address=2.2.2.4
add chain=dstnat dst-address=2.2.2.4
- still don't have the setup in which all other LAN clients are using same /29 IP for getting out - for now all are masqueraded behind mikrotik wan (ether1-gateway). I would like them to be masqueraded as 2.2.2.6.
- I am not sure that the 2.2.2.1 assignment to bridge-local is correct (should it be assigned to ether2-master-local ?!)
- time

Work in progress ...

Thank you!
Last edited by tyby on Fri Dec 11, 2015 2:13 am, edited 2 times in total.
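The symptom in the post above (the 1:1-mapped host and the 2.2.2.4 device leaving as the WAN address) follows from how RouterOS walks a chain: rules are tried in order and the first terminating match (accept, src-nat, masquerade) ends processing, so a catch-all masquerade listed first wins before the src-nat and accept rules are reached. The following is an added example, not configuration from the thread, that re-orders the thread's lab rules so the exceptions come first; it assumes the WAN interface is ether1-gateway, the LAN bridge is bridge-local and ordinary clients should leave as 2.2.2.6, all values taken from the posts.

```routeros
# Added example (not from the thread): lab values from this thread, ordered so
# the exceptions are matched before the catch-all. Assumed names: WAN is
# ether1-gateway, LAN bridge is bridge-local, plain clients leave as 2.2.2.6.

/ip route
# unused /29 addresses are dropped here instead of looping back to the ISP gateway
add dst-address=2.2.2.0/29 type=blackhole

/ip firewall nat
# 1) device with 2.2.2.4 configured on it: pass untouched in both directions.
#    accept is terminating, so these must sit above any src-nat/masquerade rule
add chain=srcnat src-address=2.2.2.4 action=accept comment="no NAT 2.2.2.4"
add chain=dstnat dst-address=2.2.2.4 action=accept comment="no NAT 2.2.2.4"

# 2) 1:1 mapping 2.2.2.2 <-> 10.0.0.197 (inbound rewrite, outbound rewrite);
#    out-interface keeps LAN-internal traffic from the host untranslated
add chain=dstnat dst-address=2.2.2.2 action=dst-nat to-addresses=10.0.0.197 \
    comment="1:1 2.2.2.2 in"
add chain=srcnat src-address=10.0.0.197 out-interface=ether1-gateway \
    action=src-nat to-addresses=2.2.2.2 comment="1:1 2.2.2.2 out"

# 3) hairpin: a LAN client reaching the mapped host by its public IP gets its
#    source rewritten to the router, so the reply returns through the NAT
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.0/24 \
    action=masquerade comment="hairpin"

# 4) everyone else: src-nat to a fixed /29 address instead of masquerading to
#    the link IP, so the presented address survives link IP changes
add chain=srcnat src-address=10.0.0.0/24 out-interface=ether1-gateway \
    action=src-nat to-addresses=2.2.2.6 comment="clients as 2.2.2.6"

/ip firewall filter
# replies to connections the mapped host opened must not hit the drop below
add chain=forward connection-state=established,related action=accept
# only the published ports reach the mapped host; match the internal address
# because forward is evaluated after dst-nat has rewritten the destination
add chain=forward dst-address=10.0.0.197 protocol=tcp dst-port=25,110 \
    connection-state=new action=accept comment="MTA ports only"
add chain=forward dst-address=10.0.0.197 connection-state=new action=drop
```

Check the result with /ip firewall nat print stats: the counters on the first rules should increase for traffic from 10.0.0.197 and 2.2.2.4 while the 2.2.2.6 rule counts only the other clients.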
 
tyby
just joined
Topic Author
Posts: 16
Joined: Thu Nov 10, 2011 5:03 pm
Location: Bucharest / RO

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Fri Dec 11, 2015 2:11 am

I strongly recommend that you get it working by way of 1:1 NAT and not the ARP/forwarding method, if possible.
Serial->IP boxes are generally pretty straightforward and shouldn't require a globally-routable IP address directly configured on the unit itself.
Yes Zerobyte, it would have been much easier and correct, too, I know. But I really don't have access to equipment config, it's out of my reach and oversight, and it's not my decision to change it. I prefer not to touch it, as there are several implications above technical ground in doing this.
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Fri Dec 11, 2015 4:33 pm

Yes Zerobyte, it would have been much easier and correct, too, I know. But I really don't have access to equipment config, it's out of my reach and oversight, and it's not my decision to change it. I prefer not to touch it, as there are several implications above technical ground in doing this.
Well, there's the right way, and then there's working within constraints. ;)
 
tyby
just joined
Topic Author
Posts: 16
Joined: Thu Nov 10, 2011 5:03 pm
Location: Bucharest / RO

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Fri Dec 11, 2015 4:50 pm

Well, there's the right way, and then there's working within constraints. ;)
Yeap! 8)

Do you have any idea regarding the advertised IP to external hosts? I intend to spare some time later on it, and some tricks would help! :)

Thanks,

T
 
tyby
just joined
Topic Author
Posts: 16
Joined: Thu Nov 10, 2011 5:03 pm
Location: Bucharest / RO

Re: RouterOS - public subnet routed and NAT-ed to internal clients

Fri Mar 04, 2016 8:13 pm

Hi guys, long and busy time behind, did not have any spare for testing the above.

But as I'm pushing the final config to a brand new RB3011UiAS-RM (nice piece of hardware for its money), I started to remember my long forgotten issue.

So, if you have any idea for my last post, please don't be shy! :)

Thanks,

T
