andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

firewall srcnat Netmap problem

Fri May 14, 2010 8:02 pm

hello to all,

I've been having problems implementing Action=Netmap in MikroTik. My scenario is the following: I have 10 clients, and all of them are in the private IP address space 192.168.1.2-192.168.1.11.
If all of them want to download from Rapidshare or Megaupload, the public IP address conflict appears, because all of them are behind the NAT masquerade.

If I use the configuration
ip firewall chain=srcnat src-address=192.168.1.2-192.168.1.11 action=netmap to-address=201.218.35.2-201.218.35.4

it doesn't work. Is it because netmap is exclusively 1:1?

but I've tried also the same configuration with
ip firewall chain=srcnat src-address=192.168.1.2-192.168.1.11 action=netmap to-address=201.218.35.2-201.218.35.11

and it doesn't work as well....

what am I missing?

thanks for your attention
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: firewall srcnat Netmap problem

Fri May 14, 2010 8:04 pm

> 201.218.35.2-201.218.35.11
Do you have those IP addresses either directly configured on the interface the NAT'd traffic leaves through (as in, they are entries in "/ip address"), or do you have proxy ARP enabled on that interface? If not, return traffic to those IPs won't make it to the router as the upstream router can't ARP for them and doesn't know where to send the traffic.
 
andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: firewall srcnat Netmap problem

Fri May 14, 2010 8:10 pm

Hey fewi,

Thanks a lot for your quick answer,

I have the IP addresses configured on the same interface, 201.218.35.2-201.218.35.11 on ether2, which is the one connected to the Cisco router that gives me internet from the ISP, and ether2 has ARP enabled. What can the problem be?

When I look at the ARP list I see

201.218.35.2 - mac address - ether2
201.218.35.3 - another mac address - ether2
201.218.35.4 - another mac address - ether2
...so on so on...

should it be that way?
thanks for your responses
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: firewall srcnat Netmap problem

Fri May 14, 2010 9:02 pm

No, all ARP entries for the IPs you want to NAT to should point to the outside interface of your router (ether2). More importantly your ISP's Cisco router should show that.
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: firewall srcnat Netmap problem

Fri May 14, 2010 9:10 pm

> it doesn't work
> and it doesn't work as well....
please describe it. maybe your router doesn't work - power it on...

what behaviour do you see with those rules?
 
andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: firewall srcnat Netmap problem

Fri May 14, 2010 9:11 pm

Ok fewi, it's done.

I could do that. Now I have another question:

Can I do the netmap somehow with a 5:1 configuration?

In other words, can I assign one public IP to a range of addresses like this:
201.218.35.2 netmap to 192.168.1.1-192.168.1.5 ?

thanks for your quick responses
 
andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: firewall srcnat Netmap problem

Fri May 14, 2010 9:22 pm

Hello Chupaka

it worked now with the netmap rule when it is 1:1
192.168.1.2-192.168.1.11 action=netmap to-address=201.218.35.2-201.218.35.4

is there any way to do the following configuration
192.168.1.2-192.168.1.5 action=netmap to-address=201.218.35.2
?

Thanks for your responses
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: firewall srcnat Netmap problem

Fri May 14, 2010 9:38 pm

It's my understanding that you cannot do that with netmap, but I may be wrong on that. The manual supports my theory:
> netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
http://wiki.mikrotik.com/wiki/Manual:IP ... Properties

However, you can certainly source NAT 4 IP addresses against one IP, you just can't use the netmap function.
/ip firewall address-list
add list=mylist address=192.168.1.2
add list=mylist address=192.168.1.3
add list=mylist address=192.168.1.4
add list=mylist address=192.168.1.5
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=201.218.35.2 out-interface=ether2 src-address-list=mylist 
Order is important for NAT, so make sure the rule is listed before other, more general NAT rules.
 
andrescamino
Member Candidate
Topic Author
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: firewall srcnat Netmap problem

Fri May 14, 2010 9:54 pm

Fewi,

Thanks a looooooooot, you solved my problem and helped me keep a big customer.

You rock, man, thanks a lot.
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: firewall srcnat Netmap problem

Sun May 16, 2010 4:33 pm

Ok, I am struggling with same sort of setup:

Presently I have clients coming in at my LAN port with about 14 different networks. Some /24, some /25, and some /26.
Up to now all these addresses were src-nat'd to one IP assigned to me by the ISP.
Now I have obtained a /24 address range (254 addresses) that I can use to give clients fixed public IPs.

What is now the best scenario, and where should I look?
I read all the manuals and some posts but still have some items in need of clarification:
I have different scenarios:
- src-nat each local IP to a public IP? Do I need to set this public IP on the public interface of my router? (ip/address)
- netmap several networks to same-size networks? (Like a local /26 gets a public /26, and that several times until I run out of addresses?) Yet again, do all addresses also have to be set as IPs on the public interface?
- Arrange that all clients arrive at the gateway with a local IP all in one /24 network so netmap translation becomes straightforward. In this case I have to build tunnels or something to all clients to get them on one and the same network.
- Proxy ARP. In which scenario is this needed? And can it be dynamic or static with respect to the security issues the manual mentions?

I have this 4Mb/4Mb full duplex line delivered to my gateway, but even with my proven working QoS I can only get 4Mb max. traffic over this line, while the provider claims I could easily serve 200 clients with 3Mb on such a line.
Can it be that, because I still have all traffic leaving with only one public IP, this limits the throughput?
They are talking about "circuits" but I can't really understand what they mean by that?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: firewall srcnat Netmap problem

Sun May 16, 2010 5:41 pm

I'm splitting that up into different answers, with more detail than you probably need but that's only so that the post is useful for anyone searching the archives.

Adding addresses to interface for NAT and proxy ARP for NAT: Routers among each other (routers talking to other routers that are directly connected) talk to each other not only by IP address, but also on layer 2 because they share networks. Devices on the same network ARP for the IP address that they are to send traffic to, ARP resolves an IP address to a MAC address and then traffic is sent to that MAC address. Therefore, your router must answer with its MAC address for every IP address that it NATs a client behind it to, as the ISP router only sees the NAT'd address. If the router doesn't resolve to that address via ARP, the ISP's router doesn't know where to send return traffic as it asks "Hey, what physical device is this IP" and your router doesn't answer, so that traffic doesn't get sent to it.
There are two ways to achieve that: either add all IP addresses that the router NATs to to the interface where the address translation happens, or enable proxy ARP on the interface. You can only use proxy ARP if *every* address on the network the interface is on belongs to you, as proxy ARP essentially means "Hey, whenever you see an ARP request for an IP address on the network your current IP address is on, just claim that's you". If you share that network with other ISP customers, you'll be causing problems for them and your ISP will take action. But if that network is between just you and your ISP, proxy ARP means you don't have to add every single IP you use for NAT.

If you have several /24s (and more networks on top of that) but only one public /24 you cannot use netmap for all of your address space. Netmap simply translates IP addresses 1:1 - you have more privates than publics so you cannot translate 1:1. You could, however, netmap some of your private space and PAT (1:many via src-nat on more than one private IP address) at once. I don't think there's any need to re-arrange your internal network. Just determine which customers should be NAT'd 1:1, and which can be overloaded on a single address.

There is no way that translating many customers to one address is limiting throughput. NAT is NAT, whether you 1:1 or 1:many doesn't matter for how much processing resources are used. I do think that your ISP is nuts for suggesting 3 megs to be sufficient for 200 clients, I personally think that oversubscribing customers to that point is not a good business practice - but that's all about how much bandwidth you have available and has nothing to do with NAT.

I don't know what they mean when they mention 'circuits' in this context.
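Putting fewi's two answers together (1:1 netmap for the customers who get a fixed public address, many-to-one src-nat for the rest, and making the router answer ARP for every public address it translates to), here is an added RouterOS configuration example that is not from the thread or from MikroTik's documentation. It reuses the thread's names and ranges (ether2 as the upstream interface, 201.218.35.0/24 public, 192.168.1.0/24 private) and assumes the whole public /24 sits between your router and the ISP, so proxy ARP is safe; the per-address alternative is shown commented out.

```routeros
# Added example (not from the thread). Interface and address values are the
# ones used in the thread; adjust to your own network.

# --- Making the ISP router find you: option A, proxy ARP --------------------
# Only safe when *every* address on the network ether2 sits on is yours;
# otherwise the router will answer ARP for other customers' addresses too.
/interface ethernet set ether2 arp=proxy-arp
/ip address add address=201.218.35.2/24 interface=ether2 comment="upstream, main"

# --- Option B: add each translated address to the interface instead ---------
# Use this when the public network is shared with other customers.
#/ip address add address=201.218.35.3/32 interface=ether2 comment="netmap .3"
#/ip address add address=201.218.35.4/32 interface=ether2 comment="netmap .4"
#/ip address add address=201.218.35.5/32 interface=ether2 comment="netmap .5"
#/ip address add address=201.218.35.6/32 interface=ether2 comment="shared .6"

/ip firewall nat
# --- Fixed public address per host: 1:1 netmap ------------------------------
# netmap needs ranges of equal size: 3 private hosts -> 3 public addresses.
add chain=srcnat action=netmap out-interface=ether2 \
    src-address=192.168.1.2-192.168.1.4 to-addresses=201.218.35.3-201.218.35.5 \
    comment="1:1 outbound"
# The srcnat rule only covers connections the LAN host starts. Traffic from
# the Internet to .3-.5 needs the reverse mapping in dstnat. A host mapped
# this way is reachable on every port, so restrict it in the forward chain.
add chain=dstnat action=netmap in-interface=ether2 \
    dst-address=201.218.35.3-201.218.35.5 to-addresses=192.168.1.2-192.168.1.4 \
    comment="1:1 inbound"

# --- Several hosts behind one public address: many-to-one src-nat -----------
# Same effect as fewi's address-list version; a plain range is used here.
add chain=srcnat action=src-nat out-interface=ether2 \
    src-address=192.168.1.5-192.168.1.9 to-addresses=201.218.35.6 \
    comment="5:1 shared"

# --- Everything else: masquerade to the interface address -------------------
# Must stay LAST. NAT rules match top-down and the first match wins, so a
# masquerade placed above the specific rules would swallow their traffic.
add chain=srcnat action=masquerade out-interface=ether2 comment="catch-all"

# --- Checks -----------------------------------------------------------------
# 1. Rule order and per-rule packet counters: the specific rules should count
#    up for their hosts; if only the catch-all counts, ordering is wrong.
/ip firewall nat print stats
# 2. Your own router does not list its own public addresses in its ARP table;
#    the ISP's router must show .3-.6 pointing at ether2's MAC address.
/ip arp print where interface=ether2
```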
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: firewall srcnat Netmap problem

Mon May 17, 2010 12:16 am

> I'm splitting that up into different answers, with more detail than you probably need but that's only so that the post is useful for anyone searching the archives.
Very nice, you can never have too much detail, as long as it covers the subject. After reading what follows I decided to give your karma a little boost! :D
> Adding addresses to interface for NAT and proxy ARP for NAT: Routers among each other (routers talking to other routers that are directly connected) talk to each other not only by IP address, but also on layer 2 because they share networks. Devices on the same network ARP for the IP address that they are to send traffic to, ARP resolves an IP address to a MAC address and then traffic is sent to that MAC address. Therefore, your router must answer with its MAC address for every IP address that it NATs a client behind it to, as the ISP router only sees the NAT'd address. If the router doesn't resolve to that address via ARP, the ISP's router doesn't know where to send return traffic as it asks "Hey, what physical device is this IP" and your router doesn't answer, so that traffic doesn't get sent to it.
> There are two ways to achieve that: either add all IP addresses that the router NATs to to the interface where the address translation happens, or enable proxy ARP on the interface. You can only use proxy ARP if *every* address on the network the interface is on belongs to you, as proxy ARP essentially means "Hey, whenever you see an ARP request for an IP address on the network your current IP address is on, just claim that's you". If you share that network with other ISP customers, you'll be causing problems for them and your ISP will take action. But if that network is between just you and your ISP, proxy ARP means you don't have to add every single IP you use for NAT.
Ok. As I am being told that I indeed have gained a full /24 network with 100% contention rate, it must then mean I am the owner of all addresses in that specific /24 network and thus can just use proxy ARP?
Am I right?
> If you have several /24s (and more networks on top of that) but only one public /24 you cannot use netmap for all of your address space. Netmap simply translates IP addresses 1:1 - you have more privates than publics so you cannot translate 1:1. You could, however, netmap some of your private space and PAT (1:many via src-nat on more than one private IP address) at once. I don't think there's any need to re-arrange your internal network. Just determine which customers should be NAT'd 1:1, and which can be overloaded on a single address.
Ok, this is interesting. Although I have several /24 and smaller networks where clients are to be found, in total I have somewhat less than 200 actual users. So I can set up some smart src-nats for some of the networks, while for instance business users or VoIP users, to whom I can sell public addresses, I can give fixed addresses. I just have to make sure their src-nat rule comes above the general one.
> There is no way that translating many customers to one address is limiting throughput. NAT is NAT, whether you 1:1 or 1:many doesn't matter for how much processing resources are used. I do think that your ISP is nuts for suggesting 3 megs to be sufficient for 200 clients, I personally think that oversubscribing customers to that point is not a good business practice - but that's all about how much bandwidth you have available and has nothing to do with NAT.
Well, that was my point too. I told them my clients have a contractual right to download at 3Mb. In my opinion a 4Mb pipe is not enough to give a reasonable ratio to provide a proper service. The provider assured me there was no problem. And well, try to talk sense into a national (Spanish) sales guy who never heard of MikroTik in his life and felt my business was amateurish anyway! Now it's going to prove I am right!

Now some might think: "couldn't you make that up yourself!" Well, maybe yes. But I am a self-educated network operator still learning on a day-to-day basis and still regularly surprised by how things are done. So I am not the first to give a lesson to a guy claiming he has been in the business for years.....
> I don't know what they mean when they mention 'circuits' in this context.
Neither do I. But according to these guys this is a normal term used by carriers. Well, here in Spain maybe...

Tomorrow we have them over at my place again so I hope some new deals can be arranged. Thanks for your help so far. I am sure we will speak more about this...
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: firewall srcnat Netmap problem

Mon May 17, 2010 7:22 am

> Ok. As I am being told that I indeed have gained a full /24 network with 100% contention rate, it must then mean I am the owner of all addresses in that specific /24 network and thus can just use proxy ARP?
> Am I right?
From what you are saying, yes. But I would make sure and ask the carrier. Just tell them you are planning to enable proxy ARP on your interface, and do they see a problem with that.
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: firewall srcnat Netmap problem

Wed May 19, 2010 12:43 am

Spoke with the provider earlier this week and yes, I own the full network.
At the same time we talked about the problems; they figured selling 3Mb to customers is out of proportion and hence the reason their 4/4 line was not enough! (They are really years behind here in Spain!) And "MikroTik"? That must be some kind of toy equipment....
I think MT needs to do a bit more promotion in the industry, because I spoke with the head of Motorola in Spain before and although he said he had heard about MT he didn't think it was capable of doing anything like them! So MT still has some work at hand!

Anyway, we signed for an upgrade to 10/10M, which with a backup of two 10M ADSL lines should do for the time being. Now we only have to wait two weeks before they deliver.....

But thanks for the info so far.
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: firewall srcnat Netmap problem

Thu May 20, 2010 3:04 am

> Ok. As I am being told that I indeed have gained a full /24 network with 100% contention rate, it must then mean I am the owner of all addresses in that specific /24 network and thus can just use proxy ARP?
> Am I right?
> From what you are saying, yes. But I would make sure and ask the carrier. Just tell them you are planning to enable proxy ARP on your interface, and do they see a problem with that.
Well, I asked and they confirmed. So I started to play with it. I have 7 PCs that from an office network reach the LAN interface of my main gateway.
I have 3 WAN gateways to 3 different ISPs: 2 ADSL (with the same gateway) and one symmetric line with the /24 network.
The one with the symmetric line and subject to address translation to public IPs is WAN1.

I route all traffic for these PCs to WAN1, which happens to be the enabled default gateway. (The others are standby with higher cost for failover.)

Now some strange things happen:
I src-nat each IP of each PC with classifier WAN1 as outgoing interface and action=src-nat to a public address.
I then give the WAN1 interface that address as well, in /32 format.
Now only two PCs actually talk with the internet, and torch sees their traffic going and coming.
But the other PCs stay deaf. Traffic goes out but doesn't come back, it looks to me.
I also tried to put the address in /24 notation but that didn't help.

I looked in the ARP table (ARP is enabled, also tried ARP=proxy-arp, no difference) and see only the 'main' address (which is set with the /24 notation) bound to the router's MAC address. (And of course I see the other interfaces as well.)

I then tried to make a static entry for the IP that I want the PCs that won't talk to the internet to use. But now my question is, which IP notation do I use here? /24 or /32? And which MAC address? The one belonging to the 'main'?

I also tried with only the 'main' IP address on the WAN1 interface and proxy-arp enabled. But then nothing happens any more. No more traffic to the internet except for devices going out through the default masquerade for that WAN1 interface.
I also don't see any more dynamic ARP entries come up. I would expect in proxy-ARP mode that each IP used by the router in the NAT to have packets leaving that interface would show up in the ARP table?

So, as you see, still a lot of questions..... any answers?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: firewall srcnat Netmap problem

Thu May 20, 2010 4:21 pm

> I also don't see any more dynamic ARP entries come up. I would expect in proxy-ARP mode that each IP used by the router in the NAT to have packets leaving that interface would show up in the ARP table?
No, because the router doesn't need itself as an entry in its ARP table. Proxy ARP ensures that the router responds to ARP discovery by the ISP's router, so that the ISP's router can put the MAC address of your router's WAN interface into the ISP router's ARP table for the public IP address you're NAT'ing to and knows where to send traffic to.

Maybe post your NAT rules, but it may also be necessary to involve the ISP if you see traffic leaving correctly but never see return traffic.
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: firewall srcnat Netmap problem

Tue Jul 13, 2010 3:47 am

fewi,

finally got some time to make the setup as I wanted, but it's still not working according to your advice...

I have all 254 IP addresses set (/32) on the WAN1 interface (and only the .2 (= main IP of my border router itself) with /24 notation).
I have proxy-arp enabled because that should be the way to go.
And of course I now also have many src-nat rules in the firewall to src-nat local IPs to their assigned public IPs (some indeed have two rules for two different local IPs src-nat'd to only one IP).
Not all IPs are used up this way; I still have some 50 left, and for these no src-nat rules are made and the IPs on the WAN interface are disabled.
The last rule in filter/NAT is a general rule that just masquerades all traffic going out via this WAN1 and not caught by one of the previous 1:1 or 2:1 src-nat rules.

I had to set all IPs on the WAN1 interface because otherwise browsing was almost impossible. Sometimes it worked, but very poorly, and VoIP/streaming data/games/log-in sessions timed out.
So, with all users now src-nat'd to a public IP it seems to work fine.

But according to your previous story, setting all addresses on the interface was not needed if "proxy-arp" was enabled? But if I now disable an IP of a certain test PC (while I leave that src-nat rule in place), then after some time that PC loses its connection. Not immediately. Even if all connections from that PC are erased from the connection tracker, I can still use it for some time.

But then, after some more time (10 mins? Didn't measure) that PC has no more connectivity.
I can only make it work again by enabling the IP again. Immediately after enabling the IP for that PC (the one the src-nat rule translates to) the PC gets its connectivity back...

I also had several users complaining, before they had a public IP assigned (so basically they were 'masqueraded' to the border router's main IP address), that browsing was poor and log-in sessions, Skype, VoIP and streaming data were virtually impossible.
The moment I gave them a src-nat rule with an IP on the WAN1 interface all was fine!

And this all while the WAN1 interface has proxy-arp enabled all the time!

So, this is not so much in line with what you wrote before.

BUT: I have one router in between that border router of mine and the next box of the ISP.
That router is an RB600, and ether1, which connects to my RB1000 (border router), and ether2, which connects to the ISP Cisco box, are in a bridge. The bridge has "use IP firewall" enabled.
All this router does is filter the traffic for QoS in the Queue Tree.

Can it be that proxy ARP in the RB1000 can't actually work because the Cisco box is physically not connected to the MAC address of the RB1000, but to the MAC address of the RB600?
My idea was that bridging meant "transparent", but maybe not for MAC-level traffic?

(Why do I use the RB600 for the QoS? Well, I could not even make the RB1000 connect to the Cisco box in the first place. And secondly, since I also have 2 ADSL lines coming in via WAN2 and do client queues in the RB1000, I wanted to move the QoS outside the RB1000. I have been struggling to get both client simple queues and the mangle prerouting filter for QoS over three incoming lines with different speeds, and also policy routing (some clients only go out the ADSL lines), all in one box. It became too complex to handle and now I have two RB600s taking care of the QoS for the two different types of WAN connection of the RB1000.
One WAN (WAN1) connects to this Cisco box with the symmetric line and one WAN (WAN2) connects to two attached ADSL modems.
(The RB600 in between the RB1000 and the two ADSL lines is doing QoS and the PCC load balancing over the two ADSL lines. This RB600 is routed since the ADSL modems attached to it do the NATting.)

Please tell me your thoughts about this.

rgds
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: firewall srcnat Netmap problem

Tue Jul 13, 2010 3:54 am

To add on the previous post,

I am not happy with the present setup. I am afraid that all these src-nat rules combined with a bunch of policy routing rules (for routing client traffic to either the ADSL lines or the symmetrical line) PLUS the mangle rules in the attached RB600 are creating some delays for traffic.

I cannot really test it, but I have the feeling that clients who now have their src-nat rule somewhere at the bottom of the list have more delay than clients higher up.

Is there any suggestion for any better scenario to go for?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: firewall srcnat Netmap problem

Tue Jul 13, 2010 4:43 am

Yes. Get a /30 from your provider to connect your router to theirs and have them route the /24 directly across it. That way you can give the public IPs directly to customers without performing any NAT for them.

That is the standard way to get public IP space from an upstream provider. You can still NAT clients that don't require a 1:1 public mapping.
 
WirelessRudy
Forum Guru
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: firewall srcnat Netmap problem

Tue Jul 13, 2010 11:09 am

Meaning I have to get an address ending in .2/30 while their router is then .1/30, and this last IP is also the default gateway for all my traffic?
Thus their router will be presented with data streams with many different local IPs (from my clients) and they have to do the net mapping?
Meaning my router is not doing any netmapping or src-nat'ing anymore?

Hmmm, I will try to contact them. See what the outcome will be....

But can you confirm that a bridged router in between my RB1000 and the ISP's Cisco is preventing proxy ARP from working for the RB1000?

rgds.
