Hello over there, for some days I've been working on a solution on the following case

I have network setup like this: Internet <-> Router (10.11.12.1/24) <-> MT (in Bridge Mode)< - > Switch < - > LAN Customers (10.11.12.0/24)


And this MT that is in bridge mode is actually RB750G. This is the port config on the MT


Port 1 is also connected to switch (10.11.12.5)
Port 2 - Cable from Router comes here
Port 3 - Cable to the switches is connected here
Port 2 & Port 3 are bridged so traffic between LAN customers and Router is not interrupted. Bridge has na IP Firewall enabled.
Port 4 - Ip 192.168.0.1 and is connected to web server with ip 192.168.0.2
Port 5 - empty

Here I am attaching a network diagram (sorry for this drawing, but i didn't have Visio right now)



So the question is this: how to make customers who want to talk to Web server 192.168.0.2 work.
How can I Intercept the packets going to 192.168.0.2 in the bridge and forward them to the Web server on 192.168.0.2?

Also I need connection from the Web server 192.168.0.2 to the customers.

Is direct communication between customers and Web server possible or should I NAT all the customers from 10.11.12.0/24 network with for example 10.11.112.0/24.

The Web server should not see all the customers with 1 IP address. If NAT is needed, then I will NAT every customer IP with another (netmap)


Please give me any advices.

on NAS, you should add a route to 192.168.0.0/24 via 10.11.12.5

on NAS, you should add a route to 192.168.0.0/24 via 10.11.12.5

the problem is that i do not have access to the NAS. My idea is to make customers connect to the Server by using the mikrotik ip firewall in bridge mode.

Please advise how I can reroute the traffic that is generally going to the NAS (with destionation 192.168.0.2) to go to the Content Server? It this broute or some NAT rules that i have to add?

One option is to just put the server in the same network as the customers, but this is not option since the customers can be from more than one C class network, that's why I want them to access the server on another IP address, not belonging to any of customers networks.

please, any ideas?

can i grab the traffic in the bridge that is with dst 192.168.0.2 and src-nat it with 192.168.0.1?

Actually i tried this but didn't work...
I have ip 192.168.0.1 on my interface that is connected to the content server as you can see from the diagram...

What i am doing wrong?

try this:

10x Chupaka

when i added only the rule you suggested, actually a strange think happened: When I send one ping packet from Pc that is in the network 10.11.12.0/24 to 192.168.0.2, on the 192.168.0.2 machine I received hunderds of packets with ICMP echo requests. (i am using tcpdump on 192.168.0.2 because it is on Linux)


Then I added SRC NAT rule and it was working fine. Packets were masqueraded with 192.168.0.1 and were received on the machine.

Can you actually explain what is the meaning of your rule:

without that rule packets, destined to the web-server, are sent to default gateway, 10.11.12.1, and have dst-MAC = MAC of 10.11.12.1

you need to catch those packets and redirect to router itself, so that it won't bridge, but route the packets

and... I don't know, why the heck it sends hundreds of packets %)

actually when i tried second time there was no problem with many packets... so i couldn't investigate more...


Chupaka,

actually i want to src-nat all the customers from 10.11.12.0/24 network with other network for example 10.11.112.0/24 so when they reach 192.168.0.2 i will know who is who, and i know this can be done with netmap feature.

I went through the wiki and other resources also, but i couldn't find if I need to put all the Ip addresses from 10.11.112.0/24 on the interface in order to SRC-nat (netmap) them, or not?

Can you please advise?

so just don't do IP NAT - your server should see 10.11.12.0/24 w/o it

Everything is working except when customers are with PPPoE.

Of course I enabled Use ip firewall for PPPoE, pppoe connection is not encrypted, but it seems that this rule


/interface bridge nat add chain=dstnat mac-protocol=ip dst-address=192.168.0.2/32 action=redirect

is not working for when packets are inside PPPoE.

can you give me some ideas how to change the rule so it can work for PPPoE users also?

10x in advance.

no way. it's impossible to extract packets from the tunnel and then inject them back again =)