Community discussions

Seccour
newbie
Topic Author
Posts: 42
Joined: Sat Apr 02, 2005 11:10 pm

Question about NAT and Routing co-existing

Thu Mar 23, 2006 8:10 pm

We are looking to cut down on our IP usage by switching our clients over to a NAT configuration while still offering public IPs to those who need them, and to businesses. Is it possible to have both NAT and a routed IP subnet co-existing on the same interface (bridge, Ethernet or wireless; we have a very mixed network infrastructure)?

Any suggestions for accomplishing this without spending a lot of $$ on separating the NAT and routed interfaces?

How many WISPs out there prefer NAT over a public IP? Smart idea?

We are going to move over to an MT bandwidth management solution soon, using hotspot MAC authentication and RADIUS, and this is just another piece of the puzzle. I can post a more detailed network diagram if it's necessary.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: Question about NAT and Routing co-existing

Thu Mar 23, 2006 9:46 pm

Is it possible to have both NAT and a routed IP subnet co-existing on the same interface (bridge, Ethernet or wireless)?
Yes, of course.
Any suggestions for accomplishing this without spending a lot of $$ on separating the NAT and routed interfaces?
Well, since NAT on RouterOS is strictly policy-based and not interface-based, the decision whether NAT is applied for a given packet depends completely on what's defined in /ip firewall nat. You can therefore, for example, use the source address of the IP packet: if it's an RFC1918 address then apply NAT, otherwise just let it pass through unmodified.

There's a small example in the RouterOS 2.9 manual in the IPsec chapter, titled "IPsec Between two Masquerading MikroTik Routers", that shows how to configure the NAT chain to explicitly skip certain traffic by simply accepting instead of masquerading it. In that IPsec example this is done so that traffic that will pass through the tunnel between two RFC1918 networks retains its private addresses on both ends and does not get masqueraded. You could use the same technique, or reverse the logic and only NAT traffic that is sourced from / destined to RFC1918 addresses, for example.

--Tom
 
Seccour
newbie
Topic Author
Posts: 42
Joined: Sat Apr 02, 2005 11:10 pm

Thu Mar 23, 2006 10:04 pm

Awesome! Thank you very much. I will be setting up and testing a configuration shortly :D
 
Seccour
newbie
Topic Author
Posts: 42
Joined: Sat Apr 02, 2005 11:10 pm

Test appears to work...

Fri Mar 24, 2006 12:37 am

Did my test using that reference and came up with this.

[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat dst-address=10.0.1.0/24 action=passthrough
1 chain=srcnat dst-address=192.168.0.0/24 action=masquerade

Set up with appropriate routes for NAT and normal routing, and it passed traffic like I would expect it to. :D I did need to change the default MT NAT setting to have a dst-address instead of the out-interface being set. It was much simpler than I thought. We'll see how it works out in practice though!

Danke!
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: Test appears to work...

Fri Mar 24, 2006 12:53 am

[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat dst-address=10.0.1.0/24 action=passthrough
I believe you should be using action=accept here, not action=passthrough


--Tom
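
An added example that puts Tom's two points together (the source-address based NAT policy from his first reply, and accept rather than passthrough from this one). It is not configuration from either poster; the interface names "bridge-clients" and "ether1-wan" and the ranges 10.10.0.0/16 (NAT customers) and 203.0.113.0/24 (routed customers, a documentation prefix standing in for a real public assignment) are assumptions for illustration. The accept/passthrough distinction matters: action=accept ends srcnat processing for that packet, whereas action=passthrough only counts it and falls through to the next rule. In the rules posted earlier in this thread the two look identical only because the following masquerade rule matches dst-address=192.168.0.0/24 and so never catches the 10.0.1.0/24 traffic anyway; with a broader masquerade rule, passthrough would NAT exactly the traffic it was meant to exempt.

```routeros
# Added example, not from the thread. Assumed names and ranges:
#   bridge-clients  - interface the customers attach to
#   ether1-wan      - upstream interface
#   10.10.0.0/16    - customers behind NAT (RFC1918)
#   203.0.113.0/24  - customers with routed public addresses
# Syntax is the RouterOS 2.9-era CLI used elsewhere in this thread.

/ip firewall nat
# Routed customers: accept stops NAT processing for the packet, so the
# masquerade rule below is never consulted and the public source survives.
# action=passthrough would only count the packet and continue to the next rule.
add chain=srcnat src-address=203.0.113.0/24 action=accept comment="routed customers, no NAT"
# NAT customers: masquerade only when the packet leaves via the WAN. Traffic
# between a NAT customer and a routed customer on the same router then keeps
# its private source address instead of being hidden behind the WAN address.
add chain=srcnat src-address=10.10.0.0/16 out-interface=ether1-wan action=masquerade comment="NAT customers"

/ip firewall filter
# Because the NAT decision is keyed on source address, a customer who sets an
# address outside the assigned ranges would be routed upstream unmodified.
# Only the two assigned ranges may enter from the client side; drop the rest.
add chain=forward in-interface=bridge-clients src-address=203.0.113.0/24 action=accept
add chain=forward in-interface=bridge-clients src-address=10.10.0.0/16 action=accept
add chain=forward in-interface=bridge-clients action=drop comment="spoofed client source"

# Verify the rule order: the accept must precede the masquerade.
/ip firewall nat print
```

The accept rule is the explicit skip Tom describes from the IPsec manual example; with the masquerade keyed on src-address=10.10.0.0/16 it is strictly redundant (the "reverse the logic" variant), but it documents the intent and protects the routed customers if someone later adds a catch-all masquerade below it. The forward-chain drop is the caveat worth keeping: source-based NAT policy on a mixed access interface is only as trustworthy as the addresses the customers present, so pair it with anti-spoofing.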
 
Seccour
newbie
Topic Author
Posts: 42
Joined: Sat Apr 02, 2005 11:10 pm

Fri Mar 24, 2006 1:25 am

Hrm...

Both seem to work okay, and switching between the two doesn't make a difference with telnet / winbox / icmp...

By your recommendation I'll stick with the accept :D
