Community discussions

MikroTik App
  4. RouterOS
  5. General

One to One NAT to internal customer router

Post Reply
 
alphahawk
Member Candidate
Member Candidate
Topic Author
Posts: 101
Joined: Fri Mar 28, 2008 6:40 pm

One to One NAT to internal customer router

Fri Mar 06, 2015 10:34 pm

I have a cloud core setup in a apartment complex. We are only given 15 public IP's from the ISP. We have 200 apartments in this hotel. I have vlan the network out and set up private ip ranges on each vlan to help the tenants get online. When I have a tenant that would like a public IP I just setup a 1 to 1 nat. In the past this has worked fine. I now have a tenant who is trying to setup his xbox one behind a router and he is complaining about a strict nat type with the above setup.
Code: Select all
/ip firewall nat
add action=src-nat chain=srcnat src-address=10.1.86.50 to-addresses=xxx.xxx.xxx.xxx
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx to-addresses=10.1.86.50

add action=masquerade chain=srcnat
I have had him even hook xbox and bypass his router and sometimes it works and sometimes it doesn't.

Any Suggestions would be appreciated.
Top
 
User avatar
rmmccann
Member Candidate
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: One to One NAT to internal customer router

Fri Mar 06, 2015 11:00 pm

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

You could try action=netmap for both rules to see if that clears it up. That seems to be MT's built-in method for 1:1 NAT.
Top
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: One to One NAT to internal customer router

Fri Mar 06, 2015 11:27 pm

Code: Select all
/ip firewall nat
add action=src-nat chain=srcnat src-address=10.1.86.50 to-addresses=xxx.xxx.xxx.xxx
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx to-addresses=10.1.86.50

add action=masquerade chain=srcnat
I have had him even hook xbox and bypass his router and sometimes it works and sometimes it doesn't.

Any Suggestions would be appreciated.
Basic Solution:
Does the masquerade action have a match criteria that limits it to packets going out the WAN interface?

If not, then it seems that new connections from the Internet to the user's public IP would get masqueraded to appear as if they are from the Mikrotik's internal IP address. Most users don't see this because reply packets on existing sockets don't go through the chains, state tracking maps them back automatically.

Remember that packets will go through both the source and destination NAT chains.

MacGuyver solution:
If making the masquerade rule more strict doesn't fix things, then you could always try to forward it directly to them in stead:
- Change the dstnat/srcnat rules:
-- src-address=xxx.xxx.xxx.xxx action = accept (pass the public IP through w/o NAT)
-- dst-address=xxx.xxx.xxx.xxx action = accept (ditto)
- Static route xxx.xxx.xxx.xxx/32 next-hop = LanInterfaceName
WAN interface, set arp=proxy-arp
LAN interface, set arp=proxy-arp

After doing all of that, the user can actually put their static IP address directly on their equipment, and you won't be doing any NAT for them. They should set their netmask / default GW to be the same as the Mikrotik uses.

If you want to keep other users from stealing their public IP, you can add a static ARP entry with the correct users' MAC address.
Top
 
alphahawk
Member Candidate
Member Candidate
Topic Author
Posts: 101
Joined: Fri Mar 28, 2008 6:40 pm

Re: One to One NAT to internal customer router

Tue Mar 10, 2015 10:25 pm


Basic Solution:
Does the masquerade action have a match criteria that limits it to packets going out the WAN interface?

If not, then it seems that new connections from the Internet to the user's public IP would get masqueraded to appear as if they are from the Mikrotik's internal IP address. Most users don't see this because reply packets on existing sockets don't go through the chains, state tracking maps them back automatically.

Remember that packets will go through both the source and destination NAT chains.
Clarification on this. So the location this is at has 212 vlans with private address on each vlan. Is there a simple masquerade rule for this?

action=masquerade chain=srcnat src-address=10.0.0.0/8

Or would I need to create a masquerade rule for each vlan?

action=masquerade chain=srcnat src-address=10.1.2.0/24

Thanks
Top
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: One to One NAT to internal customer router

Tue Mar 10, 2015 10:56 pm

Clarification on this. So the location this is at has 212 vlans with private address on each vlan. Is there a simple masquerade rule for this?

action=masquerade chain=srcnat src-address=10.0.0.0/8

Or would I need to create a masquerade rule for each vlan?

action=masquerade chain=srcnat src-address=10.1.2.0/24

Thanks
Specific nat rules for specific customers with specific public IP mappings come first.
Then yes, one last rule for 10.0.0.0/8 will work for all 212 vlans.

Remember - all of these attributes are just "things which must be true in order to do the action of this rule"

I would personally not use the src addresses at all -
I would just say "out-interface=wan" as the only criteria.
Code: Select all
/ip firewall add chain=srcnat action=masquerade out-interface=wan
This way, vlan23 <> vlan198 does not masquerade. If such traffic happens, you would rather see the real source IP and not get a call "your router is trying to hack my laptop!!!"

To block all 212 vlans from talking to each-other in four rules:
Code: Select all
/ip firewall filter
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=accept out-interface=wan
add chain=forward action=drop
Of course, if customer in vlan38 has a server with a public IP, you'll need to create an exception after out-interface=wan rule but before action=drop rule. so that other customers can reach the server just like the rest of the internet can.
Top
 
alphahawk
Member Candidate
Member Candidate
Topic Author
Posts: 101
Joined: Fri Mar 28, 2008 6:40 pm

Re: One to One NAT to internal customer router

Thu Mar 12, 2015 1:10 am

MacGuyver solution:
If making the masquerade rule more strict doesn't fix things, then you could always try to forward it directly to them in stead:
- Change the dstnat/srcnat rules:
-- src-address=xxx.xxx.xxx.xxx action = accept (pass the public IP through w/o NAT)
-- dst-address=xxx.xxx.xxx.xxx action = accept (ditto)
- Static route xxx.xxx.xxx.xxx/32 next-hop = LanInterfaceName
WAN interface, set arp=proxy-arp
LAN interface, set arp=proxy-arp

After doing all of that, the user can actually put their static IP address directly on their equipment, and you won't be doing any NAT for them. They should set their netmask / default GW to be the same as the Mikrotik uses.

If you want to keep other users from stealing their public IP, you can add a static ARP entry with the correct users' MAC address.
Just incase I have to go this way the rules I assume would be

/ip firewall nat
add action=dst-nat dst-address=xxx.xxx.xxx.xxx action=accept
add action=src-nat src-address=xxx.xxx.xxx.xxx action=accept (this should be public ip correct?)

the route I am not sure how to setup.

The interfaces I already have set for proxy-arp
Top
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: One to One NAT to internal customer router

Thu Mar 12, 2015 2:52 am

Just incase I have to go this way the rules I assume would be

/ip firewall nat
add action=dst-nat dst-address=xxx.xxx.xxx.xxx action=accept
add action=src-nat src-address=xxx.xxx.xxx.xxx action=accept (this should be public ip correct?)

the route I am not sure how to setup.

The interfaces I already have set for proxy-arp
Yes, the public IP you want to assign to the customer.
Example - say the IP is 190.0.2.22 and the interface that the customer is on is ether4:
/ip route add dst-address=190.0.2.22/32 gateway=ether4

I'm going to read back over this thread now - I don't think the MacGuyver solution is required - it's just cool because it lets the customer have the IP actually on their own gear directly.
Top
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: One to One NAT to internal customer router

Thu Mar 12, 2015 3:51 pm

In the past this has worked fine. I now have a tenant who is trying to setup his xbox one behind a router and he is complaining about a strict nat type with the above setup.
According to the fiirst part of the discussion on this link:
http://forums.xbox.com/xbox_forums/xbox ... 57383.aspx

UPnP fixes the strict nat problem.

http://wiki.mikrotik.com/wiki/Manual:IP/UPnP

See if this helps your situation.
You could keep from turning it on everywhere by just adding the external interface and the one interface towards this customer.

Double NAT is also mentioned as a problem, so if pushing the "yes to UPnP" button doesn't fix everything, then consider how you can eliminate double NAT (if he is in fact behind 2 or more NATs, that is...)
Top
Post Reply
  4. RouterOS
  5. General