Hello all,
I'm a newbie when it comes to RouterOS / Winbox configuration (and I have only limited experience in networking), so will appreciate your help greatly.
The situation is as follows:
I want to test a NAT scenario with two external IPs being mapped directly to two internal IPs (essentially a DMZ for two devices inside my LAN).
I followed the NAT guide for Winbox from Mikrotik webpage, and my current configuration (for a single external IP) is as follows:
http://i64.tinypic.com/qrg8w0.png
http://i66.tinypic.com/10fb3wk.png
The gateway test stub (10.220.114.193) is only for testing purposes, to make 192.168 and 10.220 networks routable to each other.
What happens when I try to SSH from 10.220.114.192 to 10.220.114.190 (public_1) I end up on a router, instead of being redirected to 192.168.40.101. What am I doing wrong?
The config is as follows:
http://pastebin.com/MKVzmNJ0
Thanks in advance for your help.
Re: 1-to-1 NAT on two external addresses - cannot configure properly, please help
Hi,
First thing i noticed is:
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
So, try to change default service port to something else ( 2222 ).
First thing i noticed is:
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
So, try to change default service port to something else ( 2222 ).
Re: 1-to-1 NAT on two external addresses - cannot configure properly, please help
HI,
thanks for the tip - already figured out what was wrong. There's been a typo in external IP address
however, I worked a bit on the idea and got stuck once more, here's current situation:
I have two external addresses on one physical interface, both using the same gateway (10.220.114.253), they are 1-1 NAT-ed to two internal addresses (by src-nat and dst-nat instead of masquerade). Both external IPs are on the same physical interface.
However, only the 192.168.40.101 which is NAT-ed to 10.220.114.190 is connectible from the outside. 10.220.114.191 is not, and when I do traceroute from internal 192.168.40.71, it stops on the 192.168.40.2 - even though I do have created proper entries in the NAT table.
Routing table contains only one static route, that is 10.220.0.0/8 via 10.220.114.253.
I'm pretty sure I do something wrong with the network configuration, not necessarily with MikroTik - will appreciate your suggestions.
thanks for the tip - already figured out what was wrong. There's been a typo in external IP address
however, I worked a bit on the idea and got stuck once more, here's current situation:
I have two external addresses on one physical interface, both using the same gateway (10.220.114.253), they are 1-1 NAT-ed to two internal addresses (by src-nat and dst-nat instead of masquerade). Both external IPs are on the same physical interface.
However, only the 192.168.40.101 which is NAT-ed to 10.220.114.190 is connectible from the outside. 10.220.114.191 is not, and when I do traceroute from internal 192.168.40.71, it stops on the 192.168.40.2 - even though I do have created proper entries in the NAT table.
Routing table contains only one static route, that is 10.220.0.0/8 via 10.220.114.253.
I'm pretty sure I do something wrong with the network configuration, not necessarily with MikroTik - will appreciate your suggestions.
Re: 1-to-1 NAT on two external addresses - cannot configure properly, please help
Hi all,
I think I've found a solution - deleted the only static route I had and added another one, 0.0.0.0/0 via 10.220.114.253. I'm not sure why the example setup above didn't work.
I've expanded the laboratory a bit, and now I'm facing another obstacle:
The problem is, I have multiple overlapping networks here, namely 10.0.0.0/8 and 10.64.5.0/24 and 10.64.95.0/24. I've decided to separate them via NAT - using 192.168.88.0 network. The other NAT ("Red") works fine and separates another subnet.
R2 and R3 are Mikrotik routers, their respective configs:
R2 http://pastebin.com/WHgUTJcd
R3 http://pastebin.com/sqmnX1Ru
R1 is a SOHO TP-LINK MR3220, which is default GW for the machines in pink (10.0.0.0/8 subnet). It serves as an Internet gateway for them.
The problem is, I can ping 192.168.88.1 / 2 / 3 from "blue" IPs (192.168.40.71), but cannot ping 192.168.40.0 from "pink" machines - the ping is sent to their default GW (10.0.0.1 = TPLink), and it has static routes set there:
However, the tracert to 192.168.88.4 (R3 interface) stops at R2:
I can ping 192.168.88.1 from 192.168.40.71 (blue), but not the other way around. Mikrotik labeled R2 can ping 40.71 however.
I suspect I messed something up in the default GW/static routes, but honestly, I am so confused I cannot see what possibly I could have done wrong.
Any suggestions?
I think I've found a solution - deleted the only static route I had and added another one, 0.0.0.0/0 via 10.220.114.253. I'm not sure why the example setup above didn't work.
I've expanded the laboratory a bit, and now I'm facing another obstacle:
The problem is, I have multiple overlapping networks here, namely 10.0.0.0/8 and 10.64.5.0/24 and 10.64.95.0/24. I've decided to separate them via NAT - using 192.168.88.0 network. The other NAT ("Red") works fine and separates another subnet.
R2 and R3 are Mikrotik routers, their respective configs:
R2 http://pastebin.com/WHgUTJcd
R3 http://pastebin.com/sqmnX1Ru
R1 is a SOHO TP-LINK MR3220, which is default GW for the machines in pink (10.0.0.0/8 subnet). It serves as an Internet gateway for them.
The problem is, I can ping 192.168.88.1 / 2 / 3 from "blue" IPs (192.168.40.71), but cannot ping 192.168.40.0 from "pink" machines - the ping is sent to their default GW (10.0.0.1 = TPLink), and it has static routes set there:
However, the tracert to 192.168.88.4 (R3 interface) stops at R2:
I can ping 192.168.88.1 from 192.168.40.71 (blue), but not the other way around. Mikrotik labeled R2 can ping 40.71 however.
I suspect I messed something up in the default GW/static routes, but honestly, I am so confused I cannot see what possibly I could have done wrong.
Any suggestions?