Abdock
Member Candidate
Topic Author
Posts: 261
Joined: Sun Sep 25, 2005 10:50 pm

Bypass NAT

Wed Dec 14, 2016 5:38 pm

Hello,

My router connects to the internet and a branch office LAN. I have static routes for the branch office, but because of the NAT rule it does not work. If I disable the NAT rule, branch office connectivity works but the internet does not. How can I bypass NAT so that connections between 172.0.1.0/24 and 172.0.2.0/24 are not NATed?

Many thanks
 
pietroscherer
Trainer
Posts: 170
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil
Contact:

Re: Bypass NAT

Wed Dec 14, 2016 7:45 pm

Hello,

My router connects to the internet and a branch office LAN. I have static routes for the branch office, but because of the NAT rule it does not work. If I disable the NAT rule, branch office connectivity works but the internet does not. How can I bypass NAT so that connections between 172.0.1.0/24 and 172.0.2.0/24 are not NATed?

Many thanks
You can create a dst-address-list called, for example, "no-nat", and put in it the destination address or network that shouldn't be NATed.
In the NAT rule, set the dst-address-list "no-nat".
 
Abdock
Member Candidate
Topic Author
Posts: 261
Joined: Sun Sep 25, 2005 10:50 pm

Re: Bypass NAT

Thu Dec 15, 2016 2:35 pm

Thanks a lot for the help. Will this take care of incoming traffic too? As those addresses do not need NAT to the branch office, from and to.
 
Abdock
Member Candidate
Topic Author
Posts: 261
Joined: Sun Sep 25, 2005 10:50 pm

Re: Bypass NAT

Fri Dec 16, 2016 6:54 am

Anybody with a different idea?
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Bypass NAT

Fri Dec 16, 2016 7:06 am

Tell me more about your config? Two sites? If you have two sites connected with a VPN, there should be no NATing.
 
Abdock
Member Candidate
Topic Author
Posts: 261
Joined: Sun Sep 25, 2005 10:50 pm

Re: Bypass NAT

Fri Dec 16, 2016 8:47 am

Port 1 is internet.
Port 2 goes to the branch; this is provided by another ISP, who does not provide internet but just connection to other branches, and the IPs are private: 172.16.2.0/24, 172.16.3.0/24, etc.
Port 3 is the client side: 172.16.1.0/24.

I can browse the internet but cannot ping the branches when the NAT rule is active; when I deactivate the NAT rule I can ping the branches but not the internet.

I think the NAT is not in favour of the local links, hence I want to bypass it for the connectivity between branches.

I have IP route rules that add a static route for the branch IP network.

Many thanks.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Bypass NAT

Fri Dec 16, 2016 9:25 am

In your scenario, there should be no NAT between the 172.16.1.0/24 and 172.16.2.0/24 networks.

There needs to be one src-nat rule that masquerades traffic going out on interface port 1 (for the internet).

If you've assigned a static IP to port 2, you should assign the IP with /24 at the end. The MikroTik will add a route for port 2 saying all 172.16.2.0/24 traffic should go down port 2.

First, ether3, 4 and 5 should not be slaves of ether2, and ether3, 4 and 5 should not be in a bridge with ether2.

Your routes should say:
0.0.0.0/0 Gateway: <IP of Internet Gateway> reachable via Ether1
172.16.1.0/24 Gateway: reachable via Ether2
172.16.2.0/24 Gateway: reachable via Ether3

Now your router knows that all packets destined to 172.16.2.x should go down ether3 to the branch router.

On the branch router it's a little different. Ether3, 4 and 5 SHOULD be slaves of ether2. This makes them into a switch.
Ether3 on the branch router goes to the ISP, which connects to ether2 on your router.
0.0.0.0/0 Gateway: <IP of Internet Gateway> reachable via Ether1
172.16.2.0/24 Gateway: reachable via Ether2
172.16.1.0/24 Gateway: 172.16.2.2 reachable via Ether3 (where 172.16.2.2 is the IP you statically assigned to ether2 on your router).

Now packets on the branch router destined to 172.16.1.x will be sent to 172.16.2.2, which means they'll be dropped into your router for routing.

In your tests you can use Tools > Torch to see where pings are going.
 
Abdock
Member Candidate
Topic Author
Posts: 261
Joined: Sun Sep 25, 2005 10:50 pm

Re: Bypass NAT

Fri Dec 16, 2016 8:46 pm

My scenario:

Port 1 is internet.
Port 2: 10.10.10.1/30 - ISP router 10.10.10.2/30 ---- other branches; the IPs are private: 172.16.2.0/24, 172.16.3.0/24, etc.
Port 3 is the client side: 172.16.1.0/24.

ip route 0.0.0.0 gw of ISP
ip route 172.16.2.0/24 10.10.10.2
ip route 172.16.3.0/24 10.10.10.2

Here I do not need NAT to reach the 172.16.x.0 addresses, as they are connected via another ISP router, which does not provide internet but just branch connectivity.

Many thanks,
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Bypass NAT

Fri Dec 16, 2016 8:51 pm

Your NAT rule must be insufficiently specific.
Normally the default NAT rule has out-interface=ether1, so it would not match your traffic to ether2.
Probably you have changed that and now you have problems. Put the correct out-interface in your NAT rule.
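To make the two suggestions in this thread concrete, here is an added RouterOS v6 configuration for the topology Abdock posted (ether2 = 10.10.10.1/30 towards the branch ISP router, ether3 = local LAN). It is not configuration posted by any participant; it combines pe1chl's point (keep the masquerade rule restricted to the internet interface) with pietroscherer's address-list exception, and adds the checks you would run to confirm branch traffic is leaving un-NATed. The interface names ether1/ether2/ether3, the LAN address 172.16.1.1/24, the list name "no-nat" and the `<ISP-GATEWAY>` placeholder are assumptions, not values from the thread.

```routeros
# Added example, not from the thread. Assumed: ether1 = internet uplink,
# ether2 = link to branch ISP router, ether3 = local LAN 172.16.1.0/24.
# <ISP-GATEWAY> is a placeholder for the upstream ISP's gateway address.

/ip address
add address=10.10.10.1/30 interface=ether2 comment="link to branch ISP router"
add address=172.16.1.1/24 interface=ether3 comment="local LAN (assumed address)"

/ip route
add dst-address=0.0.0.0/0 gateway=<ISP-GATEWAY> comment="default route, internet"
add dst-address=172.16.2.0/24 gateway=10.10.10.2 comment="branch via ISP router"
add dst-address=172.16.3.0/24 gateway=10.10.10.2 comment="branch via ISP router"

# Networks that must never be source-NATed (pietroscherer's "no-nat" list).
/ip firewall address-list
add list=no-nat address=172.16.2.0/24 comment="branch LAN, no NAT"
add list=no-nat address=172.16.3.0/24 comment="branch LAN, no NAT"

/ip firewall nat
# Rule order matters: srcnat is evaluated top-down and the first matching
# terminating action wins, so the accept rule must sit above masquerade.
add chain=srcnat dst-address-list=no-nat action=accept \
    comment="branch-bound traffic leaves srcnat untouched"
# The masquerade rule only matches packets that actually leave via ether1
# (pe1chl's point). A rule without out-interface, or with out-interface=ether2,
# would rewrite the source of branch-bound packets as well.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="internet only"
# Equivalent single-rule form, if you prefer the negated list on one rule:
#   add chain=srcnat out-interface=ether1 dst-address-list=!no-nat action=masquerade

# Checks. Ping a branch host from the LAN, then look at the rule counters:
# only the accept rule's packet/byte counters should grow for 172.16.2.x traffic.
/ip firewall nat print stats
# Live view of what leaves ether2: source addresses should stay 172.16.1.x,
# never 10.10.10.1.
/tool torch interface=ether2 src-address=172.16.1.0/24 ip-protocol=any
```

If the masquerade rule already exists and you add the accept rule afterwards, it lands at the bottom of the chain and never matches; use `/ip firewall nat move` (or drag it in WinBox) so the accept rule comes first. Keeping `out-interface=ether1` on the masquerade rule even with the address list in place means a new branch prefix that nobody remembered to add to "no-nat" is still not NATed, which is the safer failure mode.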
