Dear Colleagues:
I have two mikrotik router end to end (NAT-NAT) and in between there is a DMZ. Actually, I don't want NAT on the inner one. I want to use the gateway concept in routes so DMZ and the inner network can communicate without the need for port forwarding (dst-nat).
Please, advise how to configure the inner router.
thanks a lot in advance.
Re: Two mikrotik NAT to NAT
Diagram it. A photo of a handmade drawing made by mobile phone is sufficient.
-
-
fjabakhanji
just joined
- Posts: 16
- Joined:
Re: Two mikrotik NAT to NAT
Please, find attached the diagram. Please, let me know if you need any thing more.
Thanks a lot in advance.
Thanks a lot in advance.
You do not have the required permissions to view the files attached to this post.
Re: Two mikrotik NAT to NAT
If you want to keep everything unchanged and just get rid of the NAT on the Mikrotik with 192.168.4.1 on WAN, it is enough to add a route to the Mikrotik connected to the ISP:
Code: Select all
/ip route
add dst-address=192.168.1.0/24 gateway=192.168.4.1-
-
fjabakhanji
just joined
- Posts: 16
- Joined:
Re: Two mikrotik NAT to NAT
Thanks but I want both subnets (4.x and 1.x) see each other and at the same time the users of 1.x use the gateway 4.1.
Please, advise.
BR
Please, advise.
BR
Re: Two mikrotik NAT to NAT
Hi.
I think sindy supposes that mikrotik is the gateway for 192.168.1.0/24 network. So traffic from 192.168.1.0/24 to 192.168.4.0/24 would flow through gateway.
For 192.168.4.0/24, I think gateway is internet. So you need route specify by sindy.
I think sindy supposes that mikrotik is the gateway for 192.168.1.0/24 network. So traffic from 192.168.1.0/24 to 192.168.4.0/24 would flow through gateway.
For 192.168.4.0/24, I think gateway is internet. So you need route specify by sindy.
Re: Two mikrotik NAT to NAT
Devices in 192.168.1.0/24 must have a gateway from 192.168.1.0, which is the upper 'Tik, represented by its address from that range. But the upper 'Tik is in both networks simultaneously, so its own gateway to the world is the lower 'Tik.
Lower 'Tik's gateway to the world is the ISP via the PPPoE interface, so you need an exception from that for 192.168.1.0/24, which is the route I gave, otherwise you would have to keep the NAT on upper 'Tik in place.
If you prefer something else (e.g. the devices behind the upper 'Tik to be in 192.168.4.0/24 because the connection between the two 'Tiks is a wireless one), you have to say that.
Lower 'Tik's gateway to the world is the ISP via the PPPoE interface, so you need an exception from that for 192.168.1.0/24, which is the route I gave, otherwise you would have to keep the NAT on upper 'Tik in place.
If you prefer something else (e.g. the devices behind the upper 'Tik to be in 192.168.4.0/24 because the connection between the two 'Tiks is a wireless one), you have to say that.
-
-
fjabakhanji
just joined
- Posts: 16
- Joined:
Re: Two mikrotik NAT to NAT
Thanks both of you.
Actually, what you are proposing is something I have tried a lot but never succeeded. I guess there is something which I don't understand in your scenario. For this, and in order not to intrupt the service here, I have created a similar scenario but with one mikrotik and an internet modem. Consider the internet modem is the internet edge nat. While the mikrotik is on the internal edge of the modem.
Internal IP of the modem: 192.168.1.1
External IP of the mikrotik: 192.168.1.120
Internal IP of the mikrotik: 192.168.200.1
The screen shot of the configuration of the mikrotik is attached. Please, let me know if you need something else.
I appreciate your advice.
Fawaz
Actually, what you are proposing is something I have tried a lot but never succeeded. I guess there is something which I don't understand in your scenario. For this, and in order not to intrupt the service here, I have created a similar scenario but with one mikrotik and an internet modem. Consider the internet modem is the internet edge nat. While the mikrotik is on the internal edge of the modem.
Internal IP of the modem: 192.168.1.1
External IP of the mikrotik: 192.168.1.120
Internal IP of the mikrotik: 192.168.200.1
The screen shot of the configuration of the mikrotik is attached. Please, let me know if you need something else.
I appreciate your advice.
Fawaz
You do not have the required permissions to view the files attached to this post.
Re: Two mikrotik NAT to NAT
With the modem in bridge mode and lower Mikrotik doing PPPoE and NAT to the IP provided by the ISP, it is actually simpler to configure than if the PPPoE and NAT is provided by the modem. The reason is that if you need the two LANs to reach each other without NAT between them, there is no other way than to use the exception route on the lower device (or you can use the upper device as a switch so that all local devices are in the LAN subnet of the lower device). And adding a route to the modem needs knowledge of the modem, and on many modems it is not possible at all.
So I'd recommend that you revert back to the scenario with two Mikrotiks and place here the output of /export hide-sensitive for both instead of screenshots; before posting, systematically replace every occurrence of each public IP adress you don't want to publish by a meaningful distinctive pattern like my.public.ip.1.
So I'd recommend that you revert back to the scenario with two Mikrotiks and place here the output of /export hide-sensitive for both instead of screenshots; before posting, systematically replace every occurrence of each public IP adress you don't want to publish by a meaningful distinctive pattern like my.public.ip.1.
-
-
fjabakhanji
just joined
- Posts: 16
- Joined:
Re: Two mikrotik NAT to NAT
Actually, the modem is not in bridge mode. it is pppoe client.
Anyway, I will do what you want in order to clarify everything.
Anyway, I will do what you want in order to clarify everything.
Re: Two mikrotik NAT to NAT
So you initially had three NATs stacked?Actually, the modem is not in bridge mode. it is pppoe client.
Re: Two mikrotik NAT to NAT
I was just writing a reply with that exact question. At best this is double NAT, at worse it's triple NAT. It's a mess.So you initially had three NATs stacked?Actually, the modem is not in bridge mode. it is pppoe client.
Re: Two mikrotik NAT to NAT
Hi.
- Mikrotik
- Internal
I think mikrotik is the gateway. So, any machine in 192.168.200.0/24 network can reach 192.168.1.0/24 network
The question is: does it exists a nat rule on outgoing traffic on 192.168.1.120 interface?
If yes, machines in 192.168.1.0/24 network can answer traffic form 192.168.200.0/24 network
If not, you need a route in modem that is 192.168.1.0/24 network gateway- 192.168.200.0/24 -> 192.168.1.120
- External
If you want permit traffic from 192.168.1.0/24 to 192.168.200.0/24, you need previous route in modem- 192.168.200.0/24 -> 192.168.1.120
- Internal
-
-
fjabakhanji
just joined
- Posts: 16
- Joined:
Re: Two mikrotik NAT to NAT
Dear All:
The original scenario is two nat and all are mikrotik. Then, I have created a lab scenario with an internet modem and one mikrotik and I mentioned that this is a lab and created in order not to interrupt the service.
I will send you the configuration of the original scenario soon.
BR
The original scenario is two nat and all are mikrotik. Then, I have created a lab scenario with an internet modem and one mikrotik and I mentioned that this is a lab and created in order not to interrupt the service.
I will send you the configuration of the original scenario soon.
BR
-
-
fjabakhanji
just joined
- Posts: 16
- Joined:
Re: Two mikrotik NAT to NAT
RB_SMALL_MTK_CONFIG.txt (attached) is the configuration of the mikrotik that faces the internet.
RB_BIG_MTK_CONFIG_1.txt (attached) is the configuration of the mikrotik that faces the internal network.
Thank for your feedback in advance.
RB_BIG_MTK_CONFIG_1.txt (attached) is the configuration of the mikrotik that faces the internal network.
Thank for your feedback in advance.
You do not have the required permissions to view the files attached to this post.
Re: Two mikrotik NAT to NAT
I'm sorry but that doesn't really make sense, because that contradicts the request for the networks to not be natted.Thanks but I want both subnets (4.x and 1.x) see each other and at the same time the users of 1.x use the gateway 4.1.
Please, advise.
BR
You currently have 4.4 set as default gateway for 0.0.0.0/0 on 1.x router.
You currenly have:
Code: Select all
add action=masquerade chain=srcnat I suggest you at least specify internal addresses which are being masqueraded.
Create address list with the list of IP addresses that you do not want to NAT, create an NAT accept rule above your masquerade rule with SRC address and DST address from address list that you created. It will make sure there are no natting for those networks.
Don't forget to add Accept rules for forwards in firewall (same address list as in NAT will become usefull)