Community discussions

MikroTik App
 
pkonini
just joined
Topic Author
Posts: 6
Joined: Sat Apr 09, 2016 4:05 pm

Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sat Apr 09, 2016 4:25 pm

Let me say I have this configuration:

Mikrotik1 :
Intranet IP : 1.1.1.1
LAN IP : 192.168.2.1
Internal LAN : 192.168.2.0/24

Mikrotik2:
Intranet IP : 1.1.1.2
LAN IP : 192.168.3.1
Internal LAN : 192.168.3.0/24

What I want to achive is that all traffic from :
192.168.2.0/24 to Internal IP Address : 192.168.2.10
to be forwarded at 192.168.3.10

Actually both LANs see each other and everything is configured with routes and all.

Please anyone who could specify the rules if possible to achieve this, thnx in advance.
 
User avatar
pukkita
Trainer
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sat Apr 09, 2016 4:48 pm

If you want to redirect port 80:
/ip firewall nat add action=dst-nat chain=dst-nat dst-address=192.168.2.10 dst-port=80 protocol=tcp to-address=192.168.3.10 to-port=80
 
pkonini
just joined
Topic Author
Posts: 6
Joined: Sat Apr 09, 2016 4:05 pm

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sat Apr 09, 2016 5:06 pm

I want to forward all traffic, all ports.

Lets say I have a PC configured with two IPs:
192.168.2.10 and 192.168.3.10

I would like to move this PC from LAN
192.168.2.0/24
to 192.168.3.0/24.

And I want to make a rule that even when this PC is not in 2.x LAN all traffic should be redirected to 3.10 where it is relocated.
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sat Apr 09, 2016 5:26 pm

...
And I want to make a rule that even when this PC is not in 2.x LAN all traffic should be redirected to 3.10 where it is relocated.
That is not possible, since the traffic inside the subnet will flow directly between hosts,and not pass through the router.
Unless you could add a route on all subnet machines telling them to reach 2.x via 3.x gateway.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10511
Joined: Mon Jun 08, 2015 12:09 pm

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sat Apr 09, 2016 6:57 pm

...
And I want to make a rule that even when this PC is not in 2.x LAN all traffic should be redirected to 3.10 where it is relocated.
That is not possible, since the traffic inside the subnet will flow directly between hosts,and not pass through the router.
Unless you could add a route on all subnet machines telling them to reach 2.x via 3.x gateway.
This is not completely true, you can make it work by using proxy-arp.
However, when people have to ask how to do it, it is better not to use this method.
 
pkonini
just joined
Topic Author
Posts: 6
Joined: Sat Apr 09, 2016 4:05 pm

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sun Apr 10, 2016 12:26 am

...
And I want to make a rule that even when this PC is not in 2.x LAN all traffic should be redirected to 3.10 where it is relocated.
That is not possible, since the traffic inside the subnet will flow directly between hosts,and not pass through the router.
Unless you could add a route on all subnet machines telling them to reach 2.x via 3.x gateway.
This is not completely true, you can make it work by using proxy-arp.
However, when people have to ask how to do it, it is better not to use this method.
Please bare with me for a moment, I work mainly on software's than on network issues.

It is true that the traffic will flow inside the subnet but I believe the request will also flow to the gateway since it is on that subnet. So can we create routing rules or routing policies to redirect traffic.

As a matter of fact I already implemented the rules to route traffic but only if the request is send outside of the local subnet.
Rules:
1. chain=dstnat action=dst-nat to-addresses=192.168.3.10 dst-address=192.168.2.10 log=no log-prefix=""
2. chain=srcnat action=src-nat to-addresses=192.168.2.10 src-address=192.168.3.10 log=no log-prefix=""

Is there a way to have these rules or others work from the inside subnet.

Or could you please elaborate proxy-arp?
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sun Apr 10, 2016 1:14 am

'''
It is true that the traffic will flow inside the subnet but I believe the request will also flow to the gateway since it is on that subnet. So can we create routing rules or routing policies to redirect traffic.
...
Or could you please elaborate proxy-arp?
In regular network traffic, only the ARP requests will reach the gateway. The rest of traffic is unicast peer to peer and the switches will make sure the gateway does not see that traffic.

Proxy-arp takes advantage of that. The router will respond on behalf of a machine on another broadcast domain as it would sit on the first one. No problem with a single 2 interface router.

But how this could be done to work across the 2 routers, that I leave to the experts on the issue.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10511
Joined: Mon Jun 08, 2015 12:09 pm

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sun Apr 10, 2016 11:44 am

Please bare with me for a moment, I work mainly on software's than on network issues.
I advise you to just renumber the machine and take the temporary pain that this causes.
When you have no true insight in networking, applying tricks is just going to bring you problems.
 
User avatar
bholler
Trainer
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria
Contact:

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sun Apr 10, 2016 1:40 pm

NAT rules work with IF-THEN principle. In your case, you want to tell the router that IF dst-address is equal to 192.168.2.10, THEN the dst-address should be translated to 192.168.3.10. This you have configured with the rules above.

But the sad news is that the rules would not work because all traffic in the .2 subnet does not exceed the switch - they won't get to the router who can apply the dst-NAT rules.

Going forward, if the application is accessible with IP address, you need to communicate with the users on the change of IP. Or if the application is accessible through domain name then you need to change the A- record on the DNS server. If none of this apply, then u hv to take the pain reconfigure all the client system.


I hope this helps.

Regards
 
pkonini
just joined
Topic Author
Posts: 6
Joined: Sat Apr 09, 2016 4:05 pm

SOLVED - Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sun Apr 10, 2016 5:36 pm

NAT rules work with IF-THEN principle. In your case, you want to tell the router that IF dst-address is equal to 192.168.2.10, THEN the dst-address should be translated to 192.168.3.10. This you have configured with the rules above.

But the sad news is that the rules would not work because all traffic in the .2 subnet does not exceed the switch - they won't get to the router who can apply the dst-NAT rules.

Going forward, if the application is accessible with IP address, you need to communicate with the users on the change of IP. Or if the application is accessible through domain name then you need to change the A- record on the DNS server. If none of this apply, then u hv to take the pain reconfigure all the client system.


I hope this helps.

Regards
First, thank you all for your comments and advise.

I finally succeeded to make the right configs in the router so I thought sharing it.
Maybe it will be of some use for someone else.

Good news ...., I will not have to worry for any of my local machines configs.

As I already wrote before the two rules that I had were working but only from outside of the local subnet.

Now to complete the picture you have to :
1. First remove the physical device from the local network
2. Create the IP Address you just removed as an IP Address inside the Mikrotik Router
-- This is the trick part that does it all in Mikrotik
3. Set the two NAT rules based on your IP Addresses

The command lines to create all needed should look like:
1. ip address> add address=192.168.2.10/24 interface="Your Local Interface Name"
2. ip firewall nat> add action=dst-nat chain=dstnat dst-address=192.168.2.10/32 to-addresses=192.168.3.10
3. ip firewall nat> add action=src-nat chain=srcnat src-address=192.168.3.10/32 to-addresses=192.168.2.10

You can change SRC and DST IP Addresses to your liking.

I tested this and is working like a charm.

Many thanks to a friend of mine who is a Cisco Expert but worked this out in Mikrotik also.
By the way he said that in Cisco this should be very straightforward and you just need to implement only the two rules I mentioned in my previous posts, Cisco does the rest without the need to specific create the IP Address in the router.

Thanks again and if you try enough everything has a reasonable solution!

Regards,
Petri.
 
User avatar
bholler
Trainer
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria
Contact:

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sun Apr 10, 2016 7:31 pm

That was a smart hack. But still trying to figure out why #1 step would be omitted in Cisco environment. Considering how hosts communicates in IP environment.

These are:

1. A host makes a broadcast by asking....who is 192.168.2.10

2. Host with IP with 192.168.2.10 replies...this time it's MAC inclusive.

3. Hence packet encapsulation commences.

4. If step 2 is unsuccessful, the host point the request to the default gateway that may know the destination network.

5. If destination network is directly connected, packet are sent through the exit interface if not, it will be sent to default route of the router.

What you have successfully done is to make your router act like the host 192.168.2.10 and the router did judgement to the packet with the rules.

I am sure, a virtual interface like loopback or vlan must be created in Cisco to achieve that. You can share your friends idea wit us if possible.

Regards

Abiola
 
User avatar
bholler
Trainer
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria
Contact:

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Sun Apr 10, 2016 7:33 pm

That was a smart hack. But still trying to figure out why #1 step would be omitted in Cisco environment. Considering how hosts communicates in IP environment.

These are:

1. A host makes a broadcast by asking....who is 192.168.2.10

2. Host with IP with 192.168.2.10 replies...this time it's MAC inclusive.

3. Hence packet encapsulation commences.

4. If step 2 is unsuccessful, the host point the request to the default gateway that may know the destination network.

5. If destination network is directly connected, packet are sent through the exit interface if not, it will be sent to default route of the router.

What you have successfully done is to make your router act like the host 192.168.2.10 and the router did judgement to the packet with the rules.

I am sure, a virtual interface like loopback or vlan must be created in Cisco to achieve that. You can share your friends idea wit us if possible.

Regards

Abiola
 
pkonini
just joined
Topic Author
Posts: 6
Joined: Sat Apr 09, 2016 4:05 pm

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Tue Apr 12, 2016 11:50 pm

That was a smart hack. But still trying to figure out why #1 step would be omitted in Cisco environment. Considering how hosts communicates in IP environment.

These are:

1. A host makes a broadcast by asking....who is 192.168.2.10

2. Host with IP with 192.168.2.10 replies...this time it's MAC inclusive.

3. Hence packet encapsulation commences.

4. If step 2 is unsuccessful, the host point the request to the default gateway that may know the destination network.

5. If destination network is directly connected, packet are sent through the exit interface if not, it will be sent to default route of the router.

What you have successfully done is to make your router act like the host 192.168.2.10 and the router did judgement to the packet with the rules.

I am sure, a virtual interface like loopback or vlan must be created in Cisco to achieve that. You can share your friends idea wit us if possible.

Regards

Abiola
Well since you asked.

The logic of creating NAT Rules in Mikrotik and Cisco is different.

So in Mikrotik we have to implement those three rules in order for things to work in my case.

In Cisco, you implement one rule only for the configuration to work.
Basically Steps 2 and 3 are implemented in one rule of their own, dealing with both dstnat and srcnat.
During this kind of implementation Cisco creates on his own a virtual IP which in turn omits the need of Step 1.

Hope this helps to have a general idea.

BR,
Petri.
Last edited by pkonini on Mon Apr 18, 2016 4:17 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10511
Joined: Mon Jun 08, 2015 12:09 pm

Re: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Wed Apr 13, 2016 12:05 am

In Cisco, you implement one rule only for the configuration two work.
Basically Steps 2 and 3 are implemented in one rule of their own, dealing with both dstnat and srcnat.
During this kind of implementation Cisco creates on his own a virtual IP which in turn omits the need of Step 1.

Hope this helps to have a general idea.
I think it is a bit different: on Cisco, proxy-arp is enabled by default (until you type "no ip proxy-arp") which
makes this work. You can enable proxy-arp on MikroTik but it is off by default.
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: SOLVED - Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Wed Apr 13, 2016 4:27 pm

...
Now to complete the picture you have to :
1. First remove the physical device from the local network
2. Create the IP Address you just removed as an IP Address inside the Mikrotik Router
-- This is the trick part that does it all in Mikrotik
3. Set the two NAT rules based on your IP Addresses
Nice solution - simple and efficient.
The only draw back is the loss of broadcast/multicast communications. So such a machine will not be e.g. able to be seen in SMB browsing.
 
pkonini
just joined
Topic Author
Posts: 6
Joined: Sat Apr 09, 2016 4:05 pm

Update Solved: Redirect LAN Traffic for an Internal LAN IP to a specific IP in a different IP Range

Mon Apr 18, 2016 4:15 pm

Some results on actual implementation of the rules:

Rule 1 - ok
Rule 2 - ok
Rule 3 - Disabled
ip firewall nat> add action=src-nat chain=srcnat src-address=192.168.3.10/32 to-addresses=192.168.2.10
- Actually I disabled this rule in mikrotik and still everything is working fine based on my desired config.

With this rule enabled the PCs on range .3.x have no access on internet and cannot resolve dns requests even though their network config is done ok. Other than internet the intranet was ok with Rule 3 enabled.

Take in consideration that internet requests on this range are redirected to .2.x range over vlan and only .2.x router has internet connection, while the other router (.3.x) is enabled only for intranet.

Not quite clear why, but there has to be something in the general vlan & routes rules configuration that makes this rule inappropriate.
 
Ximi87
just joined
Posts: 24
Joined: Sun Aug 25, 2013 1:29 pm
Location: Tirana Albania
Contact:

how to redirect all ip range traffic to one ip

Sun Oct 21, 2018 12:41 am

Hello.
I have about 500 clients. i have radiusmanager and i want to force redirect traffic to one ip that is my webserver to all client that payment has finish.

when clients expires they take another ip range. i want this ip range to force redirect to my webserver ip, and internet access it will be block. i dont want to use hotspot service. i have try to dstnat but nothing.

Who is online

Users browsing this forum: Google [Bot] and 47 guests