Aghajo0n
just joined
Topic Author
Posts: 6
Joined: Sun Oct 20, 2019 9:05 pm

static source nat not working

Sun Oct 20, 2019 9:28 pm

Hello,

I installed MikroTik on VMware Workstation with the following settings:
/ip address
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2 lease-time=3d name=\
    dhcp1
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8,4.2.2.4 gateway=192.168.100.1

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1
# gateway 192.168.1.1 is reachable via ether1
# connected routes as shown in the route list:
# dst-address=192.168.1.0/24 gateway=ether1 reachable
# dst-address=192.168.100.0/24 gateway=ether2 reachable

IP address 192.168.1.1 is my modem's IP, which has access to the internet, and the 192.168.100.* addresses are my local network (my client IP address is 192.168.100.200).

When I set a NAT rule as follows, I have access to the internet:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    192.168.100.200

But when I try to access the internet with static source NAT as follows, I don't have access to the internet, or even to my modem IP (192.168.1.1: request timed out):
/ip firewall nat
add action=src-nat chain=srcnat dst-address=0.0.0.0/0 src-address=\
    192.168.100.200 to-addresses=192.168.1.20

Any solution?
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: static source nat not working

Mon Oct 21, 2019 10:27 am

Hello,

for your NAT rule, you need to specify your out-interface (ether1)

Regards,
 
Aghajo0n
just joined
Topic Author
Posts: 6
Joined: Sun Oct 20, 2019 9:05 pm

Re: static source nat not working

Mon Oct 21, 2019 10:54 am

Hello,

for your NAT rule, you need to specify your out-interface (ether1)

Regards,
Thank you.

I also tried this.

Still not working.
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: static source nat not working

Mon Oct 21, 2019 11:13 am

add address=192.168.1.2/24 interface=ether1 network=192.168.1.0

...

add action=src-nat chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.100.200 to-addresses=192.168.1.20

Can you see a mismatch?

When setting to-addresses on src-nat, it has to be one of the router's own addresses that is directly reachable by the upstream hop (in your case that's the modem). Directly, as you most probably didn't change any routing on the modem.

There's an exception to the previous paragraph: you can play with arp and proxy-arp settings to "hijack" some additional WAN IP addresses ... if you think you absolutely need it ... I don't think it'll make any difference in your case, as the modem does the NAT again and all packets from your router can have a single source address; even if you used more than one src-address on your router, they'll probably get translated into a single WAN address regardless.
Last edited by mkx on Mon Oct 21, 2019 11:17 am, edited 1 time in total.
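
The rule stated in the post above, turned into a check over an exported configuration. This is an added example, not part of the original thread: the function names and the sample export (built from the addresses and rules quoted in the thread, plus one constructed rule for 192.168.100.201) are assumptions, and the parser only handles simple `add` lines made of `key=value` pairs.

```python
import ipaddress
import re

# Constructed sample in /export form: addresses and NAT rules quoted in the
# thread, plus one made-up rule (192.168.100.201) that uses an owned address.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.100.200
add action=src-nat chain=srcnat dst-address=0.0.0.0/0 src-address=\\
    192.168.100.200 to-addresses=192.168.1.20
add action=src-nat chain=srcnat src-address=192.168.100.201 \\
    to-addresses=192.168.1.2
"""


def parse_export(text):
    """Yield (menu, {key: value}) per `add` line, joining `\\` continuations."""
    menu = None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            yield menu, dict(re.findall(r"([\w-]+)=(\S+)", line))


def check_src_nat(text):
    """List (src-address, to-address, verdict) for src-nat targets not owned."""
    entries = list(parse_export(text))
    ifaces = [ipaddress.ip_interface(kv["address"])
              for menu, kv in entries if menu == "/ip address"]
    owned = {i.ip for i in ifaces}
    findings = []
    for menu, kv in entries:
        if menu != "/ip firewall nat" or kv.get("action") != "src-nat":
            continue
        # to-addresses may be a single address or a first-last range
        for part in filter(None, kv.get("to-addresses", "").split("-")):
            addr = ipaddress.ip_address(part)
            if addr in owned:
                continue
            # on-link: upstream hop will ARP for it and the router stays silent
            # off-link: works only if upstream routes that address to the router
            on_link = any(addr in i.network for i in ifaces)
            verdict = "on-link, not owned" if on_link else "off-link"
            findings.append((kv.get("src-address"), part, verdict))
    return findings


if __name__ == "__main__":
    for finding in check_src_nat(SAMPLE_EXPORT):
        print(finding)
```
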
 
Aghajo0n
just joined
Topic Author
Posts: 6
Joined: Sun Oct 20, 2019 9:05 pm

Re: static source nat not working

Mon Oct 21, 2019 11:15 am

add address=192.168.1.2/24 interface=ether1 network=192.168.1.0

...

add action=src-nat chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.100.200 to-addresses=192.168.1.20

Can you see a mismatch?

No....
Both of these IPs are in the same network (192.168.1.0/24) and have to see each other. Even if I set 192.168.1.100 or any other IP in the 192.168.1.0 range, it must work, mustn't it?
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: static source nat not working

Mon Oct 21, 2019 11:19 am

Both of these IPs are in the same network (192.168.1.0/24) and have to see each other. Even if I set 192.168.1.100 or any other IP in the 192.168.1.0 range, it must work, mustn't it?

They are on the same network, but the modem doesn't try to deliver both to your router ... the modem asks for the destination MAC via an ARP request, and without playing with the arp settings I mentioned in the (edited) comment above, the router won't answer.
 
Aghajo0n
just joined
Topic Author
Posts: 6
Joined: Sun Oct 20, 2019 9:05 pm

Re: static source nat not working

Mon Oct 21, 2019 11:31 am

Both of these IPs are in the same network (192.168.1.0/24) and have to see each other. Even if I set 192.168.1.100 or any other IP in the 192.168.1.0 range, it must work, mustn't it?

They are on the same network, but the modem doesn't try to deliver both to your router ... the modem asks for the destination MAC via an ARP request, and without playing with the arp settings I mentioned in the (edited) comment above, the router won't answer.
So how can I fix this problem?
Because I am watching a training movie, and in that case the teacher set 192.168.1.50 as the src-nat to-address and it worked perfectly. I don't understand what my problem is.
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: static source nat not working

Mon Oct 21, 2019 11:53 am

Because I am watching a training movie, and in that case the teacher set 192.168.1.50 as the src-nat to-address and it worked perfectly. I don't understand what my problem is.

As I wrote: when configuring static src-nat, it's easiest to use one of the router's own addresses ... the one in the correct IP subnet. In your case it's 192.168.1.2.

Unless you play (dirty) games, you can't use just any IP address you see fit for src-nat.
 
Aghajo0n
just joined
Topic Author
Posts: 6
Joined: Sun Oct 20, 2019 9:05 pm

Re: static source nat not working

Mon Oct 21, 2019 12:12 pm

Because I am watching a training movie, and in that case the teacher set 192.168.1.50 as the src-nat to-address and it worked perfectly. I don't understand what my problem is.

As I wrote: when configuring static src-nat, it's easiest to use one of the router's own addresses ... the one in the correct IP subnet. In your case it's 192.168.1.2.

Unless you play (dirty) games, you can't use just any IP address you see fit for src-nat.
Yes, I set the to-address to 192.168.1.2 and it worked!
But how do I play with the ARP settings?
As I already said, in the training movie the teacher just set the to-address to, for example, 192.168.1.50 and it worked, without any ARP settings.
I still don't know what exactly the problem is.
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: static source nat not working

Mon Oct 21, 2019 1:55 pm

But how do I play with the ARP settings?
No offense, but I'm not going to go into this ... Let's stick to the rule that you can only configure the src-nat to-address with an address already belonging to the router itself.

As I already said, in the training movie the teacher just set the to-address to, for example, 192.168.1.50 and it worked.
Probably that router was already configured with 192.168.1.50 on the WAN interface. And the teacher forgot to mention this minor detail.
 
Aghajo0n
just joined
Topic Author
Posts: 6
Joined: Sun Oct 20, 2019 9:05 pm

Re: static source nat not working

Mon Oct 21, 2019 2:46 pm

But how do I play with the ARP settings?
No offense, but I'm not going to go into this ... Let's stick to the rule that you can only configure the src-nat to-address with an address already belonging to the router itself.

As I already said, in the training movie the teacher just set the to-address to, for example, 192.168.1.50 and it worked.
Probably that router was already configured with 192.168.1.50 on the WAN interface. And the teacher forgot to mention this minor detail.
As you mention, that was the exact problem ...
Static NAT works correctly and replaces 192.168.100.1 with 192.168.1.2, then the modem ARPs for 192.168.1.2 and the router responds with the 192.168.1.2 MAC address ....
But when I change the to-address to any other IP in network 192.168.1.x, static NAT works correctly and replaces 192.168.100.1 with that IP, but when the modem ARPs for the IP to resolve the MAC address it doesn't receive any response. (I attached the pictures.)
So changing the ARP setting isn't logical, true?

As a result, my NAT rule was correct, and in this case:
When setting to-addresses on src-nat, it has to be one of the router's own addresses that is directly reachable by the upstream hop (in your case that's the modem)
and this is a necessary rule? Is it true?


Capture2.PNG
Capture1.PNG
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: static source nat not working

Mon Oct 21, 2019 3:59 pm

So changing the ARP setting isn't logical, true?
When setting to-addresses on src-nat, it has to be one of the router's own addresses that is directly reachable by the upstream hop (in your case that's the modem)

and this is a necessary rule?

The basic thing about routing, NATing and firewalling is this: traffic has to pass through the router, possibly in both directions. How to achieve this goal is then up to the physical network layout and configuration. The easiest is when networks (e.g. LAN and internet) are connected to different physical interfaces, which in turn are not part of the same L2 domain (e.g. bridge), and the router has a single IP interface in each of those networks. Then all traffic has to pass the L3 layer of the router.

In the case of NAT, the simplest scenario implies use of the router's own IP addresses in the process.

If there's another way of forcing packets through the router, then the above-mentioned rule about addresses with NAT doesn't hold any more. The simplest scenario where the limitation is not true is when the ISP routes some IP subnet while using your router as gateway. In this case the packet gets delivered to the router even if the router doesn't have that IP address set on its own interface.
However, if that stuff about the IP subnet being routed is not true, but you still want to use multiple IP addresses (as in your case: there are 251 unused IP addresses in the WAN subnet of your router), you either have to set up the WAN interface with additional IP addresses (but be careful with routing rules not to screw up NAT and connection tracking) or you can play with ARP (add an entry to the arp table with the IP address you want to use and the router's WAN interface MAC address ... or something like that, I didn't try it myself) to make the router answer ARP requests for that IP address. The ARP way is nicer than the multi-address way since you can't screw up the routing ...

But, again, I don't see any benefit in doing it in your case ... where the modem will perform NAT again to the same public address ... unless you can use multiple public IP addresses on your modem?

Anyhow, it would be easier to do stuff if the modem can be put into bridge mode and whatever ISP WAN stuff is terminated directly on the routerboard (PPPoE, DHCP client, ...).
