Let me say I have this configuration:

Mikrotik1 :
Intranet IP : 1.1.1.1
LAN IP : 192.168.2.1
Internal LAN : 192.168.2.0/24

Mikrotik2:
Intranet IP : 1.1.1.2
LAN IP : 192.168.3.1
Internal LAN : 192.168.3.0/24

What I want to achive is that all traffic from :
192.168.2.0/24 to Internal IP Address : 192.168.2.10
to be forwarded at 192.168.3.10

Actually both LANs see each other and everything is configured with routes and all.

Please anyone who could specify the rules if possible to achieve this, thnx in advance.

If you want to redirect port 80:

I want to forward all traffic, all ports.

Lets say I have a PC configured with two IPs:
192.168.2.10 and 192.168.3.10

I would like to move this PC from LAN
192.168.2.0/24
to 192.168.3.0/24.

And I want to make a rule that even when this PC is not in 2.x LAN all traffic should be redirected to 3.10 where it is relocated.

...
And I want to make a rule that even when this PC is not in 2.x LAN all traffic should be redirected to 3.10 where it is relocated.

That is not possible, since the traffic inside the subnet will flow directly between hosts,and not pass through the router.
Unless you could add a route on all subnet machines telling them to reach 2.x via 3.x gateway.

...
And I want to make a rule that even when this PC is not in 2.x LAN all traffic should be redirected to 3.10 where it is relocated.

That is not possible, since the traffic inside the subnet will flow directly between hosts,and not pass through the router.
Unless you could add a route on all subnet machines telling them to reach 2.x via 3.x gateway.

This is not completely true, you can make it work by using proxy-arp.
However, when people have to ask how to do it, it is better not to use this method.

...
And I want to make a rule that even when this PC is not in 2.x LAN all traffic should be redirected to 3.10 where it is relocated.

That is not possible, since the traffic inside the subnet will flow directly between hosts,and not pass through the router.
Unless you could add a route on all subnet machines telling them to reach 2.x via 3.x gateway.

This is not completely true, you can make it work by using proxy-arp.
However, when people have to ask how to do it, it is better not to use this method.

Please bare with me for a moment, I work mainly on software's than on network issues.

It is true that the traffic will flow inside the subnet but I believe the request will also flow to the gateway since it is on that subnet. So can we create routing rules or routing policies to redirect traffic.

As a matter of fact I already implemented the rules to route traffic but only if the request is send outside of the local subnet.
Rules:
1. chain=dstnat action=dst-nat to-addresses=192.168.3.10 dst-address=192.168.2.10 log=no log-prefix=""
2. chain=srcnat action=src-nat to-addresses=192.168.2.10 src-address=192.168.3.10 log=no log-prefix=""

Is there a way to have these rules or others work from the inside subnet.

Or could you please elaborate proxy-arp?

'''
It is true that the traffic will flow inside the subnet but I believe the request will also flow to the gateway since it is on that subnet. So can we create routing rules or routing policies to redirect traffic.
...
Or could you please elaborate proxy-arp?

In regular network traffic, only the ARP requests will reach the gateway. The rest of traffic is unicast peer to peer and the switches will make sure the gateway does not see that traffic.

Proxy-arp takes advantage of that. The router will respond on behalf of a machine on another broadcast domain as it would sit on the first one. No problem with a single 2 interface router.

But how this could be done to work across the 2 routers, that I leave to the experts on the issue.

Please bare with me for a moment, I work mainly on software's than on network issues.

I advise you to just renumber the machine and take the temporary pain that this causes.
When you have no true insight in networking, applying tricks is just going to bring you problems.

NAT rules work with IF-THEN principle. In your case, you want to tell the router that IF dst-address is equal to 192.168.2.10, THEN the dst-address should be translated to 192.168.3.10. This you have configured with the rules above.

But the sad news is that the rules would not work because all traffic in the .2 subnet does not exceed the switch - they won't get to the router who can apply the dst-NAT rules.

Going forward, if the application is accessible with IP address, you need to communicate with the users on the change of IP. Or if the application is accessible through domain name then you need to change the A- record on the DNS server. If none of this apply, then u hv to take the pain reconfigure all the client system.


I hope this helps.

Regards

NAT rules work with IF-THEN principle. In your case, you want to tell the router that IF dst-address is equal to 192.168.2.10, THEN the dst-address should be translated to 192.168.3.10. This you have configured with the rules above.

But the sad news is that the rules would not work because all traffic in the .2 subnet does not exceed the switch - they won't get to the router who can apply the dst-NAT rules.

Going forward, if the application is accessible with IP address, you need to communicate with the users on the change of IP. Or if the application is accessible through domain name then you need to change the A- record on the DNS server. If none of this apply, then u hv to take the pain reconfigure all the client system.


I hope this helps.

Regards

First, thank you all for your comments and advise.

I finally succeeded to make the right configs in the router so I thought sharing it.
Maybe it will be of some use for someone else.

Good news ...., I will not have to worry for any of my local machines configs.

As I already wrote before the two rules that I had were working but only from outside of the local subnet.

Now to complete the picture you have to :
1. First remove the physical device from the local network
2. Create the IP Address you just removed as an IP Address inside the Mikrotik Router
-- This is the trick part that does it all in Mikrotik
3. Set the two NAT rules based on your IP Addresses

The command lines to create all needed should look like:
1. ip address> add address=192.168.2.10/24 interface="Your Local Interface Name"
2. ip firewall nat> add action=dst-nat chain=dstnat dst-address=192.168.2.10/32 to-addresses=192.168.3.10
3. ip firewall nat> add action=src-nat chain=srcnat src-address=192.168.3.10/32 to-addresses=192.168.2.10

You can change SRC and DST IP Addresses to your liking.

I tested this and is working like a charm.

Many thanks to a friend of mine who is a Cisco Expert but worked this out in Mikrotik also.
By the way he said that in Cisco this should be very straightforward and you just need to implement only the two rules I mentioned in my previous posts, Cisco does the rest without the need to specific create the IP Address in the router.

Thanks again and if you try enough everything has a reasonable solution!

Regards,
Petri.

That was a smart hack. But still trying to figure out why #1 step would be omitted in Cisco environment. Considering how hosts communicates in IP environment.

These are:

1. A host makes a broadcast by asking....who is 192.168.2.10

2. Host with IP with 192.168.2.10 replies...this time it's MAC inclusive.

3. Hence packet encapsulation commences.

4. If step 2 is unsuccessful, the host point the request to the default gateway that may know the destination network.

5. If destination network is directly connected, packet are sent through the exit interface if not, it will be sent to default route of the router.

What you have successfully done is to make your router act like the host 192.168.2.10 and the router did judgement to the packet with the rules.

I am sure, a virtual interface like loopback or vlan must be created in Cisco to achieve that. You can share your friends idea wit us if possible.

Regards

Abiola

That was a smart hack. But still trying to figure out why #1 step would be omitted in Cisco environment. Considering how hosts communicates in IP environment.

These are:

1. A host makes a broadcast by asking....who is 192.168.2.10

2. Host with IP with 192.168.2.10 replies...this time it's MAC inclusive.

3. Hence packet encapsulation commences.

4. If step 2 is unsuccessful, the host point the request to the default gateway that may know the destination network.

5. If destination network is directly connected, packet are sent through the exit interface if not, it will be sent to default route of the router.

What you have successfully done is to make your router act like the host 192.168.2.10 and the router did judgement to the packet with the rules.

I am sure, a virtual interface like loopback or vlan must be created in Cisco to achieve that. You can share your friends idea wit us if possible.

Regards

Abiola

That was a smart hack. But still trying to figure out why #1 step would be omitted in Cisco environment. Considering how hosts communicates in IP environment.

These are:

1. A host makes a broadcast by asking....who is 192.168.2.10

2. Host with IP with 192.168.2.10 replies...this time it's MAC inclusive.

3. Hence packet encapsulation commences.

4. If step 2 is unsuccessful, the host point the request to the default gateway that may know the destination network.

5. If destination network is directly connected, packet are sent through the exit interface if not, it will be sent to default route of the router.

What you have successfully done is to make your router act like the host 192.168.2.10 and the router did judgement to the packet with the rules.

I am sure, a virtual interface like loopback or vlan must be created in Cisco to achieve that. You can share your friends idea wit us if possible.

Regards

Abiola

Well since you asked.

The logic of creating NAT Rules in Mikrotik and Cisco is different.

So in Mikrotik we have to implement those three rules in order for things to work in my case.

In Cisco, you implement one rule only for the configuration to work.
Basically Steps 2 and 3 are implemented in one rule of their own, dealing with both dstnat and srcnat.
During this kind of implementation Cisco creates on his own a virtual IP which in turn omits the need of Step 1.

Hope this helps to have a general idea.

BR,
Petri.

In Cisco, you implement one rule only for the configuration two work.
Basically Steps 2 and 3 are implemented in one rule of their own, dealing with both dstnat and srcnat.
During this kind of implementation Cisco creates on his own a virtual IP which in turn omits the need of Step 1.

Hope this helps to have a general idea.

I think it is a bit different: on Cisco, proxy-arp is enabled by default (until you type "no ip proxy-arp") which
makes this work. You can enable proxy-arp on MikroTik but it is off by default.

...
Now to complete the picture you have to :
1. First remove the physical device from the local network
2. Create the IP Address you just removed as an IP Address inside the Mikrotik Router
-- This is the trick part that does it all in Mikrotik
3. Set the two NAT rules based on your IP Addresses

Nice solution - simple and efficient.
The only draw back is the loss of broadcast/multicast communications. So such a machine will not be e.g. able to be seen in SMB browsing.

Some results on actual implementation of the rules:

Rule 1 - ok
Rule 2 - ok
Rule 3 - Disabled
ip firewall nat> add action=src-nat chain=srcnat src-address=192.168.3.10/32 to-addresses=192.168.2.10
- Actually I disabled this rule in mikrotik and still everything is working fine based on my desired config.

With this rule enabled the PCs on range .3.x have no access on internet and cannot resolve dns requests even though their network config is done ok. Other than internet the intranet was ok with Rule 3 enabled.

Take in consideration that internet requests on this range are redirected to .2.x range over vlan and only .2.x router has internet connection, while the other router (.3.x) is enabled only for intranet.

Not quite clear why, but there has to be something in the general vlan & routes rules configuration that makes this rule inappropriate.

Hello.
I have about 500 clients. i have radiusmanager and i want to force redirect traffic to one ip that is my webserver to all client that payment has finish.

when clients expires they take another ip range. i want this ip range to force redirect to my webserver ip, and internet access it will be block. i dont want to use hotspot service. i have try to dstnat but nothing.