MikroTik

Posted: **Tue May 29, 2018 7:18 pm**

Dear Colleagues:

I have two mikrotik router end to end (NAT-NAT) and in between there is a DMZ. Actually, I don't want NAT on the inner one. I want to use the gateway concept in routes so DMZ and the inner network can communicate without the need for port forwarding (dst-nat).
Please, advise how to configure the inner router.
thanks a lot in advance.

Posted: **Tue May 29, 2018 7:25 pm**

Diagram it. A photo of a handmade drawing made by mobile phone is sufficient.

Posted: **Wed May 30, 2018 9:38 am**

Please, find attached the diagram. Please, let me know if you need any thing more.

Thanks a lot in advance.

Posted: **Wed May 30, 2018 12:07 pm**

If you want to keep everything unchanged and just get rid of the NAT on the Mikrotik with 192.168.4.1 on WAN, it is enough to add a route to the Mikrotik connected to the ISP:

/ip route
add dst-address=192.168.1.0/24 gateway=192.168.4.1

Posted: **Wed May 30, 2018 2:15 pm**

Thanks but I want both subnets (4.x and 1.x) see each other and at the same time the users of 1.x use the gateway 4.1.
Please, advise.
BR

Posted: **Wed May 30, 2018 3:51 pm**

Hi.
I think sindy supposes that mikrotik is the gateway for 192.168.1.0/24 network. So traffic from 192.168.1.0/24 to 192.168.4.0/24 would flow through gateway.
For 192.168.4.0/24, I think gateway is internet. So you need route specify by sindy.

Posted: **Wed May 30, 2018 4:55 pm**

Devices in 192.168.1.0/24 must have a gateway from 192.168.1.0, which is the upper 'Tik, represented by its address from that range. But the upper 'Tik is in both networks simultaneously, so its own gateway to the world is the lower 'Tik.

Lower 'Tik's gateway to the world is the ISP via the PPPoE interface, so you need an exception from that for 192.168.1.0/24, which is the route I gave, otherwise you would have to keep the NAT on upper 'Tik in place.

If you prefer something else (e.g. the devices behind the upper 'Tik to be in 192.168.4.0/24 because the connection between the two 'Tiks is a wireless one), you have to say that.

Posted: **Thu May 31, 2018 3:40 pm**

Thanks both of you.

Actually, what you are proposing is something I have tried a lot but never succeeded. I guess there is something which I don't understand in your scenario. For this, and in order not to intrupt the service here, I have created a similar scenario but with one mikrotik and an internet modem. Consider the internet modem is the internet edge nat. While the mikrotik is on the internal edge of the modem.
Internal IP of the modem: 192.168.1.1
External IP of the mikrotik: 192.168.1.120
Internal IP of the mikrotik: 192.168.200.1

The screen shot of the configuration of the mikrotik is attached. Please, let me know if you need something else.

I appreciate your advice.

Fawaz

Posted: **Thu May 31, 2018 4:19 pm**

With the modem in bridge mode and lower Mikrotik doing PPPoE and NAT to the IP provided by the ISP, it is actually simpler to configure than if the PPPoE and NAT is provided by the modem. The reason is that if you need the two LANs to reach each other without NAT between them, there is no other way than to use the exception route on the lower device (or you can use the upper device as a switch so that all local devices are in the LAN subnet of the lower device). And adding a route to the modem needs knowledge of the modem, and on many modems it is not possible at all.

So I'd recommend that you revert back to the scenario with two Mikrotiks and place here the output of /export hide-sensitive for both instead of screenshots; before posting, systematically replace every occurrence of each public IP adress you don't want to publish by a meaningful distinctive pattern like my.public.ip.1.

Posted: **Thu May 31, 2018 4:32 pm**

Actually, the modem is not in bridge mode. it is pppoe client.
Anyway, I will do what you want in order to clarify everything.

Posted: **Thu May 31, 2018 4:39 pm**

Actually, the modem is not in bridge mode. it is pppoe client.

So you initially had three NATs stacked?

Posted: **Thu May 31, 2018 4:46 pm**

Actually, the modem is not in bridge mode. it is pppoe client.
So you initially had three NATs stacked?

I was just writing a reply with that exact question. At best this is double NAT, at worse it's triple NAT. It's a mess.

Posted: **Fri Jun 01, 2018 12:40 pm**

Hi.

Mikrotik
- Internal
  I think mikrotik is the gateway. So, any machine in 192.168.200.0/24 network can reach 192.168.1.0/24 network
  The question is: does it exists a nat rule on outgoing traffic on 192.168.1.120 interface?
  If yes, machines in 192.168.1.0/24 network can answer traffic form 192.168.200.0/24 network
  If not, you need a route in modem that is 192.168.1.0/24 network gateway
  - 192.168.200.0/24 -> 192.168.1.120
- External
  If you want permit traffic from 192.168.1.0/24 to 192.168.200.0/24, you need previous route in modem
  - 192.168.200.0/24 -> 192.168.1.120

Posted: **Fri Jun 01, 2018 2:21 pm**

Dear All:

The original scenario is two nat and all are mikrotik. Then, I have created a lab scenario with an internet modem and one mikrotik and I mentioned that this is a lab and created in order not to interrupt the service.

I will send you the configuration of the original scenario soon.

BR

Posted: **Sun Jun 03, 2018 7:05 pm**

RB_SMALL_MTK_CONFIG.txt (attached) is the configuration of the mikrotik that faces the internet.
RB_BIG_MTK_CONFIG_1.txt (attached) is the configuration of the mikrotik that faces the internal network.

Thank for your feedback in advance.

Posted: **Mon Jun 04, 2018 1:27 pm**

Thanks but I want both subnets (4.x and 1.x) see each other and at the same time the users of 1.x use the gateway 4.1.
Please, advise.
BR

I'm sorry but that doesn't really make sense, because that contradicts the request for the networks to not be natted.
You currently have 4.4 set as default gateway for 0.0.0.0/0 on 1.x router.
You currenly have:

add action=masquerade chain=srcnat

without any incoming\outgoing interfaces\ip addresses, so the router masks both incoming and outgoing traffic (internal - going out, external - coming in).
I suggest you at least specify internal addresses which are being masqueraded.
Create address list with the list of IP addresses that you do not want to NAT, create an NAT accept rule above your masquerade rule with SRC address and DST address from address list that you created. It will make sure there are no natting for those networks.
Don't forget to add Accept rules for forwards in firewall (same address list as in NAT will become usefull)

MikroTik

Two mikrotik NAT to NAT

Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT

Re: Two mikrotik NAT to NAT