
Nat of indirectly connected network

Posted: Fri Sep 03, 2021 6:26 pm
by kerya
Example:
Client device (172.16.0.2/24) → (172.16.0.1/24) Mikrotik router without nat (192.168.0.2/24) → (192.168.0.1/24) Mikrotik router with NAT (Any globally routed address) → Internet
On the client device, the default router is 172.16.0.1.
On the Mikrotik router without NAT, the default router is 192.168.0.1.
Is it possible to make the Mikrotik router with NAT do NAT for the client device's subnet (172.16.0.0/24) to the internet?
FreeBSD PF can do this. Is Mikrotik able to?

All routing is fine. NAT rules are present.

I can make nat of 192.168.0.0/24 subnet from my example on Mikrotik router with nat easily. How to do this for 172.16.0.0/24?

I need masquerade for dynamic IPs.

Re: Nat of indirectly connected network

Posted: Fri Sep 03, 2021 6:45 pm
by tdw
Yes, you just need the correct routing & NAT rules in place.

Assuming 'Mikrotik router without nat' has a default route to 192.168.0.1, then on 'Mikrotik router with NAT' you need a static route for 172.16.0.0/24 to 192.168.0.2 and a suitable NAT rule; the one in the Mikrotik default configuration applies NAT to all forward traffic leaving via the WAN interface.

Re: Nat of indirectly connected network

Posted: Wed Sep 22, 2021 2:54 am
by kerya
Routing is fine, NAT rule exists. Unfortunately, it doesn't work. Are you able to test it with 2 devices or in a CHR environment?

Re: Nat of indirectly connected network

Posted: Wed Sep 22, 2021 12:08 pm
by mkx
Default SRC-NAT rule
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
should be able to properly NAT anything going out via the WAN interface regardless of the src-address.

If you want to get some concrete advice, post text export of main router's configuration (execute /export hide-sensitive file=anynameyouwish in terminal, fetch resulting file, open it in text editor, obfuscate any remaining sensitive information such as public IP address or serial number, and copy-paste result inside [code] [/code] environment).

Re: Nat of indirectly connected network

Posted: Wed Sep 22, 2021 12:15 pm
by brianchrist
1. make sure you can ping the 192.168.0.1 from client device (172.16.0.2)
2. make sure your traceroute to internet (ex. 8.8.8.8) goes through 192.168.0.1
3. add NAT on 192.168.0.1 router
/ip firewall nat add action=masquerade chain=srcnat out-interface=<interface with public IP> src-address=172.16.0.0/24
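
The return route and NAT rule described in the replies above, followed by read-only checks that show where the path breaks, as an added example that is not from any poster in this thread. It assumes the commands run on the 'Mikrotik router with NAT' (192.168.0.1) and that its Internet-facing interface is a member of the interface list WAN, as in the default configuration quoted earlier.

```routeros
# Added example; run on the router that performs NAT (192.168.0.1).
# Assumption: the uplink interface belongs to interface list WAN.

# 1. Return route. Masquerading rewrites outgoing packets, but replies are
#    translated back to 172.16.0.x and must then be routed to the inner
#    router; without this route they follow the default route and are lost.
/ip route add dst-address=172.16.0.0/24 gateway=192.168.0.2 \
    comment="indirectly connected LAN"

# 2. Masquerade limited to the indirect subnet. The default rule already
#    matches any source leaving via WAN; this one only makes the intent
#    explicit and gives the subnet its own packet counter.
/ip firewall nat add chain=srcnat action=masquerade \
    src-address=172.16.0.0/24 out-interface-list=WAN \
    comment="masquerade indirectly connected LAN"

# 3. Checks while the client (172.16.0.2) pings an Internet address.

# The route must be listed as active with gateway 192.168.0.2.
/ip route print where dst-address=172.16.0.0/24

# The uplink must be listed here, otherwise out-interface-list=WAN
# never matches and no NAT rule fires.
/interface list member print where list=WAN

# Packet counters on the srcnat rules should increase during the test.
/ip firewall nat print stats

# Tracked connections from the client subnet. If the traffic shows up
# with source 192.168.0.2 instead, the inner router is translating it
# before it reaches this router.
/ip firewall connection print where src-address~"^172.16.0."
```

If the NAT counters stay at zero while the connection table shows 172.16.0.x entries, look at the WAN list membership and the order of the srcnat rules first.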


Re: Nat of indirectly connected network

Posted: Fri Sep 24, 2021 3:10 pm
by kerya
1. make sure you can ping the 192.168.0.1 from client device (172.16.0.2)
2. make sure your traceroute to internet (ex. 8.8.8.8) goes through 192.168.0.1
3. add NAT on 192.168.0.1 router
/ip firewall nat add action=masquerade chain=srcnat out-interface=<interface with public IP> src-address=172.16.0.0/24

This is exactly what was done. And it doesn't work. I am going to put my config here later.