ShaneM
just joined
Topic Author
Posts: 4
Joined: Tue Apr 16, 2024 3:48 pm
Location: Lyle, WA

CG-NAT lab assistance

Mon Nov 04, 2024 2:15 am

Can anyone help me with what I'm doing wrong in my lab? I'm trying to set up/test a CG-NAT configuration which seems to be working, but when I try connecting it to my ISP router in the lab I can't get out to the internet. Yes, I know I'm doing multiple NATs, but I'm trying to test the configuration in my lab before I take it out to the new location where Lumen is delivering a circuit next week.

Issues:
- Laptop cannot ping 8.8.8.8
- Router #1 cannot ping 8.8.8.8 (get "no route to host" msg)

Things that work:
- Laptop can ssh into Router #1 and #2
- From router #2 I can ping out to 8.8.8.8.

Here's the network diagram:
lab-diagram.jpg

Here are the router configs:

Router #1 Conf
----------------
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] comment="Lumen WAN Port"
/interface list
add name=LAN
/ip pool
add name=cgnat-pool1 ranges=100.64.0.0/28
/ip dhcp-server
add address-pool=cgnat-pool1 interface=bridge1 name=CGNAT
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether12
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge1 list=LAN
/ip address
add address=65.58.144.2/27 interface=sfp-sfpplus2 network=65.58.144.0
add address=100.64.0.1/22 interface=bridge1 network=100.64.0.0
add address=65.58.144.6/27 interface=sfp-sfpplus2 network=65.58.144.0
/ip dhcp-server network
add address=100.64.0.0/22 dns-server=9.9.9.9,1.1.1.1 gateway=100.64.0.1 netmask=22
/ip dns
set servers=9.9.9.9,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" in-interface=sfp-sfpplus2 protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=sfp-sfpplus2 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=sfp-sfpplus2 port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=sfp-sfpplus2
/ip firewall nat
add action=netmap chain=srcnat out-interface=sfp-sfpplus2 protocol=tcp src-address=100.64.0.0/28 to-addresses=65.58.144.6 to-ports=1024-65535
add action=netmap chain=srcnat out-interface=sfp-sfpplus2 protocol=udp src-address=100.64.0.0/28 to-addresses=65.58.144.6 to-ports=1024-65535
add action=masquerade chain=srcnat out-interface=sfp-sfpplus2 src-address=100.64.0.0/22
add action=accept chain=input comment="accept ICMP" in-interface=sfp-sfpplus2 protocol=icmp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=65.58.144.2 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
/ip ssh
set strong-crypto=yes
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

[admin@router1] > ip route print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 192.168.1.1 1
DAc 65.58.144.0/27 bridge1 0
0 IsH 100.64.0.0/22 65.58.144.1 1
DAc 192.168.1.0/24 ether1 0
DIcH 192.168.88.0/24 ether13 0
[admin@route1] >
Router #2 Conf
----------
/interface bridge
add name=bridge1
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether13 network=192.168.88.0
add address=65.58.144.1/27 interface=bridge1 network=65.58.144.0
/ip dhcp-client
add interface=ether1
/ip dns
set servers=9.9.9.9
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add dst-address=100.64.0.0/22 gateway=65.58.155.1
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

[admin@router2] > ip route print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 IsH 0.0.0.0/0 65.58.144.2 1
DAc + 65.58.144.0/27 sfp-sfpplus2 0
DAc 100.64.0.0/22 bridge1 0
1 IsH 192.168.1.0/24 65.58.144.2 1
DIcH 192.168.88.0/24 ether13 0
[admin@router2] >
 
rplant
Long time Member
Posts: 542
Joined: Fri Sep 29, 2017 11:42 am

Re: CG-NAT lab assistance  [SOLVED]

Mon Nov 04, 2024 12:15 pm

Below is wrong on router1
(Needs to be .144.1)

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=65.58.144.2
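The mistake rplant points out is a gateway that is one of router1's own addresses, so the static route can never become active. The script below is an added example, not code from the thread or from MikroTik: it reads the `/ip address` and `/ip route` stanzas of a RouterOS export and flags any static route whose gateway is either a local address of the router or not inside any directly connected subnet. The two exports are trimmed copies of the router1 and router2 configs posted above (only the `add` lines matter to the parser; `set` lines and other menus are ignored). Run against the router2 export, the same check also flags the `100.64.0.0/22` route, whose gateway `65.58.155.1` is not in any of router2's connected subnets as exported.

```python
import ipaddress
import shlex

# Constructed sample: trimmed from the router1 export in the thread,
# keeping only the stanzas the check needs.
ROUTER1_EXPORT = """\
/ip address
add address=65.58.144.2/27 interface=sfp-sfpplus2 network=65.58.144.0
add address=100.64.0.1/22 interface=bridge1 network=100.64.0.0
add address=65.58.144.6/27 interface=sfp-sfpplus2 network=65.58.144.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=65.58.144.2 routing-table=main
"""

# Constructed sample: trimmed from the router2 export in the thread.
ROUTER2_EXPORT = """\
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether13 network=192.168.88.0
add address=65.58.144.1/27 interface=bridge1 network=65.58.144.0
/ip route
add dst-address=100.64.0.0/22 gateway=65.58.155.1
"""


def parse_export(text):
    """Split a RouterOS export into {menu_path: [ {key: value}, ... ]}.

    Only 'add' lines are parsed; 'set' lines are skipped. shlex handles
    quoted values such as comment="Lumen WAN Port".
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        entry = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def check_gateways(text):
    """Return (dst-address, gateway, reason) for each unreachable static route."""
    secs = parse_export(text)
    local = [ipaddress.ip_interface(e["address"]) for e in secs.get("/ip address", [])]
    findings = []
    for route in secs.get("/ip route", []):
        gw_str = route.get("gateway")
        if gw_str is None:
            continue
        # RouterOS allows "address%interface"; keep only the address part.
        try:
            gw = ipaddress.ip_address(gw_str.split("%", 1)[0])
        except ValueError:
            continue  # gateway is an interface name; nothing to check here
        dst = route.get("dst-address", "0.0.0.0/0")
        if any(gw == i.ip for i in local):
            findings.append((dst, gw_str, "gateway is one of this router's own addresses"))
        elif not any(gw in i.network for i in local):
            findings.append((dst, gw_str, "gateway is not in any directly connected subnet"))
    return findings


if __name__ == "__main__":
    for name, export in (("router1", ROUTER1_EXPORT), ("router2", ROUTER2_EXPORT)):
        for dst, gw, reason in check_gateways(export):
            print(f"{name}: route to {dst} via {gw}: {reason}")
```

Either condition is what shows up as the `I` (INACTIVE) flag on a static route in `ip route print`: the router has no connected interface through which it can reach the next hop, so the route is installed but never used, and packets to that destination get "no route to host". Running the check over an export before deploying it catches the one-digit typos this thread turned on.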
 
ShaneM
just joined
Topic Author
Posts: 4
Joined: Tue Apr 16, 2024 3:48 pm
Location: Lyle, WA
Contact:

Re: CG-NAT lab assistance

Mon Nov 04, 2024 4:51 pm

Doh! Stupid typo staring me in the face. Thank you, now things seem to be working.
