REAL --- FAKE

soleed · Sun Apr 30, 2006 1:04 am

HI
please i need help with let a ip with the real interface to access the fake (local Network) in the microtik software

proxy · Sun Apr 30, 2006 1:53 am

i don't understand your question!

soleed · Sun Apr 30, 2006 9:59 am

i don't understand your question!

Dear Proxy
I Have 2 different networks connectied thru microtik router
first network to a interface called fake with range 192.168.0.0
second network to a interface called real with range 11.11.11.0
with my configuraton in the firewall i can choose the ip in the fake range that will go connect to the real network bu i cannot make a real ip for example 11.11.11.56 from connecting to the fake network

best regards

soleed · Sun Apr 30, 2006 10:05 am

i don't understand your question!

Dear Proxy
I Have 2 different networks connectied thru microtik router
first network to a interface called fake with range 192.168.0.0
second network to a interface called real with range 11.11.11.0
with my configuraton in the firewall i can choose the ip in the fake range that will go connect to the real network bu i cannot make a real ip for example 11.11.11.56 from connecting to the fake network

best regards

valens · Sun Apr 30, 2006 8:40 pm

I think you have basic networking problem. Have you set the default route of each machine properly? What is the default route for the real network machine? Maybe you can try to do trace route to see where the traffic go.

soleed · Sun Apr 30, 2006 9:53 pm

dear valens
yes i use the default gateway for both network the microtik ip depend on interface

valens · Mon May 01, 2006 6:02 am

paste your config here

soleed · Mon May 01, 2006 7:29 pm

dear valens

[admin@Active] > int
[admin@Active] interface> pr
Flags: X - disabled, D - dynamic, R - running
 #    NAME                         TYPE             RX-RATE    TX-RATE    MTU
 0  R Fake                         ether            0          0          1500
 1  R Real                         ether            0          0          1500
[admin@Active] > int
[admin@Active] interface> pr
Flags: X - disabled, D - dynamic, R - running
 #    NAME                         TYPE             RX-RATE    TX-RATE    MTU
 0  R Fake                         ether            0          0          1500
 1  R Real                         ether            0          0          1500
[admin@Active] ip firewall mangle> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=passthrough

do u need any other configuration i have too many filters in my firewall

valens · Mon May 01, 2006 8:34 pm

1. Your Firewall filter no 0 is really weird.

2. Do you have any NAT/MASQ rules? Maybe there are some missconfig there.

soleed · Mon May 01, 2006 8:59 pm

[admin@Active] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8082

1 chain=srcnat action=masquerade
[admin@Active] ip firewall nat>

soleed · Mon May 01, 2006 9:16 pm

soleed · Mon May 01, 2006 9:17 pm

valens · Tue May 02, 2006 11:07 am

Yes, your masq filter is wrong...

soleed · Tue May 02, 2006 11:53 am

PLEASE can you provide the good conf.

valens · Tue May 02, 2006 7:49 pm

If you just want to make network A ping network B with a router in between, :

1. Turn off all firewall rule and NAT
2. Set gateway (default) of client computer to IP on the router on each interface.

wildbill442 · Tue May 02, 2006 8:44 pm

It sounds like he's trying to do DST-NAT.

To NAT a "real" or publicly routeable IP address to an internal "fake" private side address..

The masquerade rule would be as follows:

/ip firewall nat add chain=srcnat out-interface=WAN src-address=192.168.0.0/24 action=masquerade comment="masquerade" disabled=no

Now if you want someone to access an internal server that has an IP address of say 192.168.0.20 and the public address is say 11.11.11.56, you need to create a dst-nat rule. Which would look like this:

/ip firewall nat add chain=dstnat dst-address=11.11.11.56 action=dst-nat to-addresses=192.168.0.20 to-ports=80 comment="http server" \
    disabled=no

Hope this helps.

soleed · Wed May 03, 2006 12:10 am

did not work man i give the 11.11.11.56 access to 192.168.0.216 its a web server no replay even there is no ping

wildbill442 · Wed May 03, 2006 8:40 am

Is 11.11.11.56 added to the WAN interface, or "REAL" as you have it labeled?

soleed · Wed May 03, 2006 4:26 pm

dear the ip range 11.11.11.0/24 is in the real interface and 192.168.0.0/24 is on the fake interface

janisk · Wed May 03, 2006 4:48 pm

soleed pleace be so kind and DO READ

NAT
http://www.mikrotik.com/docs/ros/2.9/ip/nat

IP addressing and routing
http://www.mikrotik.com/docs/ros/2.9/ip/address

that way you could understand these things better. pleace make it clear what you want in terms we all use here and then come and ask questions and we will kindly answer.

soleed · Wed May 03, 2006 10:23 pm

thanks i read it
now how can you help

wildbill442 · Wed May 03, 2006 10:59 pm

Soleed,

the IP address that you are trying to NAT to the internal network must be assigned to the WAN or "real" interface (you can have more than one IP assigned to a single interface).

Remove the to-ports=80 that was incorrect, instead replace it with 0-65535 that will forward all requests going to 11.11.11.56 to your internal address 192.168.0.216. so to recap.. the command would look like this:

/ip firewall nat add chain=dstnat dst-address=11.11.11.56 action=dst-nat to-addresses=192.168.0.216 to-ports=0-65535 comment="http server" \
    disabled=no

remove the old rule that was forwarding to port 80.

You could forward just port 80, by appending the previous command like so:

/ip firewall nat add chain=dstnat dst-address=11.11.11.56 dst-port=80 action=dst-nat to-addresses=192.168.0.216 to-ports=80 comment="http server" \    disabled=no

soleed · Sat May 06, 2006 3:26 pm

im trying pinging 192.168.0.216 from a public interface and getting timed out
and every think as you told me

soleed · Sun May 07, 2006 10:35 am

man my laptop is 11.11.11.50 the microtik real intefrace ip 11.11.11.56 the fake mikrotik ip is 192.168.0.254 the internal web server ip 192.168.0.216
and my laptop gateway is 11.11.11.56 and i did all the configuration you give me
but sorry NO PING

wildbill442 · Tue May 09, 2006 7:36 pm

man my laptop is 11.11.11.50 the microtik real intefrace ip 11.11.11.56 the fake mikrotik ip is 192.168.0.254 the internal web server ip 192.168.0.216
and my laptop gateway is 11.11.11.56 and i did all the configuration you give me
but sorry NO PING

Well can you ping 192.168.0.216 from the Mikrotik? Maybe the 192.168.0.216 host has a firewall blocking ICMP echo requests.. Maybe you have a filter in the mikrotik firewall blocking ICMP echo.. You're doing something wrong and unless you post your configuration I can't help you any further.

REAL --- FAKE

REAL --- FAKE

Who is online