[Mikrotik] Routing question about Public and Private IP's on gateway router

Josh Luthman josh at imaginenetworksllc.com
Sun Sep 26 00:46:21 CDT 2010


Masquerade is srcnat'ing it.

The problem is that the public are too, right? If so then some nat rule is
doing it.

On Sep 26, 2010 1:33 AM, "Jeromie Reeves" <jreeves at 18-30chat.net> wrote:
> On Sat, Sep 25, 2010 at 10:05 PM, Christopher Tyler <chris at mowisp.com> wrote:
>> We have another network but with an ImageStream and it's set up essentially
>> the same way. /30 on the WAN, and a /24 and a /25 on the LAN side.  All
>> working properly.  Based on what I had set up in it, I was pretty sure that
>> I had it all correct in the MikroTik as well, after all, routing is routing.
>> From what you are all asking/telling me, I think I'm right.  This issue is
>> not with my configuration in the MikroTik, it's something else.
>>
>> This is the only srcnat rule and it's the first rule as well, there are a
>> few dstnat rules on there to redirect old no longer existing DNS servers,
>> and a redirect for non-payment, but that is all, and they are all tied to
>> specific ports.
>>
>> /ip firewall nat export
>> add action=masquerade chain=srcnat comment="Default NAT Rule (PRIVATE IP)" \
>>    disabled=no out-interface=WAN src-address=!xxx.xxx.xxx.0/22
>
> src-address will be the IP range you want to NAT. In this case, it
> will be everything not matching x.x.x.0/22. to-address is the address
> you want it to look like it comes from. You have no to-address, so it
> automatically picks the IP on your out-interface. Add a
> to-address=x.x.x.x to change the address it comes from. If looking to
> do 1:1 add the block
>
>>
>> So as far as you all can tell, I have it set up correctly.  This should be
>> working properly (other than the private IP's which I know how to fix now).
>>
>> Is there a possibility that this is something that our upstream is doing in
>> their Cisco?  If so, is there something that I can ask them to change to
>> make the public IP's report properly?
>>
>> Christopher Tyler
>> Total Wireless Communications, LLC
>>
>> On 09/25/2010 08:44 PM, Jeromie Reeves wrote:
>>>
>>> Another NAT rule, or the one you have is triggering on them too.
>>> What does this look like, /ip firewall nat export
>>>
>>>
>>> On Sat, Sep 25, 2010 at 6:36 PM, Christopher Tyler <chris at mowisp.com> wrote:
>>>>
>>>> Ahh.... That makes sense for the private IP's, and I'll have to set that
>>>> up.
>>>> But why would the public's, which should not even be touched by NAT, be
>>>> showing up as our /30 instead of the actual IP address?
>>>>
>>>> Christopher Tyler
>>>> Total Wireless Communications, LLC
>>>>
>>>> On 09/25/2010 11:55 AM, Jeromie Reeves wrote:
>>>>>
>>>>> You need a to-address on there, or it will assume the IP on the WAN
>>>>> port.
>>>>>
>>>>> On Sat, Sep 25, 2010 at 9:39 AM, Christopher Tyler <chris at mowisp.com> wrote:
>>>>>>
>>>>>> Sorry about that, my mistake.  I typed <private> in the email and it
>>>>>> should have been <public>.  Only the private IPs are being masqueraded,
>>>>>> not the public, and that was always the case.
>>>>>>
>>>>>> The rule is "!<public>" not "!<private>" as in not the _public_ IP
>>>>>> block.
>>>>>>
>>>>>> This is what I should have written in the email:
>>>>>> /ip firewall nat
>>>>>> add action=masquerade chain=srcnat \
>>>>>>    disabled=no out-interface=WAN src-address=!xxx.xxx.0.0/22
>>>>>>
>>>>>> Where xxx is our _public_ IP block.
>>>>>>
>>>>>> Christopher Tyler
>>>>>> Total Wireless Communications, LLC
>>>>>>
>>>>>> On 09/25/2010 01:33 AM, Josh Luthman wrote:
>>>>>>>
>>>>>>> Masquerade the private addresses, not the public.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Mikrotik mailing list
>>>>>> Mikrotik at mail.butchevans.com
>>>>>> http://www.butchevans.com/mailman/listinfo/mikrotik
>>>>>>
>>>>>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
>>>>>> RouterOS
>>>>>>
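
The thread turns on which source addresses the negated `src-address=!…/22` masquerade rule actually matches. As an added example (not code from any poster or from MikroTik), this sketch parses a rule line in the export format quoted above and evaluates constructed flows against it; 198.18.0.0/22 stands in for the redacted public block, and the WAN address and sample sources are assumptions.

```python
import ipaddress
import shlex

# Constructed rule in the export format quoted in the thread; 198.18.0.0/22
# is a stand-in for the redacted public block (assumption).
RULE = ('add action=masquerade chain=srcnat comment="Default NAT Rule (PRIVATE IP)" '
        'disabled=no out-interface=WAN src-address=!198.18.0.0/22')
WAN_IP = "192.0.2.2"  # constructed /30 address on the WAN interface


def parse_rule(line):
    """Split an 'add key=value ...' export line into a dict."""
    tokens = shlex.split(line)  # keeps the quoted comment as one token
    if not tokens or tokens[0] != "add":
        raise ValueError("expected a line starting with 'add'")
    rule = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed token: {tok!r}")
        rule[key] = value
    return rule


def rule_matches(rule, src, out_interface):
    """True if the srcnat rule matches a packet with this source and egress."""
    if rule.get("disabled") == "yes" or rule.get("chain") != "srcnat":
        return False
    if "out-interface" in rule and rule["out-interface"] != out_interface:
        return False
    spec = rule.get("src-address")
    if spec is None:
        return True  # no source restriction: every source matches
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(src) in net
    return inside != negated  # '!' inverts the match


def source_seen_upstream(rule, src, out_interface, wan_ip=WAN_IP):
    """Source address upstream sees if this is the only srcnat rule."""
    if rule_matches(rule, src, out_interface) and rule.get("action") == "masquerade":
        return wan_ip  # masquerade rewrites to the out-interface address
    return src
```

A public source that this check leaves untranslated but that still shows up upstream as the WAN /30 address points at some other rule or device doing the translation, which is the question the thread is chasing.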