[Mikrotik] Routing question about Public and Private IP's on gateway router

Christopher Tyler chris at mowisp.com
Sun Sep 26 12:00:19 CDT 2010


Masquerade does not have a 'to-address' option, so for the private IP's 
what would the correct action be?

/ip firewall nat
add action=src-nat chain=srcnat disabled=no out-interface=WAN \
     src-address=172.19.0.0/24 to-addresses=xxx.xxx.xxx.xxx

-OR-

/ip firewall nat
add action=netmap chain=srcnat disabled=no out-interface=WAN \
     src-address=172.19.0.0/24 to-addresses=xxx.xxx.xxx.xxx

Christopher Tyler
Total Wireless Communications, LLC

On 09/26/2010 12:32 AM, Jeromie Reeves wrote:
> On Sat, Sep 25, 2010 at 10:05 PM, Christopher Tyler <chris at mowisp.com> wrote:
>> We have another network but with an ImageStream and it's set up essentially
>> the same way. /30 on the WAN, and a /24 and a /25 on the LAN side.  All
>> working properly.  Based on what I had set up in it, I was pretty sure that
>> I had it all correct in the MikroTik as well, after all, routing is routing.
>> From what you are all asking/telling me, I think I'm right.  This issue is
>> not with my configuration in the MikroTik, it's something else.
>>
>> This is the only srcnat rule and it's the first rule as well, there are a
>> few dstnat rules on there to redirect old no longer existing DNS servers,
>> and a redirect for non-payment, but that is all, and they are all tied to
>> specific ports.
>>
>> /ip firewall nat export
>> add action=masquerade chain=srcnat comment="Default NAT Rule (PRIVATE IP)" \
>>     disabled=no out-interface=WAN src-address=!xxx.xxx.xxx.0/22
>
> src-address will be the IP range you want to NAT. In this case, it
> will be everything not matching x.x.x.0/22.  to-address is the address
> you want it to look like it comes from. You have no to-address, so it
> automatically picks the IP on your out-interface. Add a
> to-address=x.x.x.x to change the address it comes from. If looking to
> do 1:1 add the block
>
>>
>> So as far as you all can tell, I have it set up correctly.  This should be
>> working properly (other than the private IP's which I know how to fix now).
>>
>> Is there a possibility that this is something that our upstream is doing in
>> their Cisco?  If so, is there something that I can ask them to change to
>> make the public IP's report properly?
>>
>> Christopher Tyler
>> Total Wireless Communications, LLC
>>
>> On 09/25/2010 08:44 PM, Jeromie Reeves wrote:
>>>
>>> Another NAT rule, or the one you have is triggering on them too.
>>> What does this look like, /ip firewall nat export
>>>
>>>
>>> On Sat, Sep 25, 2010 at 6:36 PM, Christopher Tyler <chris at mowisp.com> wrote:
>>>>
>>>> Ahh.... That makes sense for the private IP's, and I'll have to set that
>>>> up. But why would the public's, which should not even be touched by NAT, be
>>>> showing up as our /30 instead of the actual IP address?
>>>>
>>>> Christopher Tyler
>>>> Total Wireless Communications, LLC
>>>>
>>>> On 09/25/2010 11:55 AM, Jeromie Reeves wrote:
>>>>>
>>>>> You need a to-address on there, or it will assume the IP on the WAN
>>>>> port.
>>>>>
>>>>> On Sat, Sep 25, 2010 at 9:39 AM, Christopher Tyler <chris at mowisp.com> wrote:
>>>>>>
>>>>>> Sorry about that, my mistake.  I typed <private> in the email and it
>>>>>> should have been <public>.  Only the private IPs are being masqueraded not
>>>>>> the public, and that was always the case.
>>>>>>
>>>>>> The rule is "!<public>" not "!<private>" as in not the _public_ IP
>>>>>> block.
>>>>>>
>>>>>> This is what I should have written in the email:
>>>>>> /ip firewall nat
>>>>>> add action=masquerade chain=srcnat \
>>>>>>     disabled=no out-interface=WAN src-address=!xxx.xxx.0.0/22
>>>>>>
>>>>>> Where xxx is our _public_ IP block.
>>>>>>
>>>>>> Christopher Tyler
>>>>>> Total Wireless Communications, LLC
>>>>>>
>>>>>> On 09/25/2010 01:33 AM, Josh Luthman wrote:
>>>>>>>
>>>>>>> Masquerade the private addresses, not the public.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Mikrotik mailing list
>>>>>> Mikrotik at mail.butchevans.com
>>>>>> http://www.butchevans.com/mailman/listinfo/mikrotik
>>>>>>
>>>>>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
>>>>>> RouterOS
>>>>>>
>
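
An added example, not part of the thread and not MikroTik code: a small Python evaluator for the srcnat rules discussed above, showing which source address the upstream sees for private and public hosts under masquerade, src-nat and netmap. The WAN address, the public /22 and the to-addresses values are constructed placeholders, and out-interface matching is assumed to always succeed.

```python
import ipaddress
import shlex

# Constructed sample values, not from the thread (WAN IP, public /22, NAT IP).
WAN_ADDRESS = "198.51.100.2"
EXPORT = r'''
add action=src-nat chain=srcnat disabled=no out-interface=WAN \
    src-address=172.19.0.0/24 to-addresses=203.0.112.10
add action=masquerade chain=srcnat comment="Default NAT Rule (PRIVATE IP)" \
    disabled=no out-interface=WAN src-address=!203.0.112.0/22
'''

def parse_rules(export):
    """Parse 'add key=value ...' export lines into dicts, keeping rule order."""
    rules = []
    for line in export.replace("\\\n", " ").strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def src_matches(rule, ip):
    """Evaluate src-address, honouring the RouterOS '!' negation prefix."""
    spec = rule.get("src-address", "0.0.0.0/0")
    inside = ip in ipaddress.ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")

def translated_source(rules, src, wan_address=WAN_ADDRESS):
    """Return (source address seen upstream, action of the matching rule)."""
    ip = ipaddress.ip_address(src)
    for rule in rules:  # the first matching srcnat rule wins
        skip = rule.get("chain") != "srcnat" or rule.get("disabled") == "yes"
        if skip or not src_matches(rule, ip):
            continue
        action = rule["action"]
        if action == "masquerade":  # no to-addresses: uses the out-interface IP
            return wan_address, action
        if action == "src-nat":     # every matching host shares to-addresses
            return rule["to-addresses"], action
        if action == "netmap":      # 1:1, host offset kept; equal-size blocks
            src_net = ipaddress.ip_network(rule["src-address"])
            dst_net = ipaddress.ip_network(rule["to-addresses"])
            offset = int(ip) - int(src_net.network_address)
            return str(dst_net.network_address + offset), action
    return src, None  # no rule matched: routed with its real address

if __name__ == "__main__":
    for host in ("172.19.0.25", "10.0.0.5", "203.0.113.40"):
        print(host, "->", translated_source(parse_rules(EXPORT), host))
```

With these rules a host inside the public /22 matches neither rule and leaves untranslated, so a public address still appearing as the /30 upstream would point at something other than this rule set.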

