
viperm
Carpe Diem
Premium
join:2002-07-09
Winchester, CA

Masquerading / natting a single IP or subnet

Mikrotik OS

I am able to do a 1-1 NAT just fine to a specific internal and external public IP.

My question is: how do you do a masquerade / srcnat for a block of internal IPs to another public IP not being used for 1-1 NAT?

Can it be done?

Say I want a group of users who are not paying for a 1-1 NAT for a public IP, and I want them to be part of the group that shares a single public IP. How would I do that?

It seems that when I enable masquerade it takes the 1-1 NAT people and shoots them out the same shared IP as well, instead of the respective 1-1 IP assigned to them?

Thanks
--
»www.accelwireless.com
ComTrain Certified Tower Climber.
Wireless and IT consultant.
Proficient in Mikrotik


bburley

join:2010-04-30
Cold Lake, AB

I have done this with MikroTik.

Add a srcnat rule before your main masquerade rule, if you use one.

In the MikroTik it is:

/ip firewall nat add chain=srcnat action=src-nat to-addresses=[Public IP] \
    src-address-list=[Internal_Group_IP_Address_list] out-interface=[WAN Interface]

In my case, the IP address list is populated with selected IP addresses from different subnets (towers). I also have 1-1 NAT for selected IPs (appears before the group NAT) as well as the last rule, which does masquerade to a separate public IP for everyone else not listed in the first rules.

It all works perfectly!



viperm
Carpe Diem
Premium
join:2002-07-09
Winchester, CA

Okay, cool, I think I see it now. You said different subnets from different towers? Are you just bridged to those other towers or fully routed? If routed, how are you set up to pass those different IPs? Static routes on your core router or OSPF on all of them?

I have one Tik now but am putting another one at the main tower and had planned on using OSPF on those two Tiks.

I have my public IPs on the WAN port of my main Tik. I can't put them inside my network as I don't have a /30 from my upstream to route them over. I have a /29 of IPs, that's it, so I have to keep them on the WAN port until my other provider is up and running. Then I will have a /24 of public and a /30 for transport of those IPs, and then I can have the /24 broken up and routable from within my network, i.e. multiple subnets of that /24 on different towers.
--
»www.accelwireless.com
ComTrain Certified Tower Climber.
Wireless and IT consultant.
Proficient in Mikrotik


bburley

join:2010-04-30
Cold Lake, AB

The towers are routed (without NAT) and I am still using static routes. The internal IPs are available on the LAN side of the core router. I have a /30 and a /28 and just do 1-1 NAT to provide public IPs and have no issues.



Semaphore
Premium
join:2003-11-18
101010
kudos:1
reply to viperm

OSPF with MT is another story that you'll have fun with.... You may want to think about a flat segment with Spanning Tree.


DRIVE71

join:2005-06-08
reply to viperm

When my /24 ran out I started doing this. I just added the new private network(s) to OSPF and the routes propagated through. The privates are routed all the way back to the core. Then I just added a src-nat rule to the core router. On each tower router, I just added another IP pool, so when the publics run out on a particular tower, they get a private IP instead. Good temporary fix till I get more IPs.

/ip firewall nat add action=src-nat chain=srcnat comment="NAT Customers with Non Public addresses" disabled=no out-interface="Public - ether05" src-address=10.10.0.0/21 to-addresses="Public IP of your choice"

By the way, nice tower site (in the other thread) :)
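The tower-side half of the approach DRIVE71 describes, written out as an added example (RouterOS v6 syntax); this is not his configuration, and every name and address in it is assumed: a customer bridge called bridge-customers, a public block 203.0.113.128/26 from the documentation range, and 10.10.0.0/24 as this tower's private fallback carved out of the 10.10.0.0/21 that his core rule src-nats.

```routeros
# Added example, not configuration from this thread. Assumed names and
# addresses: bridge "bridge-customers", public 203.0.113.128/26 (documentation
# range), private fallback 10.10.0.0/24 inside the core's 10.10.0.0/21.

# Two pools: leases come from the public pool until it is empty, then
# next-pool hands out private addresses instead.
/ip pool
add name=tower1-private ranges=10.10.0.10-10.10.0.250
add name=tower1-public ranges=203.0.113.130-203.0.113.190 next-pool=tower1-private

# Both subnets live on the same customer bridge.
/ip address
add address=203.0.113.129/26 interface=bridge-customers
add address=10.10.0.1/24 interface=bridge-customers

# One DHCP server; the network record is chosen by the leased address.
/ip dhcp-server
add name=dhcp-tower1 interface=bridge-customers address-pool=tower1-public disabled=no
/ip dhcp-server network
add address=203.0.113.128/26 gateway=203.0.113.129
add address=10.10.0.0/24 gateway=10.10.0.1

# Advertise both networks so the core learns the route back to the private
# customers; the core's single src-nat rule for 10.10.0.0/21 then covers the
# fallback range of every tower without further NAT at the tower.
/routing ospf network
add network=203.0.113.128/26 area=backbone
add network=10.10.0.0/24 area=backbone
```

The private range is deliberately a slice of the block the core already translates, so adding a tower means adding a pool and an OSPF network entry, not another NAT rule.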

j2sw

join:2006-05-02
Williamsport, IN
reply to viperm

We do a 1:MANY NAT at each POP.

»www.mtin.net/blog/11-nat-setup-w···ikrotik/
Just substitute a subnet for the single 192 (private) IP.

The only catch is that if you are providing publics you will have to burn two public IP addresses. One will be for your true public customers. The other will be for the 1:MANY NAT customers. If not, you will run into port issues.
--
»www.mtin.net/blog
»j2sw.mtin.net/blog



viperm
Carpe Diem
Premium
join:2002-07-09
Winchester, CA
reply to viperm

Can't I just do this? I tried it and it seems to work for anyone in the DHCP pool 200-254:

/ip firewall nat add chain=srcnat action=masquerade src-address=10.0.3.200-10.0.3.254 out-interface="ether1 Inet feed"

Then a 1-1 NAT for the static customers.


bburley

join:2010-04-30
Cold Lake, AB

It should be ok, but it is important to be careful of the order of your rules.

The most specific rules (1-1 nat) should be first, followed by broader or more general rules.

For example, if 10.0.3.215 needed a 1-1 nat, it would work without changing the IP range in the rule you showed, providing the new rule appeared first or before your example rule.

My last rule is not specific. Anyone who doesn't match a previous rule gets masqueraded to a single "catch-all" public IP.
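The thread's advice assembled into one ordered rule set, as an added example rather than any poster's configuration: the 1-1 pair first, bburley's address-list group second, a catch-all last, and, following j2sw's point, a distinct public address for each shared group so ports never collide with a 1-1 customer. The WAN name ether1 and the addresses (10.0.3.50 as the 1-1 customer, viperm's 10.0.3.200-254 pool as the shared group, and publics from the 203.0.113.0/24 documentation range) are assumed.

```routeros
# Added example, not from any post in this thread. Assumed: WAN is ether1,
# 1-1 customer 10.0.3.50 <-> 203.0.113.10, shared-group public 203.0.113.11,
# catch-all public 203.0.113.12 (203.0.113.0/24 is a documentation range).

# Customers who share one public IP. An address list can hold ranges or
# single hosts from different subnets, so towers can be added without
# touching the NAT rule.
/ip firewall address-list
add list=shared-nat-group address=10.0.3.200-10.0.3.254 comment="shared-IP customers"

/ip firewall nat
# 1. Most specific first: the 1-1 pair for a static customer.
#    src-nat handles outbound, dst-nat handles inbound to the public IP.
add chain=srcnat action=src-nat src-address=10.0.3.50 out-interface=ether1 \
    to-addresses=203.0.113.10 comment="1-1 NAT out: 10.0.3.50"
add chain=dstnat action=dst-nat dst-address=203.0.113.10 in-interface=ether1 \
    to-addresses=10.0.3.50 comment="1-1 NAT in: 203.0.113.10"

# 2. The shared group. Explicit src-nat (not masquerade) pins the address,
#    so it can never silently become one of the 1-1 customers' IPs.
add chain=srcnat action=src-nat src-address-list=shared-nat-group \
    out-interface=ether1 to-addresses=203.0.113.11 comment="group NAT"

# 3. Catch-all last: anything not matched above leaves on a third address.
add chain=srcnat action=src-nat out-interface=ether1 \
    to-addresses=203.0.113.12 comment="catch-all NAT"

# srcnat is first-match, so verify the order after every change.
/ip firewall nat print
# If a rule lands in the wrong place, move it; this puts the 1-1 outbound
# rule back at the top of the chain.
/ip firewall nat move [find comment="1-1 NAT out: 10.0.3.50"] 0
```

If the catch-all were placed at position 0, every host, including 10.0.3.50, would match it first and leave on 203.0.113.12, which is the symptom viperm described. All three public addresses still need to be configured on ether1 (or otherwise answered for) so the router responds to ARP for them.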



viperm
Carpe Diem
Premium
join:2002-07-09
Winchester, CA

I agree. I was just playing around with it and got this combo to work. I will adjust the order as needed so it works properly.