
NAT several subnets with same IP range to a single interface

Super User Asked by JotaBe on December 21, 2021

I have the following problem: a customer has several LANs, for example LAN1 and LAN2, with the same private IP range (192.168.10.x), and I need to monitor all the networks.

I have named three interfaces of the router like this: LAN1, LAN2 and MONITOR.

What I need to do is a one-to-one NAT from LAN1 to MONITOR, and another from LAN2 to MONITOR. The NAT configuration should look like this:

I need to be able to access from MONITOR to LAN1, and from MONITOR to LAN2. In the monitor I can use any range I want. To make the example easy to read, let’s suppose I have the 10.0.0.0/16 in MONITOR LAN. So, what I need to do is to hide the private addresses of LAN1 and LAN2, like this:

  • LAN1 ip address 192.168.10.0/24 hidden as 10.0.1.0/24
  • LAN2 ip address 192.168.10.0/24 hidden as 10.0.2.0/24

In this way I can access the machine 192.168.10.23 on LAN1 using the address 10.0.1.23, and the machine 192.168.10.23 (same IP) on LAN2 using the address 10.0.2.23 (note the mapping 10.0.1.x for LAN1, 10.0.2.x for LAN2)

I need to define a NAT for LAN1 like this

/ip firewall nat add chain=dstnat dst-address=10.0.1.0/24 \
    action=netmap to-addresses=192.168.10.0/24

/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 \
    action=netmap to-addresses=10.0.1.0/24

(Obviously for LAN2, I use a similar NAT definition)

So far so good. If I use this NAT definition for LAN1, everything works as expected.

The problem is when I define the NAT for the second LAN. I have tried bridging, routing with mangled packets, using VLANs… but none of my configurations give me the expected results. For example, if I ping 192.168.1.23 the pings sometimes arrive at the machine 192.168.10.23 on LAN1, and on other occasions I get the pings from the machine with the same IP on LAN2. On other occasions the routes fail (there’s some problem with them).

I don’t mind if I have to use routing or bridging. I don’t mind what IPs I use on the MONITOR LAN, but what I cannot do is change the IPs on LAN1 and LAN2.

In a few words, what I need is to assign a NAT from the MONITOR interface to the LAN1 interface for 10.0.1.0/24 to 192.168.10.0/24, and another NAT from the MONITOR interface to LAN2 for 10.0.2.0/24 to 192.168.10.0/24. I have not been able to separate the traffic for both “channels”, because of the repeated IPs on LAN1 and LAN2.

Do you have any idea of how I can achieve it?

One Answer

Let's go to an easy solution: I understand that your router is 192.168.10.0/24, so:

/ip firewall nat add chain=srcnat src-address=10.0.2.0/24 dst-address=10.0.1.0/24 \
    action=src-nat to-addresses="router-IP-192.168.10.x/24"

/ip firewall nat add chain=srcnat src-address=10.0.1.0/24 dst-address=10.0.2.0/24 \
    action=dst-nat to-addresses="router-IP-192.168.10.x/24"

Make sure that all of the PCs/servers have the router IP set as their default gateway.

Answered by gilito on December 21, 2021
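The following is an added example, not code from the question or the answer above. It shows one way to make the question's netmap rules work for two LANs that share 192.168.10.0/24: the alias range is used to pick a routing table before dst-nat rewrites the destination, so each translated packet is forced out of exactly one LAN interface. The interface names LAN1, LAN2 and MONITOR are taken from the question; the router addresses (192.168.10.254 on both LANs, 10.0.0.1/16 on MONITOR) and the rule set are assumptions for the example. RouterOS v6 syntax is used; on v7 the two tables are declared with `/routing table add name=LAN1 fib` (and likewise LAN2) and the routes take `routing-table=` instead of `routing-mark=`, while the mangle rules stay the same.

```routeros
# Added example (not from the original post). Assumed: interfaces LAN1, LAN2,
# MONITOR; router is 192.168.10.254 on both LANs and 10.0.0.1/16 on MONITOR;
# 10.0.1.0/24 aliases LAN1, 10.0.2.0/24 aliases LAN2.

# The same /24 now sits on two interfaces, so the main table holds two
# overlapping connected routes. Unmarked traffic to 192.168.10.0/24 would pick
# one of them unpredictably (the symptom in the question); the routing marks
# below keep monitor-originated traffic out of the main table for that prefix.
/ip address
add address=10.0.0.1/16 interface=MONITOR
add address=192.168.10.254/24 interface=LAN1
add address=192.168.10.254/24 interface=LAN2

# One routing table per LAN; the mark decides the egress interface.
/ip route
add dst-address=192.168.10.0/24 gateway=LAN1 routing-mark=LAN1
add dst-address=192.168.10.0/24 gateway=LAN2 routing-mark=LAN2

# Mangle prerouting runs before dst-nat, so the still-untranslated 10.0.x.y
# destination selects the table. The routing decision afterwards sees the
# netmapped 192.168.10.y destination and resolves it in that table only.
/ip firewall mangle
add chain=prerouting in-interface=MONITOR dst-address=10.0.1.0/24 \
    action=mark-routing new-routing-mark=LAN1 passthrough=no
add chain=prerouting in-interface=MONITOR dst-address=10.0.2.0/24 \
    action=mark-routing new-routing-mark=LAN2 passthrough=no

/ip firewall nat
# 1:1 netmap of each alias range onto the real LAN range (same as the
# question's dstnat rule, restricted to traffic entering from MONITOR).
add chain=dstnat in-interface=MONITOR dst-address=10.0.1.0/24 \
    action=netmap to-addresses=192.168.10.0/24
add chain=dstnat in-interface=MONITOR dst-address=10.0.2.0/24 \
    action=netmap to-addresses=192.168.10.0/24
# Hide the monitor behind the router's LAN-side address so replies always
# return to this router, whatever default gateway the LAN hosts use.
add chain=srcnat out-interface=LAN1 src-address=10.0.0.0/16 action=masquerade
add chain=srcnat out-interface=LAN2 src-address=10.0.0.0/16 action=masquerade

# A monitoring path should be one-way: LAN hosts may answer but never open
# connections towards the monitor network or towards each other.
/ip firewall filter
add chain=forward in-interface=MONITOR out-interface=LAN1 action=accept
add chain=forward in-interface=MONITOR out-interface=LAN2 action=accept
add chain=forward in-interface=LAN1 connection-state=established,related action=accept
add chain=forward in-interface=LAN2 connection-state=established,related action=accept
add chain=forward in-interface=LAN1 action=drop
add chain=forward in-interface=LAN2 action=drop
```

To check the separation, ping 10.0.1.23 and then 10.0.2.23 from a host inside 10.0.0.0/16 (not from the router itself, whose own traffic does not pass through these prerouting chains) and watch `/ip firewall nat print stats`: each ping should increment exactly one of the two dstnat rules, and `/ip firewall connection print` should show the two connections with the same translated destination but different marks. Because the masquerade rule makes the router the reply destination, the gateway requirement from the answer above is not needed on the LAN hosts for monitor-initiated traffic.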
