I understand. Try clearing the conn table?

Hit me at gtalk [email protected] or aim iam8up101

On Sep 26, 2010 2:53 AM, "Christopher Tyler" <[email protected]> wrote:
> Josh, if you have a few minutes to actually log in and see for yourself,
> I can hit you off list with a user/pass/ip and you can take a look at it
> for yourself. There is no srcnat rule, or dstnat rule for that matter,
> that should be affecting the public IP block. Not trying to be
> argumentative, especially since you are trying to help, but I've looked
> several times and there is nothing there.
>
> Christopher Tyler
> Total Wireless Communications, LLC
>
> On 09/26/2010 12:46 AM, Josh Luthman wrote:
>> Masquerade is srcnat'ing it.
>>
>> The problem is that the public are too, right? If so then some nat rule is
>> doing it.
>> On Sep 26, 2010 1:33 AM, "Jeromie Reeves"<[email protected]> wrote:
>>> On Sat, Sep 25, 2010 at 10:05 PM, Christopher Tyler<[email protected]> wrote:
>>>> We have another network but with an ImageStream and it's set up essentially
>>>> the same way. /30 on the WAN, and a /24 and a /25 on the LAN side. All
>>>> working properly. Based on what I had set up in it, I was pretty sure that
>>>> I had it all correct in the MikroTik as well, after all, routing is routing.
>>>> From what you are all asking/telling me, I think I'm right. This issue is
>>>> not with my configuration in the MikroTik, it's something else.
>>>>
>>>> This is the only srcnat rule and it's the first rule as well, there are a
>>>> few dstnat rules on there to redirect old no longer existing DNS servers,
>>>> and a redirect for non-payment, but that is all, and they are all tied to
>>>> specific ports.
>>>>
>>>> /ip firewall nat export
>>>> add action=masquerade chain=srcnat comment="Default NAT Rule (PRIVATE IP)" \
>>>>     disabled=no out-interface=WAN src-address=!xxx.xxx.xxx.0/22
>>>
>>> src-address will be the ip range you want to NAT. In this case, it
>>> will be everything not matching x.x.x.0/22. to-address is the address
>>> you want it to look like it comes from. You have no to-address, so it
>>> automatically picks the IP on your out-interface. Add a
>>> to-address=x.x.x.x to change the address it comes from. If looking to
>>> do 1:1 add the block
>>>
>>>>
>>>> So as far as you all can tell, I have it set up correctly. This should be
>>>> working properly (other than the private IPs which I know how to fix now).
>>>>
>>>> Is there a possibility that this is something that our upstream is doing in
>>>> their Cisco? If so, is there something that I can ask them to change to
>>>> make the public IPs report properly?
>>>>
>>>> Christopher Tyler
>>>> Total Wireless Communications, LLC
>>>>
>>>> On 09/25/2010 08:44 PM, Jeromie Reeves wrote:
>>>>>
>>>>> Another NAT rule, or the one you have is triggering on them too.
>>>>> What does this look like, /ip firewall nat export
>>>>>
>>>>> On Sat, Sep 25, 2010 at 6:36 PM, Christopher Tyler<[email protected]> wrote:
>>>>>>
>>>>>> Ahh.... That makes sense for the private IPs, and I'll have to set that
>>>>>> up.
>>>>>> But why would the publics, which should not even be touched by NAT, be
>>>>>> showing up as our /30 instead of the actual IP address?
>>>>>>
>>>>>> Christopher Tyler
>>>>>> Total Wireless Communications, LLC
>>>>>>
>>>>>> On 09/25/2010 11:55 AM, Jeromie Reeves wrote:
>>>>>>>
>>>>>>> You need a to-address on there, or it will assume the IP on the WAN
>>>>>>> port.
>>>>>>>
>>>>>>> On Sat, Sep 25, 2010 at 9:39 AM, Christopher Tyler<[email protected]> wrote:
>>>>>>>>
>>>>>>>> Sorry about that, my mistake. I typed <private> in the email and it
>>>>>>>> should have been <public>. Only the private IPs are being masqueraded not the
>>>>>>>> public, and that was always the case.
>>>>>>>>
>>>>>>>> The rule is "!<public>" not "!<private>" as in not the _public_ IP
>>>>>>>> block.
>>>>>>>>
>>>>>>>> This is what I should have written in the email:
>>>>>>>> /ip firewall nat
>>>>>>>> add action=masquerade chain=srcnat \
>>>>>>>>     disabled=no out-interface=WAN src-address=!xxx.xxx.0.0/22
>>>>>>>>
>>>>>>>> Where xxx is our _public_ IP block.
>>>>>>>>
>>>>>>>> Christopher Tyler
>>>>>>>> Total Wireless Communications, LLC
>>>>>>>>
>>>>>>>> On 09/25/2010 01:33 AM, Josh Luthman wrote:
>>>>>>>>>
>>>>>>>>> Masquerade the private addresses, not the public.

_______________________________________________
Mikrotik mailing list
[email protected]
http://www.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
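
An added example, not part of the thread or any poster's own code: a small Python model of how the exported srcnat rule is evaluated, showing that a negated src-address leaves the public block untranslated while every other source leaving WAN takes the out-interface address. The 198.51.100.0/22 block, the 203.0.113.2 WAN address and all function names are constructed for illustration, and the model only looks at chain, disabled, out-interface and src-address.

```python
import ipaddress
import shlex

# Constructed stand-ins (not from the thread): the public /22 and the WAN /30 address.
EXPORT = r'''
add action=masquerade chain=srcnat comment="Default NAT Rule (PRIVATE IP)" \
    disabled=no out-interface=WAN src-address=!198.51.100.0/22
'''
WAN_ADDRESS = "203.0.113.2"


def parse_rules(export):
    """Turn 'add key=value ...' export lines into dicts, joining '\\' continuations."""
    rules = []
    for line in export.replace("\\\n", " ").splitlines():
        tokens = shlex.split(line)          # keeps quoted comment="..." as one token
        if tokens[:1] == ["add"]:
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules


def src_matches(matcher, src):
    """Evaluate a src-address matcher; a leading '!' inverts the match."""
    negate = matcher.startswith("!")
    inside = ipaddress.ip_address(src) in ipaddress.ip_network(matcher.lstrip("!"))
    return inside != negate


def translate(rules, src, out_interface):
    """Return the source address after the first matching srcnat rule."""
    for r in rules:
        if r.get("chain") != "srcnat" or r.get("disabled") == "yes":
            continue
        if r.get("out-interface", out_interface) != out_interface:
            continue
        if "src-address" in r and not src_matches(r["src-address"], src):
            continue
        if r["action"] == "masquerade":
            return WAN_ADDRESS              # masquerade takes the out-interface address
        if r["action"] == "src-nat":
            return r["to-addresses"]        # RouterOS spells the parameter to-addresses
    return src                              # no rule matched: source is left alone


def audit(export, sources, out_interface="WAN"):
    """Map each sample source address to what it looks like after srcnat."""
    rules = parse_rules(export)
    return {s: translate(rules, s, out_interface) for s in sources}
```

Feeding `audit` a real `/ip firewall nat export` and a handful of addresses from each LAN block gives a quick check of which sources a rule set would translate before looking further upstream.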

