RUTX08 1 to 1 NAT on entire subnet

Hello,

I have read a lot of topics on this site already but I have not found a definitive solution to my problem yet.

I have multiple networks with the same IP addresses (172.16.0.0/24). I want to add a router (RUTX08) to each of these networks, after which I want to set up NAT on every router to translate to another IP range (10.128.x.0/24).

I have checked out these posts, and the wiki on 1 to 1 NAT.

But I cannot get it to work.

I have tried to add the following to the firewall custom rules:
iptables -t nat -I PREROUTING -s 10.128.1.0/24 -j NETMAP --to 172.16.0.0/24
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j NETMAP --to 10.128.1.0/24

However, I am not able to ping from, for example, 10.128.1.59 to 10.128.1.58 (which is a device with IP address 172.16.0.58 on the LAN of the RUTX08).

Do you have some suggestions on what I should do?

Thank you in advance.

Hello,

Do you have a route to 10.128.1.58 in this case from 10.128.1.59? When you ping, does it actually get routed to RUTX08? What is your topology?

You can install tcpdump and check if pings are reaching the WAN interface on RUTX08:

opkg update
opkg install tcpdump
tcpdump -i eth1 icmp

Kind Regards,

Hi,

I think there might be some problems with assigning the correct IP Addresses to the WAN and LAN port.
See the picture below of what I am trying to achieve. I think it is very similar to the problem in this post.

Each network will have its own router to do the NAT.

I am able to ping to the WAN port of the router from the 10.128.0.0/16 network.

Do I have to add static routes to the router as well? Maybe I messed up the firewall settings already; I might start with a fresh factory reset of the RUTX08. Do I need to change the zone settings?
I had added the LAN interface to the forward of destination and source of the WAN zone.
Does the Masquerading flag need to be set on or off? I am guessing off…

Hello,

Could you please try one of the following iptables rule sets (or both)?

1st set of rules:

#ROUTER 10.128.1.x

iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.0.0/16 -j NETMAP --to 10.128.1.0/24
iptables -t nat -I PREROUTING -s 10.128.0.0/16 -j NETMAP --to 172.16.0.0/24

#ROUTER 10.128.2.x

iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.0.0/16 -j NETMAP --to 10.128.2.0/24
iptables -t nat -I PREROUTING -s 10.128.0.0/16 -j NETMAP --to 172.16.0.0/24

#ROUTER 10.128.3.x

iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.0.0/16 -j NETMAP --to 10.128.3.0/24
iptables -t nat -I PREROUTING -s 10.128.0.0/16 -j NETMAP --to 172.16.0.0/24

2nd set of rules:

#ROUTER 10.128.1.x

iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.2.0/24 -j NETMAP --to 10.128.1.0/24
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.3.0/24 -j NETMAP --to 10.128.1.0/24
iptables -t nat -I PREROUTING -s 10.128.2.0/24 -j NETMAP --to 172.16.0.0/24
iptables -t nat -I PREROUTING -s 10.128.3.0/24 -j NETMAP --to 172.16.0.0/24

#ROUTER 10.128.2.x

iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.1.0/24 -j NETMAP --to 10.128.2.0/24
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.3.0/24 -j NETMAP --to 10.128.2.0/24
iptables -t nat -I PREROUTING -s 10.128.1.0/24 -j NETMAP --to 172.16.0.0/24
iptables -t nat -I PREROUTING -s 10.128.3.0/24 -j NETMAP --to 172.16.0.0/24

#ROUTER 10.128.3.x

iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.1.0/24 -j NETMAP --to 10.128.3.0/24
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.2.0/24 -j NETMAP --to 10.128.3.0/24
iptables -t nat -I PREROUTING -s 10.128.1.0/24 -j NETMAP --to 172.16.0.0/24
iptables -t nat -I PREROUTING -s 10.128.2.0/24 -j NETMAP --to 172.16.0.0/24

Let me know how it goes.

Kind Regards,

Thank you for your assistance thus far. However, it is not working yet.

Maybe my question is not defined correctly.

What I basically want the RUTX08 to do is to perform the same function as a MOXA NAT-102 device would do. link to moxa nat-102

In their manual the following image is included:

My exact plan:
I have a network (NW1) with a PLC with IP address 172.16.0.100/24, some kind of server with IP 172.16.0.1/24, and a RUTX with LAN IP address 172.16.0.254,
and another network (NW2) with a PLC with IP address 172.16.0.100/24, another server with IP 172.16.0.1/24, and a RUTX with LAN IP address 172.16.0.254.

I want to reach both PLCs and servers from 1 computer in a different network, 10.128.0.0/16.

Now I want NW1 to be translated to 10.128.1.0 and NW2 to be translated to 10.128.2.0. My idea is that, when both routers are set up correctly for NATting, I can ping 10.128.1.100 and get a response from the PLC in NW1. That PLC will not know that the ping request was sent by a device in the 10.128.x.x network; it will think it is coming from a 172.16.1.x IP address.

I think that is where the problem occurs. But my knowledge of iptables and so on is too little to fully comprehend the problem I am facing. How does the PLC for example know to which ip the ping(icmp) packet has to be returned to?

I found this link which clarifies the pre and post routing a little bit, but it does not provide me with enough knowledge to find my pain point.

Some side info: At the moment I only have 1 RUT connected to 1 PLC (172.16.0.100) through the LAN interface (172.16.0.254) and I am trying to ping that PLC from my computer (10.128.1.128) through the WAN interface (10.128.1.254). Maybe I have also made a mistake in forwarding the traffic between the LAN and WAN interface. This could be done using iptables as well I think.
So what I am looking for at this moment: Which rules to enter in the iptables and correctly forwarding/routing WAN to LAN and vice versa in order to ping that PLC.

Thanks a lot for taking the time to look into my problem! At least I am learning 🙂

I think the network traffic is not correctly transferred between the LAN and the WAN.
I am now trying to ping 172.16.0.100 from the 10.128.0.0 network by using the following rule. But I cannot get it to work 🙁

iptables -t nat -A PREROUTING -d 10.128.1.100 -i eth1 -j DNAT --to-destination 172.16.0.100

Hello,

Since you are connected directly through WAN, how did you configure your PC? Does it have a default gateway towards RUTX’s WAN IP?

Try inserting the rule instead of appending:

iptables -t nat -I PREROUTING -d 10.128.1.100 -i eth1 -j DNAT --to-destination 172.16.0.100

Check your IPtables rules via the following command and make sure that only necessary rules are in the table:

iptables -nv -L -t nat

Do these work?


iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.2.0/24 -j NETMAP --to 10.128.1.0/24
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.3.0/24 -j NETMAP --to 10.128.1.0/24
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 10.128.1.0/24 -j NETMAP --to 10.128.1.0/24
iptables -t nat -I PREROUTING -s 10.128.2.0/24 -j NETMAP --to 172.16.0.0/24
iptables -t nat -I PREROUTING -s 10.128.3.0/24 -j NETMAP --to 172.16.0.0/24
iptables -t nat -I PREROUTING -s 10.128.1.0/24 -j NETMAP --to 172.16.0.0/24

Install and run TCPDump as I have mentioned previously to see that packets are coming in and if they are translated properly.

Kind Regards,

Hello,

Thank you very much for your assistance!
I have now got a working setup.

I had some problems with the gateways. I entered the appropriate gateway addresses on both sides of the router, i.e. WAN and LAN side.

I set the WAN port to 10.128.254.254/16 and the LAN address to 172.16.0.65/16 (because this was already set as gateway in the LAN device I was using).

Then I configured the firewall to pass all traffic between WAN and LAN, and switch off masquerading.

Then I added the following NAT rules to the firewall:

iptables -t nat -I PREROUTING -d 10.128.0.0/17 -i eth1 -j NETMAP --to 172.16.0.0/17
iptables -t nat -I POSTROUTING -s 172.16.0.0/17 -o eth1 -j NETMAP --to 10.128.0.0/17

I used 10.128.0.0/17 so that the WAN gateway address is out of range of the NAT rule.

Now I can ping 10.128.0.60, and get a response from the LAN device with ip address 172.16.0.60.

Using tcpdump has also helped!
Thanks!
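As an added example (not code from this thread or from Teltonika), the following Python models what the final PREROUTING/POSTROUTING NETMAP pair above does to one ping exchange, and why the /17 choice keeps the WAN gateway out of the translation. The addresses and interface name are the ones from the post above; the rules_for_site helper is a hypothetical generator for the multi-router case.

```python
import ipaddress

# Constructed from the final post: the /17 pair and the RUTX08 WAN address.
WAN_NET = ipaddress.ip_network("10.128.0.0/17")   # -d on PREROUTING, --to on POSTROUTING
LAN_NET = ipaddress.ip_network("172.16.0.0/17")   # --to on PREROUTING, -s on POSTROUTING
WAN_GATEWAY = "10.128.254.254"                    # outside /17, so never translated


def netmap(addr, from_net, to_net):
    """Do what the NETMAP target does: if addr is inside from_net, swap the
    network bits for to_net's and keep the host bits; otherwise pass it through."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("NETMAP needs equal-length prefixes")
    ip = ipaddress.ip_address(addr)
    if ip not in from_net:
        return str(ip)
    host_bits = int(ip) - int(from_net.network_address)
    return str(to_net.network_address + host_bits)


def ping_exchange(pc_ip, target_ip):
    """Walk one ICMP echo request/reply through the two rules and return
    (src, dst) as the PLC sees the request and (src, dst) as the PC sees the reply."""
    # PREROUTING on eth1: -d 10.128.0.0/17 -j NETMAP --to 172.16.0.0/17
    at_plc = (pc_ip, netmap(target_ip, WAN_NET, LAN_NET))
    # The PLC answers the untranslated 10.128.x.x source, so its gateway must
    # point at the RUTX08 LAN address (the gateway problem the poster hit).
    reply_src, reply_dst = at_plc[1], at_plc[0]
    # POSTROUTING out eth1: -s 172.16.0.0/17 -j NETMAP --to 10.128.0.0/17
    at_pc = (netmap(reply_src, LAN_NET, WAN_NET), reply_dst)
    return at_plc, at_pc


def rules_for_site(site, lan="172.16.0.0/24", wan_base="10.128.0.0/16"):
    """Hypothetical helper: emit the rule pair for one site's router so that
    each router maps the shared LAN onto its own 10.128.<site>.0/24."""
    wan = list(ipaddress.ip_network(wan_base).subnets(new_prefix=24))[site]
    return [
        f"iptables -t nat -I PREROUTING -d {wan} -i eth1 -j NETMAP --to {lan}",
        f"iptables -t nat -I POSTROUTING -s {lan} -o eth1 -j NETMAP --to {wan}",
    ]


if __name__ == "__main__":
    print(ping_exchange("10.128.1.128", "10.128.0.60"))
    print(netmap(WAN_GATEWAY, WAN_NET, LAN_NET))   # unchanged: not in 10.128.0.0/17
    print("\n".join(rules_for_site(3)))
```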
