Hey folks,

I’m currently working with a CCR1009 and a Cisco switching stack. We have 4 VLANs on the network, and if a device is configured on a VLAN it can ping its gateway, however cannot access the internet if a source NAT rule is configured using a specific public IP. If it is configured as a masquerade, it works using the primary IP for outbound NAT.

What could I be missing?

Thanks, CH

Sent from my iPhone
Is that 'specific public IP' actually configured on the internet interface?

OR

Is there a route installed on the 'internet peer' router for that 'specific public IP' address?

Cheers!
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Christopher Hawker Sent: Thursday, 2 December 2021 2:04 PM To: public@talk.mikrotik.com.au Subject: [MT-AU Public] VLANing on a CCR1009
Sent from my iPhone _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Hi,
> if a source NAT rule is configured using a specific public IP.

Are you sure the specific public IPs are actually configured correctly on the WAN? E.g. can you ping one of the additional IPs from external if you allow ICMP?
Andrew
Is the VLAN in a VRF? Table route rules? Inbound route to second IP? (As in traffic definitely getting to this router?) Also correct table for other rules? (Could there be an input or output rule blocking or not allowing traffic with that IP?)

Often I find doing a no interface capture for the private and public IPs can be helpful, as you will capture 3x each packet as it comes in, goes through internal, and goes out the other side. So if it’s a firewall rule dropping it in a chain in the middle, you would see which packet it disappears from.

Others may have better ideas.

Regards
Alexander

Alexander Neilson
Neilson Productions Limited
021 329 681
alexander@neilson.net.nz
participants (4)
- Alexander Neilson
- Andrew Oakeley
- Christopher Hawker
- Mike Everest