You have a tough set of criteria: making things both seamless AND zero-touch on the customer's site. If you have your own VPN appliance at the customer's site, then this is pretty simple:

Do 1:1 netmap at the customer edge - use 10.x.x.x addressing on your side of the NAT, so each customer has a unique IP from your perspective.

E.g. customer 1 is 10.0.1.0/24, customer 2 is 10.0.2.0/24 - if they need multiple ranges, then simply assign them to customers as needed. Try to keep them as contiguous as possible - so if a customer has 4 different subnets on their side, assign 10.0.4.0/22 to that customer so that you only need one route statement on your side.

At the CPE, do 1:1 mapping with the netmap action in the nat table. Packets going out into the customer's LAN should just get masqueraded to whatever IP the VPN appliance has, so the customer's network doesn't need to worry about your management network's IP addressing. Their network will route back to your device because it has an IP that's already a part of their network.

So the nat table of the CPE appliance might look like this:

    srcnat / out-interface=customer-interface action=masquerade
    dstnat / in-interface=mgmt-vpn dst-address=10.0.2.0/24 action=netmap to-addresses=192.168.1.0/24
    dstnat / in-interface=mgmt-vpn dst-address=10.0.3.0/24 action=netmap to-addresses=192.168.32.0/24

That's all that needs to be done in the office router. In the customer router, that is where you put the netmap rules:

    chain=srcnat out-interface=gre1-b action=netmap src-address=192.168.0.0/24 to-addresses=10.0.2.0/24
    chain=dstnat in-interface=gre1-b action=netmap dst-address=10.0.2.0/24 to-addresses=192.168.0.0/24

Done. So long as your management source is never 192.168.0.0/24, you'll never have any issues. On your side of the link, just refer to each customer's device by its 10.0.x.x IP. Since the office is, and you never use at the customers' sites, all routing will work as needed.
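A small address-plan helper for the scheme described above, added here as an illustration and not part of the original post. The customer names, the management source 10.255.0.0/24 and the function names are assumptions; the tunnel name and subnets follow the customer-router rules shown above.

```python
import ipaddress as ip

def netmap(addr, from_net, to_net):
    """1:1 translate addr from from_net into to_net, keeping the host bits."""
    a, src, dst = ip.ip_address(addr), ip.ip_network(from_net), ip.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("netmap ranges must be the same size")
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    host_bits = int(a) - int(src.network_address)
    return str(dst.network_address + host_bits)

def check_plan(plan, mgmt_source):
    """Return a list of problems in a {customer: (mgmt_net, lan_net)} plan."""
    problems = []
    mgmt = ip.ip_network(mgmt_source)
    items = [(c, ip.ip_network(m), ip.ip_network(l)) for c, (m, l) in plan.items()]
    for i, (c, m, l) in enumerate(items):
        if m.prefixlen != l.prefixlen:
            problems.append(f"{c}: {m} and {l} differ in size")
        if mgmt.overlaps(l):
            problems.append(f"{c}: management source {mgmt} overlaps LAN {l}")
        for c2, m2, _ in items[i + 1:]:
            if m.overlaps(m2):
                problems.append(f"{c} and {c2}: management ranges {m} and {m2} overlap")
    return problems

def cpe_rules(mgmt_net, lan_net, tunnel="gre1-b"):
    """The two netmap rules (one per direction) for one customer router."""
    return [
        f"chain=srcnat out-interface={tunnel} action=netmap src-address={lan_net} to-addresses={mgmt_net}",
        f"chain=dstnat in-interface={tunnel} action=netmap dst-address={mgmt_net} to-addresses={lan_net}",
    ]

# Constructed sample plan: both customers use the same LAN range on their side.
PLAN = {
    "customer-b": ("10.0.2.0/24", "192.168.0.0/24"),
    "customer-c": ("10.0.3.0/24", "192.168.0.0/24"),
}

if __name__ == "__main__":
    print(check_plan(PLAN, "10.255.0.0/24") or "plan OK")  # assumed management source
    print(netmap("10.0.2.17", "10.0.2.0/24", "192.168.0.0/24"))
    for rule in cpe_rules(*PLAN["customer-b"]):
        print(rule)
```

Running the plan check before pushing rules catches the two mistakes that break this design: a management-side range handed to two customers, and a management source that falls inside a customer's LAN range.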
If a customer DOES have a network and you can't convince them to re-number, then you'll need to put a masquerade rule on the office router in their GRE interface:

    chain=srcnat out-interface=gre3-C action=masquerade

FYI, netmap is a stateless 1:1 translation technique. A packet will just get the src or dst address changed as it passes through the router. There will be no state map added for this, so you have to have two rules when using netmap - one for each direction through the router. Its primary use is for address migration, but it also lets you do something like this, where an entire range of addresses is mapped to another range due to addressing conflicts.

In this part of MikroTik training, we will focus on one of the most essential MikroTik configs. Despite the variety of dynamic routing protocols, it is still faster, easier and more efficient to use static routes in small networks.

Static Route:

As the name implies, the main task is routing, and the rest of the features are actually extras provided by the manufacturer. Since MikroTik is a versatile router, the routing part is also very complete. In this part of the MikroTik training, we will focus solely on configuring the MikroTik router. The routing is divided into static and dynamic parts.