Problems with routing over 2 subnets.

I have another problem.
I have two networks (separated from each other, connected via VPN). One is a subnet 192.168.7.0/24 and goes out to the world through router 192.168.7.1 and external IP 7.7.7.7.
The other is an external IP 6.6.6.6 and subnet 192.168.6.0/24.
I have a FreeBSD router connected to this subnet with an external interface address of 192.168.6.100 and defaultGW on 192.168.6.1, and an internal interface address of 192.168.2.1 which NATs my 192.168.2.0/24 subnet.
Computers from the 192.168.2.0 subnet can see computers on the 192.168.7.0 subnet, but not vice versa.
In other words, computers from the 192.168.7.0 subnet cannot see the 192.168.2.0 subnet.
Pings to computer 192.168.6.100 from the 192.168.7.0 subnet work.
Please advise on what I need to do (I suspect NAT), but I have been working on this since yesterday and have run out of ideas.


SUBNET 192.168.7.0/24 --- {internal : 192.168.7.1} [Mikrotik router] {external : 7.7.7.7} --------------- INTERNET -------------- {external : 6.6.6.6} [Mikrotik router] {internal : 192.168.6.1} --- {external : 192.168.6.100}[FreeBSD]{internal : 192.168.2.1} ----- SUBNET 192.168.2.0/24
 
Please advise on what I need to do (I suspect NAT)
Yeah, remove the NAT completely, there's no use for it if you can connect everything with routing properly set up. NAT should be used as a last resort (if you can't fix it with routing alone).

I have a FreeBSD router connected to this subnet with an external interface address of 192.168.6.100 and defaultGW on 192.168.6.1, and an internal interface address of 192.168.2.1 which NATs my 192.168.2.0/24 subnet.
Why did you use NAT here?
 
Both Mikrotiks are provider hardware, and the provider set up a VPN over the internet that connects 192.168.7 and 192.168.6 together. I get 192.168.6.100 from it (it is BINATed 1:1 with the 6.6.6.6 IP). This FreeBSD needs to be here, as it's a GW to the internet for 192.168.2.0/2
 
Both Mikrotiks are provider hardware, and the provider set up a VPN over the internet that connects 192.168.7 and 192.168.6 together.
That's fine. That looks to be in order. I assume all hosts in 192.168.6.0/24 can connect to all hosts in 192.168.7.0/24 and vice versa?

I get from it 192.168.6.100 (is binated 1:1 with the 6.6.6.6 IP).
This I don't understand. Why, how and where is this NAT happening?
 
1. Yes. 6.0 and 7.0 can connect.
2. My provider gives me one IP on the internal interface (IP 192.168.6.100, with all ports redirected from the external IP to it, DMZ), and this is on the external interface of FreeBSD. My whole network, 192.168.2.0/24, is on the internal interface of FreeBSD.
 
My provider gives me one IP on the internal interface (IP 192.168.6.100, with all ports redirected from the external IP to it, DMZ)
You don't need this unless you want to run some services on 192.168.6.100 that need to be accessible from the internet. Depending on the services you typically don't want to use a BINAT here. If you have a web service for example you only redirect the incoming connections to port 80 from the internet.
 
You don't need this unless you want to run some services on 192.168.6.100 that need to be accessible from the internet. Depending on the services you typically don't want to use a BINAT here. If you have a web service for example you only redirect the incoming connections to port 80 from the internet.
Sorry, I explained it wrong. I don't do BINAT at all. It's the provider who does a 1:1 redirection from an external IP to 192.168.6.100. This is done so that I have a pseudo-external IP address. I'm doing a regular NAT for the 192.168.2.0/24 subnet so that computers have internet access.
 
It's the provider who does a 1:1 redirection from an external IP to 192.168.6.100. This is done so that I have a pseudo-external IP address.
Why do you think you need a pseudo-external IP address on that host? Just have them remove it. You really don't need it unless you want to run some very specific services on that 192.168.6.100 host. That BINAT also exposes the whole host directly to the wild internet, usually not what you want to do.

I'm doing a regular NAT for the 192.168.2.0/24 subnet so that computers have internet access.
So this is a second NAT that's done? Where did you configure this? Have the provider add a static route on the Mikrotik (the one with the external 6.6.6.6): it needs a static route for 192.168.2.0/24 with a gateway address of 192.168.6.100. The 6.6.6.6 Mikrotik router needs to know where it can find 192.168.2.0/24. Then also have them configure the NAT on the Mikrotik to NAT both 192.168.6.0/24 and 192.168.2.0/24 to the internet (it's probably configured to only NAT 192.168.6.0/24 to the internet).
 
I can't change anything on the provider's equipment. I can set up routing on the hosts in the 192.168.7.0/24 subnet to route traffic to the 192.168.2.0/24 subnet through 192.168.6.100, but it doesn't change anything. I still have no communication.
On FreeBSD I have in pf.conf:

ext_if="vr1"                    # interface facing 192.168.6.0/24 (address 192.168.6.100)
prv_if="vr0"                    # interface facing 192.168.2.0/24 (address 192.168.2.1)
prv_class="192.168.2.1/24"      # the internal network that gets NATed

# translate everything leaving the external interface from the internal network to 192.168.6.100
nat on $ext_if inet from $prv_class to any -> 192.168.6.100
 
I can set up routing on the hosts in the 192.168.7.0/24 subnet to route traffic to the 192.168.2.0/24 subnet through 192.168.6.100, but it doesn't change anything.
Don't need it. 192.168.7.0/24 has a default gateway that already moves that traffic in the right direction. Routing only cares about the next hop, not the whole chain.

On FreeBSD I have in pf.conf:
This effectively 'hides' the entire 192.168.2.0/24 network from the rest of the network.
 
So we set up routing from 192.168.6.1 to 192.168.2.0 through 192.168.6.100. Is there any other way to do this without interfering with the provider's settings?
 
Is there any other way to do this without interfering with the provider's settings?
Not properly. The 6.6.6.6 router just needs to be configured correctly. Then you can dispense with the NAT on the FreeBSD host that hides the 192.168.2.0/24 network.

You could add a redirect on the FreeBSD to redirect (PF's rdr) traffic to a certain port to a specific host in 192.168.2.0/24, but that's all you could do.
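The rdr fallback described in this thread, written out as a complete pf.conf for the FreeBSD box. This is an added example, not the poster's file: it assumes vr1 faces 192.168.6.0/24, vr0 faces 192.168.2.0/24, and a hypothetical web server 192.168.2.10 that should be reachable on port 80 through the provider's 1:1 mapping of 6.6.6.6 to 192.168.6.100. It also keeps the pings to 192.168.6.100 from 192.168.6.0/24 and 192.168.7.0/24 working while dropping everything else that the provider's BINAT exposes.

```pf
# Added example pf.conf (assumed interfaces and hosts, not the poster's own file).
ext_if="vr1"
prv_if="vr0"
prv_net="192.168.2.0/24"        # the network, not the interface address
ext_addr="192.168.6.100"
web_srv="192.168.2.10"          # hypothetical internal web server
vpn_nets="{ 192.168.6.0/24, 192.168.7.0/24 }"

# Outbound NAT so 192.168.2.0/24 reaches the internet, exactly as in the thread.
# Side effect: every other network only ever sees 192.168.6.100, which is why
# hosts in 192.168.7.0/24 cannot reach 192.168.2.0/24 directly.
nat on $ext_if inet from $prv_net to any -> $ext_addr

# The thread's fallback: forward one port arriving on 192.168.6.100 to one
# internal host. Only this port, not the whole host, becomes reachable.
rdr on $ext_if inet proto tcp from any to $ext_addr port 80 -> $web_srv port 80

# The provider's 1:1 mapping puts 192.168.6.100 directly on the internet,
# so default to dropping everything that arrives on the external interface.
block in on $ext_if all

# Allow only the redirected service. Filter rules see the packet after rdr,
# so the destination to match here is the internal host.
pass in on $ext_if inet proto tcp from any to $web_srv port 80 flags S/SA keep state

# Keep the echo requests from the VPN-connected networks working (the thread
# reports that pings to 192.168.6.100 from 192.168.7.0/24 succeed).
pass in on $ext_if inet proto icmp from $vpn_nets to $ext_addr icmp-type echoreq keep state

# Internal hosts may initiate anything; state handles the replies.
pass in on $prv_if inet from $prv_net to any keep state
pass out on $ext_if inet all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the nat and rdr lines use the translation-rule syntax of the pf version shipped with FreeBSD.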
 