hydroksyde
just joined
Topic Author
Posts: 19
Joined: Fri May 31, 2013 11:54 pm

No NAT with routing marks

Mon Aug 12, 2013 5:06 am

Hi Guys,

Completely lost as to what I'm doing wrong here. I have 2 PPPoE connections, prima and seconda. What I want to do is:

-Connections initiated from internal network route through prima
-Connections initiated from prima route through prima
-Connections initiated from seconda route through seconda

But when I set up routing with routing marks, NAT doesn't work anymore for some reason. Any pointers as to what I'm doing wrong?

Relevant config:
/interface bridge
add l2mtu=1586 name="Guest LAN Bridge"
add l2mtu=1590 name="Hotspot DMZ Bridge"
add l2mtu=1586 name="Office LAN Bridge"
/interface ethernet
set 0 disabled=yes name="Port 1 WAN"
set 1 name="Port 2 Radius Server Port"
set 2 name="Port 3 To AT Switch"
set 3 name="Port 4 PPPoE WAN"
set 4 name="Port 5 PPPoE WAN 2"
/interface pppoe-client
add disabled=no interface="Port 4 PPPoE WAN" name="PPPoE WAN prima" password=\
    xxxxxxxx user=xxxx1@isp.net
add disabled=no interface="Port 5 PPPoE WAN 2" name="PPPoE WAN seconda" \
    password=xxxxxxxx user=xxxx1@isp.net
/interface vlan
add interface="Port 3 To AT Switch" l2mtu=1586 name="Guest LAN" vlan-id=3
add interface="Port 3 To AT Switch" l2mtu=1586 name="Office LAN" vlan-id=1
/ip address
add address=192.168.253.254/24 interface="Hotspot DMZ Bridge" network=\
    192.168.253.0
add address=192.168.254.254/24 interface="Office LAN Bridge" network=\
    192.168.254.0
add address=192.168.251.1/24 interface="Guest LAN Bridge" network=\
    192.168.251.0
/ip firewall filter
add action=drop chain=input comment="Traffic to router" connection-state=\
    invalid
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input comment="Administration from local LAN" in-interface=\
    "Office LAN Bridge" src-address=192.168.254.0/24
add action=drop chain=input comment="And drop everything else"
add action=drop chain=forward comment="Routed Traffic" connection-state=\
    invalid
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward comment="Accept traffic from internal networks" \
    in-interface="Office LAN Bridge"
add chain=forward in-interface="Guest LAN Bridge" out-interface=\
    "PPPoE WAN prima"
add chain=forward in-interface="Hotspot DMZ Bridge" out-interface=\
    "PPPoE WAN prima"
add action=drop chain=forward comment="And throw out everything else"
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Routing mark for connections originating from internet connection prima" \
    connection-state=new in-interface="PPPoE WAN prima" new-connection-mark=\
    prima
add action=mark-connection chain=prerouting comment=\
    "Packet marks for connections originating locally" connection-state=new \
    in-interface="Guest LAN Bridge" new-connection-mark=prima
add action=mark-connection chain=prerouting connection-state=new \
    in-interface="Hotspot DMZ Bridge" new-connection-mark=prima
add action=mark-connection chain=prerouting connection-state=new \
    in-interface="Office LAN Bridge" new-connection-mark=prima
add action=mark-routing chain=prerouting connection-mark=prima \
    new-routing-mark=prima-route passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Catch all for packets with no connection mark - default to prima" \
    connection-mark=no-mark new-routing-mark=prima-route passthrough=no
add action=mark-connection chain=prerouting comment="Packet marks for connecti\
    ons originating from internet connection seconda" connection-state=new \
    in-interface="PPPoE WAN seconda" new-connection-mark=seconda
add action=mark-routing chain=prerouting connection-mark=seconda \
    new-routing-mark=seconda-route passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT traffic on WAN interface" \
    out-interface="PPPoE WAN prima"
add action=masquerade chain=srcnat comment="NAT traffic on WAN interface" \
    out-interface="PPPoE WAN seconda"
/ip route
add distance=1 gateway="PPPoE WAN prima" routing-mark=prima-route scope=\
    255
add distance=1 gateway="PPPoE WAN seconda" routing-mark=seconda-route scope=\
    255
add distance=1 gateway="PPPoE WAN prima" scope=255
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: No NAT with routing marks

Mon Aug 12, 2013 10:36 am

What do you exactly mean by "NAT does not work"?
Is the RouterBoard used for DNS? If so you should also allow port 53 from the Guest and Hotspot network on your input chain.
 
hydroksyde
just joined
Topic Author
Posts: 19
Joined: Fri May 31, 2013 11:54 pm

Re: No NAT with routing marks

Tue Aug 13, 2013 11:42 pm

I don't use hotspot for the guest network, it's just a Wi-Fi network firewalled off from everything but the internet. And the RouterBoard does not do DNS. And "Hotspot DMZ" is actually just a DMZ for our public-facing RADIUS server (yeah, wasn't my idea...)

What I mean by "NAT doesn't work" is that packets go out to the internet with their RFC 1918 addresses as their source (instead of their routable public IP), so nothing works.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: No NAT with routing marks

Wed Aug 14, 2013 4:31 pm

If you set out-interfaces for NAT rules, that should be enough to NAT everything; however, you have to ensure that incoming connections on WAN interfaces go out the same interface they came in on, so you have to mark these connections and packets with a specific mark to force them out the same way they came in.
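As an added illustration of the pattern described above (example config written for this thread, not MikroTik's or the poster's own): new connections that arrive on a WAN interface get a connection mark, and only the reply packets of those connections (forwarded ones in prerouting, router-originated ones in output) get the matching routing mark, while everything else, including traffic started from the LAN, follows the main table. Interface and mark names are taken from the first post; the `dst-address-type=!local` match is an assumption borrowed from MikroTik's PCC example so that packets addressed to the router itself are never pushed into a table that holds only a default route.

```routeros
# Added example, not from this thread. Names follow the first post;
# dst-address-type=!local is an assumed safeguard, not something the poster used.
/ip firewall mangle
# Tag each new connection with the WAN interface it arrived on. This covers
# connections terminated on the router and connections dst-natted to the LAN.
add chain=prerouting in-interface="PPPoE WAN prima" connection-state=new \
    action=mark-connection new-connection-mark=prima passthrough=yes
add chain=prerouting in-interface="PPPoE WAN seconda" connection-state=new \
    action=mark-connection new-connection-mark=seconda passthrough=yes
# Forwarded replies: packets of a WAN-originated connection that did not
# arrive on that WAN (i.e. they come back from the LAN) are steered to the
# table of the WAN the connection came in on. Locally addressed packets are
# left unmarked so they still reach the router's own delivery path.
add chain=prerouting connection-mark=prima in-interface=!"PPPoE WAN prima" \
    dst-address-type=!local action=mark-routing new-routing-mark=prima-route
add chain=prerouting connection-mark=seconda in-interface=!"PPPoE WAN seconda" \
    dst-address-type=!local action=mark-routing new-routing-mark=seconda-route
# Router-originated replies (e.g. to management sessions on a WAN address)
# never pass prerouting, so they are marked in the output chain instead.
add chain=output connection-mark=prima action=mark-routing \
    new-routing-mark=prima-route
add chain=output connection-mark=seconda action=mark-routing \
    new-routing-mark=seconda-route
/ip route
# One default route per marked table, plus the main-table default that
# LAN-originated traffic uses (requirement 1 of the first post).
add dst-address=0.0.0.0/0 gateway="PPPoE WAN prima" routing-mark=prima-route
add dst-address=0.0.0.0/0 gateway="PPPoE WAN seconda" routing-mark=seconda-route
add dst-address=0.0.0.0/0 gateway="PPPoE WAN prima"
/ip firewall nat
# Masquerade keyed on the out-interface the route lookup finally chose.
add chain=srcnat out-interface="PPPoE WAN prima" action=masquerade
add chain=srcnat out-interface="PPPoE WAN seconda" action=masquerade
# Check that marks are actually being applied while a session is open:
#   /ip firewall connection print where connection-mark=seconda
#   /ip route print where routing-mark=seconda-route
```

The two `print where` commands at the end are the quickest way to tell a marking problem (no marked connections) from a routing problem (marked connections, but the marked table has no active route).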
 
hydroksyde
just joined
Topic Author
Posts: 19
Joined: Fri May 31, 2013 11:54 pm

Re: No NAT with routing marks

Sun Aug 18, 2013 11:34 pm

Apparently not. I made this config with only one interface, in an x86 VM. NAT doesn't work... if I take the routing mark off, it goes.
# aug/14/2013 09:47:57 by RouterOS 6.2
# software id = A1GI-IAU3
#
/interface ethernet
set 0 name=ether1_LAN speed=1Gbps
set 1 name=ether2_WAN speed=1Gbps
set 2 speed=1Gbps
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1_LAN name=dhcp1
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin password="" \
    paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
    permissions=owner signup-allowed=no time-zone=-00:00
/ip address
add address=192.168.1.254/24 interface=ether1_LAN network=192.168.1.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=\
    ether2_WAN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=test
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2_WAN to-addresses=\
    10.1.2.1
/ip route
add distance=1 gateway=192.168.90.254 routing-mark=test
/system identity
set name=CPE
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set ether1_LAN disabled=yes display-time=5s
set ether2_WAN disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: No NAT with routing marks

Mon Aug 19, 2013 2:48 pm

When the configuration is not working, can you give us the output of '/ip route print' and '/ip address print'?
 
hydroksyde
just joined
Topic Author
Posts: 19
Joined: Fri May 31, 2013 11:54 pm

Re: No NAT with routing marks

Tue Aug 20, 2013 10:26 am

[admin@CPE] > ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.90.254            1
 1 ADC  192.168.1.0/24     192.168.1.254   ether1_LAN                0
 2 ADC  192.168.90.0/24    192.168.90.114  ether2_WAN                0
[admin@CPE] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   192.168.1.254/24   192.168.1.0     ether1_LAN                               
 1 D 192.168.90.114/24  192.168.90.0    ether2_WAN                               
