failing to masquerade on VLAN interface

is there limitation to masquerade on VLAN interface?

VLAN 100 is facing towards LAN and VLAN 1000 on WAN.

LAN has ip 10.100.21.220/24 and its trying to

A client machine is trying to reach to internet but failing.

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=vlan1000 src-address-list=InternalSubnet


Full config snipset

/interface bridge
add admin-mac=F4:1E:57:51:6A:51 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp28-1 ] comment=WAN
set [ find default-name=sfp28-2 ] comment=WAN
/interface vlan
add comment=Mgmt interface=bridge name=vlan100 vlan-id=100
add comment=WAN interface=bridge name=vlan1000 vlan-id=1000
/interface list
add name=WAN
/ip pool
add name=dhcp_pool0 ranges=10.100.21.220-10.100.21.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100 lease-time=7h30m name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=qsfp28-1-1
add bridge=bridge comment=defconf interface=qsfp28-1-2
add bridge=bridge comment=defconf interface=qsfp28-1-3
add bridge=bridge comment=defconf interface=qsfp28-1-4
add bridge=bridge comment=defconf interface=qsfp28-2-1
add bridge=bridge comment=defconf interface=qsfp28-2-2
add bridge=bridge comment=defconf interface=qsfp28-2-3 pvid=100
add bridge=bridge comment=defconf interface=qsfp28-2-4 pvid=100
add bridge=bridge comment=defconf interface=sfp28-1 pvid=1000
add bridge=bridge comment=defconf interface=sfp28-2 pvid=1000
add bridge=bridge comment=defconf interface=sfp28-3
add bridge=bridge comment=defconf interface=sfp28-4 pvid=100
add bridge=bridge comment=test interface=sfp28-5 pvid=100
add bridge=bridge comment=test interface=sfp28-6 pvid=100
add bridge=bridge comment=test interface=sfp28-7 pvid=100
add bridge=bridge comment=test interface=sfp28-8 pvid=100
add bridge=bridge comment=defconf disabled=yes interface=ether1
/interface ethernet switch l3hw-settings
set autorestart=yes
/interface bridge vlan
add bridge=bridge untagged=sfp28-1,sfp28-2 vlan-ids=1000
/interface ethernet switch
set 0 l3-hw-offloading=yes qos-hw-offloading=yes
/interface ovpn-server server
add mac-address=FE:7E:F7:37:45:60 name=ovpn-server1
/ip address
add address=192.168.2.102/24 comment=defconf interface=ether1 network=192.168.2.0
add address=90.152.xx.xx/29 interface=vlan1000 network=90.152.xx.xx
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=10.100.21.0/24 dhcp-option-set=test dns-server=10.255.11.1,8.8.4.4,8.8.8.8 gateway=10.100.21.254 ntp-server=10.255.11.1
/ip dhcp-server option sets
add name=test options=*2,AIWS
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=10.100.21.0/24 list=InternalSubnet


/ip firewall filter
add action=accept chain=forward comment="Accept all chains"
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=established,related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" in-interface=vlan1000
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=vlan1000 src-address-list=InternalSubnet
/ip ipsec policy
add dst-address=10.255.11.0/24 peer=fortigate proposal=fortigate-enm src-address=10.100.21.0/24 tunnel=yes
add dst-address=10.255.11.0/24 peer=fortigate proposal=fortigate-enm src-address=10.105.21.0/24 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=90.152.35.137 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=new
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.or
add address=3.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool sniffer
set file-name=test filter-interface=sfp28-4

Thanks.

If your router supports L3HW NAT, you need to turn off lw-hw-offloading on the two WAN ports, while enabling them on the rest of the ports. Before making the change on the ports, l3-hw-offloading on the switch chip must be turned off first. Afterward it has to be re-enabled.

And you also need to correctly configure the fasttrack rule on the forward chain.

Here is the relevant example from the docs https://help.mikrotik.com/docs/spaces/ROS/pages/62390319/L3+Hardware+Offloading#L3HardwareOffloading-Inter-VLANRoutingwithUpstreamPortBehindFirewall/NAT

Hi, I turned off lw-offloading on two WAN ports NAT works now but when I enable fasttrack rule throughput is very low in kilobytes.

add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=“Accept all chains” connection-state=established,related

What am I doing wrong here?

You need to check whether your device has L3HW support for NAT and FastTrack. There’s a couple of tables near the bottom of that page I linked above that categorize the devices. Only those with DX4000 and DX8000 switch chip, and the CCR and RDS devices support that.

If that not supported, then on your fasttrack rule you will need to set hw-offload=no.