Hi,
I am trying to configure srcnat for a wireless AP which is connected to ether2. Clients are on 192.168.100.0/24 whilst the LAN is behind ether1 on 192.168.192.0/24. Srcnat is needed on guest traffic so that it is NATed to a different outside IP than LAN traffic. LAN traffic is masqueraded on the public IP of sfp1.
The current config for NAT is as follows:
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for 192.168.192.172/23" out-interface=sfp1-uplink src-address=\
    192.168.192.0/23
add action=src-nat chain=srcnat comment="Guest Network NAT" log=yes out-interface=sfp1-uplink src-address=192.168.100.0/24 \
    to-addresses=xxx.xx.xx.132
I can see some traffic on the guest network but clients are unable to connect to any Internet resources. If I change the srcnat to masquerade this works, but the requirement is for the guest traffic to have a different outside address.