I have been using RouterOS for years now but never needed to do masquerading before, and now when I’m trying to get it to work I fail miserably. I’m very grateful for any help in solving what is probably a real newbie problem.
vlan100 is the bridge to my ISP so my primary static route looks like this:
0.0.0.0/0 172.30.0.1
vlan79 is my c-net of public IP-addresses.
vlan101 is the new network I’m trying to set up. It’s a class b network of private IP addresses which I intend to use for internal communication primarily. I do, however, have the need to provide internet access for hosts on this network so I turned to RouterOS’ masquerading features for this.
I set up a rule under NAT for this which, at the moment, looks like this:
;;; Do masquerading for VLAN101
chain=srcnat action=masquerade src-address=10.1.0.0/16
I have tried to add both vlan79 and vlan100 as the out interface but nothing works.
I have the RouterOS DHCP service running on vlan101 and it hands out IP addresses just fine. I cannot, however, ping the RouterOS vlan101 interface from the clients, which I am able to do with the vlan79 interface from clients on vlan79.
It will translate LAN addresses to the IP assigned to vlan100 (172.130.0.2).
If that doesn’t work, you should post “/ip firewall nat” and “/ip firewall filter”. It would not hurt to post “/ip address” also.
And explain vlan79 too. How does that interface fit into this? Are those public IPs forwarded from your ISP through vlan100?
Why are you using vlan instead of the ether interfaces?
vlan79 is, as you guessed, public IPs routed by my ISP through vlan100.
The reason I’m using VLANs instead of assigning the IPs directly to interfaces is that I have way more networks than interfaces. Vlan79 is just one of 10 different public c-nets but I wanted to keep my question as neat and simple as possible so I left them out since they don’t really matter to this.
I realized that I had forgotten to add a static route for VLAN101 so I added that and now I can ping the VLAN101 interface on the RouterOS machine from VLAN101 clients on the network. Still no luck with masquerading though. I will have to get back to you on the configs as they are quite complex and I need to edit them first. Tried to add out-interface=vlan100 though and that didn’t help.