Hello everyone!
Some traffic won’t reach a masquerade rule, which is my problem. To separate 2 routing tables, I’m using a VRF. In essence, I want to route all traffic from a few devices on several subnets through a firewall appliance (which doesn’t appear to handle multiple green interfaces) before it reaches the internet. Due to the firewall appliance’s limitations, I wanted to employ a CHR as a middleman. I have deactivated NAT on the firewall appliance because I want to be able to src-nat based on the source IP. Here is a configuration export from the CHR and a semblance of a diagram:
# feb/17/2023 13:46:27 by RouterOS 7.7
# software id =
#
/interface bridge
add name=bridge_Client_1
add name=bridge_Client_2
add name=bridge_Client_3
add name=bridge_Client_4
add name=bridge_IPFire_LAN
add name=bridge_IPFire_WAN
add name=bridge_WAN
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1_WAN
set [ find default-name=ether2 ] disable-running-check=no name=ether2_ipfire_WAN
set [ find default-name=ether3 ] disable-running-check=no name=ether3_ipfire_LAN
set [ find default-name=ether4 ] disable-running-check=no name=ether4_Client_1
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip vrf
add interfaces="bridge_IPFire_LAN,bridge_Client_1,bridge_Client_2,bridge_Client_3,bridge_Client_4" name=vrf_exc
/interface bridge port
add bridge=bridge_WAN interface=ether1_WAN
add bridge=bridge_IPFire_WAN interface=ether2_ipfire_WAN
add bridge=bridge_IPFire_LAN interface=ether3_ipfire_LAN
add bridge=bridge_Client_1 interface=ether4_Client_1
/interface list member
add interface=ether1_WAN list=WAN
add interface=bridge_WAN list=WAN
/ip address
add address=10.172.172.1/30 interface=bridge_IPFire_WAN network=10.172.172.0
add address=10.172.173.2/30 interface=bridge_IPFire_LAN network=10.172.173.0
add address=10.10.10.1/30 interface=bridge_Client_1 network=10.10.10.0
add address=10.10.10.5/30 interface=bridge_Client_2 network=10.10.10.4
/ip dhcp-client
add add-default-route=no interface=bridge_WAN
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface-list=WAN \
src-address=10.10.10.0/30
add action=masquerade chain=srcnat log=yes out-interface-list=WAN \
src-address=10.10.10.4/30
add action=masquerade chain=srcnat comment="MASQ fro IPFire" \
out-interface-list=WAN src-address=10.172.172.2
add action=dst-nat chain=dstnat comment="IPFire MGMT" dst-port=444 \
in-interface-list=WAN protocol=tcp to-addresses=10.172.172.2
add action=dst-nat chain=dstnat comment="IPFire MGMT" dst-port=22 \
in-interface-list=WAN protocol=tcp to-addresses=10.172.172.2
add action=masquerade chain=srcnat log=yes out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.172.173.1@vrf_exc \
pref-src="" routing-table=vrf_exc scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=10.172.172.2 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.80.1 routing-table=main \
suppress-hw-offload=no
As you can see from these 2 pictures, the traffic seems to be routed correctly. My only issue is that it doesn’t hit any of the masquerade rules.
I’m not sure what I’m doing wrong. If I can help with any more information, please let me know.
Thank you!