Hi! I’m using a MikroTik router with 2 different ISPs (auto-switching between them using the distance of the default route). It is also used as an OVPN server. You can see the simplified network schematics in the attachment. To give my internal network (192.168.1.0/24) access to the internet, I’m using this rule for masquerading
As seen, it has neither out-interface nor dst-address set up. Everything is working fine, but I want to know whether something could go wrong because of that, and if it could, what exactly? Thanks
I am not 100% sure, but I don’t think that missing the ‘normal’ components such as out-interface= or out-interface-list= is a problem.
Using a destination address is something folks do when configuring DESTINATION NAT, not source NAT, generally speaking.
The standard default format, for both static or dynamic, is created for this very purpose and also covers most WAN setups.
add chain=srcnat action=masquerade out-interface-list=WAN
For static/fixed WAN IPs, the format is typically
add chain=srcnat action=src-nat out-interface=ethX to-addresses=WAN_IP
Normally one doesn’t have to identify any of the LAN subnets!!
For example, on my router I have, let’s say, 15 subnets and two WANs.
I have two source NAT rules:
add chain=srcnat action=masquerade out-interface=vlanISP (fiber via VLAN)
add chain=srcnat action=masquerade out-interface-list=ether2-ISP (straight cable)
I could have used the default rule but I thought it best to separate them for clarity to myself and the reader.
As per properties of masquerade, it’ll behave as follows:
Will NAT all traffic from LAN towards both ISPs.
Will not NAT traffic from OVPN clients and the OVPN network in any direction - neither LAN nor ISPs nor OVPN client/network.
Depending on your requirements this may or may not be what you want.
Perhaps you could create WAN interface list (if you removed it), add both interfaces facing ISPs to it … and go with the default masquerade rule which includes out-interface-list=WAN.
Unrelated: personally I’d try not to have LAN and ovpn network overlap (LAN is subset of ovpn network). Unless, again, your very special use case allows/requires it.
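A worked RouterOS configuration for the interface-list approach described in this reply, added here as an example rather than taken from the thread. The uplink names ether1-isp1 and ether2-isp2 are assumptions, and the commented-out rule is a reconstruction of the question’s rule (its actual text is not in the thread) assuming src-address=192.168.1.0/24 was its only match.

```routeros
# Added example (not from the thread). Interface names ether1-isp1 and
# ether2-isp2 are assumed; replace them with the real ISP-facing interfaces.

# 1. Interface list containing every ISP-facing interface. Because both uplinks
#    are members, masquerade follows whichever default route wins on distance.
/interface list
add name=WAN comment="ISP uplinks"
/interface list member
add list=WAN interface=ether1-isp1
add list=WAN interface=ether2-isp2

# 2. Broad rule as reconstructed from the question (assumed form, kept for
#    comparison only). With no out-interface and no dst-address it rewrites the
#    source of any 192.168.1.0/24 packet leaving via ANY interface, including
#    the OVPN tunnel, which is why LAN -> VPN traffic showed up NATed.
# /ip firewall nat
# add chain=srcnat action=masquerade src-address=192.168.1.0/24

# 3. Scoped replacement: only packets leaving through a WAN member are
#    translated, so LAN <-> OVPN traffic keeps its real source addresses.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="masquerade LAN towards either ISP"

# 4. Check: counters on the WAN rule should grow while browsing, while a ping
#    from the LAN to an OVPN client should arrive with its 192.168.1.x source.
/ip firewall nat print stats
```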
Overlap is needed because some clients are Android and Apple devices; they should get access to the networks of other clients (other MikroTik routers), but MikroTik’s OVPN implementation doesn’t include pushing routes to clients. Setting routes manually on mobile devices is also problematic; you need root access or a jailbreak.
But it also NATs traffic from LAN towards the VPN network. I checked that, trying to get access to the network BEFORE one of the clients (it is a MikroTik router behind a Huawei GPON modem; I needed access to that modem). I succeeded, but yes, LAN to VPN is also NATed with this setup. But I don’t think this is a problem.
You can’t push additional routes, you can however control the netmask of the initial route created upon connection to cover multiple suitably aligned subnets.
Setting routes manually on mobile devices is also problematic; you need root access or a jailbreak.
It doesn’t, just specify them in the client .ovpn configuration file.