Masquerading to different VLANs

Hello all,

Greetings to all… This is my first post in this community.

I am using RouterBoard 1100 series.

I have 4 private IP networks:

172.16.1.0/24
172.16.2.0/24
172.16.3.0/24
172.16.4.0/24

These networks need to be masqueraded to public IP addresses assigned to a single port of the Mikrotik with different VLAN IDs.

I have two different VLANs (100 and 200) for the masquerading.

IP addresses xx.xx.xx.aa, xx.xx.xx.bb, xx.xx.xx.cc belong to VLAN 100.

IP address yy.yy.yy.aa belongs to VLAN 200.

Please help me so that I can achieve the following:

Networks 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/24 should be masqueraded to VLAN 100 (IP: xx.xx.xx.aa, xx.xx.xx.bb, xx.xx.xx.cc respectively) in order to access the internet.

Network 172.16.4.0/24 should be masqueraded to VLAN 200 (IP: yy.yy.yy.aa) in order to access the internet.

Thanks in advance :slight_smile:

Specify an out interface with the NAT rule. Also make sure you mark for routing in the mangle chain so the router knows what route to use when forwarding the traffic.

Thanks for the reply…

Any example will be highly appreciated… I am very new to Mikrotik.

Here is one method to go about it. Basically you are defining an address list for use in Mangle to determine what link you want connections to go out of. Then in NAT you are specifying what IP address you want connections to be NATed out of. In Mangle you are marking connections inside of the router so it knows what route to use when forwarding the traffic, and you are making sure you have the appropriate routing mark in your tables. This is basically policy based routing, and there are likely a few other ways to go about it too.

```
/ip firewall address-list
# Group the private subnets by the VLAN uplink they should leave through
add address=172.16.1.0/24 disabled=no list=VLAN_100
add address=172.16.2.0/24 disabled=no list=VLAN_100
add address=172.16.3.0/24 disabled=no list=VLAN_100
add address=172.16.4.0/24 disabled=no list=VLAN_200
/ip firewall nat
# Source-NAT each subnet to its own public address on the matching VLAN interface
add action=src-nat chain=srcnat to-addresses=xx.xx.xx.aa out-interface="VLAN 100" src-address=172.16.1.0/24
add action=src-nat chain=srcnat to-addresses=xx.xx.xx.bb out-interface="VLAN 100" src-address=172.16.2.0/24
add action=src-nat chain=srcnat to-addresses=xx.xx.xx.cc out-interface="VLAN 100" src-address=172.16.3.0/24
add action=src-nat chain=srcnat to-addresses=yy.yy.yy.aa out-interface="VLAN 200" src-address=172.16.4.0/24
/ip firewall mangle
# Mark new connections according to the source address list
add action=mark-connection chain=prerouting connection-state=new disabled=no new-connection-mark=VLAN100_connection passthrough=yes src-address-list=VLAN_100
add action=mark-connection chain=prerouting connection-state=new disabled=no new-connection-mark=VLAN200_connection passthrough=yes src-address-list=VLAN_200
# Turn the connection mark into a routing mark for packets from the same list
add action=mark-routing chain=prerouting connection-mark=VLAN100_connection disabled=no new-routing-mark=to_VLAN100 passthrough=no src-address-list=VLAN_100
add action=mark-routing chain=prerouting connection-mark=VLAN200_connection disabled=no new-routing-mark=to_VLAN200 passthrough=no src-address-list=VLAN_200
/ip route
# One default route per routing mark, pointing at that VLAN's gateway
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.xx.1 routing-mark=to_VLAN100
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=yy.yy.yy.1 routing-mark=to_VLAN200
```
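
An offline consistency check for the policy-routing chain described above, added here as an example that is not part of the original thread: it follows each src-nat subnet through address list, connection mark, routing mark and default route, and reports any subnet whose chain is broken (for instance a mangle rule that matches `src-address` where `src-address-list` was meant). The sample export is constructed from the thread's rules with its placeholders kept; the function names and the simplified parsing of one-line `add` rules are assumptions, not RouterOS tooling.

```python
import ipaddress
import shlex

# Constructed sample: two of the thread's subnets, placeholders kept as on the page.
SAMPLE = '''
/ip firewall address-list
add address=172.16.1.0/24 list=VLAN_100
add address=172.16.4.0/24 list=VLAN_200
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=xx.xx.xx.aa out-interface="VLAN 100" src-address=172.16.1.0/24
add chain=srcnat action=src-nat to-addresses=yy.yy.yy.aa out-interface="VLAN 200" src-address=172.16.4.0/24
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=VLAN100_connection src-address-list=VLAN_100
add action=mark-connection chain=prerouting new-connection-mark=VLAN200_connection src-address-list=VLAN_200
add action=mark-routing chain=prerouting connection-mark=VLAN100_connection new-routing-mark=to_VLAN100
add action=mark-routing chain=prerouting connection-mark=VLAN200_connection new-routing-mark=to_VLAN200
/ip route
add dst-address=0.0.0.0/0 gateway=xx.xx.xx.1 routing-mark=to_VLAN100
add dst-address=0.0.0.0/0 gateway=yy.yy.yy.1 routing-mark=to_VLAN200
'''

def parse(export):
    """Group 'add' lines by menu path; each rule becomes a dict of key=value pairs."""
    rules, menu = {}, None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            rules.setdefault(menu, []).append(dict(t.split("=", 1) for t in shlex.split(line)[1:]))
    return rules

def trace(export):
    """Follow each src-nat subnet: address list -> connection mark -> routing mark -> gateway."""
    r = parse(export)
    lists = [(ipaddress.ip_network(a["address"]), a["list"]) for a in r.get("/ip firewall address-list", [])]
    mangle = r.get("/ip firewall mangle", [])
    conn = {m.get("src-address-list"): m["new-connection-mark"] for m in mangle if m["action"] == "mark-connection"}
    rmark = {m.get("connection-mark"): m["new-routing-mark"] for m in mangle if m["action"] == "mark-routing"}
    gw = {x.get("routing-mark"): x["gateway"] for x in r.get("/ip route", [])}
    paths, problems = {}, []
    for n in r.get("/ip firewall nat", []):
        src = ipaddress.ip_network(n["src-address"])
        lst = next((name for net, name in lists if src.subnet_of(net)), None)
        mark = rmark.get(conn.get(lst)) if lst else None
        if mark is None or mark not in gw:
            problems.append(f"{src}: no complete list -> mark -> route chain")
            continue
        paths[str(src)] = (mark, gw[mark], n["to-addresses"], n["out-interface"])
    return paths, problems
```

A subnet that shows up in `problems` would be source-NATed only if the main routing table happens to send it out the matching interface, so it is worth resolving before the rules go live.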