mikrotik NAT

johnfx · April 27, 2015, 3:57am

Hello!

I need help to config NAT on ccr-1009.
I have 10.200.x.x/18 for clients,
172.18.0.100 as managment,
141.x.x.x as gateway
188.x.x.x as external ip-addresses for clients,

see config,
something is wrong…

#
/interface bonding
add link-monitoring=none mode=802.3ad name=bo-ex slaves=ether1,ether2,ether3,ether4
add link-monitoring=none mode=802.3ad name=bo-loc slaves=ether5,ether6,ether7,ether8
/interface vlan
add interface=bo-loc name=vlan-800-bo-loc vlan-id=800
add interface=bo-loc name=vlan-3800-bo-loc vlan-id=3800
add interface=bo-ex name=vlan-3900-bo-ex vlan-id=3900
/ip address
add address=10.220.0.0/18 interface=bo-loc network=10.220.0.0
add address=188.x.x.x/24 interface=bo-ex network=188.x.x.0
add address=172.18.0.100/24 interface=vlan-800-bo-loc network=172.18.0.0
add address=141.x.x.122/30 interface=vlan-3800-bo-loc network=141.x.x.120
add address=141.x.x.126/30 interface=vlan-3900-bo-ex network=141.x.x.124
/ip firewall address-list
add address=10.220.0.0/18 list=p-108
add address=188.x.x.0/24 list=p-108
/ip firewall filter
add chain=input connection-state=established,related
add chain=input src-address-list=p-108
add chain=input src-address=172.18.0.0/16
add chain=input src-address=192.168.0.0/16
add action=drop chain=input
add chain=forward connection-state=established,related
add chain=forward src-address-list=p-108
add chain=forward src-address=172.18.0.0/16
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=prerouting log=yes new-connection-mark=c-108 src-address-list=p-108
add action=mark-packet chain=prerouting connection-mark=c-108 new-packet-mark=p-108
add action=mark-routing chain=prerouting new-routing-mark=r-108 src-address-list=p-108
add action=mark-routing chain=prerouting dst-address-list=p-108 new-routing-mark=r-108
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=r-107 src-address-list=p-107
add action=mark-routing chain=prerouting disabled=yes dst-address-list=p-107 new-routing-mark=r-107
/ip firewall nat
add action=src-nat chain=srcnat comment=108 out-interface=vlan-3900-bo-ex src-address-list=p-108 to-addresses=188.x.x.0/24
add action=masquerade chain=srcnat out-interface=vlan-3900-bo-ex
/ip firewall service-port
set ftp disabled=yes
/ip route
add distance=1 gateway=141.x.x.125 routing-mark=r-108
add disabled=yes distance=1 gateway=141.x.x.125 routing-mark=r-108
add distance=5 gateway=172.18.0.1

Chupaka · April 27, 2015, 1:20pm

also, it’s better to NAT all traffic on uplink interface, so remove ‘src-address-list=’ from your nat rule