Mode-Config Placement in NAT Rules

I have IKEv2 NordVPN configured with mode-config which dynamically generates a NAT rule:
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=LAN use-responder-dns=no

My problem is that I have other NAT rules in place and this newly created dynamic rule gets created as the first rule, and because of this some other NATs don’t work.
For everything to work as expected, the mode-config dynamic rule has to be the 3rd rule:
[admin@MIKROTIK] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; No NAT for Site-to-Site IPSec
      chain=srcnat action=accept src-address=10.1.1.0/24 dst-address=192.168.77.0/24 log=no log-prefix="" 

 1    ;;; NAT for ISP Network
      chain=srcnat action=src-nat to-addresses=192.168.1.100 src-address=10.1.1.0/24 dst-address=192.168.1.0/24 log=no log-prefix="" 

 2  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.6.0.15 src-address-list=LAN dst-address-list=!LAN 

 3    ;;; Default Inside NAT
      chain=srcnat action=src-nat to-addresses=192.168.1.100 out-interface=ether1 log=no log-prefix=""

Is there a way to automate this without me manually moving it every time NordVPN reconnects?

Mmm… let me see

probably a script that automates the “moving up” (alias: move it after the disabled passthrough rule, which exists only to mark the point where to put the rule)

is feasible.

search tag # rextended automove NAT rule placeholder

Paste this on terminal

/ip firewall nat
add action=passthrough chain=srcnat comment="placeholder for ipsec mode-config" disabled=yes
/system scheduler
add interval=10m name="automove_ipsec_mode-config" policy=read,write start-date=jul/02/2021 start-time=00:00:00 \
    on-event="/ip firewall nat\r\nmove [find where comment=\"ipsec mode-config\"] [find where comment=\"placeholder for ipsec mode-config\"]"

Place the “placeholder” with Winbox in the right position; the ipsec dynamic entry is moved before that position.

It is scheduled every 10 minutes, but you can set it to any interval you want.

What is executed inside the scheduler:

/ip firewall nat
move [find where comment="ipsec mode-config"] [find where comment="placeholder for ipsec mode-config"]
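The ordering matters beyond convenience: in the NAT table above, the site-to-site "accept" rule has to be evaluated before the mode-config src-nat, otherwise traffic for 192.168.77.0/24 is rewritten to the tunnel address and no longer matches the site-to-site IPsec policy. The one-liner in the scheduler does the move, but it fails silently when the VPN is down (no dynamic rule) or when the placeholder has been deleted. The following is an added, guarded variant written for this page; it is not rextended's script or anything from MikroTik. It keeps the two comments used in the thread and assumes the `dynamic=yes` filter on `find` and the `:log` messages, which are my own additions:

```routeros
# Added example: guarded version of the automove scheduler body.
# Assumes the same rule comments as in the thread; log text is constructed here.
/ip firewall nat
:local dyn [find where comment="ipsec mode-config" and dynamic=yes]
:local ph  [find where comment="placeholder for ipsec mode-config"]

:if ([:len $dyn] = 0) do={
    # Nothing to move: the IKEv2 client is not connected, so no dynamic rule exists.
    :log info "automove: no dynamic ipsec mode-config rule present (VPN down?)"
} else={
    :if ([:len $ph] != 1) do={
        # Refuse to move against an ambiguous or missing anchor rule.
        :log warning "automove: expected exactly one placeholder rule, found $[:len $ph]"
    } else={
        # move <source> <destination> places the dynamic rule directly before the placeholder.
        move $dyn $ph
        :log info "automove: ipsec mode-config rule moved before placeholder"
    }
}
```

Paste this as the `on-event` body of the scheduler (or into a `/system script` and call it from the scheduler). Because `move` is idempotent, running it every interval is harmless; the only change from the original is that a missing rule or placeholder now leaves a log entry instead of an unexplained error in the scheduler run.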

It’s working as expected, thank you.