Dear All,
Before i add other accounts every thing is ok....
when i add new route msn disccount after 5 min
Interface:
Flags: D - dynamic, X - disabled, R - running, S - slave
NAME TYPE MTU
0 R Real ether 1500
1 R Real2 ether 1500
2 R Realg1 ether 1500
3 R Realg2 ether 1500
4 R Fake ether 1500
5 R Dilink ether 1500
6 R Volcano ether 1500
7 R Facebook ether 1500
8 R Real8 ether 1500
9 DR pppoe-in 1480
10 DR pppoe-in 1480
11 DR pppoe-in 1480
12 DR pppoe-in 1480
13 DR pppoe-in 1480
14 DR pppoe-in 1480
15 DR pppoe-in 1480
16 DR pppoe-in 1480
17 DR pppoe-in 1480
18 DR pppoe-in 1480
19 DR pppoe-in 1480
20 DR pppoe-in 1466
-- [Q quit|D dump|down]
Many thx,
How do you have the srcnat/masquerade set for that interface? Masquerade works good if one ip on an interface, but with two, you should use action=src-nat.
If you routed this network, check that 10.10.10.x is routed back to this router from 192.168.30.1 router. Is that what you are doing?
[admin@DS new] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=10.10.10.0/27
1 chain=srcnat action=masquerade src-address=10.10.10.32/27
2 chain=srcnat action=masquerade src-address=10.10.10.96/27
3 chain=srcnat action=masquerade src-address=10.10.10.64/27
4 chain=srcnat action=masquerade src-address=10.10.10.128/27
5 chain=srcnat action=masquerade src-address=10.10.10.160/27
6 chain=srcnat action=masquerade src-address=10.10.10.192/27
7 chain=srcnat action=masquerade src-address=10.10.10.224/27
plz send me steps for srcnat/masquerade
You really should use the routing-marks to do the src-nat. I’ll give you an example, but I can’t see the ips assigned to your Real8 interface, so if the ip is not 192.168.1.150, replace with the correct ip. Must be the same subnet as the GroupA gateway. The rest GroupX’s should be about the same.
/ip firewall nat
add chain=srcnat action=src-nat routing-mark=GroupA to-addresses=192.168.1.150
Then remove all the masquerades.
You will probably want to add a default srcnat for the default route also.
[admin@DS new] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=10.10.10.0/27
1 chain=srcnat action=masquerade src-address=10.10.10.32/27
2 chain=srcnat action=masquerade src-address=10.10.10.96/27
3 chain=srcnat action=src-nat to-addresses=192.168.23.150
routing-mark=Group D
4 chain=srcnat action=src-nat to-addresses=192.168.34.150
routing-mark=Group D
5 chain=srcnat action=masquerade src-address=10.10.10.128/27
6 chain=srcnat action=masquerade src-address=10.10.10.160/27
7 chain=srcnat action=masquerade src-address=10.10.10.192/27
8 chain=srcnat action=masquerade src-address=10.10.10.224/27
[admin@DS new] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 reachable 192.168.0.1 1 Realg1
1 A S 0.0.0.0/0 reachable 192.168.25.1 1 Volcano
2 A S 0.0.0.0/0 reachable 192.168.1.1 1 Real
3 A S 0.0.0.0/0 reachable 192.168.34.1 1 Realg2
reachable 192.168.23.1 Realg2
4 A S 0.0.0.0/0 reachable 192.168.26.1 1 Dilink
5 A S 0.0.0.0/0 reachable 192.168.27.1 1 Facebook
6 A S 0.0.0.0/0 reachable 192.168.11.1 1 Real2
7 A S 0.0.0.0/0 reachable 192.168.36.1 1 Real8
8 ADC 10.10.10.0/24 10.10.10.1 0 Real
It should look like this:
0 chain=srcnat action=src-nat to-addresses=192.168.1.150
routing-mark=GroupA
1 chain=srcnat action=src-nat to-addresses=192.168.11.150
routing-mark=GroupB
2 chain=srcnat action=src-nat to-addresses=192.168.0.150
routing-mark=GroupC
3 chain=srcnat action=src-nat to-addresses=192.168.34.150
routing-mark=GroupD
4 chain=srcnat action=src-nat to-addresses=192.168.25.150
routing-mark=GroupE
5 chain=srcnat action=src-nat to-addresses=192.168.26.150
routing-mark=GroupF
6 chain=srcnat action=src-nat to-addresses=192.168.27.150
routing-mark=GroupG
7 chain=srcnat action=src-nat to-addresses=192.168.36.150
routing-mark=GroupH
8 chain=srcnat action=src-nat to-addresses=192.168.1.150
I took the spaces out of the routing-mark names. Just my preference. I also added a default. Add a default route (no routing-mark) to match
/ip route
add gateway=192.168.1.1
No masquerades at all.
ADD: I don’t see a routing-mark that uses 192.168.23.1 as a gateway. ??
I will be more specific about why no packets. That routing-mark (GroupD) srcnat is never evaulated. The order in this list is important. The NAT routine finds the 10.10.10.32/27 masquerade rule first, and that is it. It never goes any farther down the list to get to the src-nat rules.
plz look at the circle this is my idea to add tow ip to one interface
Exactly like the others. Set a routing-mark (like GroupJ). You need to decide what ips go through it, just like the others. Then:
/ip route
add gateway=192.168.23.1 routing-mark=GroupJ
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=192.168.23.150 routing-mark=GroupJ
Move the srcnat above the default srcnat (without a routing mark), like with:
move 9 8
Ip Route
3 A S 0.0.0.0/0 reachable 192.168.34.1 1 Realg2
reachable 192.168.23.1 Realg2
Ip firewall nat
2 chain=srcnat action=src-nat to-addresses=192.168.34.150 routing-mark=Group D
where 23.1 ??
It looks like the route is there already. Does it have a routing mark?
/ip route print detail
If it does not have a routing-mark, add the gateway entry above with the routing-mark.
The srcnat you must move. It will be added at the bottom of the list.
ADD: It appears you entered that default route as a load balancing gateway, like maybe
/ip route
add gateway=192.168.34.1,192.168.23.1
If so, add each gateway separately with its own routing-mark, then remove the old one.
DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 reachable 192.168.0.1 1 Realg1
1 A S 0.0.0.0/0 reachable 192.168.25.1 1 Volcano
2 A S 0.0.0.0/0 reachable 192.168.1.1 1 Real
3 A S 0.0.0.0/0 reachable 192.168.34.1 1 Realg2
reachable 192.168.23.1 Realg2
4 A S 0.0.0.0/0 reachable 192.168.26.1 1 Dilink
5 A S 0.0.0.0/0 reachable 192.168.27.1 1 Facebook
6 A S 0.0.0.0/0 reachable 192.168.11.1 1 Real2
7 A S 0.0.0.0/0 reachable 192.168.36.1 1 Real8
8 ADC 10.10.10.0/24 10.10.10.1 0 Real
there is internet but the traffic from one account
Is that the output of “/ip route print detail”? I don’t think so, but if it is, there are no routing-marks on any routes. And you have not corrected the load balancing on the Realg2 interface.
There may be only one interface getting traffic. That depends on your clients ip addresses. If they all are using one routing mark, then that is the route/srcnat they will use.
will u plz send me deitails : Route,Nat and Mangle rules
mant thxx,
All this is based on your mangle rules. I don’t know what your goal is. I was trying to get the setup you selected working.
I have given you the nat rules already, all based on the routing-marks you had entered in “/ip route”. If you are going to use routing marks, you should use them on the gateway (/ip route) and the srcnat (/ip firewall nat). This setup allows you to simply change a routing mark assignment, and everything follows along. No need to modify the routes or srcnats.
These are the correct entries for these routes. Enter these, then remove the rule currently #3.
/ip route
add gateway=192.168.23.1 routing-mark=GroupJ
add gateway 192.168.34.1 routing-mark=GroupD
FYI: I do this to help you learn how to do it, not to do it for you. I collect money for that! 
ok no problemmmmmmmmmmmmmmmmmmmmm
this my msn chat: slaimanroumie@hotmail.com
My email address is in my user profile. Email me from your hotmail account and we can discuss it.
No. Leave off the Networks. part. And please don’t post my email address on the open forum. Every email spider in the world will have it in no time. In the user profile, they would need to login to get it.
tim (at) prolectron.com
