Hello!
Since it is my first post here, let me say hello to all of you and thank you for this wonderful resource of helpful topics. The forum has already helped me multiple times.
We have an RB1100AHx2 here at our company and we stumbled upon a problem I did not expect and have no idea how to resolve.
We have four private subnets attached to ether1-ether5 with IP ranges 10.1.0.0/16 through 10.5.0.0/16:
/ip address
add address=10.5.0.1/16 disabled=no interface=ether5 network=10.5.0.0
add address=10.4.0.1/16 disabled=no interface=ether4 network=10.4.0.0
add address=10.3.0.1/16 disabled=no interface=ether3 network=10.3.0.0
add address=10.2.0.1/16 disabled=no interface=ether2 network=10.2.0.0
add address=10.1.0.1/16 disabled=no interface=ether1 network=10.1.0.0
and we have four independent WAN links on ether6-ether11 with their IP addresses assigned using DHCP from the upstream ISP:
/ip dhcp-client
add add-default-route=yes default-route-distance=0 disabled=no interface=ether6 use-peer-dns=yes use-peer-ntp=yes
add add-default-route=yes default-route-distance=0 disabled=no interface=ether7 use-peer-dns=yes use-peer-ntp=yes
add add-default-route=yes default-route-distance=0 disabled=no interface=ether8 use-peer-dns=yes use-peer-ntp=yes
add add-default-route=yes default-route-distance=0 disabled=no interface=ether9 use-peer-dns=yes use-peer-ntp=yes
add add-default-route=yes default-route-distance=0 disabled=no interface=ether10 use-peer-dns=yes use-peer-ntp=yes
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #    ADDRESS             NETWORK        INTERFACE
 0    10.5.0.1/16         10.5.0.0       ether5
 1    10.4.0.1/16         10.4.0.0       ether4
 2    10.3.0.1/16         10.3.0.0       ether3
 3    10.2.0.1/16         10.2.0.0       ether2
 4    10.1.0.1/16         10.1.0.0       ether1
 5 D  85.89.181.234/24    85.89.181.0    ether7
 6 D  85.89.182.234/24    85.89.182.0    ether8
 7 D  85.89.183.234/24    85.89.183.0    ether9
 8 D  85.89.184.234/24    85.89.184.0    ether10
 9 D  85.89.185.234/24    85.89.185.0    ether11
All WAN links are up, and from the router we can ping using any of them:
ping interface=ether7 google.com
HOST             SIZE  TTL  TIME   STATUS
77.237.27.16     56    60   6ms
(...)
ping interface=ether8 google.com
HOST             SIZE  TTL  TIME   STATUS
77.237.27.16     56    60   6ms
(...)
(... for other links)
However, when we specify only the source address, but not the interface, only one address of the lot works:
ping src-address=85.89.181.234 google.com
HOST             SIZE  TTL  TIME   STATUS
77.237.27.48     56    60   7ms
(...)
ping src-address=85.89.182.234 google.com
HOST             SIZE  TTL  TIME   STATUS
(... for other links)
What we want is to NAT each private subnet to its own WAN link, so the ether1 subnet uses the ether7 WAN link, the ether2 subnet uses the ether8 WAN link and so on. No complex routing spanning one or more WAN links depending on traffic type, just a plain 1:1 map between subnet and WAN link with masquerade.
We tried:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether7 src-address=10.1.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=ether8 src-address=10.2.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=ether9 src-address=10.3.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=ether10 src-address=10.4.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=ether11 src-address=10.5.0.0/16
but to no avail. With such a config one lucky network gets its share, but the four others do not. When we force masquerade to a single WAN link as below:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether7 src-address=10.1.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=ether7 src-address=10.2.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=ether7 src-address=10.3.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=ether7 src-address=10.4.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=ether7 src-address=10.5.0.0/16
everything works fine and everyone gets access to the internet.
Could you please point me towards what the problem could be? Maybe we should mark the packets somehow, and the problem is that outgoing packets go through the correct interface but fail to return properly?
The same problem persists when we limit the case to two links (ether1-ether2 with masquerade to ether7-ether8). We also tried using src-nat with explicit outgoing IP address instead of masquerade, but it did not help.
Is the config we want to achieve possible at all? We would very much like to have all links functional, but for the past few weeks we have all been stuck on a single WAN, with the others physically disabled due to the problem.
We are completely lost here.
Thanks a lot for any help!
Mateusz
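As an added example (not part of the original post, nor a reply from the thread), here is the policy-routing configuration that the described 1:1 subnet-to-WAN mapping needs, in RouterOS v6 syntax (routing-mark on /ip route). It assumes the ISP gateway of each link is taken from the DHCP lease through the client-script variable $"gateway-address", since the post does not state the upstream gateways; the table names to_wan7/to_wan8 and the connection marks conn_wan7/conn_wan8 are chosen here.

```routeros
# Added example, not from the original post. RouterOS v6 syntax (routing-mark on /ip route).
# Assumption: the ISP gateway is read from each DHCP lease via the script variable
# $"gateway-address"; the post gives no upstream gateway addresses.
# Shown for ether7 (LAN 10.1.0.0/16) and ether8 (LAN 10.2.0.0/16); repeat for ether9-ether11.

# 1. Several distance-0 default routes in the main table leave only one active, so packets
#    sourced from the other WAN addresses leave via the wrong ISP and are dropped there.
#    Stop the clients installing that route; give each WAN a default route in its own table.
/ip dhcp-client
set [find interface=ether7] add-default-route=no script={
    /ip route remove [find comment="dhcp-wan7"]
    :if ($bound=1) do={
        /ip route add dst-address=0.0.0.0/0 gateway=$"gateway-address" \
            routing-mark=to_wan7 distance=1 comment="dhcp-wan7"
    }
}
set [find interface=ether8] add-default-route=no script={
    /ip route remove [find comment="dhcp-wan8"]
    :if ($bound=1) do={
        /ip route add dst-address=0.0.0.0/0 gateway=$"gateway-address" \
            routing-mark=to_wan8 distance=1 comment="dhcp-wan8"
    }
}

# 2. Pick the table by source subnet. dst-address=!10.0.0.0/8 keeps LAN-to-LAN traffic in
#    the main table; without it the per-WAN default route would push it out to the ISP.
/ip firewall mangle
add chain=prerouting src-address=10.1.0.0/16 dst-address=!10.0.0.0/8 \
    action=mark-routing new-routing-mark=to_wan7 passthrough=no
add chain=prerouting src-address=10.2.0.0/16 dst-address=!10.0.0.0/8 \
    action=mark-routing new-routing-mark=to_wan8 passthrough=no

# 3. Replies to connections that arrived on a WAN, and router-originated packets such as
#    ping src-address=<lease address>, must leave by that same WAN.
add chain=prerouting in-interface=ether7 connection-mark=no-mark \
    action=mark-connection new-connection-mark=conn_wan7 passthrough=yes
add chain=prerouting in-interface=ether8 connection-mark=no-mark \
    action=mark-connection new-connection-mark=conn_wan8 passthrough=yes
add chain=output connection-mark=conn_wan7 action=mark-routing new-routing-mark=to_wan7
add chain=output connection-mark=conn_wan8 action=mark-routing new-routing-mark=to_wan8
add chain=output src-address=85.89.181.234 action=mark-routing new-routing-mark=to_wan7
add chain=output src-address=85.89.182.234 action=mark-routing new-routing-mark=to_wan8

# 4. The post's per-WAN masquerade rules are correct once routing is right.
/ip firewall nat
add chain=srcnat out-interface=ether7 src-address=10.1.0.0/16 action=masquerade
add chain=srcnat out-interface=ether8 src-address=10.2.0.0/16 action=masquerade
# 5. Checks: each table holds one active default route, and a source-bound ping now works.
/ip route print where routing-mark=to_wan8
/ping routing-table=to_wan8 src-address=85.89.182.234 google.com
```

The last two commands are the checks to run after each DHCP renewal: if the route print shows no active route in a table, its client script did not fire, and the matching src-address ping will fail exactly as in the post.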