NAT on Loopback for one destination from one LAN Data Subnet

Hi Everyone,

Mikrotik is new for me and I am learning it day by day. I am using it in an MPLS environment where we normally don't do NAT, because all traffic from the different sites goes to a central firewall for NAT and then on to the internet.

I have a unique requirement in which I have to perform NAT for one destination which is in the MPLS network, and only for the DATA LAN source. Details are as follows:

  1. Source will be the data LAN, which is 192.168.1.0/24
  2. Destination will be 100.100.100.100 in the MPLS network
  3. NAT on the bridge loopback interface with IP address 1.1.1.1 (1.1.1.1 has reachability to 100.100.100.100 and both devices can ping each other)

I want to perform policy-based NAT. I have achieved this successfully on Cisco multiple times, but on Mikrotik it is not working.

I have done the following steps on Mikrotik:

  1. Define the source list and destination list
  2. Perform source NAT on the Mikrotik
  3. Enable connection tracking

If I add the source and destination lists or marking, then NAT stops; when I remove these, NAT works fine, but for all destinations, while I want it only for a single destination.

If you have any solution, please share.

Regards
Sameer

It’s usually a good idea to share the non-working config and have someone spot the problem, rather than have them invent the whole thing from scratch.

I will upload the configuration.

Following are the configurations:

Interface details along with IP addresses

ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK        INTERFACE
 0   ;;; defconf
     192.168.1.1/24     192.168.1.0    DATA-VLAN-1
 1   10.10.10.14/30     10.10.10.12    ether10
 2   172.16.143.96/32   172.16.143.96  Loopback150
 3   10.210.32.1/24     10.210.32.0    VOICE-VLAN-20
 4   1.1.1.1/24         1.1.1.0        Loopback200
 5 D 10.10.10.251/32    10.10.10.254   pppoe-wan

Mangle rules for marking

ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; 3CX-NAT-MARKING
chain=prerouting action=mark-routing new-routing-mark=3CX-DATA-NAT-MARKING passthrough=no src-address=192.168.1.0/24 dst-address=100.100.100.100 log=no log-prefix=""

1 X ;;; Test-2
chain=prerouting action=mark-packet new-packet-mark=SRV-3CX passthrough=yes src-address-list=DATA-LAN dst-address-list=3CX-SRV log=no log-prefix=""

2 X ;;; Rule-2
chain=prerouting action=mark-routing new-routing-mark=Marking-1 passthrough=no src-address-list=DATA-LAN dst-address-list=3CX-SRV connection-mark=Marking-1 log=no log-prefix=""

NAT rules (currently all rules are disabled)

ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; MAT-FOR-3XC-SRV-FROM-DATA-SUBNET
chain=srcnat action=masquerade routing-mark=3CX-DATA-NAT-MARKING src-address=192.168.1.0/24 dst-address=100.100.100.100 out-interface=Loopback200 out-bridge-port=Loopback200 log=no log-prefix=""

1 X ;;; Test-2
chain=srcnat action=masquerade routing-mark=Marking-1 connection-mark=Marking-1 out-interface=ether10 packet-mark="" log=no log-prefix=""

2 X chain=srcnat action=src-nat to-addresses=1.1.1.1 src-address=192.168.1.0/24 out-interface=ether10 log=no log-prefix=""

Please let me know if you need any other output from the router.

I don’t know what’s with the marking, you shouldn’t need it for this. As for srcnat, the first one looks wrong because of out-interface and out-bridge-port, the second one can’t work because it looks for a non-existent connection mark, and the third one is closest to what you described you want. If you add the destination address as another condition, it should probably be OK:

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=100.100.100.100 action=src-nat to-addresses=1.1.1.1

You can replace src-address=192.168.1.0/24 with src-address-list=DATA-LAN if the DATA-LAN list contains 192.168.1.0/24.
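Putting the suggested rule together with the address lists and the checks you would run afterwards, as an added example (not from the thread or from the poster's router; the list names DATA-LAN and 3CX-SRV and the comments are assumed, the addresses are the ones given in the question):

```routeros
# Added example, not the original poster's config. Policy-based source NAT
# for exactly one source subnet and one destination, translated to the
# loopback address. Assumes 1.1.1.1 is routable back from the MPLS side.

/ip firewall address-list
add list=DATA-LAN address=192.168.1.0/24 comment="data VLAN"
add list=3CX-SRV address=100.100.100.100 comment="3CX server in MPLS"

# No out-interface, routing-mark or connection-mark: the rule matches on
# addresses only, so it works whatever egress interface the route picks.
# src-nat (fixed address) rather than masquerade, because masquerade would
# use the address of the outgoing interface, not the loopback.
/ip firewall nat
add chain=srcnat src-address-list=DATA-LAN dst-address-list=3CX-SRV \
    action=src-nat to-addresses=1.1.1.1 \
    comment="NAT data LAN to 3CX via loopback"

# Verification: from a host in 192.168.1.0/24, ping 100.100.100.100, then:
# - counters should increase only on the rule above
/ip firewall nat print stats
# - translated connections should show reply-dst-address 1.1.1.1
/ip firewall connection print where dst-address~"100.100.100.100"
```

Two things to check when applying this on a router that already has other srcnat rules: the srcnat chain is evaluated top to bottom and the first match wins, so this rule must sit above any broader masquerade or src-nat rule (use place-before= when adding it), and connection tracking has to be active, which it is as soon as firewall NAT rules exist unless it was explicitly disabled.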

Should I use out-interface?

Probably not, unless you have some special config (e.g. some policy routing where this traffic can use different routes and outgoing interfaces, and you need NAT on only one of them).