NAT with asterisks in traceroute

busty · November 7, 2017, 12:55am

Hello,
i have 2 WAN connections and i set basic masquerade NAT for both but now when i try to trace any outside IP address i receive asterisks on both my WAN connections. is there any option to have my router normally listed?

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=WAN1 log=no log-prefix=""
 1    chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=WAN2 log=no log-prefix=""
[admin@MikroTik] >

[admin@MikroTik] > ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.7.1 gateway-status=192.168.7.1 reachable via  WAN1 check-gateway=ping distance=1 scope=10 target-scope=10
        routing-mark=to_ISP1
 1   S  dst-address=0.0.0.0/0 gateway=10.10.10.1 gateway-status=10.10.10.1 reachable via  WAN2 check-gateway=ping distance=20 scope=20 target-scope=20
        routing-mark=to_ISP1
 2 A S  dst-address=0.0.0.0/0 gateway=10.10.10.1 gateway-status=10.10.10.1 reachable via  WAN2 check-gateway=ping distance=1 scope=10 target-scope=10
        routing-mark=to_ISP2
 3   S  dst-address=0.0.0.0/0 gateway=192.168.7.1 gateway-status=192.168.7.1 reachable via  WAN1 check-gateway=ping distance=10 scope=20 target-scope=20
        routing-mark=to_ISP2
 4 ADC  dst-address=10.10.10.0/24 pref-src=10.10.10.81 gateway=WAN2 gateway-status=WAN2 reachable distance=0 scope=10
 5 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.218 gateway=LAN gateway-status=LAN reachable distance=0 scope=10
 6 ADC  dst-address=192.168.7.0/24 pref-src=192.168.7.10 gateway=WAN1 gateway-status=WAN1 reachable distance=0 scope=10
[admin@MikroTik] >

if i understand it correctly there are some discrepancies in routing because when i remove PCC everything is normal.

Anumrak · November 7, 2017, 12:11pm

Your marked your routes to ISP’s, but you didn’t mangle your LAN interface in output chain with new routing marks and didn’t mangle packets back from outside in input chain with new connections marks.

ip fire mangle
add chain=output action=mark-routing new-routing-mark=ISP 1 passthrough=no connection-mark=ISP 1
add chain=input action=mark-connection new-connection-mark=ISP 1 passthrough=no dst-address=“your global IP” in-interface=“your ISP interface”

busty · November 7, 2017, 1:49pm

Thank you
I have tried to add your advices to my setup but just one (line 6) was different from your advise. i have tried several input setup settings for WAN1 but none of them is working
i’ve configured it per PCC manual at mikrotik documentation page https://wiki.mikrotik.com/wiki/Manual:PCC

 0  D comment=special dummy rule to show fasttrack counters chain=prerouting action=passthrough
 1  D comment=special dummy rule to show fasttrack counters chain=forward action=passthrough
 2  D comment=special dummy rule to show fasttrack counters chain=postrouting action=passthrough
 3    chain=prerouting action=accept dst-address=192.168.7.0/24 in-interface=LAN log=no log-prefix=""
 4    chain=prerouting action=accept dst-address=10.10.10.0/24 in-interface=LAN log=no log-prefix=""
 5    comment=XY overwrite PCC chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes src-address=192.168.1.99 dst-address-type=!local in-interface=LAN log=no log-prefix=""
 6    chain=input action=mark-connection new-connection-mark=WAN1_conn passthrough=no dst-address=192.168.7.10 in-interface=WAN1 log=no log-prefix=""
 7    comment=outside to inside mark WAN1 chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes connection-mark=no-mark in-interface=WAN1 log=no log-prefix=""
 8    comment=outside to inside mark WAN2 chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes connection-mark=no-mark in-interface=WAN2 log=no log-prefix=""
 9    comment=outside to inside mark WAN3 chain=prerouting action=mark-connection new-connection-mark=WAN3_conn passthrough=yes connection-mark=no-mark in-interface=WAN3 log=no log-prefix=""
10 X  comment=outside to inside mark WAN4 chain=prerouting action=mark-connection new-connection-mark=WAN4_conn passthrough=yes connection-mark=no-mark in-interface=WAN4 log=no log-prefix=""
11    comment=inside to outside hash mark WAN1 chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:4/0 log=no log-prefix=""
12    comment=inside to outside hash mark WAN1 chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:4/2 log=no log-prefix=""
13    comment=inside to outside hash mark WAN2 chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:4/1 log=no log-prefix=""
14    comment=inside to outside hash mark WAN3 chain=prerouting action=mark-connection new-connection-mark=WAN3_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:4/3 log=no log-prefix=""
15 X  comment=inside to outside hash mark WAN4 chain=prerouting action=mark-connection new-connection-mark=WAN4_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:5/3 log=no log-prefix=""
16    comment=inside to outside route mark WAN1 chain=prerouting action=mark-routing new-routing-mark=to_ISP1 passthrough=yes connection-mark=WAN1_conn in-interface=LAN log=no log-prefix=""
17    comment=inside to outside route mark WAN2 chain=prerouting action=mark-routing new-routing-mark=to_ISP2 passthrough=yes connection-mark=WAN2_conn in-interface=LAN log=no log-prefix=""
18    comment=inside to outside route mark WAN3 chain=prerouting action=mark-routing new-routing-mark=to_ISP3 passthrough=yes connection-mark=WAN3_conn in-interface=LAN log=no log-prefix=""
19 X  comment=inside to outside route mark WAN4 chain=prerouting action=mark-routing new-routing-mark=to_ISP4 passthrough=yes connection-mark=WAN4_conn in-interface=LAN log=no log-prefix=""
20    comment=inside to outside route mark WAN1 chain=output action=mark-routing new-routing-mark=to_ISP1 passthrough=yes connection-mark=WAN1_conn log=no log-prefix=""
21    comment=inside to outside route mark WAN2 chain=output action=mark-routing new-routing-mark=to_ISP2 passthrough=yes connection-mark=WAN2_conn log=no log-prefix=""
22    comment=inside to outside route mark WAN3 chain=output action=mark-routing new-routing-mark=to_ISP3 passthrough=yes connection-mark=WAN3_conn log=no log-prefix=""
23 X  comment=inside to outside route mark WAN4 chain=output action=mark-routing new-routing-mark=to_ISP4 passthrough=yes connection-mark=WAN4_conn log=no log-prefix=""

output from traceroute

traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  192.168.2.1 (192.168.2.1)  0.552 ms  0.346 ms  0.297 ms
 2  192.168.99.1 (192.168.99.1)  0.490 ms  0.680 ms  0.451 ms
 3  * * * - my router
 4  192.168.7.1 (192.168.7.1)  9.569 ms  4.346 ms  4.928 ms
 5 <output omitted>

Anumrak · November 7, 2017, 2:32pm

You have too many chains here. Try to save that config and add just few rules only for marking that two gateways.

busty · November 7, 2017, 11:18pm

comment=inside to outside route mark WAN1 chain=output action=mark-routing new-routing-mark=to_ISP1 passthrough=no connection-mark=WAN1_conn log=no log-prefix=""

i removed all output chains and everything is working normally.

Thanks