Natting

mahmoudkoubeissi · February 13, 2014, 11:25am

Hi;

i’m trying to do a source nat for a TOS number or connection or packet but the nat is not working ;

if anyone can help me to do a src nat for a TOS number or packet or connection byte .

Thanks.

rickfrey · February 13, 2014, 5:02pm

Can you post an example of what you are trying to do? When you say:

i’m trying to do a source nat for a TOS number or connection or packet

Are you suggesting that anyone of those three things can be the means to identify the traffic to be NAT’d?

From the host, through the router, and out to the Internet, what are you trying to accomplish?

mahmoudkoubeissi · February 17, 2014, 12:51pm

Hi;

ip firwamle mangle postroute tcp dst port 443 connection bytes:500000-0 action:change DSCP(TOS) New TOS:30

ip firwale nat srnat DSP(TOS) :30 action :src-nat to addresses:141.105.81.45

I’m in the same rb 110ah*2 trying to do this natting :

1- In the Mangle this Packet and bytes are counting but in the nat nothing is happen.Is this mean this mean i can’t nat the TOS number ?

Regards;

rickfrey · February 18, 2014, 8:33pm

I tried it without the connection bytes and this worked:

/ip firewall mangle
add action=change-dscp chain=postrouting dst-port=443 new-dscp=30 passthrough=no protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat disabled=yes dscp=30 out-interface=ether1

mahmoudkoubeissi · February 19, 2014, 11:26am

Hi;

Trying to do this natting with layer 7:

Code:
/ip firewall mangle
add action=change-dscp chain=postrouting layer 7 protocol=googlevideo.com new-dscp=30 passthrough=no protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes dscp=30 out-interface=ether1

Also not workin, if you have any solution for this problem ?

Best Regards;

rickfrey · February 19, 2014, 3:50pm

I’m not really sure why you are trying to do this However, you are trying to combine too many things at once. Don’t try to use the Layer 7 and the DSCP at the same time. Use one and then limit the results with another rule. That will make troubleshooting much easier

mahmoudkoubeissi · February 20, 2014, 9:57am

Hi;

My goal is to do a NAT for layer 7 or tcp connection byte .

EX:
ip firewall nat
add action=masquerade chain=srcnat disabled=yes Layer 7=video.google out-interface=ether1

Is This Possible ?

Best Regards;

rickfrey · February 20, 2014, 3:06pm

Yes, it is, but you might have to “mark” the Layer 7 first. For example, use the layer 7 matcher to set a packet mark in Mangle and then use the NAT rule to NAT everything with that packet mark.