I have installed a small network in WDS mode, with an OmniTik AP and SXTs as station-WDS. I also have several camera hosts connected to the OmniTik ether ports, as well as a Sextant bridge. All interfaces (wlan and ether ports) are on a common bridge – with the exception of the ether4 gateway.
The network works well within the local LAN, but no host behind the router (on the bridge) is getting NAT’ed to the WAN gateway. Of course, I have the Bridge Settings set to use the IP-Firewall, and have a Masquerade NAT rule set on the ether4 gateway interface, as you’ll see below.
There must be a simple reason this is not working. I’ve reviewed the Routerboard packet processing diagrams, and I can’t see why this is not going through the NAT firewall.
I’ve also attached screen pics of the firewall rules I put in to detect packet traffic and IP addresses going out the ether4 gateway.
[admin@MikroTik-main-shopAP] /ip firewall> export
jan/23/2013 20:57:41 by RouterOS 5.22
software id = STL7-573C
/ip firewall connection tracking
# NOTE(review): enabled=no switches connection tracking off for the whole
# router. Masquerade/src-nat and dst-nat are implemented on top of the
# conntrack table, so with tracking disabled the srcnat rule out
# ether4-gateway cannot translate anything -- this is the most likely cause
# of "LAN works, nothing gets NAT'ed to the WAN". Set enabled=yes and re-test
# before changing any NAT rule.
# The connection-state=established/related accepts in the input chain also
# stop matching while tracking is off; only stateless rules (such as the
# add-*-to-address-list diagnostics) keep working, which is presumably why
# those lists still fill up while NAT appears dead.
# The timeouts below only take effect once tracking is enabled.
set enabled=no generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Input chain: accept ICMP and tracked established/related, then (optionally) drop.
add action=accept chain=input comment=“default configuration” disabled=no protocol=icmp
add action=accept chain=input comment=“default configuration” connection-state=established disabled=no
add action=accept chain=input comment=“default configuration” connection-state=related disabled=no
# NOTE(review): this is the only drop rule in the config and it is disabled=yes.
# It also matches in-interface=ether1, which in this export is a bridge port,
# not the WAN uplink (ether4-gateway) -- a leftover from the factory layout.
# As exported, every service the router itself runs is reachable from the WAN
# side without any filter. Once connection tracking is enabled (so the
# established/related accepts above work again), re-enable this rule with
# in-interface=ether4-gateway; there is no forward-chain drop either.
add action=drop chain=input comment=“default configuration” disabled=yes in-interface=ether1
# Diagnostic rules: record src/dst addresses seen leaving ether4-gateway.
# address-list-timeout=0s makes the entries permanent, so these lists grow
# without bound; remove the four rules when debugging is finished.
add action=add-dst-to-address-list address-list=“forwarded ether4 dest list” address-list-timeout=0s chain=
forward disabled=no out-interface=ether4-gateway
add action=add-src-to-address-list address-list=“forwarded ether4 src list” address-list-timeout=0s chain=
forward disabled=no out-interface=ether4-gateway
add action=add-dst-to-address-list address-list=“outbound dest list” address-list-timeout=0s chain=output
disabled=no out-interface=ether4-gateway
add action=add-src-to-address-list address-list=“outbound source list” address-list-timeout=0s chain=output
disabled=no out-interface=ether4-gateway
/ip firewall nat
# Source NAT for everything leaving the WAN port. The rule itself is fine; it
# cannot work while /ip firewall connection tracking has enabled=no.
# to-addresses is not used by action=masquerade (the address is taken from
# the out-interface); it is harmless here but misleading -- drop it, or use
# action=src-nat if a fixed public address is intended.
add action=masquerade chain=srcnat comment=“default configuration” disabled=no out-interface=ether4-gateway
to-addresses=xxx.xxx.xxx.xxx
# NOTE(review): the three port forwards below have no in-interface= or
# dst-address= match, so TCP to 8808/8081/61180 arriving on ANY interface --
# including bridged LAN hosts talking to each other, since
# use-ip-firewall=yes sends bridged traffic through these chains -- is
# rewritten to 192.168.88.100. Add in-interface=ether4-gateway (or
# dst-address=<WAN IP>) to each so only inbound WAN connections are forwarded.
# Like srcnat, these also depend on connection tracking being enabled.
add action=dst-nat chain=dstnat comment=“forward port 8808 connections to Milestone Server” disabled=no
dst-port=8808 protocol=tcp to-addresses=192.168.88.100 to-ports=8808
add action=dst-nat chain=dstnat comment=“forward port 8081 connections to Milestone Mobile Server” disabled=
no dst-port=8081 protocol=tcp to-addresses=192.168.88.100 to-ports=8081
add action=dst-nat chain=dstnat comment=“forward port 61180 connections to Dude on Milestone Server”
disabled=no dst-port=61180 protocol=tcp to-addresses=192.168.88.100 to-ports=61180
/ip firewall service-port
# All NAT application-layer helpers are left enabled (factory default). Each
# one parses payload on its port and opens related pinholes; only ftp/sip are
# plausibly needed by camera/Milestone hosts. Consider disabling tftp, irc,
# h323 and pptp to shrink the parsing surface exposed on the WAN side.
# These helpers also rely on connection tracking, which is currently off.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
[admin@MikroTik-main-shopAP] /ip firewall> nat
[admin@MikroTik-main-shopAP] /ip firewall nat> export
jan/23/2013 20:58:46 by RouterOS 5.22
software id = STL7-573C
/ip firewall nat
# Same NAT table as the /ip firewall export above; this paste appears to be
# cut off after the first rule (the full table follows in the next export).
# Connection tracking is disabled in this config, so this rule does not
# translate anything until /ip firewall connection tracking is set to
# enabled=yes.
add action=masquerade chain=srcnat comment=“default configuration” disabled=no out-interface=ether4-gateway
[admin@MikroTik-main-shopAP] /ip firewall nat> export
jan/23/2013 20:58:46 by RouterOS 5.22
software id = STL7-573C
/ip firewall nat
# Repeat of the NAT table shown in the /ip firewall export above; same notes
# apply: NAT needs /ip firewall connection tracking enabled=yes (currently
# no), and to-addresses is ignored by action=masquerade.
add action=masquerade chain=srcnat comment=“default configuration” disabled=no out-interface=ether4-gateway
to-addresses=xxx.xxx.xxx.xxx
# Port forwards lack in-interface=ether4-gateway, so they also rewrite
# LAN-originated connections to these ports (bridged traffic passes through
# the IP firewall because use-ip-firewall=yes). Restrict them to the WAN port.
add action=dst-nat chain=dstnat comment=“forward port 8808 connections to Milestone Server” disabled=no
dst-port=8808 protocol=tcp to-addresses=192.168.88.100 to-ports=8808
add action=dst-nat chain=dstnat comment=“forward port 8081 connections to Milestone Mobile Server” disabled=
no dst-port=8081 protocol=tcp to-addresses=192.168.88.100 to-ports=8081
add action=dst-nat chain=dstnat comment=“forward port 61180 connections to Dude on Milestone Server”
disabled=no dst-port=61180 protocol=tcp to-addresses=192.168.88.100 to-ports=61180
[admin@MikroTik-main-shopAP] /interface bridge> export
jan/23/2013 21:01:01 by RouterOS 5.22
software id = STL7-573C
/interface bridge
# Single bridge carrying the LAN side; ether4-gateway is deliberately not a
# member.
add admin-mac=00:0C:42:E8:4D:xx ageing-time=5m arp=enabled auto-mac=no disabled=no forward-delay=15s l2mtu=
1598 max-message-age=20s mtu=1500 name=bridge1-wds priority=0x8000 protocol-mode=rstp
transmit-hold-count=6
/interface bridge port
# Only ether2-master-local and ether1 are exported as ports. The wlan/WDS
# interfaces the post describes are not listed here -- if they are added as
# dynamic WDS ports they will not appear in an export; confirm with
# /interface bridge port print. ether3 and ether5 reach the bridge through
# their master-port, ether2-master-local.
# Note that ether1 is a LAN/bridge port, so the (disabled) input drop rule
# that still matches in-interface=ether1 does not protect the WAN side.
add bridge=bridge1-wds disabled=no edge=auto external-fdb=auto horizon=none interface=ether2-master-local
path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1-wds disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 path-cost=10
point-to-point=auto priority=0x80
/interface bridge settings
# use-ip-firewall=yes pushes bridged (LAN-to-LAN) IP traffic through the
# /ip firewall filter and nat chains as well. That is why the unrestricted
# dstnat rules also catch LAN-internal connections to 8808/8081/61180. It is
# not required for NAT to the WAN; the NAT failure is caused by connection
# tracking being disabled, not by this setting.
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
[admin@MikroTik-main-shopAP] /interface> export
jan/23/2013 21:01:36 by RouterOS 5.22
software id = STL7-573C
/interface bridge
# Repeat of the bridge definition from the /interface bridge export above.
add admin-mac=00:0C:42:E8:4D:xx ageing-time=5m arp=enabled auto-mac=no disabled=no forward-delay=15s l2mtu=
1598 max-message-age=20s mtu=1500 name=bridge1-wds priority=0x8000 protocol-mode=rstp
transmit-hold-count=6
/interface ethernet
# ether1: standalone port, bridged via /interface bridge port.
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 mac-address=00:0C:42:E8:4D:xx
mtu=1500 name=ether1 speed=100Mbps
# ether2: switch-group master and bridge member; ether3 and ether5 are its
# slaves and so share the bridge through it.
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598
mac-address=00:0C:42:E8:4D:xx master-port=none mtu=1500 name=ether2-master-local poe-out=off speed=
100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598
mac-address=00:0C:42:E8:4D:xx master-port=ether2-master-local mtu=1500 name=ether3-slave-local poe-out=
off speed=100Mbps
# ether4-gateway: master-port=none and not a bridge port -- the WAN uplink
# that the srcnat masquerade and the diagnostic filter rules reference.
# With connection tracking off, nothing is translated on the way out here.
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598
mac-address=00:0C:42:E8:4D:xx master-port=none mtu=1500 name=ether4-gateway poe-out=off speed=100Mbps
# ether5: slave of ether2-master-local with poe-out=auto-on, presumably
# powering the WiFi AP -- TODO confirm the attached device expects PoE.
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598
mac-address=00:0C:42:E8:4D:xx master-port=ether2-master-local mtu=1500 name=ether5-to-WiFi poe-out=
auto-on speed=100Mbps
Thanks for the help…