Hi,
I have a problem with Mangle / Policy Based Routing and SRC-NAT, and I hope someone can help me.
It seems to me that SRC-NAT isn't working correctly in my setup.
I'm using a hAP lite (a MikroTik gift from the MUM) with RouterOS 6.30.2.
Bridge and WLAN are disabled.
Behind the router is a server with the IP address 192.168.88.254; the router's address is 192.168.88.10.
In my config there are two "Internet gateways":
ether1-gateway - configured to use DHCP, without NAT - connected to my internal network
voipVPN - a PPTP tunnel, configured with SRC-NAT.
My wish is that all external traffic from 192.168.88.254 goes through the voipVPN tunnel.
[admin@MikroTik] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="ether1-gateway" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=E4:8D:8C:89:0D:44 fast-path=yes
last-link-up-time=aug/04/2015 05:52:46 link-downs=0
1 R name="ether2-master-local" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=E4:8D:8C:89:0D:45 fast-path=yes
last-link-up-time=aug/04/2015 05:52:47 link-downs=0
2 RS name="ether3-slave-local" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=E4:8D:8C:89:0D:46 fast-path=yes
last-link-up-time=aug/04/2015 05:52:46 link-downs=0
3 S name="ether4-slave-local" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=2028 mac-address=E4:8D:8C:89:0D:47 fast-path=yes
link-downs=0
4 X name="wlan1" default-name="wlan1" type="wlan" mtu=1500 actual-mtu=1500 l2mtu=1600 mac-address=E4:8D:8C:89:0D:48 fast-path=yes link-downs=0
5 R name="voipVPN" type="pptp-out" mtu=1400 actual-mtu=1400 fast-path=no last-link-down-time=aug/04/2015 05:57:59 last-link-up-time=aug/04/2015 05:58:02
link-downs=5
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=voipVPN gateway-status=voipVPN reachable distance=1 scope=30 target-scope=10 routing-mark=voip
1 ADS dst-address=0.0.0.0/0 gateway=192.168.6.62 gateway-status=192.168.6.62 reachable via ether1-gateway distance=1 scope=30 target-scope=10
vrf-interface=ether1-gateway
2 ADC dst-address=192.168.6.0/26 pref-src=192.168.6.8 gateway=ether1-gateway gateway-status=ether1-gateway reachable distance=0 scope=10
3 ADC dst-address=192.168.35.17/32 pref-src=27.100.18.32 gateway=voipVPN gateway-status=voipVPN reachable distance=0 scope=10
4 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.10 gateway=ether2-master-local gateway-status=ether2-master-local reachable distance=0 scope=10
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=change-mss new-mss=1410 passthrough=yes tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1411-65535 log=no log-prefix=""
1 D chain=forward action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn protocol=tcp in-interface=all-ppp tcp-mss=1361-65535 log=no log-prefix=""
2 chain=prerouting action=mark-connection new-connection-mark=voipcon passthrough=yes connection-state=new src-address=192.168.88.254
dst-address=!192.168.0.0/16 log=no log-prefix=""
3 chain=prerouting action=mark-packet new-packet-mark=voippack passthrough=yes connection-mark=voipcon log=no log-prefix=""
4 chain=prerouting action=mark-routing new-routing-mark=voip passthrough=yes packet-mark=voippack log=no log-prefix=""
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=voipVPN log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=voipVPN connection-mark=voipcon log=no log-prefix=""
2 chain=srcnat action=masquerade routing-mark=voip out-interface=voipVPN log=no log-prefix=""
If I check the stats, I see a gap.
[admin@MikroTik] > /ip firewall mangle print stats ; /ip firewall nat print stats
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN        ACTION             BYTES    PACKETS
 0 D  forward      change-mss             0          0
 1 D  forward      change-mss             0          0
 2    prerouting   mark-connection        0          0
 3    prerouting   mark-packet      583 845      1 028
 4    prerouting   mark-routing     583 845      1 028
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN        ACTION             BYTES    PACKETS
 0    srcnat       masquerade         2 668         23
 1    srcnat       masquerade             0          0
 2    srcnat       masquerade             0          0
[admin@MikroTik] >
If I check the traffic inside the PPTP tunnel with the packet sniffer / Wireshark, I see that some outgoing packets are not SRC-NATed (meaning that the source IP is still 192.168.88.254).
Does anybody have an idea what I did wrong?
Thank you very much,
Joerg
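The following is an added RouterOS configuration example, not part of Joerg's post and not his working config, showing the usual mangle / policy-routing / masquerade pattern for sending one LAN host out through a tunnel, together with the check a practitioner would run against the counters shown above. It reuses the names from the post (voipVPN, ether2-master-local, 192.168.88.254, routing mark "voip", connection mark "voipcon"); everything else is an assumption. One fact it relies on: RouterOS, like netfilter, decides NAT for a connection on that connection's first packet and stores the result in the connection-tracking entry, so connections that already existed when the rules were added keep their original path until the entry is removed. Counters like the ones in the post (mark-connection at 0 while mark-packet matches on connection-mark=voipcon) are consistent with connection-tracking entries that were marked before the current rules were loaded, but that is an inference from the output, not something the post confirms.

```routeros
# Added example (not the poster's configuration). Assumes the interface names,
# host address and marks from the post; the in-interface filter is an assumption.

/ip route
# Policy route: anything carrying routing-mark "voip" leaves via the tunnel.
add dst-address=0.0.0.0/0 gateway=voipVPN routing-mark=voip distance=1

/ip firewall mangle
# Mark the connection once, on its first packet, only when it enters from the LAN.
add chain=prerouting in-interface=ether2-master-local \
    src-address=192.168.88.254 dst-address=!192.168.0.0/16 \
    connection-state=new \
    action=mark-connection new-connection-mark=voipcon passthrough=yes
# Derive the routing mark from the connection mark for every packet of that
# connection; the packet-mark step is not needed for routing.
add chain=prerouting in-interface=ether2-master-local \
    connection-mark=voipcon \
    action=mark-routing new-routing-mark=voip passthrough=no

/ip firewall nat
# One masquerade rule keyed on the egress interface covers both marked and
# unmarked traffic that ends up on the tunnel.
add chain=srcnat out-interface=voipVPN action=masquerade

# NAT and connection marks live in the connection-tracking table. Connections
# that were opened before these rules existed keep their old decision, so flush
# the host's entries once after loading the rules to force re-evaluation.
/ip firewall connection remove [find src-address~"^192.168.88.254:"]

# Checks: the mark-connection counter should now grow with each new connection,
# the mark-routing counter should stay close to the srcnat masquerade counter,
# and every remaining entry for the host should carry the voipcon mark.
/ip firewall mangle print stats
/ip firewall nat print stats
/ip firewall connection print where src-address~"^192.168.88.254:"
```

The `find src-address~"..."` form uses RouterOS's regular-expression match on the connection's `src-address` property, which includes the port (`192.168.88.254:PORT`), hence the anchored `^...:` pattern. If the counters still diverge after the flush, capture on the tunnel interface again with `/tool sniffer` and compare the source addresses of the first packets of new connections against later packets of the same connection; a connection whose first packet left un-NATed will stay un-NATed for its lifetime.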