Hi, I use RouterOS 2.9.51 and since I have two main gateways I have a problem with my public IPs. For example, a client of mine with a real public IP netmapped to his NATed private address no longer has outside access since I added policy routes for my two links. I know it is probably a routing problem and that I misplaced some route rule, but I cannot figure out exactly which one. Here is part of my config:
DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 ADC 10.0.0.0/16 10.0.0.254 APs
1 ADC 10.1.3.0/24 10.1.3.1 LAN
2 ADC 10.1.4.0/24 10.1.4.1 LAN
3 ADC 11.0.0.0/16 11.0.0.253 APs
4 ADC 172.16.1.0/24 172.16.1.1 APs
5 ADC 172.16.2.0/24 172.16.2.1 APs
6 ADC 172.16.3.0/24 172.16.3.1 APs
7 ADC 172.17.1.0/24 172.17.1.1 APs
8 ADC 172.17.2.0/24 172.17.2.1 APs
9 ADC 172.17.3.0/24 172.17.3.1 APs
10 ADC 172.17.4.0/24 172.17.4.1 APs
11 ADC 172.17.5.0/24 172.17.5.1 APs
12 ADC 172.17.6.0/24 172.17.6.1 APs
13 ADC 189.30.21.48/29 189.30.21.50 WAN-1MB
14 ADC 192.168.0.0/24 192.168.0.1 LAN
15 ADC 200.163.176.232/29 200.163.176.235 WAN-2MB
16 A S ;;; Gateway Default
0.0.0.0/0 r 200.163.176.233 1 WAN-2MB
r 189.30.21.49 WAN-1MB
17 A S 0.0.0.0/0 r 189.30.21.49 WAN-1MB
18 A S 0.0.0.0/0 r 200.163.176.233 WAN-2MB
19 S 0.0.0.0/0 r 189.30.21.49 2 WAN-1MB
20 A S 0.0.0.0/0 r 189.30.21.49 WAN-1MB
I also have mangle rules that set routing marks, and the following route rules:
0 dst-address=189.30.21.48/29 interface=WAN-1MB action=lookup table=rota2
1 dst-address=20.163.176.232/29 interface=WAN-2MB action=lookup table=rota3 [editor's note: 20.163.176.232/29 does not match the WAN-2MB connected prefix 200.163.176.232/29 shown in the route table above; if this is the rule as configured rather than a typo in the post, traffic for the 200.163.176.232/29 addresses is never sent to table rota3]
As you can see, routing mark rota2 sends packets out through the 189.30.21.49 gateway, and rota3 sends them through 200.163.176.233.
Here are some of my NAT rules, to give full information about my config:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Posto do Carlinhos TV
chain=dstnat action=dst-nat to-addresses=172.17.5.13 to-ports=2001 dst-port=2001 protocol=tcp [editor's note: none of the port-forwarding dst-nat rules below carry a dst-address or in-interface matcher, so each one matches its port on any interface and on either public /29, not just the address the client expects]
1 ;;; E-Mule Ismael
chain=dstnat action=dst-nat to-addresses=172.16.1.47 to-ports=4671 dst-port=4671 protocol=tcp
2 ;;; E-Mule Gelson
chain=dstnat action=dst-nat to-addresses=10.0.0.3 to-ports=4670 dst-port=4670 protocol=tcp
3 ;;; E-Mule Caixa
chain=dstnat action=dst-nat to-addresses=172.17.1.20 to-ports=4664 dst-port=4664 protocol=tcp
ipv4-options=no-source-routing
4 X ;;; aciab teste
chain=dstnat action=dst-nat to-addresses=10.0.0.130 to-ports=5900 dst-port=5900 protocol=tcp
5 X chain=dstnat action=dst-nat to-addresses=10.0.0.130 to-ports=1433 dst-port=1433 protocol=tcp
6 ;;; E-Mule Fabiano Pasch
chain=dstnat action=dst-nat to-addresses=172.16.3.21 to-ports=4669 dst-port=4669 protocol=tcp
7 ;;; E-Mule Robson
chain=dstnat action=dst-nat to-addresses=172.16.2.20 to-ports=4667 dst-port=4667 protocol=tcp
8 ;;; E-Mule Ganso
chain=dstnat action=dst-nat to-addresses=10.0.0.103 to-ports=4668 dst-port=4668 protocol=tcp
9 ;;; E-Mule Bruno
chain=dstnat action=dst-nat to-addresses=172.16.1.10 to-ports=4672 dst-port=4672 protocol=tcp
10 ;;; E-Mule Posto Carlinhos
chain=dstnat action=dst-nat to-addresses=10.0.0.86 to-ports=4685 dst-port=4685 protocol=tcp
11 ;;; Bloqueio de clientes não cadastrados. Para liberar, cadastrar na address list: liberados
chain=dstnat action=accept dst-port=53 protocol=udp packet-mark=bloqueia
12 chain=dstnat action=dst-nat to-addresses=200.163.176.234 to-ports=85 packet-mark=bloqueia
13 chain=dstnat action=dst-nat to-addresses=200.163.176.234 to-ports=86 packet-mark=avisos
14 ;;; Redireciona determinados clientes para quadro de aviso. Para isso, cadastrar na address list: aviso
chain=dstnat action=dst-nat to-addresses=200.163.176.234 to-ports=85 packet-mark=avisos
src-address-list=avisos
15 ;;; Regra para ips da classe 200.163.176.232/29 rotearem por esta classe
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535
dst-address=200.163.176.232/29
16 chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535 dst-address=189.30.21.48/29
17 ;;; ACIAB IP Válido
chain=dstnat action=netmap to-addresses=10.0.0.130 to-ports=0-65535 dst-address=200.163.176.236
18 chain=srcnat action=netmap to-addresses=200.163.176.236 to-ports=0-65535 src-address=10.0.0.130
19 ;;; RB532 - IP valido.
chain=dstnat action=netmap to-addresses=10.0.1.253 to-ports=0-65535 dst-address=200.163.176.235 [editor's note: 200.163.176.235 is also the router's own address on WAN-2MB (pref-src of the connected route above); netmapping it to 10.0.1.253 diverts everything addressed to the router on that link, including its own management traffic, to the internal host]
20 chain=srcnat action=netmap to-addresses=200.163.176.235 to-ports=0-65535 src-address=10.0.1.253
21 X ;;; RB153 - IP Válido
chain=dstnat action=netmap to-addresses=11.0.0.254 to-ports=0-65535 dst-address=189.30.21.51
22 X chain=srcnat action=netmap to-addresses=189.30.21.51 to-ports=0-65535 src-address=11.0.0.254
23 ;;; Proxy
chain=dstnat action=redirect to-ports=3128 dst-port=80 protocol=tcp
src-address-list=Proxy Redirection dst-address-list=!proxy-exception
24 ;;; Imposto de Renda
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=3456 dst-port=3456 protocol=tcp
src-address-list=rede-brnet
25 ;;; ICMS
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=8017 protocol=tcp
src-address-list=Redes Clientes
26 ;;; Caixa Federal
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=2631 protocol=tcp
src-address-list=Redes Clientes
27 X ;;; RADIUS
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=1812 protocol=udp
src-address-list=Redes Clientes
28 ;;; E-Mail
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=25 protocol=tcp
29 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=110 protocol=tcp
30 ;;; FTP
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=20-21 protocol=tcp
31 ;;; Banricompras
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=500 protocol=udp
32 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=10000 protocol=udp
33 ;;; Winbox
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=8291 protocol=tcp
src-address-list=Redes Clientes
34 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=20561 protocol=tcp
35 ;;; ACIAB
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=5900 protocol=tcp
36 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=1433 protocol=tcp
37 ;;; MSN
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=1863 protocol=tcp
38 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=1863 protocol=udp
39 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=6891-6901
protocol=udp
40 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=6891-6901
protocol=tcp
41 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=5190 protocol=udp
42 ;;; Cabal Online
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=38100-38130
protocol=tcp src-address-list=Redes Clientes
43 ;;; Ping
chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535 protocol=icmp
44 ;;; MU
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=44405 protocol=tcp
src-address-list=Redes Clientes
45 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=55901 protocol=tcp
src-address-list=Redes Clientes
46 ;;; Regra para redirecionar HTTPS para link 2Mb
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=443 protocol=tcp
src-address-list=Redes Clientes
47 X ;;; Regra NAT 01 - Habilitar estas regras se somente link de 2mb estiver funcionando.
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535
48 ;;; Regra NAT 02 - Habilitar estas regras link de 1mb estiver funcionando. Desabilitar Regra NAT 01
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=80 protocol=tcp
49 ;;; P2P
chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535 routing-mark=rota2
50 chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535
51 X ;;; Regra NAT 03 - Habilitar estas regras se somente link de 1mb estiver funcionando.
chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535
src-address-list=Redes Clientes
Any clues as to why my dst-nat rules no longer work? People outside my ISP cannot reach the public IPs assigned to my clients, and eMule no longer gets a high ID even with correct dst-nat rules; all of this worked before the two-gateway config.
Thanks, people...