RB1100AH NAT issue (?)

Hello! My name is Santiago and I’m from Argentina, so sorry for my bad English :) That said, now I can introduce my problem:

We have a RB1100 working on this topology:

WAN <—> Fortigate 172.16.250.254/29 <----> 172.16.250.253/29 P10 RB1100 172.16.0.0/24 <----> VLAN Switch <—> Users

Routes
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static
 #   FLAGS  DST-ADDRESS         PREF-SRC        GATEWAY             DISTANCE
 0   A S    0.0.0.0/0                           172.16.250.254      1
 1     S    0.0.0.0/0                           200.85.183.173      1
 2   X S    0.0.0.0/0                           200.89.129.193      20
 3   ADC    1.1.1.1/32          172.16.0.254    Cliente Centro      0
 4   ADC    1.1.1.2/32          172.16.0.254    Cliente Cipolletti  0
 5   ADC    10.0.0.0/24         10.0.0.1        ether9              0
 6   A S    10.8.0.0/24                         172.16.0.15         1
 7   ADC    172.16.0.0/24       172.16.0.254    vlan 200            0
 8   ADC    172.16.1.0/24       172.16.1.254    vlan 300            0
 9   A S    172.16.5.0/24                       Cliente Centro      1
10   A S    172.16.6.0/24                       Cliente Cipolletti  1
11   ADC    172.16.30.0/26      172.16.30.62    vlan 550            0
12   ADC    172.16.30.64/26     172.16.30.126   vlan 500            0
13   ADC    172.16.250.248/29   172.16.250.253  ether10             0
14   A S    192.168.3.0/24                      172.16.0.146        1
15   ADC    200.85.183.172/30   200.85.183.174  ether8              0

We want to take the Fortigate out of the equation, so I configured a second WAN link directly on the Mikrotik (port 8).

PROBLEM
When I switch the default gateway to the new one, Internet access is gone.

SITUATION
I can ping from LAN to new WAN address (200.85.183.174)
I can’t ping from LAN to new WAN gateway address (200.85.183.173)
I can access Mtik from LAN and ping my local gateway (172.15.0.254)
I can ping from Internet to WAN address (200.85.183.174)
I can ping from Internet to WAN gateway address (200.85.183.173)

I’ve torched the new WAN interface and I see that packets coming from the Internet can’t reach me =/

I have set up the srcnat masquerade rule in this way:

  • Chain=SRCNAT
    Action=Masquerade
    Out. Interface= eth8 (where I setup new WAN)

Hi,

your routing table shows that 172.16.250.254 is still the active default gateway.
I guess the active default gateway should be 200.85.183.173?

Try disabling port 10 (to your Fortigate) and/or the default route using 172.16.250.254.

Another thing to consider: did you adapt your firewall rules, for example to allow ICMP from your new WAN IP?

Ape

The routing table didn’t show 172.16.250.254 as active. I managed to resolve it in a strange way (?):

In “Connections” in the Firewall menu I wasn’t seeing any connections (BTW), so I set “Tracking” to on and voilà!!
I couldn’t find anything on the forums regarding this issue, but it’s “reproducible”.

Today I’m starting a new fight:

Load balancing with FO and properly configured firewall filters.

Hi.

Yes, that’s right. You need to enable connection tracking in order to have NAT working.

It’s not an issue, it’s a feature: Connection tracking needs additional resources, like CPU and RAM, so it’s up to you to enable or disable it. In order to build a stateful firewall or to use NAT it must be enabled of course. In RouterOS (>= 6.0) connection tracking’s default is “auto”, so it’s automatically active when you use features which depend on connection tracking.

For assistance regarding firewall rules, search the board, there are many threads which can guide you through the basics.

Ape
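The pieces this thread ends up needing, as an added RouterOS CLI example (not the original poster’s or Ape’s configuration): connection tracking on, masquerade out of the new WAN, the default route via the new gateway, and a minimal stateful input filter. It assumes ether8 is the second WAN port and uses the gateway address from the routing table above; the comment strings are placeholders.

```routeros
# Added example, not the thread's own config. Assumes ether8 = new WAN link,
# 200.85.183.173 = new ISP gateway (both taken from the routing table above).

# 1. Connection tracking must be on before NAT can work. "auto" (the >= 6.0
#    default) also works; the OP had it disabled, which is why the
#    Connections list was empty and return traffic from the Internet was dropped.
/ip firewall connection tracking set enabled=yes

# 2. Source NAT for everything leaving through the new WAN interface.
/ip firewall nat add chain=srcnat out-interface=ether8 action=masquerade comment="srcnat via second WAN"

# 3. Default route via the new gateway. check-gateway=ping marks the route
#    inactive when the gateway stops answering, the basis for later failover.
/ip route add dst-address=0.0.0.0/0 gateway=200.85.183.173 distance=1 check-gateway=ping comment="default via second WAN"

# 4. Stateful input filter on the WAN port: keep replies to tracked flows,
#    allow ICMP so the new WAN IP stays pingable (Ape's point), drop the rest.
/ip firewall filter add chain=input in-interface=ether8 connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=ether8 protocol=icmp action=accept
/ip firewall filter add chain=input in-interface=ether8 action=drop

# Verification: tracking state, which default route is active, and that
# NATed connections now appear in the connection table.
/ip firewall connection tracking print
/ip route print where dst-address=0.0.0.0/0 active
/ip firewall connection print
```

Run the verification commands after a LAN host has opened a connection to the Internet; an empty connection table with tracking enabled points back at the filter or routing, not NAT.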