Routing and NAT with Mangle Rules.. no go?

I have a quick question.

I am natting 5 IP addresses:

ip firewall nat print

0 chain=dstnat in-interface=eth2_outside dst-address=xx.79.169.22 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.234 to-ports=8080

1 chain=srcnat src-address=192.168.1.234 protocol=tcp action=src-nat to-addresses=xx.79.169.22 to-ports=0-65535

2 chain=dstnat in-interface=eth2_outside dst-address=xx.79.169.19 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.231 to-ports=8080

3 chain=srcnat src-address=192.168.1.231 protocol=tcp action=src-nat to-addresses=xx.79.169.19 to-ports=0-65535

4 chain=dstnat in-interface=eth2_outside dst-address=xx.79.169.21 protocol=tcp action=dst-nat to-addresses=192.168.1.232 to-ports=80

5 chain=srcnat src-address=192.168.1.232 protocol=tcp action=src-nat to-addresses=xx.79.169.21 to-ports=0-65535

6 chain=dstnat in-interface=eth2_outside dst-address=xx.79.169.23 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.233 to-ports=8080

7 chain=srcnat src-address=192.168.1.233 protocol=tcp action=src-nat to-addresses=xx.79.169.23 to-ports=0-65535

8 chain=dstnat in-interface=eth2_outside dst-address=xx.79.169.30 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.235 to-ports=80

9 chain=srcnat src-address=192.168.1.235 protocol=tcp action=src-nat to-addresses=xx.79.169.30 to-ports=0-65535

The problem I have is that I also need to route traffic for the internal VPN on 10.0.0.0/24 to 192.168.1.1 (the VPN gateway device).

So we have:

VPN 10.0.0.0/24
|
|
192.168.1.1/24 VPN GW device
|
|
Switch---------MT 192.168.1.2/24
|              |
|              |
|              Internet IP space xx.79.169.0/27
|
Computers 192.168.1.0/24 gw at 192.168.1.2

When traffic comes from 192.168.1.1 with a src-address of 10.0.0.24 and hits the computers at 192.168.1.21, for example, the MT at 192.168.1.2 sees the NAT rules and does not route the traffic properly.

I have tried setting a mangle rule for dst-address 10.0.0.0/24 so it can route back properly and not hit the NAT rules.

[admin@MikroTik] ip firewall mangle add action=mark-routing new-routing-mark=nonat chain=prerouting
[admin@MikroTik] ip route> add gateway=192.168.1.1 routing-mark=notnat
[admin@MikroTik] ip route rule> add dst-address=10.0.0.0/24 table=notnat action=lookup
[admin@MikroTik] ip route rule> print
Flags: X - disabled, I - invalid
0 sdst-address=10.0.0.0/24 action=lookup table=notnat
[admin@MikroTik] ip route rule>

This does not seem to work and the traffic appears to be hitting the NAT rules still.

I have tried a few other things and still no go. I just put 2.9.30 up as well. Still no change.

Any ideas?

Thanks

Tim

Can you put NAT rules in at the top of the chain that perform a 'return' action if they are coming from the source nets / interfaces that you don't want to NAT? Dump them out of the NAT chain early to bypass NAT for them?

Sam

I don't know. I figured marking the dst-address with a routing-mark to be routed in prerouting would get them to route before the NAT rules. It is not the src or interface I am trying to route by but the dst-address that they want to get to, the VPN traffic.

Clients need a route on them that indicates that the 10.0.0.0 network is behind the 192.168.1.1 gateway.

Regards

Andrew
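Putting Sam's "bypass NAT early" idea and Andrew's routing point together, here is an added RouterOS configuration example (not posted by anyone in the thread) for the addressing shown above. It assumes the public interface is really named eth2_outside, that the MT should carry the 10.0.0.0/24 route for the clients, and that the first src-nat rule is the one for 192.168.1.234.

```routeros
# Added example, not from the thread. Addressing as in the diagram:
# VPN 10.0.0.0/24 behind 192.168.1.1, MikroTik at 192.168.1.2,
# public side on eth2_outside (assumed interface name).

# 1. Routing: the MT needs to know 10.0.0.0/24 lives behind the VPN
#    gateway device. Clients that use 192.168.1.2 as their gateway then
#    reach the VPN through the MT. (Alternatively put this route on the
#    clients themselves, as Andrew suggests.)
/ip route add dst-address=10.0.0.0/24 gateway=192.168.1.1 comment="VPN net via gateway device"

# 2. NAT bypass: action=accept in the srcnat chain ends NAT processing
#    for that packet without translating it. place-before=0 puts it
#    ahead of the per-host src-nat rules so it is evaluated first.
#    Note: a routing-mark does not skip NAT, and the transcript above
#    marks "nonat" in mangle but looks up "notnat" in the route rule,
#    so that path would not have matched in any case.
/ip firewall nat add chain=srcnat dst-address=10.0.0.0/24 action=accept place-before=0 comment="do not src-nat traffic to the VPN"

# 3. Defensive tightening: restrict each src-nat rule to packets that
#    actually leave via the public interface, so LAN-to-LAN or
#    LAN-to-VPN traffic can never be rewritten to a public address.
#    Shown for the first host; repeat for 192.168.1.231/.232/.233/.235.
/ip firewall nat set [find chain=srcnat src-address=192.168.1.234] out-interface=eth2_outside

# 4. Verify: the accept rule should sit at index 0 and its packet
#    counter should climb while a LAN host pings something in 10.0.0.0/24;
#    the src-nat counters for that host should stay flat.
/ip firewall nat print stats
/ip route print where dst-address=10.0.0.0/24
```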