Getting some additional capacity for the network and have a second ISP coming into the core router.
All is well except for a couple nagging issues that are keeping me from moving traffic to the new services.
The main problem is I am unable to perform NAT on a couple of private subnets using the new ISP publics.
Below is essentially what is taking place. All OSPF adjancencies are formed and routes are present on any tower router.
I am testing the process with a VPN subnet I have setup and use a srcnat rule to make the VPN my drain. I can ping IP addresses but resolving host addresses does not happen. Makes one think its DNS but I switch the public IP from 4.4.4.0/29 to 2.2.2.0/29 and all is fine.
I can apply a 4.4.4.0/29 public IP to a host inside the network and it routes out fine. However, the mangle rule I have set to mark ISP2 traffic appears to be working (bytes/packets are counting) but I never see the connection marks listed in the firewall connections list.
What additional rule do I need to apply to the src-nat rule to make this new subnet usable for the Nat’d internal subnets?
Thanks
That mangle rule has passthrough=yes so check that it isn’t being overwritten by a later rule.
If you are using routing marks also make sure that you have an entry in the routing table with that same routing mark routing back to the non-NATed source address.
Thanks for replying CelticComms
The mangle rule is the only one in the table.
As far as the routing table, here is what I have for the two default routes:
Since I am already doing a mangle on any of the /25 IP’s from the subnet, the 2nd routing table for traffic from the ISP is accounted for and a policy can be made against it.
The 10.255.255.0 subnet is just the test VPN subnet I made for testing. Adding this rule and changing the SRCNAT rule in the firewall for the isp2 IP I wanted to use allowed me to NAT correctly now.
The rule looks like the alternate way of achieving what you were originally doing with mangle. However your routing table default route entry for ISP2 looks wrong:
/ip route
add comment=“Default route for anything marked as isp2” disabled=no distance=
1 dst-address=0.0.0.0/0 gateway=198.x.x.x routing-mark=Showme scope=30
target-scope=10I would have expected the routing mark here to be “isp2” (matching the mangle rule) and not “Showme”.
That is just a typo. It is isp2.
As I understand it. It works (how I have it setup) by marking the packets destined to the ISP2 public subnet. The default route is just there as a pointer for where to go once I make a routing rule for whatever LAN subnet or IP I want to send to ISP2. Now, I will cross my fingers and make a couple more rules for the other two production subnets I want to move to the new ISP.
Is my thinking correct or should I approach it another way? Maybe not even have the default route at firewall -NAT and just add destination 0.0.0.0/0 to the route rule.
I’ll tool around with it.
