Simple NAT between 2 gateways with address lists

Hi guys,

I am trying to let half my computers use one gateway and the other half another gateway.

I read the wiki and a few how-tos and it seemed pretty simple, but mine is not working.

I have gateway 1,2

Then I created an IP list with all the IPs I want to go through one gateway and all the IPs for gateway2.

I then created two static routes with routing mark gat1 and gat2.

Then I went to mangle and created a prerouting, with sourcelist (gateway1), and then I mark the route with gat1.

Have I done it wrong under firewall?


Cause from what I can see, it is only working for uploading and not downloading?

Please can you help me?

OK, I have been playing around and I have realised that it's only not working on the PPPoE accounts.

It works when your gateway is ether2, but not when your gateway is pppoe_1.

Why is this?

I'm thinking maybe the “prerouting” function is not catching the PPPoE traffic, as PPPoE interfaces may enter the routing process at a different phase?

Is prerouting right?

How's it, guys,


Can someone please help me?

I am trying to add route marks to my internet route, but when I do, the internet does not work?

I am simply marking the routing mark from an IP list?

Then you just put the route mark under your route?

Are both of your internet connections delivered by PPPoE, and are they perchance from the same ISP, and have the same default gateway?

One is PPPoE
and one is LAN.

Not the same ISP.

What you have described should work easily. Are you sure it isn’t working? Are you seeing traffic hitting both mangle rules?

Can you post your mangle rules and route list?

I have 2 static routes:

lan: routemark:lan
pppoe: routemark:pppoe

People under pppoe get no internet?

27   ;;; lan route mark
     chain=prerouting action=mark-routing new-routing-mark=lan 
     passthrough=yes src-address-list=pack3 

28   ;;; pppoe  route mark
     chain=prerouting action=mark-routing new-routing-mark=pppoe 
     passthrough=yes src-address-list=pack2

Skype still works though, not internet???

You stated in your first post that the static default routes were using routing marks gat1 and gat2, but the mangle rules are marking the two groups as “lan” or “pppoe”. They will need to match up with each other to make it work.

Do you have a src-nat rule for each group specifying the outgoing interface?

I changed them to make more sense on the forum.

I just redid it; I deleted the original config as it was not working.


Do you have a src-nat rule for each group specifying the outgoing interface?

Nope?
What am I meant to do with that?

In order for PCs on the inside of your network to access the internet through either connection, you will have to do some sort of src-nat on each interface. The simplest type of src-nat for this application is masquerade.

If, for instance, your internal network address was 192.168.0.0/24, you might use rules such as these:


1 chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=pppoe-out1
2 chain=srcnat action=masquerade src-address=192.168.0.0/24 out-interface=ether1-LAN


You mentioned the clients being directed out the LAN interface were working and the clients being directed out the PPPoE interface were not. Is it possible that you have another router between the LAN interface and your ISP that is already doing src-nat/masquerade?

The other possibility that springs to mind is that your client PCs are using a DNS server that belongs to the ISP you are accessing via your LAN port. If this is the case, client PCs being redirected out the ISP you are running PPPoE to would not be able to reach the DNS server, and hence not be able to resolve any domain names.

This may account for why Skype works, but nothing else appears to (I don’t think Skype relies on DNS to work). You can easily check this by doing a traceroute to an external IP address instead of a host name.

If this is your issue, you could rectify this by running a caching DNS on the MikroTik router and changing your DHCP scope to hand out the LAN IP address of your MikroTik router as the DNS server for your internal network.

OK,

I have masquerade on the router. I have not put in any interface names (so it should just do it on all and any of the interfaces that it needs to?).


I have Google's DNS server 8.8.8.8 in the MikroTik and all my clients use MikroTik as their DNS server?

The LAN one does have a modem upstream.


I see your logic to my problem, but I have tried the same thing? It's odd.

I was thinking, is it not maybe marking the route in the wrong place? Don't PPPoE interfaces come into the router at a different stage in the routing process to physical interfaces?

Post your actual configuration instead of describing it, together with a topology drawing.
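
Added example, not part of the thread and not any poster's configuration: the pieces discussed above (address lists, mangle routing marks, matching marked default routes, per-interface masquerade, router-side DNS) put together in RouterOS v6-style syntax. The list names pack2/pack3, the marks lan/pppoe, the interface names and 192.168.0.0/24 come from the posts; the client addresses and the upstream gateway 192.0.2.1 are constructed placeholders.

```routeros
# Constructed sample clients; replace with the real members of each group.
/ip firewall address-list
add list=pack3 address=192.168.0.10 comment="uses LAN uplink"
add list=pack2 address=192.168.0.20 comment="uses PPPoE uplink"

# Mark routing per group as packets from the clients enter the router.
/ip firewall mangle
add chain=prerouting src-address-list=pack3 action=mark-routing \
    new-routing-mark=lan passthrough=yes comment="lan route mark"
add chain=prerouting src-address-list=pack2 action=mark-routing \
    new-routing-mark=pppoe passthrough=yes comment="pppoe route mark"

# One default route per mark. The routing-mark value must be spelled
# exactly as new-routing-mark in the mangle rules above.
# 192.0.2.1 is a placeholder for the modem upstream of the LAN uplink.
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=lan
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=pppoe

# Masquerade scoped to each outgoing interface, so each rule only
# translates traffic that actually leaves through that uplink.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.0.0/24 \
    out-interface=pppoe-out1
add chain=srcnat action=masquerade src-address=192.168.0.0/24 \
    out-interface=ether1-LAN

# Router as caching DNS for the clients. allow-remote-requests=yes answers
# on every interface, so drop DNS arriving on both uplinks to avoid
# exposing an open resolver to the internet.
/ip dns set servers=8.8.8.8 allow-remote-requests=yes
/ip firewall filter
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=drop
add chain=input in-interface=ether1-LAN protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1-LAN protocol=tcp dst-port=53 action=drop

# Check that both mangle rules and both NAT rules are counting packets.
/ip firewall mangle print stats
/ip firewall nat print stats
```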