Source NAT help with RB750gr3

I would like some assistance trying to get source NAT working with the RB750gr3. I’m fairly new to Mikrotik so I’ve probably made a simple mistake.

Here’s a network diagram showing the setup:

https://i.imgur.com/NBEE1ho.png

TLDR: outgoing traffic from servers 10.10.15.1 or 10.10.115.1 is not getting translated to 10.100.200.x.

We have a private connection to a 3rd party provider at two different sites. The provider is upgrading their network and we needed to purchase new routers that support BGP, as our existing site routers do not (at least not without expensive licences).

I bought two of the RB750gr3’s as they seemed perfect for our purposes. The plan was that we would set up a GRE tunnel between the two Mikrotik routers over our internal network to advertise routes via BGP. This will provide failover across the sites; if our primary site link is down, it could route across the GRE tunnel and use the secondary link without manual intervention. So far, BGP and GRE are both working.

The provider issued us particular IP addresses that we must use to connect to their system; other addresses are blocked by their firewall. So we need to translate our server’s IP address to one of the provider’s specified addresses using source NAT. The connection is outgoing from us; the provider does not initiate connections to us. So I don’t believe we need to set up destination NAT.

I have added these specified addresses (10.100.200.x) to the Bridge interface on the routers, and am advertising them with BGP. The provider confirms they have a BGP route to these addresses.

On the router terminal, I can ping the provider server if I specify the source address, e.g. ‘ping 10.x.x.x src-address=10.100.200.1’. When I try to do the same from the server, the translation doesn’t work and the pings time out. The provider tech says they can see the firewall blocking the connection, as the packets are coming in on the wrong IP address (10.10.15.1). This is happening at both sites.

If I try to ping from the server to the SDWAN router’s LAN IP - 10.10.20.2 - I can see the srcnat rule is activating: it shows up in the Mikrotik web interface under IP > Firewall > Connections, and on the NAT page the counter increases. I still can’t ping from our server to any other addresses on the provider’s network, yet I can ping from the router to other addresses if I specify the src-address.

Here is the firewall/NAT configuration of the primary site router:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,new,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat src-address=10.10.15.1 to-addresses=10.100.200.1
add action=src-nat chain=srcnat src-address=10.10.115.1 to-addresses=10.100.200.2

As we don’t want to filter or block any packets (this isn’t connected to the internet), I have disabled all of the default ‘block’ firewall rules. I have also disabled the default masquerade NAT rule since, as I understand it, it isn’t required in this case. I could be wrong though!

I would appreciate any assistance with getting the NAT translation rules working for the server IPs.
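A scoped and verifiable version of the two srcnat rules, added here as an example rather than the poster's own config; PROVIDER-NET/PREFIX is a placeholder because the post does not give the provider's address range, and the log prefixes and comments are chosen here. Restricting the rules to the provider destination keeps internal traffic (such as pings to 10.10.20.2) untranslated, and the checks below show where the translation is or is not taking effect.

```routeros
# Added example, not the original poster's configuration.
# Assumption: the provider's network is PROVIDER-NET/PREFIX (placeholder);
# these two rules replace the two unscoped src-nat rules in the post.

/ip firewall nat
# Translate only traffic bound for the provider; traffic to internal
# addresses keeps its real source address.
add chain=srcnat src-address=10.10.15.1 dst-address=PROVIDER-NET/PREFIX \
    action=src-nat to-addresses=10.100.200.1 \
    log=yes log-prefix="SRCNAT-15" comment="server 10.10.15.1 -> provider"
add chain=srcnat src-address=10.10.115.1 dst-address=PROVIDER-NET/PREFIX \
    action=src-nat to-addresses=10.100.200.2 \
    log=yes log-prefix="SRCNAT-115" comment="server 10.10.115.1 -> provider"

# Checks to run on the router while a ping to the provider runs from the server.
# 1. The matching rule's packet/byte counters should increase.
/ip firewall nat print stats
# 2. The tracked connection should exist and show the translated address
#    on its reply side; if it is absent, the packet never reached srcnat.
/ip firewall connection print detail where src-address~"^10.10.15.1"
# 3. Packets actually leaving the router should carry 10.100.200.1;
#    if 10.10.15.1 is still seen here, the rule is not matching.
/tool sniffer quick ip-address=10.100.200.1
# 4. The log records each new connection the rule translated.
/log print where message~"SRCNAT"
```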