Src-nat and Mangle with PBR

DuffMan · October 12, 2016, 10:09am

Hi,
I am trying to solve a problem that seems fairly basic to me.
I have 1 Router RB3011
It has 2 Wan connections.
Lets give them IP’s: connection1: 1.1.1.1 connection 2: 1.1.1.50
Each IP has a wan subnet on it, the one has a /29 and the other a /30
connection 1: 2.2.2.0/29 connection 2: 2.2.2.12/30

I have three 0.0.0.0/0 routes, one has routing mark “to connection1” with the gateway of wan1, the other has routing mark “to connection2” with gateway of wan2 and the last one has no routing mark for anything that is left, to wan1 also.

I have a Mangle rule with mark routing that looks at src address and decided to which wan connection it needs to go so src: 2.2.2.0/29 dst !2.2.2.0/29 mark routing “to connection1” and src 2.2.2.12/30 dst !2.2.2.12/30 mark routing “to connection2”
This worked well for sending the traffic out of each wan connection for each subnet.

Up to this point something else was doing nat for me, but now i want to run nat on the router.
So i added the lan subnet, and i added srcnat rules for traffic, lets say 192.168.0.0/24 srcnat 2.2.2.1
This also works and i can see if I change the srcnat rule my wan ip changes by going to ipchicken.com

Problem is if I try and set my wan ip as 2.2.2.13, i can’t get out anymore, because my traffic is exiting via wan1 and not via wan2 like it should.
I am guessing the reason for this is because the mangle rule that looks at the source address and tries to match it to 2.2.2.12/30 is no longer being triggerred to mark my connection becayse my source ip address is 192.168.0.10, so i get no routing mark, then i get source natted and my source ip changes to 2.2.2.13, but I am already set to leave via wan1. Hence no connection.

I can confirm this by adding a tempoary mangle rule to say src address 192.168.0.10 mark routing “to connection2” and my connection works fine.

I want to decide which wan ip I get at src nat and do not want to have to duplicate each rule in mangle also, is this possible, or the only way is to have the src nat rule set the wan ip, and then again under mangle.

This also causes problem if i try to dst nat from a wan ip to a internal address because the return connection leaves via the wrong wan and so doesn’t get routed correctly.

Thanks
Duffman

DuffMan · October 12, 2016, 10:38pm

So I managed to solve this problem sort off. At least improved the situation.
I decided to mark connection on incoming connections on each wan connection, that way all incoming connections will leave via the correct wan interface. This meant all port fowards (dst nat) leaves correctly and started working.
It was then a lot simpler to use a simple mangle rule with address list to match my mangle outgoing traffic to my source nat rule.
It still would have been nice to just be able to set the source IP with a source nat rule and the router will know which interface it should leave on, but i guess this is not possible due to the order of things in Mikrotik.

I did try and read the packetflow wiki article but it looks super complicated.