Hi All!
I am a newbie in MikroTik and have an issue with SrcNAT in the firewall.
I have 2 connections to the Internet by PPPoE - pppoe-out1 and pppoe-out2. I created some rules to work with them in firewall mangle:
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=change-mss new-mss=1440 tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1441-65535
1 D chain=forward action=change-mss new-mss=1360 tcp-flags=syn protocol=tcp in-interface=all-ppp tcp-mss=1361-65535
2 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
3 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
4 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
5 chain=input action=mark-connection new-connection-mark=cin-ISP1 passthrough=yes connection-mark=no-mark in-interface=pppoe-out1 log=no
6 chain=input action=mark-connection new-connection-mark=cin-ISP2 passthrough=no connection-mark=no-mark in-interface=pppoe-out2 log=no
7 chain=prerouting action=mark-routing new-routing-mark=ISP2-sip passthrough=no dst-address=10.1.246.2 log=no log-prefix=""
8 chain=output action=mark-routing new-routing-mark=route-ISP1 passthrough=no connection-mark=cin-ISP1
9 chain=output action=mark-routing new-routing-mark=route-ISP2 passthrough=no connection-mark=cin-ISP2
10 chain=prerouting action=mark-routing new-routing-mark=LAN-out-ISP1 passthrough=no protocol=tcp dst-address=!192.168.0.0/16 dst-address-type="" in-interface=bridge
dst-port=80,443,110,25,2345,500,22,1122,995,8728,8729,8291 log=no log-prefix=""
11 chain=prerouting action=mark-routing new-routing-mark=LAN-out-udp passthrough=no routing-mark=!ISP2-sip protocol=udp dst-address=!192.168.0.0/16 dst-address-type="" in-interface=bridge
dst-port=500,2345,53,5060,5061 log=no log-prefix=""
12 chain=prerouting action=mark-routing new-routing-mark=LAN-out-ISP2 passthrough=no dst-address=!192.168.0.0/16 dst-address-type="" in-interface=bridge log=no log-prefix=""
I also created routing rules for this mangle:
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=3 scope=30 target-scope=10 routing-mark=route-ISP1
1 S dst-address=0.0.0.0/0 gateway=pppoe-out2 gateway-status=pppoe-out2 reachable distance=5 scope=30 target-scope=10 routing-mark=route-ISP1
2 A S dst-address=0.0.0.0/0 gateway=pppoe-out2 gateway-status=pppoe-out2 reachable check-gateway=ping distance=3 scope=30 target-scope=10 routing-mark=route-ISP2
3 S dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=5 scope=30 target-scope=10 routing-mark=route-ISP2
4 A S dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable check-gateway=ping distance=3 scope=30 target-scope=10 routing-mark=LAN-out-ISP1
5 S dst-address=0.0.0.0/0 gateway=pppoe-out2 gateway-status=pppoe-out2 reachable distance=5 scope=30 target-scope=10 routing-mark=LAN-out-ISP1
6 A S dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable check-gateway=ping distance=3 scope=30 target-scope=10 routing-mark=LAN-out-udp
7 A S dst-address=0.0.0.0/0 gateway=pppoe-out2 gateway-status=pppoe-out2 reachable distance=3 scope=30 target-scope=10 routing-mark=LAN-out-ISP2
8 S dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=5 scope=30 target-scope=10 routing-mark=LAN-out-ISP2
11 A S dst-address=10.1.246.2/32 gateway=ether8-ISP2 gateway-status=ether8-ISP2 reachable check-gateway=ping distance=1 scope=30 target-scope=10
12 ADC dst-address=10.48.118.128/25 pref-src=10.48.118.153 gateway=ether8-ISP2 gateway-status=ether8-ISP2 reachable distance=0 scope=10
15 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge gateway-status=bridge reachable distance=0 scope=10
I want to connect from my LAN (192.168.88.0/24) to 10.1.246.2 (this address is in the ISP2 network) and I created a rule for NAT, but it does not work:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=10.48.118.153 routing-mark=ISP2-sip dst-address=10.1.246.2 log=yes log-prefix=""
1 ;;; defconf: masquerade
chain=srcnat action=masquerade routing-mark=LAN-out-ISP2 src-address=192.168.0.0/16 dst-address=!10.1.246.2 out-interface=pppoe-out2 log=no log-prefix=""
2 chain=srcnat action=masquerade routing-mark=route-ISP2 src-address=192.168.0.0/16 dst-address=!10.1.246.2 out-interface=pppoe-out2 log=no log-prefix=""
3 chain=srcnat action=masquerade to-addresses=X.X.X.X routing-mark=LAN-out-udp protocol=udp src-address=192.168.0.0/16 dst-address=!10.1.246.2 out-interface=pppoe-out1 log=no log-prefix=""
4 chain=srcnat action=masquerade routing-mark=LAN-out-udp src-address=192.168.0.0/16 dst-address=!10.1.246.2 out-interface=pppoe-out1 log=no log-prefix=""
5 chain=srcnat action=masquerade routing-mark=LAN-out-ISP1 src-address=192.168.0.0/16 dst-address=!10.1.246.2 out-interface=pppoe-out1 log=no log-prefix=""
The Internet works fine, but the rule for SIP does not work.
I see this in the log (I created a mangle rule in postrouting to check this):
16:43:55 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto ICMP (type 8, code 0), 192.168.88.50->10.1.246.2, NAT 192.168.88.50->10.1.246.2, len 84
16:43:55 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto ICMP (type 8, code 0), 192.168.88.50->10.1.246.2, NAT 192.168.88.50->10.1.246.2, len 84
16:43:56 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto ICMP (type 8, code 0), 192.168.88.50->10.1.246.2, NAT 192.168.88.50->10.1.246.2, len 84
16:43:56 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto ICMP (type 8, code 0), 192.168.88.50->10.1.246.2, NAT 192.168.88.50->10.1.246.2, len 84
16:43:57 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto ICMP (type 8, code 0), 192.168.88.50->10.1.246.2, NAT 192.168.88.50->10.1.246.2, len 84
16:43:57 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto ICMP (type 8, code 0), 192.168.88.50->10.1.246.2, NAT 192.168.88.50->10.1.246.2, len 84
16:43:58 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto ICMP (type 8, code 0), 192.168.88.50->10.1.246.2, NAT 192.168.88.50->10.1.246.2, len 84
16:43:58 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto ICMP (type 8, code 0), 192.168.88.50->10.1.246.2, NAT 192.168.88.50->10.1.246.2, len 84
16:43:58 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto UDP, 192.168.88.50:5060->10.1.246.2:5060, len 433
What should I do to resolve this issue?
The RouterOS version is 6.37.4.
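As an added check that is not part of the original post: a small Python parser for RouterOS "firewall,info" log lines of the shape shown above. It classifies each line by whether the NAT field is absent, repeats the original source (as in the ICMP lines in the post), or shows a rewritten source, and lists packets that left the ISP-side interface still carrying a LAN source address. The sample lines, the third "working src-nat" line, and the helper names are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the RouterOS "firewall,info" log format from the post: lines 1-2 are
# the two shapes seen there (NAT field repeating the original tuple; no NAT field at all),
# line 3 is a constructed line showing what a working src-nat to 10.48.118.153 would log.
SAMPLE_LOG = """\
16:43:55 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto ICMP (type 8, code 0), 192.168.88.50->10.1.246.2, NAT 192.168.88.50->10.1.246.2, len 84
16:43:58 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto UDP, 192.168.88.50:5060->10.1.246.2:5060, len 433
16:44:02 firewall,info postrouting: in:(none) out:ether8-ISP2, src-mac 00:0c:29:35:4e:a1, proto UDP, 192.168.88.50:5060->10.1.246.2:5060, NAT 10.48.118.153:5060->10.1.246.2:5060, len 433
"""
LINE_RE = re.compile(  # IPv4 only; endpoints are "ip" (ICMP) or "ip:port"; NAT field optional
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,\w+ (?:(?P<prefix>[^:]+): )?"
    r"in:(?P<in>\S+) out:(?P<out>[^,]+),(?: src-mac [0-9a-f:]+,)?"
    r" proto (?P<proto>[A-Z]+)(?: \([^)]*\))?, (?P<src>[\d.:]+)->(?P<dst>[\d.:]+)"
    r"(?:, NAT (?P<nat_src>[\d.:]+)->(?P<nat_dst>[\d.:]+))?, len (?P<len>\d+)$"
)

@dataclass
class FwLogEntry:
    time: str
    out_iface: str
    proto: str
    src: str                 # original source endpoint
    dst: str
    nat_src: Optional[str]   # source after NAT, None when the line carries no NAT field
    length: int
    def nat_status(self) -> str:
        """'none' = no NAT field, 'untranslated' = NAT repeats the original source, else 'translated'."""
        if self.nat_src is None:
            return "none"
        return "untranslated" if self.nat_src == self.src else "translated"

def parse_line(line: str) -> Optional[FwLogEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return FwLogEntry(m["time"], m["out"], m["proto"], m["src"], m["dst"], m["nat_src"], int(m["len"]))

def leaked_private_sources(log_text: str, lan: str, wan_iface: str) -> List[FwLogEntry]:
    """Entries leaving wan_iface whose effective (post-NAT) source is still a LAN address."""
    net = ipaddress.ip_network(lan)
    leaks = []
    for e in filter(None, map(parse_line, log_text.splitlines())):
        effective_ip = (e.nat_src or e.src).rsplit(":", 1)[0]   # strip ":port" if present
        if e.out_iface == wan_iface and ipaddress.ip_address(effective_ip) in net:
            leaks.append(e)
    return leaks
```

Run `leaked_private_sources` over the router's exported log with the LAN prefix and the ISP-side interface; any entry it returns is a packet that left without source translation.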