SRC NAT for output chain??

We have recently been assigned public IPs for our network and are using them for customers. We are still using a lot of private IPs inside our network, especially between highsites.

We have an SRC NAT rule that still masquerades all traffic leaving our network that comes from the internal private IPs. So this NATs everything except our public IPs.

We also have local loopback IPs assigned to a bridge interface (no ports added to the bridge) so that OSPF and BGP work better.


What we would like to do is have all traffic originating from the router itself (DNS requests, RADIUS communication, etc.) that leaves our network be src-nated to (come from) the public IP assigned on the loopback interface. How can we do this without affecting traffic passing through the router (forward chain) from other towers?

The main reason we want to do this is that our RADIUS servers are hosted outside our network. When adding all our towers/routers to the RADIUS server, you have to specify the source IP address so that disconnect packets can be sent back to the router when a customer reaches their service limit or is suspended for not paying. So having a single public IP per tower that RADIUS communication comes from is the ideal solution.

You should be able to mark packets in the mangle output chain and then src-nat them to the address you like, based on the mark you set up.

Oh yes! That’ll work. Thanks!

Could you please provide a more detailed solution? I'm currently facing the same issue. I've created a mangle rule to mark traffic in the output chain. With logging turned on I can see the mangle rule catching the traffic. Then I try to create a src-nat rule to catch the marked traffic and change its source address, but nothing happens.

That srcnat rule needs only one condition (connection-mark=), so it's hard to mess up. Also, don't forget that the order of rules matters: they are processed from top to bottom and the first matching one is used.
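The mark-then-src-nat approach from the two replies above, written out as a complete RouterOS firewall fragment. This is an added example, not configuration posted by anyone in this thread: the interface name ether1-wan, the loopback public address 203.0.113.10, the private range 10.0.0.0/8 and the connection mark name router-out are assumptions to be replaced with your own values.

```routeros
# Added example (not from this thread). Assumed values:
#   ether1-wan     = upstream interface towards the internet
#   203.0.113.10   = public IP on the loopback bridge (documentation range, RFC 5737)
#   10.0.0.0/8     = private addressing used between highsites
#   router-out     = arbitrary connection-mark name

/ip firewall mangle
# Mark only NEW connections the router itself originates (chain=output) that are
# headed outside the network. dst-address=!10.0.0.0/8 keeps OSPF/BGP/RADIUS-to-
# internal hosts untouched; out-interface limits it to the upstream link.
# Marking the connection (not each packet) is enough, because conntrack then
# reverses the translation on the replies automatically.
add chain=output connection-state=new out-interface=ether1-wan \
    dst-address=!10.0.0.0/8 action=mark-connection \
    new-connection-mark=router-out passthrough=yes \
    comment="mark router-originated traffic leaving the network"

/ip firewall nat
# Single-condition src-nat on the connection mark, placed ABOVE the existing
# masquerade rule (place-before=0 puts it at the top of the srcnat chain).
# First match wins, so if masquerade sat above it the mark would never be used.
add chain=srcnat connection-mark=router-out action=src-nat \
    to-addresses=203.0.113.10 place-before=0 \
    comment="router-originated traffic leaves from loopback public IP"

# Existing catch-all for private-addressed forward traffic (unchanged, stays below).
add chain=srcnat src-address=10.0.0.0/8 out-interface=ether1-wan \
    action=masquerade comment="masquerade internal private IPs"

# Verification after a RADIUS/DNS request has gone out:
/ip firewall nat print stats            ; src-nat counter must increment before masquerade
/ip firewall connection print where connection-mark=router-out
#   reply-src-address should be 203.0.113.10, reply-dst-address the remote server
```

Because the srcnat rule matches on connection-mark rather than packet-mark, only the first packet of each connection has to hit the mangle rule; connection tracking carries the mark and the NAT mapping for the rest of the flow in both directions. If the `connection print` output shows the mapping but replies still arrive unchanged, check that the replies actually reach ether1-wan with dst 203.0.113.10 (i.e. that the loopback IP is routed to this router and not to another tower), since conntrack can only un-NAT packets that traverse the router holding the connection entry. For pure source-address selection of router-originated traffic, the routing table's pref-src= option on the default route is an alternative that avoids NAT altogether; the firewall method above is still the right tool when only some router traffic should use the loopback address.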

Yeah, the mangle rule and src-nat seem to be working fine. The torch tool shows me that I receive responses to my substitute address, but they're not being translated back to the original address.
I think I'd better start a new topic about my issue, because there are some configuration aspects that might affect the situation.