src-nat Rules via 2 WAN-Interfaces

I have a question regarding NAT rules.

The current setup on our router uses mangle to use both external IP addresses with the same gateway.


[admin@rz-rtr01] /ip firewall mangle> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-connection new-connection-mark=conWan1 passthrough=yes in-interface=ether1

1 chain=prerouting action=mark-connection new-connection-mark=conWan2 passthrough=yes in-interface=ether6-net5

2 chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=conWan1 in-interface=local

3 chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=no connection-mark=conWan2 in-interface=local

4 chain=output action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=conWan1

5 chain=output action=mark-routing new-routing-mark=wan2 passthrough=no connection-mark=conWan2


88...242/26 ether1 (routing-mark wan1) and 88...244/26 ether6-net5 (routing-mark wan2)

Now I want a few VMs to be able to reach the WWW via srcnat.

It will only work if I set the following rule:
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.21 dst-address=0.0.0.0/0 log=no log-prefix=""

But it will use the external ip: 88...242

This VM is our mail proxy and has to use .242 as its outgoing IP, and another VM should use .244.

If I set an outgoing interface it will not work. But incoming dst-nat is working fine, so both IPs are reachable from outside.

I've received a mail from MikroTik support, but currently it won't work.


You have to use /ip firewall mangle with "connection-nat-state=" and "routing-mark" parameters. That is how you will mark natted network, afterwards add a specific route for this natted and marked connections via CLI:
"/ip route add routing-mark=".

One thing is not clear to me, are both .242 and .244 in same subnet? If so, I don’t know why you have two WAN interfaces, instead of both addresses on just one. Then you wouldn’t need to do anything with routing. Or is it two independent accounts from same ISP and same subnet is only coincidence?

Anyway, if you want to force outgoing connections from some internal address to use specific WAN, just give them correct mark:

/ip firewall mangle
add chain=prerouting src-address=192.168.1.21 connection-mark=no-mark action=mark-connection new-connection-mark=conWan2

It needs to go before route mangling rules. Also, if your addresses are static, it’s better to use src-nat instead of masquerade:

/ip firewall nat
add chain=srcnat action=src-nat out-interface=ether6-net5 to-addresses=88.**.**.244

Thank you!
The two WAN IPs are located in the same subnet, but my ISP offers me a virtual MAC address for each IP. Without this, it will not work.
Do I have to set both rules? Mangle and NAT?

I’ve tried this and set the following rules to use WAN1 88...244

/ip firewall mangle
add chain=prerouting src-address=192.168.1.4 connection-mark=no-mark new-connection-mark=conWan1

/ip firewall nat add chain=srcnat action=src-nat to-addresses=88...244 out-interface=ether1 log=no log-prefix=""

But the VM 192.168.1.4 still cannot reach or ping a server on the WWW like 8.8.8.8.


That sounds strange. Do you mean that they require you to use different MAC address for each IP address?

Unless there’s typo somewhere, according to your first post, you have:

WAN1: .242, ether1
WAN2: .244, ether6-net5

But now you’re trying to use .244 with WAN1.

Hi,

Yes, that’s correct, they provide another MAC address for each IP. RouterOS is running on a KVM hypervisor.

And this was my fault. Wan1 is .244, and wan2 is .242.
So it was already the correct IP, but it will not work.


Did the srcnat rule get any hits?

Try to show your routes (/ip route export).

Hi, no hits. I can see traffic on the accept mangle rule but no traffic on the src-nat rule.

Following the routes.

add distance=1 gateway=88.**.**.193%ether1 routing-mark=wan1
add distance=1 gateway=88.**.**.193%ether6-net5 routing-mark=wan2
add distance=1 gateway=88.**.**.193

If I add a src-nat rule without an out-interface to dst-address 0.0.0.0/0 I can reach the WWW and ping, but only via the wan2 address. If I try your example nothing works.


Do you have rules in this order and not the other way around?

/ip firewall mangle
...
add chain=prerouting src-address=192.168.1.4 connection-mark=no-mark new-connection-mark=conWan1
...
add chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=conWan1 in-interface=local
...

For 192.168.1.4 I currently have dst-nat rules for incoming traffic only. They are working correctly via the wan2 IP.

Additionally I have only created the rules provided by you:

 6    chain=prerouting src-address=192.168.1.4 connection-mark=no-mark 

 7    chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=conWan1 in-interface=local

But the VM still cannot ping.

Following is a printout of all my NAT and mangle rules:


 /ip firewall mangle> pr
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=mark-connection new-connection-mark=conWan1 passthrough=yes in-interface=ether1 

 1    chain=prerouting action=mark-connection new-connection-mark=conWan2 passthrough=yes in-interface=ether6-net5 

 2    chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=conWan1 in-interface=local 

 3    chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=no connection-mark=conWan2 in-interface=local 

 4    chain=output action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=conWan1 

 5    chain=output action=mark-routing new-routing-mark=wan2 passthrough=no connection-mark=conWan2 

 6    chain=prerouting src-address=192.168.1.4 connection-mark=no-mark 

 7    chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=conWan1 in-interface=local

NAT:

 /ip firewall nat pr
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough 

 1 X  chain=srcnat action=masquerade out-interface=*F00004 log=no log-prefix="" 

 2 X  chain=srcnat action=accept out-interface=*F00001 log=no log-prefix="" 

 3 X  chain=srcnat action=masquerade out-interface=*F00001 log=no 

 4 X  chain=srcnat action=accept out-interface=*F00004 log=no 

 5    ;;; required for DNS-lookup for AD
      chain=srcnat action=masquerade src-address=192.168.1.7 dst-address=8.8.8.8 log=no 

 6 X  chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.7 out-interface=ether1 log=no 

 7    ;;; required for DNS-lookup for AD
      chain=srcnat action=masquerade src-address=192.168.1.7 dst-address=213.**.**.98 log=no 

 8    chain=srcnat action=masquerade src-address=192.168.1.7 dst-address=1.1.1.1 log=no log-prefix="" 

 9    chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.11 dst-address=88.**.**.229 out-interface=ether1 dst-port=6556 log=no 
      log-prefix="" 

10    chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.11 dst-address=88.**.**.90 out-interface=ether1 dst-port=6556 log=no 
      log-prefix="" 

11    chain=srcnat action=masquerade protocol=icmp src-address=192.168.1.11 dst-address=88.**.**.229 log=no log-prefix="" 

12    chain=srcnat action=masquerade protocol=icmp src-address=192.168.1.11 dst-address=88.**.**.90 log=no log-prefix="" 

13    chain=dstnat action=dst-nat to-addresses=192.168.1.7 to-ports=389 protocol=tcp src-address=138.**.**.247 dst-address=88.**.**.244 
      in-interface=ether1 dst-port=62389 log=no log-prefix="" 

14    chain=dstnat action=dst-nat to-addresses=192.168.1.21 to-ports=26 protocol=tcp src-address=85.**.**.188 dst-address=88.**.**.244 
      in-interface=ether1 dst-port=226 log=no log-prefix="" 

15    ;;; rz-infpmg01_for_updates
      chain=srcnat action=masquerade protocol=icmp src-address=192.168.1.21 dst-address=0.0.0.0/0 log=no log-prefix="" 

16    ;;; rz-infpmg01_for_updates
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.21 dst-address=0.0.0.0/0 log=no log-prefix="" 

17    ;;; IMAP4
      chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=143 protocol=tcp dst-address=88.**.**.242 in-interface=ether6-net5 dst-port=143 
      log=no log-prefix="" 

18    ;;; SMTP
      chain=dstnat action=dst-nat to-addresses=192.168.1.3 to-ports=25 protocol=tcp dst-address=88.**.**.242 in-interface=ether6-net5 dst-port=25 
      log=no log-prefix="" 

19    ;;; POP3
      chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=110 protocol=tcp dst-address=88.**.**.242 in-interface=ether6-net5 dst-port=110 
      log=no log-prefix="" 

20    ;;; HTTPS
      chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=443 protocol=tcp dst-address=88.**.**.242 in-interface=ether6-net5 dst-port=443 
      log=no log-prefix="" 

21    ;;; HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=80 protocol=tcp dst-address=88.**.**.242 in-interface=ether6-net5 dst-port=80 
      log=no log-prefix="" 

22    ;;; MDM
      chain=dstnat action=dst-nat to-addresses=192.168.4.6 to-ports=9383 protocol=tcp dst-address=88.**.**.242 in-interface=ether6-net5 
      dst-port=9383 log=no log-prefix="" 

23    ;;; Intranet-Extern
      chain=dstnat action=dst-nat to-addresses=192.168.100.2 to-ports=8080 protocol=tcp dst-address=88.**.**.242 in-interface=ether6-net5 
      dst-port=8080 log=no log-prefix="" 

24    ;;; IMAP4 SSL
      chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=993 protocol=tcp dst-address=88.**.**.242 in-interface=ether6-net5 dst-port=993 
      log=no log-prefix="" 

25    ;;; POP3 SSL
      chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=995 protocol=tcp dst-address=88.**.**.242 in-interface=ether6-net5 dst-port=995 
      log=no log-prefix="" 

26    ;;; SMTP authenticated
      chain=dstnat action=dst-nat to-addresses=192.168.1.4 to-ports=587 protocol=tcp dst-address=88.**.**.242 in-interface=ether6-net5 dst-port=587 
      log=no log-prefix="" 

27 X  chain=srcnat action=masquerade src-address=148.1.1.0/24 out-interface=ether1 log=no log-prefix="" 

28    ;;; NAT flk-mailfilter01 outgoing
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.3 dst-address=0.0.0.0/0 out-interface=ether6-net5 log=no log-prefix="" 

29    ;;; NAT flk-mailfilter01 outgoing
      chain=srcnat action=masquerade protocol=udp src-address=192.168.1.3 dst-address=0.0.0.0/0 log=no log-prefix="" 

30    ;;; NAT flk-mailfilter01 outgoing
      chain=srcnat action=masquerade protocol=icmp src-address=192.168.1.3 dst-address=0.0.0.0/0 out-interface=ether6-net5 log=no log-prefix=""

Rules 28-30 are working for outgoing traffic, but only with ether6-net5. If I select ether1 (wan1) here, it stops working.


Masquerade/srcnat rules with out-interface condition only apply if the outgoing connection is routed through given interface. But whether it happens or not is decided elsewhere, and it looks like it doesn’t happen now.

The mangle rule I gave you had also “new-connection-mark=conWan1”, which is missing in mangle rule #6 you posted. I don’t know if perhaps print command didn’t show it (it’s usually better to use export instead of print), but make sure it’s there, because it’s what takes care of correct routing (together with #7). You can also move #6 before #2 and then you wouldn’t need duplicate #7. And of course if you mark routing for 192.168.1.4, masquerade rule for 192.168.1.3 won’t apply to it anyway.

It also looks to me that you could replace all your masquerade rules with just:

/ip firewall nat
chain=srcnat action=masquerade out-interface=ether1
chain=srcnat action=masquerade out-interface=ether6-net5

or:

/ip firewall nat
chain=srcnat action=src-nat to-addresses=88.**.**.244 out-interface=ether1
chain=srcnat action=src-nat to-addresses=88.**.**.242 out-interface=ether6-net5

What you have now seems like it’s meant as kind of firewall, what can go where, which is a little unusual approach.

Thanks.

As information, I do not want every server from network 192.168.1.0/24 to be able to use src-nat to the WWW, so only a few VMs like 192.168.1.4, 192.168.1.3 and 192.168.1.7 with ICMP and TCP should be allowed.

Which rules should I create now?

Temporarily I can disable all src-nat rules to test.



I think I understand what you’re trying to do with those srcnat rules. But if you want to block some traffic, the usual (and I’d say more logical) way is to really block it in forward chain. I don’t know what you have there, but if you’re not blocking unwanted traffic, it means that it still goes out, keeps 192.168.1.x as source and is eventually dropped who knows where. But it’s not the problem here, you can think about it later.

For current problem:

/ip firewall mangle> pr
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=mark-connection new-connection-mark=conWan1 passthrough=yes in-interface=ether1 
 1    chain=prerouting action=mark-connection new-connection-mark=conWan2 passthrough=yes in-interface=ether6-net5 
                                                                                       <--- move it here -------------------+
 2    chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=conWan1 in-interface=local  |
 3    chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=no connection-mark=conWan2 in-interface=local  |
 4    chain=output action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=conWan1                         |
 5    chain=output action=mark-routing new-routing-mark=wan2 passthrough=no connection-mark=conWan2                         |
 6    chain=prerouting src-address=192.168.1.4 connection-mark=no-mark   --- take this, add "new-connection-mark=conWan1" --+
 7    chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=conWan1 in-interface=local <-- delete this

Add this:

/ip firewall nat
chain=srcnat src-address=192.168.1.4 action=masquerade out-interface=ether1
chain=srcnat src-address=192.168.1.4 action=masquerade out-interface=ether6-net5

Don’t forget to decide if you want 192.168.1.3 or 192.168.1.4 and use same address for mangle rule and srcnat rules.

Then try to connect outside and see what happens. If it still won’t work, there could also be some rule in forward chain interfering.
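The pieces described in this thread (per-host connection mark placed above the mark-routing rules, routes per routing-mark, src-nat per WAN, and the forward-chain drop instead of relying on missing NAT rules) collected into one consistent configuration; this is an added example, not any poster's own config. It assumes the addressing from the thread: LAN interface local, ether1 = 88.**.**.244 (routing-mark wan1), ether6-net5 = 88.**.**.242 (routing-mark wan2), gateway 88.**.**.193 on both, masked octets left as the thread shows them; the address-list name nat-allowed is an invented label.

```routeros
# Hosts allowed to reach the Internet (constructed list from the thread).
/ip firewall address-list
add list=nat-allowed address=192.168.1.4 comment="mail server, pinned to WAN1"
add list=nat-allowed address=192.168.1.3 comment="mail filter, pinned to WAN2"
add list=nat-allowed address=192.168.1.7 comment="AD, DNS lookups"

/ip firewall mangle
# 1. Inbound connections remember the WAN they arrived on, so replies leave the same way.
add chain=prerouting in-interface=ether1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=conWan1 passthrough=yes
add chain=prerouting in-interface=ether6-net5 connection-mark=no-mark \
    action=mark-connection new-connection-mark=conWan2 passthrough=yes
# 2. New outbound connections from selected hosts get a WAN pinned. new-connection-mark
#    is only valid together with action=mark-connection, and these rules must sit ABOVE
#    the mark-routing rules below, otherwise the routing mark is never applied.
add chain=prerouting in-interface=local src-address=192.168.1.4 connection-mark=no-mark \
    action=mark-connection new-connection-mark=conWan1 passthrough=yes
add chain=prerouting in-interface=local src-address=192.168.1.3 connection-mark=no-mark \
    action=mark-connection new-connection-mark=conWan2 passthrough=yes
# 3. Connection mark -> routing mark, for forwarded and router-originated packets.
add chain=prerouting in-interface=local connection-mark=conWan1 \
    action=mark-routing new-routing-mark=wan1 passthrough=no
add chain=prerouting in-interface=local connection-mark=conWan2 \
    action=mark-routing new-routing-mark=wan2 passthrough=no
add chain=output connection-mark=conWan1 action=mark-routing new-routing-mark=wan1 passthrough=no
add chain=output connection-mark=conWan2 action=mark-routing new-routing-mark=wan2 passthrough=no

/ip route
add gateway=88.**.**.193%ether1 routing-mark=wan1 distance=1
add gateway=88.**.**.193%ether6-net5 routing-mark=wan2 distance=1
# Unmarked traffic keeps the plain default route.
add gateway=88.**.**.193 distance=1

/ip firewall nat
# Static public addresses: src-nat to a fixed address instead of masquerade. An
# out-interface match only fires once routing (the marks above) chose that interface.
add chain=srcnat src-address-list=nat-allowed out-interface=ether1 \
    action=src-nat to-addresses=88.**.**.244
add chain=srcnat src-address-list=nat-allowed out-interface=ether6-net5 \
    action=src-nat to-addresses=88.**.**.242

/ip firewall filter
# Enforce "only a few VMs reach the Internet" here. Without this, hosts with no NAT rule
# still leave the router, carrying a private 192.168.1.x source address.
add chain=forward src-address=192.168.1.0/24 src-address-list=!nat-allowed out-interface=ether1 action=drop
add chain=forward src-address=192.168.1.0/24 src-address-list=!nat-allowed out-interface=ether6-net5 action=drop

# Verification while 192.168.1.4 pings 8.8.8.8: the conWan1 and wan1 rules and the
# ether1 src-nat rule must all count packets.
/ip firewall mangle print stats
/ip firewall nat print stats
```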

Hey,

I don’t get it to work. Would you have time for a short TeamViewer session?
This would be great.

Hey,

6 chain=prerouting src-address=192.168.1.4 connection-mark=no-mark --- take this, add “new-connection-mark=conWan1” --+

new-connection-mark isn’t available here. Also, I’ve set-up a new router and still have the same issue.

Is anyone able to assist here?