Hi,

My ccr has multiple public ip addresses on multiple ethernet ports. I m trying to src-nat my vlan 100 to 193.xxx.xxx.169, on out interface 11 without any luck.

ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

1 ;;; wan
193.xxx.xxx.161/26 193.xxx.xxx.128 ether12
8 10.0.100.1/24 10.0.100.0 vlan100
13 193.xxx.xxx.169/26 193.xxx.xxx.128 ether11

ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic

3 ;;;
chain=srcnat action=src-nat to-addresses=193.xxx.xxx.169 src-address=10.0.100.0/24 out-interface=ether11 log=yes log-prefix=""
5 ;;; Vlan0 NAT to public
chain=srcnat action=src-nat to-addresses=193.xxx.xxx.161 src-address=192.168.0.0/24 out-interface=ether12 log=no log-prefix=""


If i try to ping google the output interface is ether 12 and not ether 11

20:53:14 firewall,info forward: in:vlan100 out:ether12, src-mac 00:03:d6:03:7d:c7, proto ICMP (type 8, code 0), 10.0.100.14->8.8.8.8, len 84


How can i correct this problem ?

Steve

If both public addresses are from same subnet and they use the same default gateway, as it seems to be the case here, then this is not how it’s done. When you put them on different ports, you’re creating unnecessary problems. It could be forced to work this way, i.e. make an artificial dual WAN setup, but it doesn’t help you in any way. Just use one common WAN interface, assign both addresses to it and it will work fine with srcnat rules like yours (only with fixed out-interface for one).

Thank you for your input. But how could i force diff. ports to be used ? Do i need to use some sort of pcc/nth??

Do you need for some specific reason that the traffic from VLAN 100 really goes through a different physical WAN in both directions, or it is enough for you that it would be src-nated to a specific address?

i just like to segment my traffic, on ports aswell, and honestly its bugging me that it doesn t work. On a simple linux gateway it s easy to do this. So any tips forcing this ?

It is easy to modify the rules so that the to-addresses for src-nat is chosen according to the original source address of the packet.

It is a bit more complex to make Mikrotik use different physical ports in a controlled way to access the same subnet, because you need to

• set another default gateway:

/ip route add
gateway=193.XXX.XXX.XXX%ether12 routing-mark=vlan100

• use a routing rule to send packets with source addresses from the subnet of vlan100 through that gateway

/ip route rule
add src-address=10.0.100.0/24 action=lookup-only-in-table table=vlan100

Depending on your overall configuration, you may need to set up additional routes or exceptional route rules to make packets from 10.0.100.0/24 reach local destinations, as the way described above, anything from vlan100 will be routed outside.

Ok, how do you this on simple Linux gateway?

Correct me if I’m wrong, but from what you described, there are 193.xxx.xxx.161/26 and 193.xxx.xxx.169/26, so two addresses from same subnet (if it’s two different subnets, then you failed to mask your addresses correctly). If you put each on different interface, you create overlapping subnets, that’s not right thing to do. I assume that default gateway is the same for both. But even it it wasn’t and there were two, both would have to be in same subnet. And how can the router know, if it should look for the right one on ether11 or ether12? It can’t, so it will just pick one.

If you really want to, you can do forced dual WAN setup like this:

/ip route
add dst-address=0.0.0.0/0 gateway=193.xxx.xxx.x%ether11 routing-mark=wan1
add dst-address=0.0.0.0/0 gateway=193.xxx.xxx.x%ether12 routing-mark=wan2

And then the usual connection and route marking like with regular dual WAN setup. I see no benefit in doing so, but as some people say “why take an easy way when there’s a hard way”. I guess it’s more fun sometimes.

@Sob, give a try to routing rules. Their abilities are limited as compared to mangle rules so they can be used in a limited number of scenarios, but on the other hand, they work even with fasttracking.

I know about routing rules, I use them sometimes, but they are not the first thing that comes to my mind, so it’s likely that I’m not using them to their full potential. And fastrack doesn’t excite me, because lets say the hardware is getting more powerful faster than internet speed is going up, so I didn’t really need it yet.