SRCNAT with multiple WAN IP addresses (>2)

Hello,

I'm running CAPsMAN-based forwarding WiFi with one single /16 subnet for the WiFi clients (VLAN 1000). The clients get SRCNATed to 2 public IP addresses. There's no problem with that setup.
Now I wanted to add 2 more public IP addresses, which fails. Routing to those 4 public IP addresses works without any problems. NAT doesn't work at all.

  • So 4 VLANs
add interface=bridge-fuer-uplink name=vlan2081 vlan-id=2081
add interface=bridge-fuer-uplink name=vlan2082 vlan-id=2082
add interface=bridge-fuer-uplink name=vlan2083 vlan-id=2083
add interface=bridge-fuer-uplink name=vlan2084 vlan-id=2084
  • DHCP server for the clients
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 disabled=no interface=vlan1000 lease-time=8h10m name=dhcp1
  • Subnet for the clients:
add address=10.40.0.240/16 interface=vlan1000 network=10.40.0.0
  • public IP addresses for the clients
/ip address
add address=19.1.108.2/30 interface=vlan2081 network=19.1.108.0
add address=19.1.108.6/30 interface=vlan2082 network=19.1.108.4
add address=19.1.108.10/30 interface=vlan2083 network=19.1.108.8
add address=19.1.108.14/30 interface=vlan2084 network=19.1.108.12
  • SRCNAT for the 4 parts of the /16 subnet:
/ip firewall nat
add action=src-nat chain=srcnat routing-table=main src-address=10.40.0.0/18 to-addresses=19.1.108.2
add action=src-nat chain=srcnat routing-table=main src-address=10.40.64.0/18 to-addresses=19.1.108.6
add action=src-nat chain=srcnat routing-mark=main src-address=10.40.128.0/18 to-addresses=19.1.108.10
add action=src-nat chain=srcnat routing-table=main src-address=10.40.192.0/18 to-addresses=19.1.108.14

Routing is done with OSPF on the WAN side.

dst-address=0.0.0.0/0 
gateway=19.1.108.1,19.1.108.5,19.1.108.9,19.1.108.13
gateway-status=
19.1.108.1 reachable via  vlan2081,
19.1.108.5 reachable via  vlan2082,
19.1.108.9 reachable via  vlan2083,
19.1.108.13 reachable via  vlan2084,

distance=110 scope=20 target-scope=10 route-tag=1 ospf-metric=11 ospf-type=external-type-2

SRCNAT works with the first two NAT rules. For the 3rd and 4th rule the counters stay at "0". The client itself gets an IP address from the 3rd or 4th range; it can ping the gateway 10.40.0.240. That's all. No NAT afterwards.


Am I missing something? Shouldn't SRCNAT work like this with multiple WAN IP addresses? Any hints would be great.

/ip firewall nat
add action=src-nat chain=srcnat routing-table=main src-address=10.40.0.0/18 to-addresses=19.1.108.2
add action=src-nat chain=srcnat routing-table=main src-address=10.40.64.0/18 to-addresses=19.1.108.6
add action=src-nat chain=srcnat routing-**mark=**main src-address=10.40.128.0/18 to-addresses=19.1.108.10
add action=src-nat chain=srcnat routing-table=main src-address=10.40.192.0/18 to-addresses=19.1.108.14

Not sure if that is the root cause of your problem, but it may be a start.
I don't have a sweet clue about your setup; it's beyond my limited knowledge.

Nice, let's try with the right one.

  1. Make two interface lists, WAN1 and WAN2, with the respective VLANs.
  2. Set NAT with out-interface-list WAN1 or WAN2 and masquerade.

If dynamic
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan1-eth1
add action=masquerade chain=srcnat out-interface=wan2-eth2
add action=masquerade chain=srcnat out-interface=wan3-eth3
add action=masquerade chain=srcnat out-interface=wan4-eth4

If static (coming in on one WAN interface)
add action=src-nat chain=srcnat out-interface=wanISP-ethx to-addresses=wan1IP
add action=src-nat chain=srcnat out-interface=wanISP-ethx to-addresses=wan2IP
add action=src-nat chain=srcnat out-interface=wanISP-ethx to-addresses=wan3IP
add action=src-nat chain=srcnat out-interface=wanISP-ethx to-addresses=wan4IP

Keep in mind this simply denotes which public IP will replace the private IP.
Remember this doesn't route them to the right outgoing WAN IP address; it simply instructs the router, in this case, which LAN/VLAN private IPs should be translated by which public IP.

I suppose if the routing for your config already sends specific LAN traffic to specific WAN IPs, the static rules above should work.
I do not know what advantage would be gained by specifying the source address in the source NAT rules, and I'm hoping someone can point that out.
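Both the original /18-per-public-IP rule set and the out-interface style suggested in the last reply are easy to get subtly wrong in a long export, and a rule that never matches shows up only as a counter stuck at 0. The following is an added example, not code from the thread or from MikroTik: a small offline lint over RouterOS `add ...` export lines. It checks three things a practitioner would want to confirm before blaming routing: that every rule uses the same parameter names as its siblings (the reply above spotted one rule saying `routing-mark=` where the others say `routing-table=`; the lint flags the odd one out without claiming how RouterOS treats it), that every `to-addresses` is an address the router actually owns and, when a rule is pinned to an `out-interface`, is the address on that interface, and that the `src-address` prefixes sit inside the client subnet, do not overlap, and together cover all of it. The WAN address table and the sample rules are constructed from the values quoted in the thread; the mapping of each /30 to its VLAN interface is taken from the `/ip address` lines.

```python
import ipaddress
import shlex
from collections import Counter

# Constructed sample input: the WAN addresses and src-nat rules quoted in the
# thread, keyed by the VLAN interface that carries each /30.
WAN_ADDRESSES = {
    "vlan2081": "19.1.108.2/30",
    "vlan2082": "19.1.108.6/30",
    "vlan2083": "19.1.108.10/30",
    "vlan2084": "19.1.108.14/30",
}
CLIENT_SUBNET = "10.40.0.0/16"
NAT_RULES = """\
add action=src-nat chain=srcnat routing-table=main src-address=10.40.0.0/18 to-addresses=19.1.108.2
add action=src-nat chain=srcnat routing-table=main src-address=10.40.64.0/18 to-addresses=19.1.108.6
add action=src-nat chain=srcnat routing-mark=main src-address=10.40.128.0/18 to-addresses=19.1.108.10
add action=src-nat chain=srcnat routing-table=main src-address=10.40.192.0/18 to-addresses=19.1.108.14
"""


def parse_rule(line):
    """Turn an export line 'add key=value ...' into a dict (shlex handles quoted values)."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError(f"not an 'add' line: {line!r}")
    rule = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {tok!r}")
        rule[key] = value
    return rule


def lint_srcnat(rules_text, client_subnet, wan_addresses):
    """Return a list of findings; an empty list means the rule set passed every check."""
    rules = [parse_rule(line) for line in rules_text.splitlines() if line.strip()]
    findings = []
    client_net = ipaddress.ip_network(client_subnet)
    # interface name -> host address string, plus the reverse lookup
    iface_ip = {name: str(ipaddress.ip_interface(a).ip) for name, a in wan_addresses.items()}
    ip_iface = {ip: name for name, ip in iface_ip.items()}

    # Check 1: a parameter name used by a minority of the rules. The thread's
    # reply spotted exactly this by eye; flag it rather than guess what it means.
    usage = Counter(k for r in rules for k in r)
    for i, r in enumerate(rules, 1):
        for k in sorted(r):
            if usage[k] * 2 < len(rules):
                findings.append(f"rule {i}: parameter '{k}' appears in only {usage[k]} of {len(rules)} rules")

    # Check 2: the translation target must be an address the router owns, and if
    # the rule is pinned to an out-interface it must be that interface's address,
    # otherwise replies arrive on a different VLAN than the one traffic left on.
    for i, r in enumerate(rules, 1):
        target = r.get("to-addresses")
        if target not in ip_iface:
            findings.append(f"rule {i}: to-addresses {target} is not a configured WAN address")
        elif "out-interface" in r and iface_ip.get(r["out-interface"]) != target:
            findings.append(f"rule {i}: to-addresses {target} is not on out-interface {r['out-interface']}")

    # Check 3: src-address prefixes must sit inside the client subnet, not overlap,
    # and together cover all of it; a client outside every prefix is never translated.
    nets = []
    for i, r in enumerate(rules, 1):
        if "src-address" not in r:
            continue
        net = ipaddress.ip_network(r["src-address"])
        if not net.subnet_of(client_net):
            findings.append(f"rule {i}: src-address {net} is outside {client_net}")
        nets.append(net)
    if nets:
        collapsed_size = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
        if collapsed_size < sum(n.num_addresses for n in nets):
            findings.append("src-address prefixes overlap")
        remaining = [client_net]  # parts of the client subnet no rule has claimed yet
        for net in nets:
            nxt = []
            for part in remaining:
                if net.subnet_of(part):
                    nxt.extend(part.address_exclude(net))
                elif not part.subnet_of(net):
                    nxt.append(part)
            remaining = nxt
        for gap in sorted(remaining):
            findings.append(f"no rule covers {gap}")
    return findings


if __name__ == "__main__":
    for finding in lint_srcnat(NAT_RULES, CLIENT_SUBNET, WAN_ADDRESSES) or ["no findings"]:
        print(finding)
```

Run against the four rules as posted, the only finding is the odd parameter name on rule 3; with that rule rewritten to match its siblings the lint is clean, and dropping the fourth rule reports `no rule covers 10.40.192.0/18`, which is the same symptom (a range of clients that never hits any rule) that shows up on the router as a zero counter.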