Trouble with the place-before option in ip firewall nat

I have a newly purchased RB750GL:

[admin@mikrotik2] /system license> /system routerboard print
       routerboard: yes
             model: "750GL"
     serial-number: "2CFA0119D664"
  current-firmware: "2.35"
  upgrade-firmware: "2.34"
[admin@mikrotik2] /system license> /system license print
    software-id: "****-****"
  upgradable-to: v7.x
         nlevel: 4
       features:

I’m migrating my firewall config from a dedicated linux machine to the RB750GL, and am having some issues with a bit of code that dynamically adds an entry to the beginning of the nat chain. The extra nat entry is added through use of an ssh command from a linux host. I have traced the problem to the place-before option (this appears as an option on the command line, but is not documented in the wiki). Here’s what I’m doing:

Works:

[user1@admin1 bin]# ssh admin@mikrotik2 /ip firewall nat add chain=dstnat src-mac-address=18:20:32:EC:B9:59 in-interface=vlan60 action=accept comment=192.168.60.201

Fails:

[user1@admin1 bin]# ssh admin@mikrotik2 /ip firewall nat add chain=dstnat src-mac-address=18:20:32:EC:B9:59 in-interface=vlan60 action=accept place-before=0 comment=192.168.60.201
sequential access failure, item list changed (11)

When running the command from the RB750 itself, it works:

[admin@mikrotik2] /ip firewall nat> /ip firewall nat add chain=dstnat src-mac-address=18:20:32:EC:B9:59 in-interface=vlan60 action=accept place-before=0 comment=192.168.60.201
[admin@mikrotik2] /ip firewall nat> print chain=dstnat
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; 192.168.60.201
     chain=dstnat action=accept in-interface=vlan60 src-mac-address=18:20:32:EC:B9:59

I have created a script file and running it directly from the console works (/import test.rsc), but running it non-interactively fails (ssh mikrotik /import test.rsc).

I’d love to hear any ideas on how to get this working - either using the place-before option, or some more ingenious (or possibly blindingly obvious) method.

Regards,

Steve

You can’t use rule numbers like that in a script, because the system doesn’t know what rule is what number until it prints them… and it doesn’t do that in a script or non-interactively.

You need to use the “find” command.

Here is a thread to get you started in the right direction…
http://forum.mikrotik.com/t/firewall-mangle-place-before/22167/1

Many thanks for the quick response and understood. Will give that a go…

This seems to do the trick:

# $guestip is set by the caller before this script runs
:global guestip;
# resolve the guest's MAC address from the ARP table
:local guestmac [/ip arp get [find address=$guestip] mac-address];
# insert before the rule tagged with a fixed comment, found by "find" instead of by number
/ip firewall nat add chain=dstnat src-mac-address=$guestmac in-interface=vlan60 action=accept comment=$guestip place-before=[find comment="guest VLAN insert point"];

So, I define the guestip as a global variable, call the script above, and all is well.

Many thanks again :)
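A more defensive version of that insert script, added here as an example and not taken from the thread: it refuses to run when the address is unset, the ARP entry is missing or the anchor rule is absent, and it avoids stacking duplicate rules for the same host. It assumes the same conventions as above (a global $guestip set by the caller, guests on vlan60, and one anchor rule commented "guest VLAN insert point").

```routeros
# Added example, not the thread author's script.
# Assumptions: caller sets the global $guestip; guests sit on vlan60; exactly one
# dstnat rule carries the comment "guest VLAN insert point" and acts as the anchor.
:global guestip;

# Refuse to run without an address rather than adding a rule with an empty MAC.
:if ([:len $guestip] = 0) do={ :error "guestip is not set"; }

# Resolve the MAC from the ARP table; an unresolved host must not produce a rule.
:local arpid [/ip arp find address=$guestip interface=vlan60];
:if ([:len $arpid] = 0) do={ :error ("no ARP entry for " . $guestip . " on vlan60"); }
:local guestmac [/ip arp get ($arpid->0) mac-address];

# Locate the anchor by comment, not by number: rule numbers are only assigned when
# the list is printed, which is why place-before=0 failed over non-interactive ssh.
:local anchor [/ip firewall nat find comment="guest VLAN insert point" chain=dstnat];
:if ([:len $anchor] != 1) do={ :error "expected exactly one anchor rule in dstnat"; }

# Do not add a second accept rule for a host that already has one.
:if ([:len [/ip firewall nat find comment=$guestip chain=dstnat]] > 0) do={
  :log info ("guest rule for " . $guestip . " already present, nothing to do");
} else={
  /ip firewall nat add chain=dstnat src-mac-address=$guestmac in-interface=vlan60 action=accept comment=$guestip place-before=($anchor->0);
  :log info ("inserted guest rule for " . $guestip . " (" . $guestmac . ")");
}
```

Because every lookup is by comment or address, the script behaves the same whether it is run from the console, via /import, or over ssh.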

That’s great, glad you got it working!!!