Two questions about src.nat and routing

Two routers are in router mode. Router1 (CPE) is connected to Router2 (Home AP) through wlan.

In this topology:

device <------------> Router1 <----------------> Router2.
          ethernet                 wireless
          (ether2)                  (wlan)
  1. How can we forward all traffic from ether2 to wlan and vice versa?
  2. How can we change the source address of the packets entering Router1 (from ether2) so that they exit Router1 (from wlan) with the new source address?
     Visually:
device <------------> Router1 <----------------> Router2.
        src.address            NEW src.address

The default config of a typical SoHo MT device extensively uses two interface lists: LAN and WAN. The typical config has ether1 as WAN, but in your case the WAN interface is probably wlan1. The rest of the interfaces are made part of a bridge, which in turn is a member of the LAN interface list.
The remaining task is to configure the wlan1 interface into mode=station and configure a DHCP client on the wlan1 interface.

Ok wlan1 is in station mode, with a DHCP client running on it and out of any bridge interface.
In order for ether2 traffic to be forwarded to wlan1 what should I do?

As I wrote: take care of proper interface list membership. If it still doesn’t work, post the exported configuration of “Router 1” for inspection (in a terminal window run the command /export hide-sensitive file=anynameyouwish, fetch the resulting file off the device, open it with a text editor, obfuscate any remaining sensitive data such as serial number or wifi password and post it inside [code] [/code] tags).

jan/02/1970 00:04:28 by RouterOS 6.49.6
software id = WG5K-W2S0
model = RB941-2nD
serial number = HBM07SBR5MJ

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC
country=greece disabled=no frequency=2472 installation=indoor ssid=
MikroTik-Router
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik
unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.4
/ip dhcp-server
add address-pool=dhcp disabled=no name=dhcp1
add address-pool=dhcp disabled=no interface=ether1 name=dhcp2
/interface bridge port
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
/interface list member
add interface=wlan1 list=WAN
add list=LAN
add list=LAN
/ip address
add address=192.168.88.1/24 network=192.168.88.0
add address=172.31.92.9/24 interface=ether1 network=172.31.92.0
/ip dhcp-client
add disabled=no interface=wlan1
/ip dhcp-server network
add address=172.31.92.0/24 gateway=172.31.92.9 netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip firewall nat
add action=src-nat chain=srcnat out-interface-list=WAN to-addresses=
172.31.92.1
add action=masquerade chain=srcnat out-interface-list=WAN
/system identity
set name=hAP

Ok I think I finally made it! Thank you

I’m glad it works for you.

A few remarks on config you posted above:

  • set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm

Nowadays it’s hardly necessary to support WPA authentication. The same goes for TKIP ciphering.

  • /interface list member
add interface=wlan1 list=WAN
add interface=bridge list=LAN
add list=LAN
/ip address
add address=192.168.88.1/24 network=192.168.88.0
add address=172.31.92.9/24 interface=ether1 network=172.31.92.0

Addressing in general is a mess in the posted config. 192.168.88.1/24 above is hanging in thin air (no interface associated; if that should be your LAN, set interface=bridge), while 172.31.92.9/24 is set on a slave port (of the bridge), which is not correct either. After you decide which subnet address is a keeper, remove the surplus network definition in /ip dhcp-server network.

  • /ip firewall nat
add action=src-nat chain=srcnat out-interface-list=WAN to-addresses=172.31.92.1
add action=masquerade chain=srcnat out-interface-list=WAN

The first rule will do the work. However, the address it’s using as the new src-address is not defined elsewhere in the configuration, and chances are it’s wrong (or can become wrong if the upstream DHCP server serves another lease). In your use case (dynamic WAN address) it’s better to use the second rule; to make it active you have to remove the first one.

Overall your router is not secured at all. So if you can’t trust both LAN and “WAN” devices not to try to play tricks on your router, you should configure some firewall filter rules. Default filter rule set would be a very good starting point since you fixed the interface list membership.

As a precaution, before doing any other configuration changes, back up your current config so you can go back if the reconfiguration fails big time. When doing changes, enter safe mode, apply the change and, if it’s OK, exit safe mode. If a change breaks your management connection while safe mode is active, ROS will automatically revert the changes made while in safe mode. It is important to exit safe mode before manually closing the management session (log-out).
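Pulling the remarks above together, here is an added example of how Router1's relevant sections could read after those fixes. It is not the export posted in the thread nor the replier's own config; it assumes 192.168.88.0/24 is the subnet that is kept, that the LAN bridge is named bridge, that wlan1 is the only WAN port, and that the filter rules follow the RouterOS 6.49 default set referred to above.

```routeros
# Added example, not the config posted above. Assumes 192.168.88.0/24 is the
# subnet that is kept, the LAN bridge is named "bridge" and WAN is wlan1 only.
/interface wireless
set [ find default-name=wlan1 ] mode=station ssid=MikroTik-Router disabled=no
/interface wireless security-profiles
# WPA2 only with AES only: wpa-psk and tkip removed, as remarked above
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys unicast-ciphers=aes-ccm group-ciphers=aes-ccm
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=wlan1 list=WAN
add interface=bridge list=LAN
/ip address
# one LAN address, attached to the bridge rather than to a slave port;
# the 172.31.92.9/24 address on ether1 is dropped
add address=192.168.88.1/24 interface=bridge
/ip dhcp-client
# WAN address comes from Router2's DHCP server
add interface=wlan1 disabled=no
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.4
/ip dhcp-server
add name=dhcp1 interface=bridge address-pool=dhcp disabled=no
/ip dhcp-server network
# only the kept subnet remains here
add address=192.168.88.0/24 gateway=192.168.88.1
/ip firewall nat
# masquerade follows whatever lease wlan1 currently holds; no fixed to-addresses
add chain=srcnat out-interface-list=WAN action=masquerade
/ip firewall filter
# input: router itself reachable only from LAN (plus ICMP and existing flows)
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=drop in-interface-list=!LAN
# forward: LAN -> WAN allowed, new connections from WAN only if dst-natted
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
```

Apply it in safe mode as described above, then confirm with /ip firewall nat print and /ip address print that only the masquerade rule and the bridge address remain.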