We use a simple scenario: chain=srcnat, outgoing-interface=public and finally action=masquerade. Works like a charm. But now we would like to have two gateways, as we’ve got two ISP lines. So far, let’s forget bonding and failover. Let’s say we want to use one ISP for some of our subnets, and the other ISP for other subnets.
My understanding is that I have to use source NAT without masquerading? I tried something, but it did not seem to work. Any example here?
When I want to get a public IP to some internal network interface, is it sufficient to define dst-nat on the ISP machine and srcnat on our internal machine, as shown in the docs? No routing involved?
As you can see, src-nat comes after any “routing-decision” action, so I assume that when your src-nat is applied, it is already determined through which port the packet will go out.
Try to use the mark-routing action in mangle in the prerouting chain, and then set these marks for specific gateways.
Uh, NAT is done after the routing decision? That is strange, no? You have a packet arriving on your local interface. Now it looks into the routing table for what to do, and if there were no masquerading involved first, imo the packet would not get through … because imo only after masquerading to the output interface network IP does it know the gateway, no? But maybe I am just seeing it the wrong way.
What I simply want to achieve is to have two gateways to our ISPs, no bonding yet, no fail-over yet, no trouble with marking packets for routing purposes, just simply deciding which interfaces (networks) are masqueraded to what destination network …
I simply want to “masquerade” eth1 to wlan1 and eth2 to wlan2. I can’t use simple chain=srcnat, outgoing interface=wlan1, action=masquerade, as everything will be masqueraded to that interface.
So perhaps without defining the outgoing interface, I could use the source address and destination address parameters to achieve what I want - simply to have eth1 masqueraded to wlan1 and eth2 masqueraded to wlan2?
OK, let’s assume packet-marking is the next level of my exercise (although that should not be difficult either), I just wonder if anything like the following would work?
So that it would masquerade selectively upon source address to the correct outgoing interface? Maybe I could even use in-interface instead of src-address in my case … just wonder if the above rules would work as I expect?
Then we will add specific gateways for those marks:
/ip route add gateway=9.9.9.9 routing-mark=client1 comment="9.9.9.9 GW of the first ISP"
/ip route add gateway=8.8.8.8 routing-mark=client2 comment="8.8.8.8 GW of the second ISP"
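Putting the two replies above together (the mark-routing suggestion and the per-mark routes), here is a complete configuration as an added example; it is not from any poster in this thread. It uses the thread's interface names eth1/eth2/wlan1/wlan2 and the gateway addresses 9.9.9.9 and 8.8.8.8 exactly as the reply gave them, and assumes RouterOS v6 syntax (`routing-mark=` on routes, as in the reply; v7 uses `routing-table=` plus a `/routing table add name=... fib` entry). The LAN subnets 192.168.1.0/24 and 192.168.2.0/24 are constructed placeholders. The ordering of the three sections is the point of the thread: the mark is set in prerouting, the route lookup uses the mark to pick the uplink, and only then does srcnat rewrite the source address, which is why a plain `out-interface=` match is sufficient in the masquerade rules.

```routeros
# Added example (not posted in the thread). Assumes RouterOS v6.
# Constructed LAN subnets: 192.168.1.0/24 behind eth1, 192.168.2.0/24 behind eth2.
# Uplinks: wlan1 -> ISP1 (gateway 9.9.9.9), wlan2 -> ISP2 (gateway 8.8.8.8).

# 1. Prerouting mangle: runs BEFORE the routing decision, so the mark it sets
#    is what the route lookup sees. The first rule keeps LAN-to-LAN traffic
#    unmarked; otherwise the marked default routes below would send it to an ISP.
/ip firewall mangle
add chain=prerouting dst-address=192.168.0.0/16 action=accept \
    comment="inter-LAN traffic stays in the main table"
add chain=prerouting in-interface=eth1 action=mark-routing \
    new-routing-mark=client1 passthrough=no comment="eth1 -> ISP1"
add chain=prerouting in-interface=eth2 action=mark-routing \
    new-routing-mark=client2 passthrough=no comment="eth2 -> ISP2"

# 2. Routing decision: one default route per mark, plus an unmarked default
#    for the router's own traffic and anything that was not marked.
/ip route
add dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-mark=client1 comment="ISP1 default"
add dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-mark=client2 comment="ISP2 default"
add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=1 comment="main table default"

# 3. Source NAT: runs AFTER routing, so the out-interface is already known.
#    No src-address match is needed; routing already chose wlan1 or wlan2.
/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade comment="NAT to ISP1"
add chain=srcnat out-interface=wlan2 action=masquerade comment="NAT to ISP2"
```

To check that packets take the intended path, watch the counters with `/ip firewall mangle print stats` and `/ip firewall nat print stats` while generating traffic from each LAN, and confirm the marked routes are active with `/ip route print detail`. If the ISP gateways are reachable only through their own uplinks, adding `check-gateway=ping` to the two marked routes lets a dead link's route become inactive, which is the first step toward the failover the thread postpones.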
Why not? What are the source address and dst address fields there for, then? OK, maybe I start to understand a bit after all. The thing is, I can’t somehow “imagine” what NAT does with the packet under the hood. Does it just change the src/dst address accordingly? Well, so NAT has nothing to do with “routing packets” here or there, right? It just takes packets on some interface and rewrites their addresses, no routing, forwarding, whatsoever, right?
So it all depends upon how routing is defined. Your example using mangle is not difficult to understand; I will do it according to your suggestion.
btw - any good book on routing techniques like your suggestion?