VRF and NAT Masquerade

Hi All,

I am having some trouble getting NAT masquerade to work with a VRF. I have a VPLS PW interface with the public range routed to it using a VRF. I have set up src-nat to mask from the LAN subnet outbound on the VPLS PW interface within the VRF. I have set up the NAT rules to include the routing mark, however I continue to not get any hits on the rule.

thanks.

I take it you’re following this tutorial?

http://wiki.mikrotik.com/wiki/Internet_access_from_VRF_with_NAT

No I wasn’t, thanks for the link!

OK so upon looking over that WIKI article properly it is irrelevant to what I am trying to do, so just to clarify:

I have a VPLS interface that has an Internet address on it within a VRF, I then have a VLAN interface using private addressing with a host on the VLAN also within the VRF. I have a dst-nat rule that port forwards to the host on the LAN, the result being I should be able to access this host from the Internet via the router’s address port “x”. The issue is that the dst-nat works and then the host responds with a packet, but the router is dropping the packet before it gets out over the src-nat.

NAT

 0   ;;; Port Forward to Trinity printer for Internet printing
     chain=dstnat action=dst-nat to-addresses=192.168.90.254 to-ports=6310 
     protocol=tcp dst-address=x.x.x.x routing-mark=TrinityInternet 
     dst-port=6310 

 1   ;;; NAT Printer to Internet
     chain=srcnat action=masquerade out-interface=VPE-10001-B

VRF

 0   routing-mark=TrinityInternet 
     interfaces=VPE-10001-B,Eth2-Vlan50-Printer,Eth2-Vlan610-Wlan1,Eth2-Vlan611-Wlan2

Interfaces

 1  R  ;;; Fa0/1 Comms-C2950
       ether2                                      ether            1500  1524 
 2     ether3                                      ether            1500  1524 
 3     ether4                                      ether            1500  1524 
 4     ether5                                      ether            1500  1524 
 5     ether6                                      ether            1500  1524 
 6     ether7                                      ether            1500  1524 
 7     ether8                                      ether            1500  1524 
 8     ether9                                      ether            1500  1524 
 9  R  ;;; Loopback for routing protocols
       lo0                                         bridge           1500  65535
10  R  ;;; Management VLAN
       Eth2-Vlan600-Mgmt                           vlan             1500  1520 
11  R  ;;; Signup WLAN VLAN
       Eth2-Vlan610-Wlan1                          vlan             1500  1520 
12  R  ;;; Secure WLAN VLAN
       Eth2-Vlan611-Wlan2                          vlan             1500  1520 
13  R  ;;; TrinityCollege Printer
       Eth2-Vlan50-Printer                         vlan             1500  1520 
14  R  ;;; Management/data
       ether1.601                                  vlan             1500  1520 
15  R  ;;; Loopback - Temp for remote access to printer
       lo1                                         bridge           1500  65535
16  R  VPE-10001-B                                 vpls             1500  1500

Addresses

 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   10.60.4.1/32       10.60.4.1       10.60.4.1       lo0                    
 1   10.60.14.11/23     10.60.14.0      10.60.15.255    ether1.601             
 2   10.60.2.1/28       10.60.2.0       10.60.2.15      Eth2-Vlan600-Mgmt      
 3   192.168.90.1/24    192.168.90.0    192.168.90.255  Eth2-Vlan50-Printer    
 4   210.x.x.2/30    210.x.x.0    210.x.x.3    VPE-10001-B            
 5   172.16.1.1/24      172.16.1.0      172.16.1.255    Eth2-Vlan610-Wlan1

OK, I have tested further by routing a public subnet across the VRF and assigned an address from this range to the host on the LAN. I am able to ping the router’s address on this subnet, however the router is dropping the ICMP request on the return trip from the host across the router… I am guessing something about the VRF or routing mark is the problem.

I’m always happy when someone reads the howto’s I’ve done :slight_smile:

Did you remember to make the correct MANGLE? Return traffic does not automatically go into the correct VRF, so you need to use /ip firewall mangle to make sure the traffic ends back in the VRF.

Hmm, I did have a mangle rule in place based on that logic, however was not getting any hits on it and MikroTik support told me to remove it.

I will put the mangle rules back on and post an update.

Thanks!

So still no luck with the mangle rules… Tried to add the routing mark using the VLAN interface inbound, global interface, src-addr & dst-addr… still don’t get any hits:

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=mark-routing new-routing-mark=Internet 
     passthrough=yes src-address=192.168.90.0/24 

 1   chain=prerouting action=mark-routing new-routing-mark=Internet 
     passthrough=yes in-interface=Eth2-Vlan611-Wlan2 

 2   chain=prerouting action=mark-routing new-routing-mark=Internet 
     passthrough=yes src-address=210.x.x.64/26

VLAN 611 is where the host I am trying to reach is, and it has the subnet 210.x.x.64/26.

Any input is greatly appreciated!

/ip firewall address-list
add address=10.0.0.0/8 list=LAN_addresses
add address=192.168.0.0/16 list=LAN_addresses
add address=100.64.0.0/10 list=LAN_addresses

/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark-routing:main (LAN)" src-address-list=!LAN_addresses dst-address-list=LAN_addresses new-routing-mark=main passthrough=yes

/routing rule add routing-mark=main action=lookup table=main

that’s all

otherwise responses will not reach

this is a bug in ROSv7 that needs to be fixed…

fallback to main routing-table is not working…

Same here, heard VRF with version 7 is flaky…

That resolved the issue for me in ver 7.4
Return traffic from internet to correct VRF

[admin@fw-up-1.networklab.local] > /ip/firewall/mangle/print

 8    ;;; Returning traffic to vrf
      chain=prerouting action=mark-connection new-connection-mark=VRF_TRAFFIC_OUT passthrough=no
      src-address-list=SRC_NAT_NET log=no log-prefix=""

 9    chain=prerouting action=mark-routing new-routing-mark=sdwan_vrf_1 passthrough=no
      connection-mark=VRF_TRAFFIC_OUT in-interface=WAN-eth1 log=no log-prefix=""
[admin@fw-up-1.networklab.local] >

flaky. lots of packet loss.

VRF needs improvement

Do you know which it is ? I am looking on release notes in router and I don’t see vrf fixes.

*) firewall - fixed “in-interface-list” matcher when VRF is used;

but; its still broken somehow IMO

we experience lots of random packet loss when VRF is used.

good news and bad news together

do not use address-lists. use in-interface-list. it will work

using address-lists currently causes a routing loop; in and out interface both become the WAN interface..

we have been dropping WAN to WAN connections in forward chain. that’s how we found the issue..

must be fixed by mikrotik ASAP
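Pulling together the two suggestions above (connection-marking the return traffic, as in the 7.4 config, and matching on an interface list rather than an address list, as volkirik recommends), here is an added RouterOS v7 example of the pattern. It is not configuration from anyone in this thread; the VRF name cust_vrf, the interfaces ether1-wan and vlan50-lan, the interface list WAN_VRF, the connection mark cust_vrf_out, the LAN subnet 192.168.90.0/24 and the upstream gateway 203.0.113.1 are all assumed placeholder values, and it covers connections initiated from the LAN side, as the 7.4 post does.

```routeros
# Added example, not from this thread. Assumed names: VRF "cust_vrf",
# WAN interface "ether1-wan", LAN interface "vlan50-lan",
# LAN subnet 192.168.90.0/24, upstream gateway 203.0.113.1 (documentation range).

# 1. Put both the WAN and LAN interfaces into the VRF; v7 creates the
#    routing table "cust_vrf" along with it.
/ip vrf add name=cust_vrf interfaces=ether1-wan,vlan50-lan

# 2. Default route inside the VRF's own table.
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=cust_vrf

# 3. Interface list for the VRF's WAN side; rules match on this list,
#    not on an address list, to avoid the WAN-to-WAN loop described above.
/interface list add name=WAN_VRF
/interface list member add list=WAN_VRF interface=ether1-wan

# 4. Masquerade LAN traffic leaving through the VRF's WAN interface.
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.90.0/24 out-interface-list=WAN_VRF comment="cust_vrf: LAN to Internet"

# 5. Tag connections that started on the LAN interface once, so the reply
#    direction can be recognised without an address list.
/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=cust_vrf_out passthrough=yes in-interface=vlan50-lan connection-mark=no-mark

# 6. Replies for those connections arriving on the WAN side are steered back
#    into the VRF table; the routing mark must equal the VRF name.
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=cust_vrf passthrough=no in-interface-list=WAN_VRF connection-mark=cust_vrf_out
```

To confirm the rules are actually being hit, watch the counters with /ip firewall mangle print stats while a LAN host has a connection open; rule 6 should count packets only in the WAN-to-LAN direction, and a forward-chain rule dropping in-interface-list=WAN_VRF out-interface-list=WAN_VRF traffic, as volkirik describes, should stay at zero if no loop is occurring.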

thanks volkirik, did you send a supout report to MT?

nope. they are not friendly IMO.

I would rather wait for somebody else to report it.

Ahh you have bystander complex!!!
https://escholarship.org/content/qt7rj7808m/qt7rj7808m_noSplash_5914a334284d46026077d9b42718e505.pdf?t=krnpwg

Luckily, I am not as lazy, nor lacking in moral fortitude and have passed the info along. :wink:

whatever