lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

DST-NAT in bridge breaks forwarding

Sat Jul 14, 2018 6:28 pm

I have the following setup:

CRS326 --- CCR1009 --- RB2011 --- internet

CCR1009 is bridging one network that spans between CRS326 and RB2011 (which is the wifi network). RB2011 is the router in this network, and there's a DNS server connected to it. CCR doesn't have an IP address in this network. It just performs bridging.

There's NAT for DNS servers so that no matter what DNS server the user specifies, it's always redirected to the DNS server connected to RB2011. I like to have configs as synchronized as possible, so I have 1:1 the same NAT rules on CCR and RB, regardless of the fact that CCR does not actively participate in this network's routing.

When I'm performing NAT in this bridge on CCR, it doesn't forward packets (on bridge level). I have the bridge firewall enabled. Here's what exactly happens if NAT on CCR is enabled:

1. CCR gets packet from 192.168.4.6 to 8.8.8.8
2. CCR changes dst IP to 192.168.10.9
3. CCR doesn't forward packet any further. The same happens if I perform NAT to 192.168.4.6.

If I disable NAT on the CCR bridge, it does forward packets. My question is: why does doing NAT break forwarding if the router doesn't have addressing on the bridge? I somewhat understand it, because changing the destination IP can potentially turn bridging into routing, and considering the router has no IP in this bridge it can't perform routing, but does NAT always turn bridging into routing? Is there any way to fix it (other than disabling NAT), like for example specifying a 192.168.0.0/24 address for the bridge (so that it's not a functional IP address, just an indication of the network on the bridge, or something similar)?
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST-NAT in bridge breaks forwarding

Sat Jul 14, 2018 11:04 pm

My guess is a slightly different phenomenon. When CCR is only bridging, it only cares about MAC addresses and it learns them by performing switching tasks (layer2 network). If it starts to NAT packets, it suddenly doesn't know where to send the just-NATed packet. It is quite obvious it should do an ARP request to learn the MAC address of the new destination ... and it should have a default gateway configured as well in case the NATed address is not local.

So yes, as NAT is layer3 operation, box doing it should be part of a layer3 network.
 
lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: DST-NAT in bridge breaks forwarding

Sat Jul 14, 2018 11:23 pm

> So yes, as NAT is layer3 operation, box doing it should be part of a layer3 network.

I blacklisted an in-interface-list with unaddressed bridges from NAT to prevent NATing on unaddressed bridges. But another question is: how about mangle and PBR? Does assigning a routing mark also force routing? I wonder simply because my current infrastructure doesn't really allow me to test it (I use PBR only for the management network). At the moment I also blacklisted those bridges from assigning a routing mark in mangle, but I wonder if it's a necessary operation or if assigning a routing mark to a bridged packet is a nop.
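
The interface-list exclusion described in the post above, written out as an added example (it is not part of the original post or anyone's actual configuration). The list name `unaddressed-bridges` and the bridge name `bridge1` are assumptions; the NAT target 192.168.10.9 is the DNS server address from the thread. Because the rule refers to a list rather than an interface, the same rule text can be kept on both routers while only the list membership differs per device.

```routeros
# Added example: keep the forced-DNS dst-nat rule identical on every router,
# but skip it for traffic arriving on bridges that have no IP address.
# "unaddressed-bridges" and "bridge1" are hypothetical names.

# On the pure L2 device (the CCR in the thread): put the bridge in the list.
/interface list
add name=unaddressed-bridges comment="bridges with no L3 addressing on this device"
/interface list member
add list=unaddressed-bridges interface=bridge1

# On the L3 router (the RB2011 in the thread): create the same list but leave
# it empty, so the shared rule below still applies to every interface there.

# Shared rule set: redirect DNS (UDP and TCP port 53) to the internal resolver,
# except for packets that entered through a listed bridge.
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 \
    in-interface-list=!unaddressed-bridges \
    action=dst-nat to-addresses=192.168.10.9 comment="force DNS (udp)"
add chain=dstnat protocol=tcp dst-port=53 \
    in-interface-list=!unaddressed-bridges \
    action=dst-nat to-addresses=192.168.10.9 comment="force DNS (tcp)"
```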
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST-NAT in bridge breaks forwarding

Sat Jul 14, 2018 11:33 pm

I'd say that any operation that requires external (to the L3 switch or whatever you call it) L3 information cannot be done on an unaddressed device (or part of one). I guess assigning a routing mark is OK, but routing based on a routing mark is ... ah, well, routing is an L3 operation after all. PBR has routing in its name. I guess you could use mangle on L2, but it is more usable on L3 ...
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: DST-NAT in bridge breaks forwarding  [SOLVED]

Sun Jul 15, 2018 12:11 pm

> Is there any way to fix it (other than disabling NAT) like for example specifying 192.168.0.0/24 address for bridge (so that it's not functional IP address just indication of network on bridge or something similar)?

Yes, you don't need an IP address but only a route that will direct ARP requests towards the correct interface.
/ip route
add dst-address=192.168.10.9 gateway=bridge1
 
lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: DST-NAT in bridge breaks forwarding

Sun Jul 15, 2018 6:26 pm

> Yes, you don't need an IP address but only a route that will direct ARP requests towards the correct interface.

Unfortunately it doesn't work. The router already has an address in the 192.168.10.0/24 network, as it's the management one. It only doesn't have an address in 192.168.4.0/24. NAT makes either 8.8.8.8 -> 192.168.10.9 or 8.8.8.8 -> 192.168.4.1 depending on the src ip list. I added both networks in /ip route but it didn't solve the problem.
