Matthiastik
newbie
Topic Author
Posts: 40
Joined: Wed Apr 25, 2018 1:31 am

Basic masquerade

Tue Apr 07, 2020 8:51 pm

Good Evening,

Question about srcnat and masquerade ...

NAT rules:

First rule:
chain=srcnat, out-interface-list=WAN, action=masquerade, where WAN is a list containing the interfaces PPPoE-ISP1 and Ether2-ISP2 (using a DHCP client to the cable modem)
Second rule:
chain=srcnat, out-interface=PPPoE-ISP1, action=masquerade
Third rule:
chain=srcnat, out-interface=Ether2-ISP2, action=masquerade

The second and third rules are not really necessary, but today they saved me when I tried to make my router a bit more secure!

I added src-address=192.168.10.0/24 to rule 1, but traffic now flows through rules 2 and 3. How come?

The LAN IP range with the DHCP server is 192.168.10.0/24, and the router is at IP 192.168.10.1.

Thank you
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Basic masquerade

Tue Apr 07, 2020 10:41 pm

Can you kindly post the exact configuration in text? You can get it by running the command /ip firewall nat export in a terminal ...
 
Matthiastik

Re: Basic masquerade

Tue Apr 07, 2020 11:38 pm

Here are the 3 lines I talked about ...

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=\
pppoe-ISP1
add action=masquerade chain=srcnat ipsec-policy=out,none \
out-interface=ether2-ISP2

This is without the src-address, since the packet counter stopped for rule 1 and started incrementing for rules 2 and 3. Those are different internet services, kept separate,
unlike rule 1, which uses the interface list named WAN where I include both interfaces, PPPoE-ISP1 and ether2-ISP2 ...

The lines that follow are hairpin and dst-nat rules for web servers and so on, and all is working ...

Thanks
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic masquerade

Wed Apr 08, 2020 12:25 am

Who knows what you are doing, since you refuse to post a config. Glad it's working for you though. :-)
 
Matthiastik

Re: Basic masquerade

Wed Apr 08, 2020 12:48 am

Who knows what you are doing, since you refuse to post a config. Glad it's working for you though. :-)
When I enable logging on rule 1 I see

my public IP 216.x.x.x pinging Google as expected, and also traffic from IP 192.168.10.x going out, but
also on the ether2-ISP2 interface I see 192.168.1.64, the MikroTik IP address obtained from the cable modem, along with traffic from 192.168.10.x ...

Do I need to add my public IP address of ISP1 or the PPPoE client along with the internal IP address 192.168.10.x, and the IP address assigned for ISP2, on rule 1?

Sorry, a lot of questions ...

thank you
 
anav

Re: Basic masquerade

Wed Apr 08, 2020 2:22 am

/export hide-sensitive file=anynameyouwish
 
Matthiastik

Re: Basic masquerade

Wed Apr 08, 2020 5:09 am

/export hide-sensitive file=anynameyouwish
This is the output; some things that I think would just make this thread long (dst-nat lines to the web server, IP cameras, SSH server etc.) have been removed.

# apr/07/2020 20:10:38 by RouterOS 6.46.4
/interface bridge
add auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-GLOBAL
set [ find default-name=ether2 ] name=ether2-iNFINITUM
set [ find default-name=ether3 ] name=ether3-LAN

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-GLOBAL name=\
pppoe-GlobalPCNet user=XXXXXX

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip firewall layer7-protocol
add name=NOPERMITIDO regexp="^.+(facebook.com|youtube.com|netflix.com|mercadol\
ibre.com|twitter.com|amazon.com|amazon.com.mx|instagram.com|facebook|snapc\
hat.com).*\$"
/ip pool
add name=dhcp_pool0 ranges=192.168.10.25-192.168.10.100
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge lease-time=1h name=\
dhcp1
/interface bridge port
add bridge=bridge interface=ether3-LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-GlobalPCNet list=WAN
add comment=defconf interface=ether2-iNFINITUM list=WAN
/ip address
add address=216.x.x.x/28 interface=ether1-GLOBAL network=216.x.x.x
add address=192.168.10.1/24 interface=ether3-LAN network=192.168.10.0

/ip dhcp-client
add disabled=no interface=ether2-iNFINITUM

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,208.67.220.123,9.9.9.9


/ip firewall filter
add action=accept chain=input comment="allow all" in-interface-list=WAN \
protocol=icmp
add action=drop chain=forward comment="NO JUNK" dst-port=80,443 \
layer7-protocol=NOPERMITIDO out-interface-list=WAN protocol=tcp \
src-address=192.168.10.2-192.168.10.100
add action=drop chain=forward comment="NO JUNK" dst-port=80,443 \
layer7-protocol=NOPERMITIDO out-interface-list=WAN protocol=udp \
src-address=192.168.10.2-192.168.10.100
add action=drop chain=input comment="deny dns" dst-port=53 in-interface-list=\
WAN protocol=tcp
add action=drop chain=input comment="deny dns" dst-port=53 in-interface-list=\
WAN protocol=udp

add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix=Invalid-
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment=PPPOE out-interface-list=WAN
add action=masquerade chain=srcnat comment=PPPOE out-interface=\
pppoe-GlobalPCNet
add action=masquerade chain=srcnat comment=PPPOE ipsec-policy=out,none \
out-interface=ether2-iNFINITUM


/ip route
add comment=secondary distance=2 gateway=192.168.1.254 routing-mark=ISP2-OUT
add comment="EMAIL Priority 1" distance=3 gateway=8.8.4.4 routing-mark=\
ISP2-OUT target-scope=40
add comment="EMAIL priority 2" distance=6 gateway=8.8.8.8 routing-mark=\
ISP2-OUT target-scope=40
add check-gateway=ping comment=ISP1 distance=1 gateway=8.8.8.8 target-scope=\
40
add check-gateway=ping comment=ISP2 distance=2 gateway=8.8.4.4 target-scope=\
40
add comment="validate secondary" distance=1 dst-address=8.8.4.4/32 gateway=\
192.168.1.254
add comment="validate primary" distance=1 dst-address=8.8.8.8/32 gateway=\
216.x.x.x

Thank you for the help.
 
anav

Re: Basic masquerade

Wed Apr 08, 2020 3:31 pm

Understood, but there is a really cool way of handling length.
See the line below the title with BOLD and Underline?
To the right of that is a symbol/icon which is a BLACK SQUARE with WHITE SQUARE BRACKETS.
That's the code icon. Just highlight the code with that function and you get the following result.........

(1) The obvious error
/ip address
add address=192.168.10.1/24 interface=eth3-LAN network=192.168.10.0
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
(2) Cleaned up the order of firewall rules (input ones in proper order, forward ones in proper order). You can mix and match input and forward, but it's horrible to read and understand that way.
(3) Duplicate rules............ Just keep the default one in green!
- add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- add action=accept chain=input comment="allow all" in-interface-list=WAN \
protocol=icmp
(4) Redundant rules...... If you're dropping everything not coming from the WAN
"add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
"
then you don't need the following rules, as they are already being blocked...............
"add action=drop chain=input comment="deny dns" dst-port=53 in-interface-list=\
WAN protocol=tcp
add action=drop chain=input comment="deny dns" dst-port=53 in-interface-list=\
WAN protocol=udp
"
(5) Don't quite understand your source NAT masquerade rules........... but I understand you have two ISPs.
Assuming they are on different modems..... Are any of them fixed static WAN IPs, or both dynamic??
(6) Didn't look at routing.
(7) I only see one of the ISPs having an entry under /ip address ???
....
Here is the code using the code blocks and cleaned up as discussed above.
# apr/07/2020 20:10:38 by RouterOS 6.46.4
/interface bridge
add auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-GLOBAL
set [ find default-name=ether2 ] name=ether2-iNFINITUM
set [ find default-name=ether3 ] name=ether3-LAN

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-GLOBAL name=\
pppoe-GlobalPCNet user=XXXXXX

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip firewall layer7-protocol
add name=NOPERMITIDO regexp="^.+(facebook.com|youtube.com|netflix.com|mercadol\
ibre.com|twitter.com|amazon.com|amazon.com.mx|instagram.com|facebook|snapc\
hat.com).*\$"
/ip pool
add name=dhcp_pool0 ranges=192.168.10.25-192.168.10.100
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge lease-time=1h name=\
dhcp1
/interface bridge port
add bridge=bridge interface=ether3-LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-GlobalPCNet list=WAN
add comment=defconf interface=ether2-iNFINITUM list=WAN
/ip address
add address=216.x.x.x/28 interface=ether1-GLOBAL network=216.x.x.x
add address=192.168.10.1/24 interface=bridge network=192.168.10.0

/ip dhcp-client
add disabled=no interface=ether2-iNFINITUM

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,208.67.220.123,9.9.9.9


/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
+++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix=Invalid-
add action=drop chain=forward comment="NO JUNK" dst-port=80,443 \
layer7-protocol=NOPERMITIDO out-interface-list=WAN protocol=udp \
src-address=192.168.10.2-192.168.10.100
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment=PPPOE out-interface-list=WAN
add action=masquerade chain=srcnat comment=PPPOE out-interface=\
pppoe-GlobalPCNet
add action=masquerade chain=srcnat comment=PPPOE ipsec-policy=out,none \
out-interface=ether2-iNFINITUM

/ip route
add comment=secondary distance=2 gateway=192.168.1.254 routing-mark=ISP2-OUT
add comment="EMAIL Priority 1" distance=3 gateway=8.8.4.4 routing-mark=\
ISP2-OUT target-scope=40
add comment="EMAIL priority 2" distance=6 gateway=8.8.8.8 routing-mark=\
ISP2-OUT target-scope=40
add check-gateway=ping comment=ISP1 distance=1 gateway=8.8.8.8 target-scope=\
40
add check-gateway=ping comment=ISP2 distance=2 gateway=8.8.4.4 target-scope=\
40
add comment="validate secondary" distance=1 dst-address=8.8.4.4/32 gateway=\
192.168.1.254
add comment="validate primary" distance=1 dst-address=8.8.8.8/32 gateway=\
216.x.x.x
 
Matthiastik

Re: Basic masquerade

Wed Apr 08, 2020 5:34 pm

I will answer as I go along.

Yes, I have 2 ISPs. One is Global PCNet, which provides me with a static IP upon configuring the PPPoE client in the router,
but their gateway changes every 2 months and I have to edit the route to keep up with their changes.

My backup internet service, INFINITUM, will jump in if the main internet service, Global PCNet, fails, which happens every 2 weeks with
an interruption of 1 hour each time. I am using recursive routing to create the failover, checking Global PCNet against 8.8.8.8
and the backup service Infinitum against 8.8.4.4 to check whether that one is up as well, and I am using the backup internet, INFINITUM,
for traffic like email and Dropbox, since the main service is slow and mainly for their web server.

The backup internet service, INFINITUM, is on port 2 and connected to their DSL modem with a dynamic IP; the local IP address
192.168.1.64 is assigned to the MikroTik, and the DSL modem's IP address is always 192.168.1.254.

I do not see the box and underline you are referring to, but let me make the changes step by step, and I will get back to you if you do not mind.

The first rule, I think, is the only one I made and the rest is default, but let me check. Please explain to me more about the input/forward order
that you say is a mess, and what order you have in your firewall, so I understand, since most of the firewall rules are default if I am not mistaken.

Thank you very much for all your help. I will look into that, and sorry for making your work harder,
but I appreciate your help and time spent. Thank you.
Last edited by Matthiastik on Wed Apr 08, 2020 6:43 pm, edited 1 time in total.
 
anav

Re: Basic masquerade  [SOLVED]

Wed Apr 08, 2020 6:09 pm

Okay, so the main ISP is kind of dynamic in that the gateway changes (thus I shall assume the masquerade action is best for that ISP).
Okay, so the backup ISP is a fixed static WAN IP that doesn't change (thus I shall assume the src-nat action is best for that ISP).

Suggesting, from
/ip firewall nat
add action=masquerade chain=srcnat comment=PPPOE out-interface-list=WAN
add action=masquerade chain=srcnat comment=PPPOE out-interface=\
pppoe-GlobalPCNet
add action=masquerade chain=srcnat comment=PPPOE ipsec-policy=out,none \
out-interface=ether2-iNFINITUM
to
/ip firewall nat
add chain=srcnat action=masquerade out-interface=pppoe-GlobalPCNet
add chain=srcnat action=src-nat out-interface=ether2-iNFINITUM to-addresses=192.168.1.64
(assuming that is the WAN IP given to the MT)
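To make the two mechanisms discussed in this thread concrete, here is an added Python model of a srcnat chain. It is not RouterOS script and not code from any of the posters. It walks the chain first-match, the way RouterOS does: the first rule whose matchers fit translates the packet and later rules are skipped. With the three rules from the opening post it reproduces the counter behaviour asked about there: router-originated packets such as the check-gateway pings leave with the WAN address of the link as their source, so once rule 1 is narrowed to src-address=192.168.10.0/24 they no longer fit it and fall through to rules 2 and 3, which is consistent with the rule-1 log showing 216.x.x.x and 192.168.1.64. With the two-rule replacement suggested just above it also shows the difference between masquerade (source taken from the interface's current address at match time) and src-nat (a fixed to-addresses), including what happens if the DHCP-assigned address on ether2 ever moves. Assumptions: the PPPoE address 203.0.113.10 and the sample packets are constructed; connection tracking is ignored (real RouterOS applies NAT to the first packet of a connection and replays it for the rest), so each packet here is evaluated on its own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# /interface list member, as exported in the thread.
INTERFACE_LISTS = {"WAN": {"pppoe-GlobalPCNet", "ether2-iNFINITUM"}, "LAN": {"bridge"}}

# Address currently bound to each WAN interface; masquerade reads this at match time.
# 192.168.1.64 is the DHCP address from the thread; the PPPoE address is a placeholder.
IFACE_ADDR = {"pppoe-GlobalPCNet": "203.0.113.10", "ether2-iNFINITUM": "192.168.1.64"}


@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str


@dataclass
class Rule:
    action: str                          # "masquerade" or "src-nat"
    out_interface: Optional[str] = None
    out_interface_list: Optional[str] = None
    src_address: Optional[str] = None    # CIDR matcher, e.g. "192.168.10.0/24"
    to_addresses: Optional[str] = None   # used by src-nat only
    counter: int = 0                     # like the packet counter in /ip firewall nat print stats

    def matches(self, pkt: Packet) -> bool:
        if self.out_interface and pkt.out_iface != self.out_interface:
            return False
        if self.out_interface_list and pkt.out_iface not in INTERFACE_LISTS[self.out_interface_list]:
            return False
        if self.src_address and ip_address(pkt.src) not in ip_network(self.src_address):
            return False
        return True


def apply_srcnat(rules: List[Rule], pkt: Packet, iface_addr: Dict[str, str]) -> Tuple[Optional[int], str]:
    """First-match walk of the srcnat chain: the first matching rule translates and ends processing.
    Returns (index of the rule that fired or None, source address after translation)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            rule.counter += 1
            if rule.action == "masquerade":
                return i, iface_addr[pkt.out_iface]   # whatever the interface holds right now
            return i, rule.to_addresses               # src-nat: fixed address from the rule
    return None, pkt.src                              # no match: leaves with its original source


def thread_rules(narrow_rule1: bool) -> List[Rule]:
    """The three rules from the opening post; narrow_rule1 adds src-address=192.168.10.0/24 to rule 1."""
    return [
        Rule("masquerade", out_interface_list="WAN",
             src_address="192.168.10.0/24" if narrow_rule1 else None),
        Rule("masquerade", out_interface="pppoe-GlobalPCNet"),
        Rule("masquerade", out_interface="ether2-iNFINITUM"),
    ]


# Constructed traffic: two LAN clients plus the router's own check-gateway pings, whose
# source is the WAN address of the link they leave on (as seen in the thread's rule-1 log).
SAMPLE_PACKETS = [
    Packet("192.168.10.50", "8.8.8.8", "pppoe-GlobalPCNet"),
    Packet("192.168.10.51", "8.8.4.4", "ether2-iNFINITUM"),
    Packet("203.0.113.10", "8.8.8.8", "pppoe-GlobalPCNet"),
    Packet("192.168.1.64", "8.8.4.4", "ether2-iNFINITUM"),
]


def hits_per_rule(narrow_rule1: bool) -> List[int]:
    """Packet counters of rules 1..3 after SAMPLE_PACKETS pass through the chain."""
    rules = thread_rules(narrow_rule1)
    for pkt in SAMPLE_PACKETS:
        apply_srcnat(rules, pkt, IFACE_ADDR)
    return [r.counter for r in rules]


def suggested_rules() -> List[Rule]:
    """The two-rule replacement proposed at the end of the thread."""
    return [
        Rule("masquerade", out_interface="pppoe-GlobalPCNet"),
        Rule("src-nat", out_interface="ether2-iNFINITUM", to_addresses="192.168.1.64"),
    ]


def translated_source_after_readdress(new_addr: Dict[str, str]) -> Dict[str, str]:
    """Translate one LAN packet per link with the suggested rules after the interface
    addresses change to new_addr. Masquerade follows the change; src-nat keeps 192.168.1.64."""
    rules = suggested_rules()
    return {
        "pppoe-GlobalPCNet": apply_srcnat(rules, SAMPLE_PACKETS[0], new_addr)[1],
        "ether2-iNFINITUM": apply_srcnat(rules, SAMPLE_PACKETS[1], new_addr)[1],
    }


if __name__ == "__main__":
    print("counters, rule 1 unrestricted:", hits_per_rule(False))   # [4, 0, 0]
    print("counters, rule 1 narrowed:    ", hits_per_rule(True))    # [2, 1, 1]
    moved = {"pppoe-GlobalPCNet": "203.0.113.99", "ether2-iNFINITUM": "192.168.1.77"}
    print("after re-addressing:", translated_source_after_readdress(moved))
```

The re-addressing case is the caveat to weigh before taking the src-nat suggestion: the 192.168.1.64 address on ether2 is handed out by the modem's DHCP server, so if that lease ever changes, a fixed to-addresses keeps stamping the old address while masquerade would follow the new one. On a live router the equivalent check is /ip firewall nat print stats, which shows the per-rule packet counters the first post relied on.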
