 
TychoX
newbie
Topic Author
Posts: 26
Joined: Sat Feb 23, 2013 1:01 am

Very basic nat question

Thu Mar 07, 2013 5:40 am

Hello,

I don't understand why the following firewall NAT rule doesn't work:

The Ethernet interface to my upstream connection is named "ISP_UP". The external IP address on the outgoing interface is, let's say, 42.23.1.15/30; my internal RFC 1918 net is 192.168.1.0/24.

So, for configuring outgoing SRC-NAT from my RB2011 outwards I used the following rule:

add action=src-nat chain=srcnat comment="Outgoing NAT" src-address=\
192.168.1.0/24 to-addresses=42.23.1.15 out-interface=ISP_UP

THIS RULE DIDN'T WORK?! But when I remove the "out-interface" from the rule

add action=src-nat chain=srcnat comment="Outgoing NAT" src-address=\
192.168.1.0/24 to-addresses=42.23.1.15

it does work. Similar problem with the dst-nat rule. I used

add action=dst-nat chain=dstnat comment="ssh from extip to linux-server" dst-address=42.23.1.15 \
dst-port=1234 protocol=tcp to-addresses=192.168.1.2 to-ports=22

This rule does work, but of course it will also NAT internal SSH connections to the external IP of the router, which is quite impractical. Therefore I added the incoming interface to the NAT rule like this:

add action=dst-nat chain=dstnat comment="ssh from extip to linux-server" dst-address=42.23.1.15 \
dst-port=1234 protocol=tcp to-addresses=192.168.1.2 to-ports=22 in-interface=ISP_UP

and hoped NAT would only be used for external connections from the internet. But it still NATs all connections going to the Linux server's SSH port.

So, what did I get wrong about "out-interface" and "in-interface"?

cheers,

TychoX
 
cupis
Frequent Visitor
Posts: 74
Joined: Sun Apr 10, 2011 1:25 am

Re: Very basic nat question

Thu Mar 07, 2013 10:28 am

Instead of using src-nat, using masquerade might be more appropriate to your setup. Something like (not tested):
add action=masquerade chain=srcnat src-address=192.168.1.0/24 out-interface=ISP_UP
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Very basic nat question

Thu Mar 07, 2013 10:20 pm

What interface is that IP on? I'm guessing you have a PPP client running, and the out interface is technically that routed interface, not the physical one it resides on.
 
TychoX
newbie
Topic Author
Posts: 26
Joined: Sat Feb 23, 2013 1:01 am

Re: Very basic nat question

Fri Mar 08, 2013 4:06 pm

Hi,
Instead of using src-nat, using masquerade might be more appropriate to your setup. Something like (not tested):
add action=masquerade chain=srcnat src-address=192.168.1.0/24 out-interface=ISP_UP
With the "masquerade" action I had the problem that it took the private IP assigned to a bridge on that router instead of the public IP from the /30 transfer net going to the ISP. Which of course didn't work...

Does anyone know how the "masquerade" action selects the src IP for masquerading? I couldn't find anything about this in the documentation.

cheers,

Tycho
 
TychoX
newbie
Topic Author
Posts: 26
Joined: Sat Feb 23, 2013 1:01 am

Re: Very basic nat question

Fri Mar 08, 2013 4:08 pm

Hi Feklar,
What interface is that IP on? I'm guessing you have a PPP client running, and the out interface is technically that routed interface, not the physical one it resides on.
The public IP is on an Ethernet interface with a /30 transfer net to the ISP.

cheers,

Tycho
 
cupis
Frequent Visitor
Posts: 74
Joined: Sun Apr 10, 2011 1:25 am

Re: Very basic nat question

Fri Mar 08, 2013 5:06 pm

Instead of using src-nat, using masquerade might be more appropriate to your setup. Something like (not tested):
add action=masquerade chain=srcnat src-address=192.168.1.0/24 out-interface=ISP_UP
With the "masquerade" action I had the problem that it took the private IP assigned to a bridge on that router instead of the public IP from the /30 transfer net going to the ISP. Which of course didn't work...

Does anyone know how the "masquerade" action selects the src IP for masquerading? I couldn't find anything about this in the documentation.
Masquerade uses the outbound interface to select the outbound IP address, so if it picked a bridge, maybe this is the interface your traffic is leaving via (from the point of view of the router), and so perhaps this is why your original src-nat rule was not working...

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
masquerade - replace source address of an IP packet to IP determined by routing facility.
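As an added illustration (not from this thread and not RouterOS code), a small Python model of the two points made above: firewall matchers see a bridge port as its bridge, and masquerade takes the address of whatever interface the route actually leaves on, while action=src-nat uses the fixed to-addresses. The rules and addresses are the ones from TychoX's first post; the LAN port ether2 and the bridge address 192.168.1.1 are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    """Toy model of RouterOS interface resolution (added example, not RouterOS code)."""
    addresses: dict                                # interface -> configured IP
    bridges: dict = field(default_factory=dict)    # bridge -> member ports
    routes: list = field(default_factory=list)     # (prefix, out-interface)

    def effective(self, iface):
        """The firewall sees a bridge port as its bridge, not as the port."""
        return next((b for b, ports in self.bridges.items() if iface in ports), iface)

    def egress(self, dst):
        """Longest-prefix route lookup, mapped to the interface the firewall sees."""
        addr = ipaddress.ip_address(dst)
        hits = [(ipaddress.ip_network(p), i) for p, i in self.routes
                if addr in ipaddress.ip_network(p)]
        return self.effective(max(hits, key=lambda h: h[0].prefixlen)[1])

    def srcnat(self, src, dst, rule):
        """Apply one chain=srcnat rule; return the new source address or None."""
        out = self.egress(dst)
        if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src-address"]):
            return None
        if rule.get("out-interface", out) != out:
            return None                  # out-interface= did not match what the firewall sees
        if rule["action"] == "masquerade":
            return self.addresses[out]   # "IP determined by routing facility"
        return rule["to-addresses"]      # action=src-nat: the fixed to-addresses=

    def dstnat(self, in_iface, dst, dport, rule):
        """Apply one chain=dstnat rule; return (new dst, new port) or None."""
        seen = self.effective(in_iface)
        if (dst, dport) != (rule["dst-address"], rule["dst-port"]):
            return None
        if rule.get("in-interface", seen) != seen:
            return None                  # in-interface= did not match what the firewall sees
        return rule["to-addresses"], rule["to-ports"]


def build(isp_port_bridged):
    """Thread topology: LAN on bridge1, public IP on ISP_UP (ether2 and 192.168.1.1 constructed)."""
    ports = ["ether2", "ISP_UP"] if isp_port_bridged else ["ether2"]
    return Router(addresses={"bridge1": "192.168.1.1", "ISP_UP": "42.23.1.15"},
                  bridges={"bridge1": ports},
                  routes=[("192.168.1.0/24", "bridge1"), ("0.0.0.0/0", "ISP_UP")])
```

With build(True) the src-nat rule carrying out-interface=ISP_UP never matches and a plain masquerade picks 192.168.1.1, which is the behaviour described in the thread; with build(False) both rules resolve to 42.23.1.15, and the dst-nat rule with in-interface=ISP_UP matches only connections arriving on ISP_UP.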
 
Degun
just joined
Posts: 3
Joined: Thu Mar 07, 2013 8:52 pm

Re: Very basic nat question

Fri Mar 08, 2013 7:37 pm

That is something I don't understand, but I myself am getting no speed for the internet. Last night it was working very slowly, but today when I returned and started the modem after keeping my surfboard, I never got anything. Everything is working; the connection says that there is no speed. I have no idea what to do?
 
TychoX
newbie
Topic Author
Posts: 26
Joined: Sat Feb 23, 2013 1:01 am

Re: Very basic nat question

Fri Mar 08, 2013 9:50 pm

Hi Cupis,
Does anyone know how the "masquerade" action selects the src IP for masquerading? I couldn't find anything about this in the documentation.
Masquerade uses the outbound interface to select the outbound IP address, so if it picked a bridge, maybe this is the interface your traffic is leaving via (from the point of view of the router), and so perhaps this is why your original src-nat rule was not working...
Thx, I never thought an "outgoing" interface placed within a bridge could force the bridge itself to become the outgoing interface :) But I did remove all the router's interfaces from bridge groups and the NAT rule still didn't work as long as I had the "out-interface" clause in the src-nat rule.

May it be that this problem originates because the "ISP-Interface" had been in a bridge group?

It took me quite some time to figure out that the "masquerade" action took the private address of the bridge back then, as I can't trace/sniff after the outbound interface. Any hints on how to best debug this in RouterOS?

thx,

Tycho
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Very basic nat question

Fri Mar 08, 2013 10:41 pm

You can observe the effect of a src NAT or masquerade command on the traffic leaving the egress interface. If you ping something like 8.8.8.8 and then look for the ICMP traffic you will see the source address being used. Note that if you change the applicable src NAT rule, also stop and restart your ping command. In fact I usually change the ping target too, backwards and forwards, to avoid any confusion caused by connection tracking.

I suggest uploading all your current NAT entries - or better still the output from /export compact.
 
cupis
Frequent Visitor
Posts: 74
Joined: Sun Apr 10, 2011 1:25 am

Re: Very basic nat question

Fri Mar 08, 2013 11:09 pm

Does anyone know how the "masquerade" action selects the src IP for masquerading? I couldn't find anything about this in the documentation.
Masquerade uses the outbound interface to select the outbound IP address, so if it picked a bridge, maybe this is the interface your traffic is leaving via (from the point of view of the router), and so perhaps this is why your original src-nat rule was not working...
Thx, I never thought an "outgoing" interface placed within a bridge could force the bridge itself to become the outgoing interface :) But I did remove all the router's interfaces from bridge groups and the NAT rule still didn't work as long as I had the "out-interface" clause in the src-nat rule.

May it be that this problem originates because the "ISP-Interface" had been in a bridge group?
Once the interface has been removed from the bridge group, or the bridge has been removed, then it should not be affecting any new connections. I think it is time to go back to basics - can you explain your setup (interfaces, IP addresses) and what you are trying to do? Where does the bridge interface come into things? Do your original rules work if you use the bridge interface instead of ISP_UP?
