aeon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 17, 2013 2:59 pm

rewrite packets on bridge (or do i need nat?)

Sun Mar 17, 2013 4:15 pm

Hello, everyone!

I need to rewrite packets coming through the bridge. I prefer not to use NAT for this, as I want the connection to be otherwise transparent. My question: is it possible with RouterOS?

My network setup:

G (gateway, dhcp server, 10.0.0.10)
A (lan, 10.0.0.150)
B (lan, 10.0.0.151)
R (routerboard 951g 2HnD)

Normally A and B are connected to G like this:

A <-> G <-> B

but we insert R between G and B:

A <-> G <-> R <-> B

All packets from and to B are just passed transparently through R, except for packets to A, which are redirected to some other host (say C, 10.0.0.152). Packets from C coming to B via R are also rewritten, so they appear to originate from A.

I am a newbie in networking, so any suggestions are welcome.
Last edited by aeon on Sun Apr 07, 2013 4:29 pm, edited 2 times in total.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: rewrite packets on bridge (or do i need nat?)

Sun Mar 17, 2013 7:36 pm

You could use a bridge and set it to use the IP Firewall. If you are changing source or destination IP addresses on the packets then you are doing a form of NAT regardless of whether it is carried out on a bridge or not.
 
aeon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 17, 2013 2:59 pm

Re: rewrite packets on bridge (or do i need nat?)

Thu Mar 21, 2013 8:51 am

Thanks for the reply. However, I have not been able to make it work. I tried the same thing as for dhcp+masquerade, but it does not work on a bridge. Here is what I do:

# setup a bridge
/interface ethernet set master-port=none ether4-slave-local
/interface ethernet set master-port=none ether5-slave-local
/interface bridge add name=bridge-4-5
/interface bridge port add bridge=bridge-4-5 interface=ether4-slave-local
/interface bridge port add bridge=bridge-4-5 interface=ether5-slave-local
/interface bridge settings set use-ip-firewall=yes

# add nat rule "reroute packets 10.0.0.150 -> 8.8.8.8 to 10.0.0.150 -> 9.9.9.9"
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=9.9.9.9 dst-address=8.8.8.8 in-interface=bridge-4-5

What I got is that all packets destined to 8.8.8.8 just disappear. I suppose the rule is wrong. I tried a few other variants -- none worked. What would be the right rule?
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: rewrite packets on bridge (or do i need nat?)

Thu Mar 21, 2013 11:37 am

IMHO, if you want to reroute a packet to a different IP in the same subnet (for ex. 10.0.0.x), you must also do DST MAC address translation ("DMAT") and maybe "SMAT" in bridge tables, because Mtik must reroute the packet at L2 to a different MAC address; L3 DNAT alone does not change the DST MAC in this case.

If you want to reroute a packet to a different IP in a different subnet connected to Mikrotik, you must redirect the packet to Mtik itself (in bridge tables), and in iptables you must DNAT and SNAT the IP packet to the different host in the different subnet.

In both cases, the redirection is not 100% transparent.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: rewrite packets on bridge (or do i need nat?)

Thu Mar 21, 2013 12:21 pm

To use the IP Firewall you need to select in/out-bridge-port rather than in/out-interface etc. In Winbox the in/out-bridge-port selections are on the Advanced tab.
 
aeon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 17, 2013 2:59 pm

Re: rewrite packets on bridge (or do i need nat?)

Thu Mar 21, 2013 5:49 pm

@CelticComms: I have disabled the old rules and added 4 new ones with an in/out-bridge-port filter. Rules 6, 7, 8 do nothing; no packets are matched against them. Rule 9 consumes all packets destined to 8.8.8.8 (it does not rewrite the address; the packets just do not come out of the bridge).

6 chain=dstnat action=dst-nat to-addresses=9.9.9.9 dst-address=8.8.8.8 out-bridge-port=ether5-slave-local

7 chain=dstnat action=dst-nat to-addresses=9.9.9.9 dst-address=8.8.8.8 out-bridge-port=ether4-slave-local

8 chain=dstnat action=dst-nat to-addresses=9.9.9.9 dst-address=8.8.8.8 in-bridge-port=ether5-slave-local

9 chain=dstnat action=dst-nat to-addresses=9.9.9.9 dst-address=8.8.8.8 in-bridge-port=ether4-slave-local

@5nik: the main task is to rewrite IP on the same subnet; I switched to 8.8.8.8 only to simplify testing. By transparent I mean IP-level transparent. I do not understand why I need a MAC address rewrite. But for now I cannot even rewrite the IP destination.
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: rewrite packets on bridge (or do i need nat?)

Fri Mar 22, 2013 11:17 am

> the main task is to rewrite IP on the same subnet; I switched to 8.8.8.8 only to simplify testing. By transparent I mean IP-level transparent. I do not understand why I need a MAC address rewrite. But for now I cannot even rewrite the IP destination.

Within the same subnet, packets are routed by switches (bridges) based on MAC addresses, not IP. In your case, when Mikrotik changes the DST IP address without changing the DST MAC address, the packet will be delivered to the original target, which checks the DST IP and drops the packet (right MAC, wrong IP).

In your case (switching to 8.8.8.8), you must change DST IP and change DST MAC to MAC of gateway.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: rewrite packets on bridge (or do i need nat?)

Fri Mar 29, 2013 2:55 pm

On the config where the DNATed packets disappear make sure that you have a route in IP routes to the new destination so that ROS knows which interface it is ARPing on.

It might be worthwhile uploading your current config using /export compact so we can suggest changes.
 
aeon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 17, 2013 2:59 pm

Re: rewrite packets on bridge (or do i need nat?)

Fri Apr 05, 2013 2:29 pm

@5nik: about L2 routing I did not know. My understanding now is that I should also use DMAT for the same subnet. However, if I rewrite a packet destined to the internet (e.g. 8.8.8.8), I do not see why I should do DMAT. A packet to 8.8.8.8 is already destined to the gateway's MAC, so it would be sufficient to rewrite the IP destination only.

Also, I am sure that the packet does not reach the gateway at all, as it does not show up in Wireshark on the gateway (even when the interface is in promiscuous mode).

> On the config where the DNATed packets disappear make sure that you have a route in IP routes to the new destination so that ROS knows which interface it is ARPing on.

For my current test the new destination is also in the internet (e.g. 9.9.9.9) => the packet must proceed to the gateway with the same MAC. The bridge knows the gateway and passes packets to it normally. They only disappear if I change 8.8.8.8 to 9.9.9.9. So I do not understand what kind of IP route would help.

Here is what /export says. It is rather lengthy; the short summary is:
- ports 1, 2, 3 -- default configuration with NAT masquerade
- wifi -- disabled
- ports 4, 5 -- bridge with the rewrite in question, port 4 connected to the client, port 5 to the gateway

ros code

# jan/16/1970 18:51:07 by RouterOS 5.22
# software id = JNSB-K4XH
#
/interface bridge
add admin-mac=00:0C:42:E9:06:03 ageing-time=5m arp=enabled auto-mac=no disabled=no forward-delay=15s l2mtu=\
    1598 max-message-age=20s mtu=1500 name=bridge-local priority=0x8000 protocol-mode=rstp \
    transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=\
    1598 max-message-age=20s mtu=1500 name=bridge-4-5 priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=00:0C:42:E9:06:02 master-port=none mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=00:0C:42:E9:06:03 master-port=none mtu=1500 name=ether2-master-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=00:0C:42:E9:06:04 master-port=ether2-master-local mtu=1500 name=ether3-slave-local speed=\
    100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=00:0C:42:E9:06:05 master-port=none mtu=1500 name=ether4-slave-local speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=00:0C:42:E9:06:06 master-port=none mtu=1500 name=ether5-slave-local speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" eap-methods=passthrough group-ciphers=aes-ccm \
    group-key-update=5m interim-update=0s management-protection=disabled management-protection-key="" mode=\
    none name=default radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no \
    radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=\
    none static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" \
    static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
/interface wireless
set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 area="" arp=enabled band=2ghz-b/g/n \
    basic-rates-a/g=6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=20/40mhz-ht-above compression=\
    no country=no_country_set default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 \
    default-forwarding=yes dfs-mode=none disable-running-check=no disabled=yes disconnect-timeout=3s distance=\
    indoors frame-lifetime=0 frequency=2412 frequency-mode=manual-txpower frequency-offset=0 hide-ssid=no \
    ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-guard-interval=any ht-rxchains=0,1 ht-supported-mcs="mcs\
    -0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,m\
    cs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" ht-txchains=0,1 hw-fragmentation-threshold=disabled \
    hw-protection-mode=none hw-protection-threshold=0 hw-retries=7 l2mtu=2290 mac-address=00:0C:42:E9:06:07 \
    max-station-count=2007 mode=ap-bridge mtu=1500 multicast-helper=default name=wlan1 noise-floor-threshold=\
    default nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-preshared-key="" nv2-qos=default \
    nv2-queue-count=2 nv2-security=disabled on-fail-retry-time=100ms periodic-calibration=default \
    periodic-calibration-interval=60 preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=\
    000C42E90607 rate-selection=advanced rate-set=default scan-list=default security-profile=default ssid=\
    MikroTik station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps \
    tdma-period-size=2 tx-power-mode=default update-stats-interval=disabled wds-cost-range=50-150 \
    wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled wireless-protocol=any \
    wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps\
    :17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT2\
    0-7:17,HT40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=3200 framer-policy=none
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d \
    http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default shared-users=1 \
    status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default \
    pfs-group=modp1024
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=static disabled=no interface=\
    bridge-local lease-time=3d name=default
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default \
    use-mpls=default use-vj-compression=default
set 1 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes \
    use-mpls=default use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 \
    red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no ignore-as-path-len=no name=default \
    out-filter="" redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=ospf-in metric-bgp=auto \
    metric-connected=20 metric-default=1 metric-other-ospf=auto metric-rip=20 metric-static=20 name=default \
    out-filter=ospf-out redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
    redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=backbone type=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-password="" authentication-protocol=MD5 \
    encryption-password="" encryption-protocol=DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=\
    auto target=remote
/user group
set read name=read policy=\
    local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,!ftp,!write,!policy skin=default
set write name=write policy=\
    local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,!ftp,!policy skin=default
set full name=full policy=\
    local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api skin=default
/interface bridge port
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=ether2-master-local \
    path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=wlan1 path-cost=10 \
    point-to-point=auto priority=0x80
add bridge=bridge-4-5 disabled=no edge=auto external-fdb=auto horizon=none interface=ether4-slave-local \
    path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-4-5 disabled=no edge=auto external-fdb=auto horizon=none interface=ether5-slave-local \
    path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=disabled
set 1 vlan-header=leave-as-is vlan-mode=disabled
set 2 vlan-header=leave-as-is vlan-mode=disabled
set 3 vlan-header=leave-as-is vlan-mode=disabled
set 4 vlan-header=leave-as-is vlan-mode=disabled
set 5 vlan-header=leave-as-is vlan-mode=disabled
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 \
    max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no \
    keepalive-timeout=60 mac-address=FE:D7:EC:D3:42:9C max-mtu=1500 mode=ip netmask=24 port=1194 \
    require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=\
    1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no \
    keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 \
    frame-size=300 frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no \
    receive-errors=no streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=no interface=bridge-local network=\
    192.168.88.0
/ip dhcp-client
add add-default-route=yes comment="default configuration" default-route-distance=1 disabled=no interface=\
    ether1-gateway use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dhcp-option="" dns-server=192.168.88.1 gateway=\
    192.168.88.1 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=""
/ip dns static
add address=192.168.88.1 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-address=8.8.8.8 in-bridge-port=ether4-slave-local \
    to-addresses=9.9.9.9
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set ether1-gateway disabled=yes
set ether2-master-local disabled=no
set ether3-slave-local disabled=no
set ether4-slave-local disabled=no
set ether5-slave-local disabled=no
set wlan1 disabled=yes
set bridge-local disabled=no
set bridge-4-5 disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no \
    max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no lsr-id=0.0.0.0 path-vector-limit=\
    255 transport-address=0.0.0.0 use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1-gateway queue=only-hardware-queue
set ether2-master-local queue=only-hardware-queue
set ether3-slave-local queue=only-hardware-queue
set ether4-slave-local queue=only-hardware-queue
set ether5-slave-local queue=only-hardware-queue
set wlan1 queue=wireless-default
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m gateway-selection=no-gateway \
    origination-interval=5s preferred-gateway=0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 \
    metric-static=1 redistribute-bgp=no redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" trap-target="" trap-version=1
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=MikroTik
/system leds
set 0 disabled=no interface=wlan1 leds=wlan-led type=wireless-status
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=broadcast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=600MHz force-backup-booter=no \
    silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol="" filter-mac-address="" \
    filter-mac-protocol="" filter-port="" filter-stream=yes interface=all memory-limit=100KiB memory-scroll=\
    yes only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
Last edited by aeon on Sun Apr 07, 2013 1:52 pm, edited 1 time in total.
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: rewrite packets on bridge (or do i need nat?)

Sat Apr 06, 2013 12:55 am

@aeon:
I don't see a problem in your script; it should work. At least, you should see the packets on the gateway. I don't see a reason why Mtik blocks the packets.
On the weekend I'll try to simulate your problem in a virtual environment and I'll post the results. In your case (8.8.8.8 -> 9.9.9.9) "DMAT" is not necessary.
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: rewrite packets on bridge (or do i need nat?)

Sat Apr 06, 2013 10:53 pm

@aeon
OK, simulation successfully done.

Try modifying the firewall rule:

ros code

add action=dst-nat chain=dstnat disabled=no dst-address=8.8.8.8 in-interface=bridge-4-5 in-bridge-port=ether4-slave-local \
    to-addresses=9.9.9.9

And add a default route to your LAN gateway in Mtik. It should start working.
 
aeon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 17, 2013 2:59 pm

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 3:16 pm

> Try modify firewall rule:

I've removed the old rule and then added a new one as you say; still the packets disappear.

> And add default route to your LAN gateway in Mtik. It should start working.

How do I do it? Is it under "/ip firewall nat" or elsewhere?
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 3:48 pm

In the config you uploaded earlier it looked as if you had a DHCP client set to provide a default route. Do you see a default route when you look in /IP route?
 
aeon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 17, 2013 2:59 pm

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 4:46 pm

Yes, I can see the default route. And it was there from the start:

ros code

/ip route print
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 ADC  192.168.88.0/24    192.168.88.1    bridge-local              0

By factory defaults all ports are in "bridge-local" and the DHCP client settings are for that bridge. I did not touch ports 1, 2, 3 at all. I created "bridge-4-5", then took ports 4 and 5 from "bridge-local" and put them into "bridge-4-5". In short, all DHCP client settings are for the default configuration and relate to ports 1, 2, 3.
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 5:05 pm

No, the default route has dst-address=0.0.0.0/0

Can you briefly describe the IP settings of your LAN? (gw, switch, who is the DHCP server, etc.)
 
aeon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 17, 2013 2:59 pm

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 5:21 pm

> No, default route has dst-address=0.0.0.0/0

My mistake perhaps (I do not know the definition of a default route), but anyway it is the only route present.

> Can you briefly describe IP settings of your LAN ? (gw, switch, who is DHCP server etc.)

I have two computers in my test setup, G (gateway 10.0.0.10, DHCP server) and A (10.0.0.151, DHCP client). They are connected via Mtik: G eth3 is connected to port 5, A eth0 to port 4.

Besides (and possibly irrelevant): G eth0 is connected to the internet. G eth2 is connected to Mtik port 2, to control Mtik (this time G is the DHCP client, Mtik is the DHCP server).
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 5:37 pm

Try to add a default gateway to Mtik:

ros code

/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.10

After DNAT of a packet from A, Mtik reroutes the packet (as if Mtik sent it). Without a default gateway Mtik doesn't know where it should send packets.
 
aeon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 17, 2013 2:59 pm

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 6:40 pm

> /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.10

Tried it, nothing has changed. I also tried

ros code

/ip route add dst-address=0.0.0.0/0 gateway=bridge-4-5

This led to interesting results:
- ping at A starts to report "Destination Host Unreachable"
- Mtik starts broadcasting ARP "who has 9.9.9.9?"

That seems almost OK, and may work with LAN-scope address substitution. I need some time to check, though. It also does not solve the global->global case.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 7:03 pm

For testing it might be better to swap 8.8.8.8 to 8.8.4.4 so that the traffic has somewhere to go. I could see the ping replies change when I tested this earlier but it certainly needed a working default route.
 
aeon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 17, 2013 2:59 pm

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 7:57 pm

I've tried

ros code

/ip address add address=10.0.0.11/24 network=10.0.0.0 interface=bridge-4-5
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.10

And now the changed packets do show up on the gateway. However, 10.0.0.11 is a "self-assigned" address, which is not good. I would prefer the bridge not to have an IP address at all, which AFAIU is the whole idea of an Ethernet bridge.
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 9:02 pm

A managed switch has an IP address; it is not unusual. I think that if you want the DNAT function (which is normally a router's function), an IP address is necessary. You can set a dynamic IP address (DHCP client).
 
CelticComms
Forum Guru
Forum Guru
Joined: Wed May 02, 2012 5:48 am

Re: rewrite packets on bridge (or do i need nat?)

Sun Apr 07, 2013 9:37 pm

> I would prefer bridge to not have ip address at all, which AFAIU is the whole idea of ethernet bridge.

However, the functionality that you are looking for is not bridge or even layer 2 functionality. NAT is a layer 3 function, so some layer 3 features are used.
 
aeon
just joined
Topic Author
Posts: 10
Joined: Sun Mar 17, 2013 2:59 pm

Re: rewrite packets on bridge (or do i need nat?)

Mon Apr 08, 2013 12:13 pm

> You can set dynamic ip address (dhcp client).

Tried it and it worked right away.

I guess this is it. Not exactly what I expected, but close enough. Thank you both very much for the help.
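Pulling the thread together, here is the complete working configuration as an added example; it is not posted by anyone in the thread but assembled from aeon's bridge setup, CelticComms' in-bridge-port advice, 5nik's corrected NAT rule and the final step of giving the bridge an address via a DHCP client. Addresses (A=10.0.0.150, B=10.0.0.151, C=10.0.0.152, G=10.0.0.10), the interface names and the RouterOS 5.x syntax follow the thread; 10.0.0.11 in the static alternative is an assumed free address.

```routeros
# Added example (not from any post in this thread): the working setup for
# rewriting packets on a RouterOS 5.x bridge, assembled from the replies above.
# Assumed topology: B on ether4-slave-local, gateway G and hosts A/C on
# ether5-slave-local, all in 10.0.0.0/24.

# 1. Take ether4/ether5 out of the default switch group and bridge them.
/interface ethernet set ether4-slave-local master-port=none
/interface ethernet set ether5-slave-local master-port=none
/interface bridge add name=bridge-4-5 protocol-mode=none
/interface bridge port add bridge=bridge-4-5 interface=ether4-slave-local
/interface bridge port add bridge=bridge-4-5 interface=ether5-slave-local

# 2. Pass bridged traffic through the IP firewall; without this no NAT rule
#    ever sees the frames.
/interface bridge settings set use-ip-firewall=yes

# 3. Give the bridge an IP address and a default route. DNAT is a layer-3
#    action: after the destination is rewritten RouterOS routes the packet
#    itself and ARPs for the new next hop, so it needs an address in the
#    subnet and a route. A DHCP client on the bridge provides both (this is
#    the step that finally worked in the thread).
#    Caveat: the default config already runs a DHCP client on ether1-gateway
#    with add-default-route=yes; if both links are up, two default routes
#    result, so rank the secondary one with default-route-distance.
/ip dhcp-client add interface=bridge-4-5 add-default-route=yes \
    default-route-distance=2 disabled=no

#    Static alternative (10.0.0.11 is an assumed free address):
#    /ip address add address=10.0.0.11/24 interface=bridge-4-5
#    /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.10

# 4. The rewrite. Match on the bridge port, not on in-interface=etherN.
#    Test rule from the thread (8.8.8.8 -> 9.9.9.9):
/ip firewall nat add chain=dstnat action=dst-nat in-bridge-port=ether4-slave-local \
    dst-address=8.8.8.8 to-addresses=9.9.9.9 comment="test: 8.8.8.8 -> 9.9.9.9"

#    The actual goal: traffic from B to A is redirected to C. Connection
#    tracking reverses the translation on the reply path, so C's answers
#    arrive at B with A's address as source; no separate srcnat rule is
#    needed for the return direction.
/ip firewall nat add chain=dstnat action=dst-nat in-bridge-port=ether4-slave-local \
    src-address=10.0.0.151 dst-address=10.0.0.150 to-addresses=10.0.0.152 \
    comment="B -> A redirected to C"

# 5. Checks: the default route must exist, the rule counters must increase,
#    and the connection table shows the translated flow.
/ip route print where dst-address=0.0.0.0/0
/ip firewall nat print stats
/ip firewall connection print
```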
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: rewrite packets on bridge (or do i need nat?)

Mon Apr 08, 2013 12:25 pm

@aeon
You're welcome, interesting case. :)
