Let's explain a simple VPN site:
/ip address
add address=192.168.250.24 interface=lo # OSPF router ID
add address=10.0.0.2/30 interface=ether1 # LTE internet gateway
add address=172.17.95.1/24 interface=ether2 # LAN
/ip route
add gateway=10.0.0.1 # Default gateway for router to establish VPN
/ip route vrf
add interfaces=lo,vpn-hosting,ether2 routing-mark=mpls # The VRF
If we direct everything destined for RFC 1918 IPs, with the exception of any local subnets, to the 'mpls' routing table, we get traceroute working. It's, however, fairly dangerous, as any mistake in the exception would result in the VPN not establishing and us losing remote access to the router:
[davidh@Customer - Site 1] > /ip route rule print
Flags: X - disabled, I - inactive
0 dst-address=10.0.0.0/30 action=lookup table=main # Exempt internet breakout subnet
1 dst-address=10.0.0.0/8 action=lookup table=mpls
2 dst-address=172.16.0.0/12 action=lookup table=mpls
3 dst-address=192.168.0.0/16 action=lookup table=mpls
The following is a sample working traceroute from a remote site:
[davidh@Customer - Site 2] > /tool traceroute 172.17.95.9 routing-table=mpls src-address=192.168.253.2
# ADDRESS LOSS SENT LAST AVG BEST WORST
1 192.168.253.1 0% 42 9.1ms 13.8 6.4 31
2 192.168.250.24 0% 42 230ms 243.7 193.9 296.2
3 172.17.95.9 0% 42 230.9ms 242.1 188.7 343.5
The 2nd hop above is the router at Site 1 (192.168.250.24).
I would prefer to replace these routing rules with firewall rules, but have an issue in that source NAT rules are not applied. I first removed the routing rules and loaded the following mangle firewall rules:
/ip firewall address-list
add list=mpls address=10.0.0.0/8
add list=mpls address=172.16.0.0/12
add list=mpls address=192.168.0.0/16
/ip firewall mangle
add chain=prerouting src-address-list=mpls protocol=icmp ttl=equal:1 action=mark-connection new-connection-mark=mpls passthrough=yes
add chain=output connection-mark=mpls action=mark-routing new-routing-mark=mpls passthrough=yes
If I set the 'output' mangle rule to log, I observe the following:
13:49:36 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.0.0.2->192.168.253.2, len 56
13:49:37 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.0.0.2->192.168.253.2, len 56
13:49:38 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.0.0.2->192.168.253.2, len 56
13:49:39 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.0.0.2->192.168.253.2, len 56
13:49:40 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.0.0.2->192.168.253.2, len 56
13:49:41 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.0.0.2->192.168.253.2, len 56
13:49:42 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.0.0.2->192.168.253.2, len 56
13:49:43 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.0.0.2->192.168.253.2, len 56
Great, so far everything is actually working. ICMP packets with a TTL of 1 are tracked and the corresponding output packets are identified by RouterOS. The traceroute at the far end now shows the router as 10.0.0.2, though:
[davidh@Customer - Site 2] > /tool traceroute 172.17.95.9 routing-table=mpls src-address=192.168.253.2
# ADDRESS LOSS SENT LAST AVG BEST WORST
1 192.168.253.1 0% 30 13.7ms 12.9 6 24.9
2 10.0.0.2 0% 30 237.7ms 262.7 198.9 343.7
3 172.17.95.9 0% 28 246.9ms 265.5 226.2 314.1
Okay, so then I simply want to set a source NAT rule on traffic leaving the vpn-hosting interface for packets from 10.0.0.2. None of the following rules, however, match:
/ip firewall nat
add chain=srcnat out-interface=vpn-hosting src-address=10.0.0.2 action=src-nat to-addresses=192.168.250.24
add chain=srcnat connection-mark=mpls action=src-nat to-addresses=192.168.250.24
How does one source NAT traffic after using mangle to send the packet via a different routing table?
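A pre-flight check for the lockout risk raised in the post, added here as an example; it is not part of the original post and not RouterOS code. It models route-rule evaluation as ordered first-match on dst-address (the semantics the posted rule list depends on) and reports which routing table a given destination would be sent to, so a rule set can be checked against the addresses the router must still reach via main (the 10.0.0.1 default gateway from the post) before it is committed. The rule list is taken from the post's `/ip route rule print` output; the mis-ordered variant and the `lockout_check` helper are constructed for the example.

```python
import ipaddress

# Route rules exactly as posted, in evaluation order: (dst-address, table).
ROUTE_RULES = [
    ("10.0.0.0/30", "main"),      # exempt internet breakout subnet
    ("10.0.0.0/8", "mpls"),
    ("172.16.0.0/12", "mpls"),
    ("192.168.0.0/16", "mpls"),
]

# Constructed mistake: the /30 exemption placed after the /8 rule it is meant to override.
MISORDERED_RULES = [ROUTE_RULES[1], ROUTE_RULES[0]] + ROUTE_RULES[2:]

# Destinations the router must keep reaching through 'main' or remote access is lost.
# Only the default gateway is known from the post; add the VPN endpoint's public IP here.
MUST_USE_MAIN = ["10.0.0.1"]


def select_table(dst, rules=ROUTE_RULES, default="main"):
    """Return the table the rule list selects for dst.

    Assumption: rules are evaluated top to bottom and the first dst-address
    match wins; when nothing matches, the lookup falls back to 'main'.
    """
    ip = ipaddress.ip_address(dst)
    for prefix, table in rules:
        if ip in ipaddress.ip_network(prefix, strict=False):
            return table
    return default


def lockout_check(rules, must_use_main=MUST_USE_MAIN):
    """Return the critical destinations that this rule set would NOT send to 'main'.

    An empty list means the rule set is safe to commit with respect to those addresses.
    """
    return [d for d in must_use_main if select_table(d, rules) != "main"]


def report(rules, samples=("10.0.0.1", "192.168.253.2", "172.17.95.9", "8.8.8.8")):
    """Map each sample destination to the table the rule set selects."""
    return {dst: select_table(dst, rules) for dst in samples}


if __name__ == "__main__":
    print("posted rules:     ", report(ROUTE_RULES))
    print("misordered rules: ", report(MISORDERED_RULES))
    print("lockout (posted):     ", lockout_check(ROUTE_RULES))
    print("lockout (misordered): ", lockout_check(MISORDERED_RULES))
```

Run it before pasting a changed rule list into the router; if `lockout_check` returns anything, the exemption is missing or ordered below a broader rule and the VPN would be steered into the mpls table. The model only reports which table the rules pick, not what the chosen table then routes, so a miss inside mpls is not covered.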