anuser
Long time Member
Topic Author
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

multiple [NAT-IP + OSPF routes]

Fri Mar 15, 2019 10:51 am

Hello,

I have srcNAT connection problems with wifi clients. The configuration below is being used on a CCR router with CAPsMAN enabled. Wifi clients connect and get an IP address from one single /16 subnet which is srcNATed to 4 public IP addresses. For the public IP addresses OSPF is enabled, so ECMP should be used. Unfortunately, the public IP which is used for srcNAT is not respected. It seems OSPF ECMP changes this one randomly, which breaks TCP connections entirely. Hopefully it is clear what I mean?

Let's look at the configuration on the CCR:
- DHCP server
/ip dhcp-server network
add address=10.40.0.0/16 dns-server=10.40.0.241 domain=hob.com \
gateway=10.40.0.240 netmask=16
- OSPF interfaces + network
/routing ospf interface
add interface=vlan2081 network-type=broadcast
add interface=vlan1000 network-type=broadcast passive=yes
add interface=vlan2082 network-type=broadcast
add interface=vlan2083 network-type=broadcast
add interface=vlan2084 network-type=broadcast
/routing ospf network
add area=backbone network=195.0.1.5.20/32
add area=backbone network=195.12.108.0/30
add area=backbone network=195.12.108.4/30
add area=backbone network=195.12.108.8/30
add area=backbone network=195.12.108.12/30
- OSPF routes, i.e. /routing ospf route> print
0.0.0.0/0 ext-2 1
195.12.108.1 vlan2081
195.12.108.5 vlan2082
195.12.108.9 vlan2083
195.12.108.13 vlan2084

- srcnat:
/ip firewall nat
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src0 src-address=10.40.0.0/19 to-addresses=195.12.108.2
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src64 src-address=10.40.32.0/19 to-addresses=195.12.108.6
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src128 src-address=10.40.64.0/19 to-addresses=195.12.108.10
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src192 src-address=10.40.96.0/19 to-addresses=195.12.108.14
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src0 src-address=10.40.128.0/19 to-addresses=195.12.108.2
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src64 src-address=10.40.160.0/19 to-addresses=195.12.108.6
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src128 src-address=10.40.192.0/19 to-addresses=195.12.108.10
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src192 src-address=10.40.224.0/19 to-addresses=195.12.108.14
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src16 src-address=10.40.0.0/16 to-addresses=195.12.108.2

e.g.
- my client has 10.40.72.111
- So public NAT IP 195.12.108.10 should be used
- Browsing to showip.net it shows 195.12.108.2

So OSPF ECMP mixes with srcNAT. So it seems I have to get OSPF up and running with some kind of "routing-mark" policies. Those below don't work:
/ip firewall mangle add chain=prerouting src-address=10.40.0.0/19 action=mark-routing new-routing-mark=r_src0
/ip firewall mangle add chain=prerouting src-address=10.40.32.0/19 action=mark-routing new-routing-mark=r_src32
/ip firewall mangle add chain=prerouting src-address=10.40.64.0/19 action=mark-routing new-routing-mark=r_src64
/ip firewall mangle add chain=prerouting src-address=10.40.96.0/19 action=mark-routing new-routing-mark=r_src96
/ip firewall mangle add chain=prerouting src-address=10.40.128.0/19 action=mark-routing new-routing-mark=r_src128
/ip firewall mangle add chain=prerouting src-address=10.40.160.0/19 action=mark-routing new-routing-mark=r_src160
/ip firewall mangle add chain=prerouting src-address=10.40.192.0/19 action=mark-routing new-routing-mark=r_src192


/ip firewall nat
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src0 routing-mark=r_src0 src-address=10.40.0.0/19 to-addresses=\
195.12.108.2
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src64 routing-mark=r_src32 src-address=10.40.32.0/19 to-addresses=\
195.12.108.6
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src128 routing-mark=r_src64 src-address=10.40.64.0/19 to-addresses=\
195.12.108.10
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src192 routing-mark=r_src96 src-address=10.40.96.0/19 to-addresses=\
195.12.108.14
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src0 routing-mark=r_src128 src-address=10.40.128.0/19 to-addresses=\
195.12.108.2
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src64 routing-mark=r_src160 src-address=10.40.160.0/19 to-addresses=\
195.12.108.6
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src128 routing-mark=r_src192 src-address=10.40.192.0/19 to-addresses=\
195.12.108.10
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src192 routing-mark=r_src224 src-address=10.40.224.0/19 to-addresses=\
195.12.108.14


/ip route
add distance=1 gateway=195.12.108.9 pref-src=195.12.108.10 routing-mark=\
r_src192
add distance=1 gateway=195.12.108.13 pref-src=195.12.108.14 routing-mark=\
r_src224
add distance=1 gateway=195.12.108.1 pref-src=195.12.108.2 routing-mark=r_src0
add distance=1 gateway=195.12.108.5 pref-src=195.12.108.6 routing-mark=\
r_src32
add distance=1 gateway=195.12.108.9 pref-src=195.12.108.10 routing-mark=\
r_src64
add distance=1 gateway=195.12.108.13 pref-src=195.12.108.14 routing-mark=\
r_src96
add distance=1 gateway=195.12.108.1 pref-src=195.12.108.2 routing-mark=\
r_src128
add distance=1 gateway=195.12.108.5 pref-src=195.12.108.6 routing-mark=\
r_src160
e.g.
- my client has 10.40.72.111
- So public NAT IP 195.12.108.10 should be used
- Browsing to showip.net it shows 195.12.108.2 sometimes

I forgot to mention that I added a "catch it all" rule in "ip firewall nat" at the end, which is being used when that "error" occurs:
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
    src16 src-address=10.40.0.0/16 to-addresses=195.12.108.2
Why is it being used at all? There shouldn't be any match, as I catch everything with the rules above...
So I added logging to this rule with "src-catch-all" and hit "F5" to reload the homepage:
2019-03-15 11:59:06	Local7.Debug	firewall,info src-catch-all: src192 srcnat: in:(unknown 0) out:vlan2084, src-mac 20:16:b9:10:a2:0a, proto TCP (SYN), 10.40.72.111:58906->13.23.19.91:443, len 52
<=>
2019-03-15 12:01:14	Local7.Debug	firewall,info src192 srcnat: in:(unknown 0) out:vlan2084, src-mac 20:16:b9:10:a2:0a, proto TCP (SYN), 10.40.72.111:50906->13.23.19.91:443, len 52
=> different public IPs are being used
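Added example (not code from the post, and not a MikroTik tool): a small Python check that reads the three tables of this design (the mangle marks, the marked srcnat rules and the marked routes) from RouterOS export-style text and verifies that they agree with each other: every srcnat rule that matches on a routing-mark must have a mangle rule setting that mark for the same /19, a route must carry the mark, the route's pref-src must equal the NAT to-address, and the NAT address must sit on the same /30 as the gateway. The /30 assumption is taken from the post's OSPF network list; the gateway-to-VLAN table is copied from the post's `/routing ospf route print`; the input is a constructed, trimmed copy of the posted rules (connection-limit and log options dropped), and the `key=value` parser is a minimal hypothetical one. The same mapping is then used to audit one of the posted log lines: it derives the egress VLAN the client should have used and compares it with the `out:` interface the log reports. On the posted rule set the consistency check reports the one /19 that has a srcnat rule but no mangle rule; whether that or something else is behind the observed behaviour the script cannot tell.

```python
import ipaddress
import re

# Constructed input: the poster's mangle marks, srcnat rules and marked routes,
# trimmed to the matchers that matter. One nat line keeps the export's
# backslash continuation so the parser has to handle it.
MANGLE = """/ip firewall mangle
add chain=prerouting src-address=10.40.0.0/19 action=mark-routing new-routing-mark=r_src0
add chain=prerouting src-address=10.40.32.0/19 action=mark-routing new-routing-mark=r_src32
add chain=prerouting src-address=10.40.64.0/19 action=mark-routing new-routing-mark=r_src64
add chain=prerouting src-address=10.40.96.0/19 action=mark-routing new-routing-mark=r_src96
add chain=prerouting src-address=10.40.128.0/19 action=mark-routing new-routing-mark=r_src128
add chain=prerouting src-address=10.40.160.0/19 action=mark-routing new-routing-mark=r_src160
add chain=prerouting src-address=10.40.192.0/19 action=mark-routing new-routing-mark=r_src192
"""
NAT = """/ip firewall nat
add action=src-nat chain=srcnat routing-mark=r_src0 src-address=10.40.0.0/19 to-addresses=\\
195.12.108.2
add action=src-nat chain=srcnat routing-mark=r_src32 src-address=10.40.32.0/19 to-addresses=195.12.108.6
add action=src-nat chain=srcnat routing-mark=r_src64 src-address=10.40.64.0/19 to-addresses=195.12.108.10
add action=src-nat chain=srcnat routing-mark=r_src96 src-address=10.40.96.0/19 to-addresses=195.12.108.14
add action=src-nat chain=srcnat routing-mark=r_src128 src-address=10.40.128.0/19 to-addresses=195.12.108.2
add action=src-nat chain=srcnat routing-mark=r_src160 src-address=10.40.160.0/19 to-addresses=195.12.108.6
add action=src-nat chain=srcnat routing-mark=r_src192 src-address=10.40.192.0/19 to-addresses=195.12.108.10
add action=src-nat chain=srcnat routing-mark=r_src224 src-address=10.40.224.0/19 to-addresses=195.12.108.14
add action=src-nat chain=srcnat src-address=10.40.0.0/16 to-addresses=195.12.108.2
"""
ROUTES = """/ip route
add distance=1 gateway=195.12.108.1 pref-src=195.12.108.2 routing-mark=r_src0
add distance=1 gateway=195.12.108.5 pref-src=195.12.108.6 routing-mark=r_src32
add distance=1 gateway=195.12.108.9 pref-src=195.12.108.10 routing-mark=r_src64
add distance=1 gateway=195.12.108.13 pref-src=195.12.108.14 routing-mark=r_src96
add distance=1 gateway=195.12.108.1 pref-src=195.12.108.2 routing-mark=r_src128
add distance=1 gateway=195.12.108.5 pref-src=195.12.108.6 routing-mark=r_src160
add distance=1 gateway=195.12.108.9 pref-src=195.12.108.10 routing-mark=r_src192
add distance=1 gateway=195.12.108.13 pref-src=195.12.108.14 routing-mark=r_src224
"""
# Next hop -> egress VLAN, copied from the post's "/routing ospf route print".
GATEWAY_IF = {"195.12.108.1": "vlan2081", "195.12.108.5": "vlan2082",
              "195.12.108.9": "vlan2083", "195.12.108.13": "vlan2084"}
# Constructed copy of one of the poster's srcnat log lines, used for the audit below.
LOG_LINE = ("firewall,info src-catch-all: src192 srcnat: in:(unknown 0) out:vlan2084, "
            "src-mac 20:16:b9:10:a2:0a, proto TCP (SYN), 10.40.72.111:58906->13.23.19.91:443, len 52")


def parse_export(text):
    """Turn RouterOS export 'add' lines into dicts of key=value; joins '\\' continuations."""
    lines = text.replace("\\\n", "").splitlines()
    return [dict(re.findall(r"(\S+?)=(\S+)", l)) for l in lines if l.startswith("add ")]


def check_consistency(mangle, nat, routes):
    """Cross-check mark -> route -> NAT address; returns a list of findings (empty = consistent)."""
    findings = []
    mark_of = {r["src-address"]: r["new-routing-mark"] for r in mangle}
    route_of = {r["routing-mark"]: r for r in routes if "routing-mark" in r}
    for rule in nat:
        subnet, mark, nat_ip = rule["src-address"], rule.get("routing-mark"), rule["to-addresses"]
        if mark is None:
            continue  # the unmarked catch-all is not part of the per-/19 design
        if mark_of.get(subnet) != mark:
            findings.append(f"{subnet}: srcnat needs mark {mark}, mangle sets {mark_of.get(subnet)}")
            continue
        route = route_of.get(mark)
        if route is None:
            findings.append(f"{mark}: no /ip route carries this routing-mark")
        elif route["pref-src"] != nat_ip:
            findings.append(f"{mark}: route pref-src {route['pref-src']} != NAT address {nat_ip}")
        # Assumption: every uplink is a /30 (the post's OSPF network list), so the NAT
        # address must be on the same /30 as the gateway the marked route points to.
        elif ipaddress.ip_address(nat_ip) not in ipaddress.ip_network(route["gateway"] + "/30", strict=False):
            findings.append(f"{mark}: NAT address {nat_ip} is not on the /30 of gateway {route['gateway']}")
    return findings


def expected_path(client_ip, mangle, nat, routes):
    """Mark, NAT address, gateway and egress VLAN a client should get, or None if it gets no mark."""
    ip = ipaddress.ip_address(client_ip)
    for m in mangle:
        if ip in ipaddress.ip_network(m["src-address"]):
            mark = m["new-routing-mark"]
            nat_ip = next((r["to-addresses"] for r in nat if r.get("routing-mark") == mark), None)
            gw = next((r["gateway"] for r in routes if r.get("routing-mark") == mark), None)
            return {"mark": mark, "nat": nat_ip, "gateway": gw, "out": GATEWAY_IF.get(gw)}
    return None


def audit_log_line(line, mangle, nat, routes):
    """Compare the egress interface a srcnat log line reports with the designed path."""
    src = re.search(r"(\d+(?:\.\d+){3}):\d+->", line).group(1)
    out = re.search(r"out:(\S+),", line).group(1)
    exp = expected_path(src, mangle, nat, routes)
    return {"client": src, "observed_out": out, "expected": exp,
            "ok": exp is not None and exp["out"] == out}


if __name__ == "__main__":
    tables = (parse_export(MANGLE), parse_export(NAT), parse_export(ROUTES))
    for finding in check_consistency(*tables):
        print("FINDING:", finding)
    print(audit_log_line(LOG_LINE, *tables))
```

Run against a real `/export` before and after a change, the consistency check turns "the wrong public IP shows up sometimes" into a list of concrete table mismatches, and the log audit gives a per-connection answer to whether a packet left through the VLAN its mark should have selected.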
