Community discussions

MikroTik App
  4. RouterOS
  5. General

Mode-Config Placement in NAT Rules  [SOLVED]

Post Reply
 
.09.
just joined
Topic Author
Posts: 3
Joined: Tue Oct 10, 2006 12:16 pm

Mode-Config Placement in NAT Rules

Fri Jul 02, 2021 6:52 pm

I have IKEv2 NordVPN configured with mode-config which dynamically generates a NAT rule:

Code: Select all
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=LAN use-responder-dns=no

My problem is that I have other NAT rules in place and this newly created dynamic rule gets creted as the first rule and because of this some other NATs don't work.
For everything to work as expected, the mode-config dynamic rule has to be the 3rd rule:

Code: Select all
[admin@MIKROTIK] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; No NAT for Site-to-Site IPSec
      chain=srcnat action=accept src-address=10.1.1.0/24 dst-address=192.168.77.0/24 log=no log-prefix="" 

 1    ;;; NAT for ISP Network
      chain=srcnat action=src-nat to-addresses=192.168.1.100 src-address=10.1.1.0/24 dst-address=192.168.1.0/24 log=no log-prefix="" 

 2  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.6.0.15 src-address-list=LAN dst-address-list=!LAN 

 3    ;;; Default Inside NAT
      chain=srcnat action=src-nat to-addresses=192.168.1.100 out-interface=ether1 log=no log-prefix=""

Is there a way to automate this without me manually moving it every time NordVPN reconnects?
Top
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:
Contact rextended

Re: Mode-Config Placement in NAT Rules

Fri Jul 02, 2021 7:08 pm

Mmm... let me see

probably a script than automate the "moving up" (alias move after the disabled passtrough rule existing only for point where put the rule)

is feasible.
Top
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:
Contact rextended

Re: Mode-Config Placement in NAT Rules  [SOLVED]

Fri Jul 02, 2021 7:22 pm

search tag # rextended automove NAT rule placeholder

Paste this on terminal
Code: Select all
/ip firewall nat
add action=passthrough chain=srcnat comment="placeholder for ipsec mode-config" disabled=yes
/system scheduler
add interval=10m name="automove_ipsec_mode-config" policy=read,write start-date=jul/02/2021 start-time=00:00:00 \
    on-event="/ip firewall nat\r\nmove [find where comment=\"ipsec mode-config\"] [find where comment=\"placeholder for ipsec mode-config\"]"
place the "placeholder" with winbox on the right position, the ipsec dynamic entry is moved before that position.

Is scheduled every 10 minutes but you can set at any time you want.

what is executed inside the scheduler:
Code: Select all
/ip firewall nat
move [find where comment="ipsec mode-config"] [find where comment="placeholder for ipsec mode-config"]
Top
 
.09.
just joined
Topic Author
Posts: 3
Joined: Tue Oct 10, 2006 12:16 pm

Re: Mode-Config Placement in NAT Rules

Sat Jul 03, 2021 10:18 am

It's working as expected, thank you.
Top
Post Reply

Who is online

Users browsing this forum: fadelliz78 and 43 guests
  4. RouterOS
  5. General