I have started to put a CHR trial into my chicago cloud and so far from the performance etc. it looks amazing. FINALLY I can move that part over to Mikrotik from a WIndows Server RRAS install. No, there was no real chance to put mikrotik there before - we use HyperV and hardware is not an option with remote data centers often. Anyhow, CHR works.

What does not work is one criticial element - NAT. SRCNAT to be exact.

I have 3 NAT entries:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; DNat: http
chain=dstnat action=dst-nat to-addresses=XXXXXXx protocol=tcp
dst-address=XXXXX dst-port=80 log=no log-prefix=""

1 ;;; DNat: https
chain=dstnat action=dst-nat to-addresses=XXXXX protocol=tcp
dst-address=XXXXXXX dst-port=443 log=no log-prefix=""

2 chain=srcnat action=masquerade connection-limit=100,32
out-interface=internet log=no log-prefix=""

The first 2 work - they handle incoming traffic for a web server. The thrd one is my problem - no NAT happens a tall on outgoing traffic. The counters are flat (0 bytes, 0 packets). Which means none of the machines behing Mikrotik can actually reach out to the internet (to download data etc.).... anyone an idea what is broken here?

Just an update.... i got it working by adding a srcnat entry...

3 chain=srcnat action=src-nat to-addresses=XXXXXXX out-interface=internet log=no log-prefix=""

THAT one is getting traffic - which makes me think that masquerade may be broken in the current stable version of CHR?

Normally it just means the operator has made a mistake.