acssol
just joined
Topic Author
Posts: 8
Joined: Mon Feb 05, 2018 2:13 pm

Exclude multiple destination networks from src-nat (masquerade)

Wed Jun 06, 2018 12:09 pm

Hello folks,

I have a split-tunnel setup with OpenVPN that works just fine. Everything gets routed & NATed to the public internet, except for traffic with a destination in 10.0.0.0/8, which gets routed inside the OpenVPN tunnel and is not NATed.

The rule that excludes traffic destined for 10.0.0.0/8 from being NATed looks like this:

Action      Chain    SRC   DST
masquerade  srcnat   *     !10.0.0.0/8

How can I exclude more address ranges (e.g. 192.168.0.0/16) from being NATed? If I just insert a second statement like this, traffic destined for the public internet doesn't get NATed anymore. So this won't work:

Action      Chain    SRC   DST
masquerade  srcnat   *     !10.0.0.0/8
masquerade  srcnat   *     !192.168.0.0/16

I think I made this work with two statements but another action, but I don't remember the solution anymore.

Any suggestions? Thanks in advance.
 
sindy
Forum Guru
Forum Guru
Posts: 5381
Joined: Mon Dec 04, 2017 9:19 pm

Re: Exclude multiple destination networks from src-nat (masquerade)  [SOLVED]

Wed Jun 06, 2018 3:29 pm

You can put action=accept rules with the destination subnets you don't want to masquerade before the action=masquerade rule in the srcnat chain, or you can create an /ip firewall address-list containing all the destination subnets you want to exclude from masquerade handling and refer to it in the action=masquerade rule as dst-address-list=!the-list-name.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
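Both variants from the reply above, written out as RouterOS CLI commands. This is an added example, not configuration posted in the thread; the address-list name no-nat-dst and the comments are my own choices, the subnets are the two from the question, and the masquerade rule mirrors the original one (no out-interface), which is also an assumption about the setup.

```routeros
# Added example (not from the thread). The srcnat chain is evaluated top to bottom,
# and both accept and masquerade end processing for a packet, so rule order decides.

# Variant A: terminating accept rules placed ABOVE the masquerade rule.
# Traffic to these destinations matches an accept first and never reaches masquerade.
/ip firewall nat
add chain=srcnat action=accept dst-address=10.0.0.0/8 comment="no NAT: VPN side"
add chain=srcnat action=accept dst-address=192.168.0.0/16 comment="no NAT: remote LANs"
add chain=srcnat action=masquerade comment="NAT everything else"

# Variant B: one address list with every excluded destination, one masquerade rule.
# New exclusions are then a single address-list entry, no NAT rule changes needed.
/ip firewall address-list
add list=no-nat-dst address=10.0.0.0/8 comment="VPN side"
add list=no-nat-dst address=192.168.0.0/16 comment="remote LANs"
/ip firewall nat
add chain=srcnat action=masquerade dst-address-list=!no-nat-dst comment="NAT everything else"

# Check: with variant A the accept rules' packet counters grow for VPN-bound traffic,
# and the masquerade counters grow only for internet-bound traffic.
/ip firewall nat print stats
```

Why the two negated masquerade rules from the question cannot work: a packet to 192.168.0.0/16 is "not 10.0.0.0/8", so it matches the first rule and is masqueraded there; masquerade is terminating, so the second rule is never consulted for it. The exclusion has to be expressed as something that matches before masquerade (variant A) or as a single combined condition (variant B). Restricting the masquerade rule further with out-interface=<WAN interface> is a common additional tightening so that only traffic actually leaving towards the ISP is translated.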
 
acssol
just joined
Topic Author
Posts: 8
Joined: Mon Feb 05, 2018 2:13 pm

Re: Exclude multiple destination networks from src-nat (masquerade)

Fri Jun 15, 2018 4:08 pm

You can put action=accept rules with the destination subnets you don't want to masquerade before the action=masquerade rule in the srcnat chain, or you can create an /ip firewall address-list containing all the destination subnets you want to exclude from masquerade handling and refer to it in the action=masquerade rule as dst-address-list=!the-list-name.
Thank you very much - this was what I was looking for!
 
ariosvelez
newbie
Posts: 29
Joined: Mon Mar 11, 2013 5:39 pm
Location: Ocala, FL

Re: Exclude multiple destination networks from src-nat (masquerade)

Thu Feb 28, 2019 4:35 pm

I got a customer that, instead of seeing their Public IP, is seeing the CORE router's main BGP Provider IP address. I created a NatExclusion Address List with the networks I would like to exclude, as follows.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1-L3-BGP src-address-list=!NatExclusion

The Public IP is routed to that customer in IP Routes: dst-address=XX.XX.XX.200/29, Gateway 10.10.50.254, which is the customer IP on a /30; the sfp1 port on the CORE router is 10.10.50.253/30 on the bridge-fiber port.

Even though I have that NAT exclusion, they are still seeing the BGP Provider IP on the core router instead of the assigned Public IP address.

Can anyone help me? They need to see their Public IP instead of the core router's.
Global - MikroTik Support & Consulting - English | Francais | Español | Portuguese +1 855-645-7684
https://iparchitechs.com/services/mikro ... l-support/ mikrotiksupport@iparchitechs.com
MTCNA, MTCRE, MTCINE
 
sindy
Forum Guru
Forum Guru
Posts: 5381
Joined: Mon Dec 04, 2017 9:19 pm

Re: Exclude multiple destination networks from src-nat (masquerade)

Thu Feb 28, 2019 11:53 pm

instead of seeing their Public IP they seeing the CORE router main BGP Provider IP address
...
Can any one help me they need to see their Public IP instead of the core router
Not sure I get you right - you say you want them to see a single IP address (their assigned public one) as source, but you do the exclusion from the masquerade based on a src-address-list. That doesn't fit well to me - if you really want traffic from those subnets to be NATed to the public IP assigned to the customer, you don't need an exception from the existing action=masquerade rule but a dedicated action=src-nat rule (before the masquerade one), where their assigned public IP is used as the value of to-addresses.

But as said, I'm not sure I got you right, so describe better what should happen and whether it is really so that for some internal source addresses one public IP should be used and for other internal source addresses another public IP should be used, or whether you just want anything they send out from their private networks to the internet to be NATed to the IP assigned to them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
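The dedicated action=src-nat rule suggested above, as an added RouterOS example that is not configuration from the thread. The out-interface name sfp-sfpplus1-L3-BGP and the NatExclusion list come from the earlier post; the address-list name customer-a-lans, the customer's internal subnet 192.168.100.0/24 and the placeholder my.public.ip.1 (to be replaced with the address assigned to the customer) are assumptions.

```routeros
# Added example (not from the thread): give one customer a fixed source address
# instead of excluding them from masquerade. Rule order matters: the src-nat rule
# must sit above the general masquerade rule, otherwise masquerade wins first.

/ip firewall address-list
add list=customer-a-lans address=192.168.100.0/24 comment="customer A LAN (assumed value)"

/ip firewall nat
# Customer A: translate to their assigned public address (placeholder, replace it).
add chain=srcnat action=src-nat to-addresses=my.public.ip.1 src-address-list=customer-a-lans out-interface=sfp-sfpplus1-L3-BGP comment="customer A -> assigned public IP"
# Everyone else: masquerade to the interface address, keeping the existing exclusion list.
add chain=srcnat action=masquerade out-interface=sfp-sfpplus1-L3-BGP src-address-list=!NatExclusion comment="general masquerade"

# If the masquerade rule already exists, add the src-nat rule above it instead:
#   add chain=srcnat action=src-nat ... place-before=0

# Check: for a connection from the customer's LAN, reply-dst-address shows the
# translated source the far end sees; it should be the assigned public IP.
/ip firewall connection print detail
```

The src-nat rule only needs to match the customer's traffic (source subnet plus the upstream interface); the rest of the chain is untouched, so the general masquerade rule and its NatExclusion list keep working for every other source. Whether the customer's own subnets should also remain in NatExclusion depends on the answer to the question above: if they are meant to be translated to the assigned address, they should not be excluded at all.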
