draid
Member Candidate
Topic Author
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Using src-nat over masquerade (Static public addresses)

Sat Jan 19, 2019 5:38 pm

Hello guys,

I have the following configuration at this moment:

RB760iGS - x1 as main router (Eth0 for the main PPPoE link and Eth1 for the backup link, which is behind an ADSL modem)
hAP ac^2 - x2 as AP bridges

Both the main ISP and the backup ISP provide static public addresses. Until now I was using WAN failover with a multiple-gateway ping check alongside masquerade. So far so good: everything worked perfectly and I had 22 days of uptime without problems (I'm using netwatch to log any main-link failure).

A few days ago a fellow forum member posted a link to an interesting presentation in which it was pointed out that using masquerade + failover is bad practice and, on top of that, could have security problems (https://mum.mikrotik.com/presentations/ ... 639302.pdf, starting from p. 27). So after reading this I thought it would be a good idea to try to implement the "good practice". Could you please check my current configuration and point out any problems or things I should change/improve?
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=!WAN \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
    out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
NAT rules (masquerade replaced by src-nat):
/ip firewall nat
add action=src-nat chain=srcnat comment="SRC-NAT MainLink" out-interface=pppoe \
    to-addresses=<main ISP public address>
add action=src-nat chain=srcnat comment="SRC-NAT BackUp" out-interface=eth1 \
    to-addresses=192.168.x.x
# 192.168.x.x is the static address from the ADSL modem of the backup ISP
add action=dst-nat chain=dstnat comment="OpenVPN " dst-address=<ISP public address> dst-port=\
    1194 in-interface-list=WAN log=yes protocol=udp to-addresses=<internal server address>
Recursive routes:
/ip route
add distance=1 gateway=10.1.1.1
add distance=2 gateway=10.2.2.2
add distance=1 dst-address=8.8.4.4/32 gateway=ADSL_modem scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=ISP1_public_address scope=10
add distance=1 dst-address=208.67.220.220/32 gateway=ISP1_public_address scope=10
add distance=1 dst-address=208.67.222.222/32 gateway=ADSL_modem scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=8.8.8.8 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.220.220 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=208.67.222.222 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=8.8.4.4 scope=10

Also, should I add a blackhole route? Additionally, everything except Winbox is disabled (www, SSH, Telnet, etc.).
Last edited by draid on Sat Jan 19, 2019 10:30 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using src-nat over masquerade (Static public addresses)

Sat Jan 19, 2019 9:48 pm

The source NAT rules look okay to me (I use masquerade for mine but may choose to go your route as well).
The routing rules look a bit suspect, so I will look at them more closely.
Assuming ADSL is the backup...

I believe this may be effective for you?
/ip route
add check-gateway=ping distance=2 gateway=8.8.4.4
add check-gateway=ping distance=3 gateway=208.67.220.220
add distance=10 gateway=10.2.2.2
add distance=2 dst-address=8.8.4.4/32 gateway=10.1.1.1 scope=10
add distance=3 dst-address=208.67.220.220/32 gateway=10.1.1.1 scope=10

In English, I think this basically checks whether it can reach the Google server through your primary gateway.
If it doesn't connect, the router then checks whether it can reach the OpenDNS server through your primary gateway.
If it doesn't, then the router attempts to connect to the secondary WAN.

As soon as the primary becomes available it switches back (to either 8.8 or 208.., whichever comes up first).
Just ensure you do not have the same servers selected for IP DNS (in this case you can use 8.8.8.8 or 208.67.222.222 in IP DNS Servers).
 
draid
Member Candidate
Topic Author
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Re: Using src-nat over masquerade (Static public addresses)

Sun Jan 20, 2019 6:28 pm

Well, basically I'm using the ADSL link only for backup as it's slower than the main link (30 Mbps). Generally I've used this recursive failover for more than a month with no visible problems. Every link checks one Google and one OpenDNS address (in case one of them has problems), and if both hosts on the main link are down it switches to the ADSL. It worked with WAN-list masquerade until now, but after seeing this presentation I thought it would be a good idea to switch to src-nat and to get a few more opinions on this matter. I'm also using 1.1.1.1 for the clients so it won't overlap with the check-ping addresses.
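Neither post gives a way to verify the recursive route set mechanically. The script below is an added example (it is not from the thread, from either poster, or from MikroTik) that checks a pasted `/ip route` export for the properties discussed above: every default route is kept alive by `check-gateway=ping` probe hosts, each probe is pinned to one WAN by a `/32 scope=10` route, all probes of one default route leave through the same WAN, the two default routes are not monitored through the same WAN, and no probe host is also a client DNS server (anav's caveat, and the reason draid keeps clients on 1.1.1.1: the pinned `/32` would keep sending DNS queries into the dead link after failover). The sample route list mirrors the structure posted in the thread; the addresses 100.64.0.1 (main ISP PPPoE peer) and 192.168.1.1 (ADSL modem) are assumptions standing in for the thread's placeholders.

```python
"""Sanity checks for a RouterOS recursive-failover route set (added example)."""
import re

# Constructed sample modelled on the route list posted in this thread. The
# placeholder gateways are filled with ASSUMED addresses: 100.64.0.1 stands for
# the main ISP's PPPoE peer and 192.168.1.1 for the backup ADSL modem.
SAMPLE_ROUTES = """
add distance=1 gateway=10.1.1.1
add distance=2 gateway=10.2.2.2
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=100.64.0.1 scope=10
add distance=1 dst-address=208.67.220.220/32 gateway=100.64.0.1 scope=10
add distance=1 dst-address=208.67.222.222/32 gateway=192.168.1.1 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=8.8.8.8 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.220.220 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=208.67.222.222 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=8.8.4.4 scope=10
"""

KV = re.compile(r"(\S+?)=(\S+)")


def parse_routes(text):
    """Turn '/ip route add k=v ...' lines into dicts.

    A route without dst-address is a default route (0.0.0.0/0).
    """
    routes = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        route = dict(KV.findall(line[4:]))
        route.setdefault("dst-address", "0.0.0.0/0")
        routes.append(route)
    return routes


def probes_for(routes, gateway):
    """Hosts that keep `gateway` alive: gateways of check-gateway=ping /32 routes to it."""
    return [r["gateway"] for r in routes
            if r["dst-address"] == gateway + "/32" and r.get("check-gateway") == "ping"]


def exit_for(routes, probe):
    """WAN next-hop a probe host is pinned to by its /32 scope=10 route (None if unpinned)."""
    for r in routes:
        if r["dst-address"] == probe + "/32" and r.get("scope") == "10":
            return r["gateway"]
    return None


def check_failover(routes, dns_servers):
    """Return a list of problems; an empty list means the route set passes.

    Checks: every default route is monitored by pinned probe hosts, all probes
    of one default route leave through the same WAN, no two default routes are
    monitored through the same WAN, and no probe host doubles as a DNS server
    (its /32 route would keep sending DNS queries into a dead WAN after failover).
    """
    problems = []
    exits = {}
    defaults = [r for r in routes if r["dst-address"] == "0.0.0.0/0"]
    for d in sorted(defaults, key=lambda r: int(r.get("distance", "1"))):
        gw = d["gateway"]
        probes = probes_for(routes, gw)
        if not probes:
            problems.append("default route via %s has no check-gateway=ping host route" % gw)
            continue
        wan = {}
        for p in probes:
            wan[p] = exit_for(routes, p)
            if wan[p] is None:
                problems.append("probe %s is not pinned with a /32 scope=10 route" % p)
            if p in dns_servers:
                problems.append("probe %s is also a DNS server; DNS via it breaks when its WAN is down" % p)
        if len(set(wan.values())) > 1:
            problems.append("probes for %s exit via different WANs: %s" % (gw, wan))
        exits[gw] = next(iter(wan.values()))
    if len(set(exits.values())) < len(exits):
        problems.append("two default routes are monitored through the same WAN: %s" % exits)
    return problems


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("clients on 1.1.1.1:", check_failover(routes, ["1.1.1.1"]) or "OK")
    print("clients on 8.8.8.8:", check_failover(routes, ["8.8.8.8"]))
```

Paste the output of `/ip route export` into `SAMPLE_ROUTES` (or read it from a file) and pass the addresses configured under `/ip dns`; the second call in the `__main__` block shows the warning anav describes when a probe host is reused as a DNS server.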
