masq with a /32 address?

Posted: Fri Dec 30, 2011 8:14 pm
by troy
All,

In order to conserve IP addresses (we have very few), I'd like to find a way to get masq working on a /32 address.

With initial testing, if I put a /32 address on a loopback (bridge), all incoming stuff, including dst-nat works great, but I've been unable to get masq to work. I can't seem to find the right firewall rules to get this to work.

lo0: 12.34.56.78/32
ether9: 172.17.82.1/24 (dhcp server for lan)
ether8: 172.17.85.165/29
gateway: 172.17.85.161

Re: masq with a /32 address?

Posted: Mon Jan 02, 2012 10:05 am
by yancho
Use src/dst nat instead.

Re: masq with a /32 address?

Posted: Mon Jan 02, 2012 11:04 am
by Egate
In nat rule set out interface as lo0 and masquerade as action. Should do the trick.

Re: masq with a /32 address?

Posted: Mon Jan 02, 2012 11:12 am
by dasiu
I think you are looking for the pref-src parameter in /ip route :). This parameter tells RouterOS what source IP it should use in packets generated by the router (and - also - masqueraded) when sending a packet to a specified destination :). Modify your /ip route and add pref-src=12.34.56.78 on the route you would like it to use (probably the default route), example:
/ip route add dst-address=0.0.0.0/0 gateway=172.17.85.161 pref-src=12.34.56.78 :)

Re: masq with a /32 address?

Posted: Mon Jan 02, 2012 11:14 am
by dasiu
In nat rule set out interface as lo0 and masquerade as action. Should do the trick.
No, no, no, "out-interface" is a "trigger", a selector, not an action :). Then the NAT rule would work ONLY for packets routed through the lo0 interface. As packets routed outside (through the gateway) have out-interface=ether8, the rule will not work :). The out-interface can be "set" only in /ip route :).
troy - see my previous post and try the pref-src (just be careful when connecting from outside - not to cut yourself off, for example - use Safe Mode)
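A small Python model of the packet order dasiu describes (mangle, then routing, then srcnat), added here as an example and not code from the thread or from RouterOS: it shows why out-interface=lo0 in a NAT rule never matches a packet routed out ether8, and how pref-src on the default route changes the masqueraded source. Topology and addresses are troy's; the Internet host 203.0.113.9 and the simplified masquerade semantics (pref-src if set, else the out interface's address) are assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed from troy's first post: /32 on lo0, LAN on ether9, uplink on ether8.
ADDRESSES = {"lo0": "12.34.56.78/32", "ether9": "172.17.82.1/24", "ether8": "172.17.85.165/29"}
GATEWAY = "172.17.85.161"

def connected_routes():
    """Every /ip address entry implies a connected route out of its interface."""
    return [{"dst": str(ip_interface(a).network), "out": i} for i, a in ADDRESSES.items()]

def route_lookup(dst, routes):
    """Longest-prefix match; a gateway route is resolved to the interface that can
    reach its gateway (simplified form of RouterOS' recursive lookup)."""
    best = max((r for r in routes if ip_address(dst) in ip_network(r["dst"])),
               key=lambda r: ip_network(r["dst"]).prefixlen, default=None)
    if best and "out" not in best:
        best = {**best, "out": route_lookup(best["gateway"], connected_routes())["out"]}
    return best

def srcnat(pkt, rule, routes):
    """srcnat runs after routing: out-interface is a match condition on the already
    routed packet, never an instruction. On a match, masquerade rewrites the source
    to the route's pref-src if set, otherwise to the out interface's own address."""
    rt = route_lookup(pkt["dst"], routes)
    if "out-interface" in rule and rule["out-interface"] != rt["out"]:
        return dict(pkt, out=rt["out"])   # selector failed: packet leaves untranslated
    new_src = rt.get("pref-src") or str(ip_interface(ADDRESSES[rt["out"]]).ip)
    return dict(pkt, src=new_src, out=rt["out"])

# Constructed LAN client talking to a (documentation-range) Internet host.
PKT = {"src": "172.17.82.50", "dst": "203.0.113.9"}
DEFAULT = {"dst": "0.0.0.0/0", "gateway": GATEWAY}

def egate_suggestion():
    """out-interface=lo0 never matches: the packet is routed out ether8, so no NAT."""
    return srcnat(PKT, {"action": "masquerade", "out-interface": "lo0"}, connected_routes() + [DEFAULT])

def plain_masquerade():
    """Matching rule but no pref-src: the uplink /29 address is used, not the /32."""
    return srcnat(PKT, {"action": "masquerade", "out-interface": "ether8"}, connected_routes() + [DEFAULT])

def with_pref_src():
    """dasiu's fix: pref-src on the default route makes masquerade use the /32."""
    return srcnat(PKT, {"action": "masquerade", "out-interface": "ether8"},
                  connected_routes() + [dict(DEFAULT, **{"pref-src": "12.34.56.78"})])

if __name__ == "__main__":
    for f in (egate_suggestion, plain_masquerade, with_pref_src):
        print(f.__name__, f())
```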

Re: masq with a /32 address?

Posted: Mon Jan 30, 2012 10:27 pm
by troy
Well, here's what I did, and it works!

First, /32 routing... I found this post, which explains how to do it. The beauty of this is that I can utilize a /28 (or whatever sized network) in multiple locations, as the shortest prefix is always preferred.

So, on my gateway:
/ip address
add address=12.34.56.209/28 disabled=no interface=lo0 network=12.34.56.208
add address=12.34.56.209/32 disabled=no interface=backbone network=12.34.56.219
On the remote system, I have a LOT of stuff going on. In addition to being an OSPF router, I'm also doing some VLAN bridging, and now NAT for an attached public access network.
/ip address
add address=172.17.85.233/26 comment="primary routing interface" disabled=no interface=backbone network=172.17.85.192
add address=12.34.56.219/28 comment="public access WAN" disabled=no interface=backbone network=12.34.56.208
add address=172.17.82.1/24 comment="public access LAN" disabled=no interface=ether8 network=172.17.82.0
Now, here's where things get tricky (for me at least). First, I mangled some stuff (based on a few posts I found):
/ip firewall mangle
add action=accept chain=prerouting disabled=no dst-address=172.17.0.0/16 in-interface=ether8
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    dst-address=!172.17.0.0/16 in-interface=ether8 new-connection-mark=need_nat \
    passthrough=yes src-address=172.17.82.0/24
add action=mark-routing chain=prerouting connection-mark=need_nat disabled=no \
    in-interface=ether8 new-routing-mark=to_nat passthrough=yes src-address=172.17.82.0/24
I'm rather confused on this though... the first mangle rule accepts traffic to local destinations, this is acceptable. The second rule does a connection mark and the third rule does a routing mark. I'm not sure why I need both of these, but when I try each on their own, I get no love.

Anyways, now that we're mangled, we need NAT and a route:
/ip firewall nat
add action=masquerade chain=srcnat connection-mark=need_nat disabled=no

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=12.34.56.209 routing-mark=to_nat scope=30 target-scope=10
Note that this is my only static route. The regular default and other routes are learned via OSPF.

This is not how I originally wanted to achieve this, but it works and does not interfere with my use of other addresses within the given /28 subnet. In fact, now that I have this working as a model, I'll be able to reclaim 6 additional addresses by not using a pair of /30 subnets elsewhere. Pretty cool.

Maybe someday, I'll sit down and learn ipchains and why there are so many different chains and types of marks.