pekr
Member Candidate
Topic Author
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Understanding NAT ....

Sat Feb 25, 2006 1:11 pm

So, the next question, regarding NAT:

We use a simple scenario - we simply use chain=srcnat, outgoing-interface=public and finally action=masquerade. Works like a charm. But now we would like to have two gates, as we've got two ISP lines. So far, let's forget bonding and failover. Let's say we want to use one ISP for some of our subnets, and the other ISP for other subnets.

1) My understanding is that I have to use source NAT without masquerading? I tried something, but it did not seem to work. Any example here?

2) When I want to get public IP to some internal network interface, is it sufficient to define DST nat on ISP machine, and srcnat on our internal machine, as shown in docs? No routing involved?

Thanks a lot,
-pekr-
 
macgaiver
Forum Guru
Posts: 1734
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Mon Feb 27, 2006 8:41 am

Let's take a look at:

http://www.mikrotik.com/docs/ros/2.9/gr ... flow31.jpg

As you can see, src-nat comes after the "routing-decision" step, so I assume that when you are using your src-nat, it is already determined through what port it would go out.

Try to use the mark-routing action in mangle in the prerouting chain, and then set these marks for specific gateways.

Please inform me about any success.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
pekr

Mon Feb 27, 2006 1:19 pm

Uh, NAT is done after the routing decision? That is strange, no? You have a packet arriving at your local interface. Now it looks into the routing table what to do, and if there would be no masquerading involved first, imo the packet would not get thru .... because imo only after masquerading to the output interface network IP does it know the gateway, no? But maybe I am just seeing it the wrong way.

What I simply want to achieve is to have two gateways to our ISPs, no bonding yet, no fail-over yet, no trouble with marking packets for routing purposes, just simply deciding which interfaces (networks) are masqueraded to what destination network ....

Simple scenario:

eth1 - local1 - 10.0.0.1
eth2 - local2 - 10.0.1.1
wlan1 - public1 - 10.5.0.1
wlan2 - public2 - 10.5.1.1

I simply want to "masquerade" eth1 to wlan1 and eth2 to wlan2. I can't use a simple chain=srcnat, outgoing interface=wlan1, action=masquerade, as everything will be masqueraded to that interface.

So perhaps without defining the outgoing interface, I could use the source address and destination address parameters to achieve what I want - simply to have eth1 masqueraded to wlan1 and eth2 masqueraded to wlan2?

Thanks a lot,
Petr
 
flovin
just joined
Posts: 12
Joined: Wed Sep 21, 2005 11:46 am

Mon Feb 27, 2006 1:29 pm

Just add a check on the source ip net. Or if you're advanced, mark packages as they enter the interface to route them out based upon interface.

Flovin
 
pekr

Mon Feb 27, 2006 2:20 pm

OK, let's assume packet-marking is the next level of my exercise (although that should not be difficult either), I just wonder if anything like the following would work?

defining two rules:

/ip firewall nat add chain=srcnat src-address=10.0.0.1 out-interface=wlan1 action=masquerade

/ip firewall nat add chain=srcnat src-address=10.0.1.1 out-interface=wlan2 action=masquerade

So that it would masquerade selectively upon source address to the correct outgoing interface? Maybe I could even use in-interface instead of src-address in my case ... just wonder if the above rules would work as I expect?

-pekr-
 
macgaiver

Mon Feb 27, 2006 2:22 pm

Ok here you are:

First we will mark packets from the client groups to the internet (clients sit on eth1 and eth2; traffic to the other local subnet is left unmarked so it still follows the main routing table):

/ip firewall mangle add chain=prerouting in-interface=eth1 dst-address=!10.0.1.0/24 action=mark-routing new-routing-mark=client1 comment="local1 clients to the internet via ISP 1"
/ip firewall mangle add chain=prerouting in-interface=eth2 dst-address=!10.0.0.0/24 action=mark-routing new-routing-mark=client2 comment="local2 clients to the internet via ISP 2"

Then we will add specific gateways for those marks:

/ip route add gateway=9.9.9.9 routing-mark=client1 comment="9.9.9.9 GW of the first ISP"
/ip route add gateway=8.8.8.8 routing-mark=client2 comment="8.8.8.8 GW of the second ISP"

Then make a simple masquerade per outgoing interface (the routing decision has already picked wlan1 or wlan2 by the time srcnat runs):

/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade
/ip firewall nat add chain=srcnat out-interface=wlan2 action=masquerade

Looks simple to me.
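As an added illustration (my own model, not RouterOS code and not taken from the thread), the following Python script replays the order of operations macgaiver is relying on: mark-routing in prerouting, then the routing decision, then srcnat. It reuses the interface names and addresses from pekr's scenario; the client and destination hosts (10.0.0.5, 10.0.1.50, 198.51.100.7) are constructed, the route lookup is a simplified version of the real one (routes carrying the packet's mark are tried first, then the main table), and pekr's srcnat-only proposal is modelled with per-subnet src-address matches rather than the host addresses in his post. It also shows why the dst-address=!... exclusion in the mangle rules matters: without it, traffic between the two local subnets would be forced out through the first ISP.

```python
"""Constructed model of the RouterOS packet flow discussed in the thread:
prerouting mangle -> routing decision -> srcnat (postrouting).
Not RouterOS code; the lookup rules are simplified for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    routing_mark: Optional[str] = None
    out_iface: Optional[str] = None
    nat_src: Optional[str] = None       # source after srcnat; None = not translated


@dataclass
class MangleRule:                       # chain=prerouting action=mark-routing
    in_iface: str
    routing_mark: str
    not_dst: Optional[str] = None       # dst-address=!prefix, if present


@dataclass
class Route:
    dst: str
    out_iface: str
    routing_mark: Optional[str] = None  # None = main table


@dataclass
class SrcNatRule:                       # chain=srcnat action=masquerade
    out_iface: str
    src_net: Optional[str] = None       # optional src-address match


# Public interface addresses from the scenario; masquerade rewrites the source to these.
IFACE_ADDR = {"wlan1": "10.5.0.1", "wlan2": "10.5.1.1"}


def mangle(pkt, rules):
    """prerouting: the first matching mark-routing rule sets the routing mark."""
    for r in rules:
        if r.in_iface != pkt.in_iface:
            continue
        if r.not_dst and ip_address(pkt.dst) in ip_network(r.not_dst):
            continue
        pkt.routing_mark = r.routing_mark
        break


def route(pkt, routes):
    """routing decision: longest prefix among routes carrying the packet's mark,
    falling back to the main table when no marked route matches."""
    def lookup(mark):
        hits = [r for r in routes if r.routing_mark == mark
                and ip_address(pkt.dst) in ip_network(r.dst)]
        return max(hits, key=lambda r: ip_network(r.dst).prefixlen, default=None)
    best = lookup(pkt.routing_mark) if pkt.routing_mark else None
    best = best or lookup(None)
    pkt.out_iface = best.out_iface if best else None


def srcnat(pkt, rules):
    """postrouting srcnat: out-interface is already fixed; first matching rule masquerades."""
    for r in rules:
        if r.out_iface != pkt.out_iface:
            continue
        if r.src_net and ip_address(pkt.src) not in ip_network(r.src_net):
            continue
        pkt.nat_src = IFACE_ADDR[r.out_iface]
        break


def forward(pkt, mangle_rules, routes, nat_rules):
    """Run the three stages in the order the flow diagram shows."""
    mangle(pkt, mangle_rules)
    route(pkt, routes)
    srcnat(pkt, nat_rules)
    return pkt.out_iface, pkt.nat_src


# Main table: two connected local subnets and one default route via the first ISP.
MAIN = [Route("10.0.0.0/24", "eth1"), Route("10.0.1.0/24", "eth2"),
        Route("0.0.0.0/0", "wlan1")]


def pekr_attempt(pkt):
    """srcnat alone, trying to pick the ISP by src-address (per-subnet variant)."""
    nat = [SrcNatRule("wlan1", "10.0.0.0/24"), SrcNatRule("wlan2", "10.0.1.0/24")]
    return forward(pkt, [], MAIN, nat)


def macgaiver_setup(pkt, exclude_other_lan=True):
    """mark-routing in prerouting, marked default routes, plain per-interface masquerade."""
    mangle_rules = [MangleRule("eth1", "client1", "10.0.1.0/24" if exclude_other_lan else None),
                    MangleRule("eth2", "client2", "10.0.0.0/24" if exclude_other_lan else None)]
    routes = MAIN + [Route("0.0.0.0/0", "wlan1", "client1"),
                     Route("0.0.0.0/0", "wlan2", "client2")]
    nat = [SrcNatRule("wlan1"), SrcNatRule("wlan2")]
    return forward(pkt, mangle_rules, routes, nat)


if __name__ == "__main__":
    # Second subnet leaves via the default route and is never masqueraded.
    print(pekr_attempt(Packet("10.0.1.50", "198.51.100.7", "eth2")))
    # With marks, the same packet leaves via wlan2 with the wlan2 address.
    print(macgaiver_setup(Packet("10.0.1.50", "198.51.100.7", "eth2")))
    # Inter-subnet traffic stays local thanks to the dst-address exclusion...
    print(macgaiver_setup(Packet("10.0.0.5", "10.0.1.7", "eth1")))
    # ...and would be pushed out to ISP 1 without it.
    print(macgaiver_setup(Packet("10.0.0.5", "10.0.1.7", "eth1"), False))
```

The first case is the one pekr's rules run into: the routing decision has already chosen wlan1 for every non-local destination, so a srcnat rule that only matches out-interface=wlan2 never sees the packet, and the 10.0.1.x source leaves the first ISP untranslated. The last two cases show the practical reason for the dst-address=!... exclusion on the mangle rules.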
 
macgaiver

Mon Feb 27, 2006 2:24 pm

/ip firewall nat add chain=srcnat src-address=10.0.0.1 out-interface=wlan1 action=masquerade

/ip firewall nat add chain=srcnat src-address=10.0.1.1 out-interface=wlan2 action=masquerade
It will not work!
 
pekr

Mon Feb 27, 2006 3:12 pm


Why not? :-) What are the fields of source address, dst address there for then? OK, maybe I start to understand a bit after all. The thing is, I can't somehow "imagine" what NAT does with the packet under the hood. Does it just change the src/dst address accordingly? Well, so NAT has nothing to do with "routing packets" here or there, right? It just takes packets on some interface and rewrites their addresses, no routing, forwarding, whatsoever, right?

So it all depends upon how routing is defined. Your example, using mangle is not difficult to understand, I will do it according to your suggestion.

btw - any good book on routing techniques as your suggestion?

Thanks a lot,
Petr
 
macgaiver

Mon Feb 27, 2006 3:25 pm


Finally :) You are on the right way!

routing techniques..... hmmm.... there are three points:

1) simple routing - in any book of TCP/IP basics
2) simple routing with packet marking ( this topic)
3) advanced routing - try to search for OSPF, BGP, RIP
 
pekr

Mon Feb 27, 2006 5:24 pm

Uh, so now I am confused once again ;-) I just re-read the docs and chain=srcnat has the following explanation:

"a rule placed in this chain is applied before routing ....", which somehow contradicts what you said :-)

Petr
 
macgaiver

Tue Feb 28, 2006 8:30 am

Found it:
chain (dstnat | srcnat | name) - specifies the chain to put a particular rule into. As the different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created

dstnat - a rule placed in this chain is applied after routing. The rules that replace destination addresses of IP packets should be placed there
srcnat - a rule placed in this chain is applied before routing. The rules that replace the source addresses of IP packets should be placed there
:) they just mixed up "after" and "before" between srcnat and dstnat
 
macgaiver

Tue Feb 28, 2006 8:35 am

I reported this mistake already!