Have have recently been assigned public IPs to our network and are using them for customers. We are still using a lot of private IPs inside our network, especially between highsites.

We have a SRC NAT rule to still Masquerade all traffic leaving our network and coming from the internal private IPs. So this NATs everything but our Public IPs.

We also have local loopback IPs assigned to a bridge interface (no ports added to bridge) for OSPF and BGP to work better.


What we would like to do is to have all traffic originating from the router (DNS requests, RADIUS communication, etc) that leaves our network to srcnat (come from) the public IP assigned on the loopback interface. How can we do this without effecting traffic passing through the router (forward chain) from other towers?

The main reason why we want to do this is because our RADIUS servers are hosted outside of our network. When adding all our towers/routers to the RADIUS server, you have to specify the source IP address so disconnect packets can be sent back to the router when a customer reach their service limit or get suspended for not paying. So having a single public IP for each tower where RADIUS communication comes from is the ideal solution.

you should be able to mark packets in mangle output chain and then src-nat them to address you like based on that mark you set up.

Oh yes! That'll work. Thanks!

Could you please provide a more detailed solution? I'm currently facing the same issue. I've created a mangle rule to mark traffic on the output chain. With the logging turned on I can see the mangle rule catching the traffic. Then I try to create a src-nat rule to catch the marked traffic and change its source address but nothing happens.

That srcnat needs only one condition (connection-mark=<your mark>), so that's hard to mess up. Also don't forget that order of rules matters, they are processed from top to bottom and first matching one is used.

Yeah, mangle rule and src-nat seem to be working fine. The torch tool shows me that i receive responses to my substitutional address. But they're not being translated back to the original address.
I think i'd better start a new topic concerning my issue. Cause there're some configurational aspects that might affect the situation.