
Route Marking & NAT

Posted: Sun Apr 16, 2006 3:24 pm
by Hammy
I have some clients off a tower with a wireless backhaul to a provider and then another feed to a DSL. When I set the default route to go through the wireless backhaul (with public IPs), all's well (well, all's not well, but we're a couple steps ahead of the alternate). When it goes through the DSL (via NAT), all is well. Torch displays the destination address as the public IP of the DSL link (when torch is assigned to the DSL). When I set up routing marks to push some traffic off the tower to the DSL, it seems to miss the NAT. I came to this conclusion as the destination address in torch displays the true destination instead of the public IP of the DSL.

This is the masquerade on the DSL interface:
chain=srcnat out-interface=Verizon-PPPoE action=masquerade

This is the route marking I have setup on the DSL router and the tower:
chain=forward protocol=tcp dst-port=443 action=mark-routing new-routing-mark=DSL passthrough=yes

I have a static default route set up on the DSL routing mark to push it out Verizon-PPPoE. I'd paste what the terminal has for this, but apparently the GUI shows the routing mark field, but the terminal does not. I tried adding another masquerade on the Verizon-PPPoE interface with the routing mark as well, but that didn't seem to make a difference.

Posted: Tue Apr 18, 2006 11:58 am
by pekr
Hi,

I have similar problems, we have public1 and public2 interfaces:

1) I mark routing, according to source networks:

0 chain=prerouting src-address=10.0.0.0/24 action=mark-routing new-routing-mark=public1 passthrough=yes

1 chain=prerouting src-address=10.0.5.0/24 action=mark-routing new-routing-mark=public2 passthrough=yes

and here I am not sure passthrough=yes is correct, but I can see both rules increasing transferred packets, so it probably works


2) I set-up two gateways:

dst-address=0.0.0.0/0 gateway=x.x.x.x scope=255 target-scope=10 routing-mark=public1
dst-address=0.0.0.0/0 gateway=y.y.y.y scope=255 target-scope=10 routing-mark=public2

3) Masquerade both networks ...

chain=srcnat out-interface=public1 routing-mark=public1 action=masquerade

chain=srcnat out-interface=public2 routing-mark=public2 action=masquerade

And - only one outgoing interface works, the second does not - counters stay at 0. Not sure, but maybe for NAT, I don't need to specify those routing-marks, as packets are already going via correct interface?

Thanks,
-pekr-

Posted: Wed Apr 19, 2006 6:29 pm
by butche
1) I mark routing, according to source networks:

0 chain=prerouting src-address=10.0.0.0/24 action=mark-routing new-routing-mark=public1 passthrough=yes

1 chain=prerouting src-address=10.0.5.0/24 action=mark-routing new-routing-mark=public2 passthrough=yes

and here I am not sure passthrough=yes is correct, but I can see both rules increasing transferred packets, so it probably works
This is fine. Passthrough can be either yes or no. It is only important if some later rule may change the mark, and you don't want this. In your case, since you are using src-address to identify traffic, you can just set this in the routing rules (/ip route rule) instead of needing mangle.
2) I set-up two gateways:

dst-address=0.0.0.0/0 gateway=x.x.x.x scope=255 target-scope=10 routing-mark=public1
dst-address=0.0.0.0/0 gateway=y.y.y.y scope=255 target-scope=10 routing-mark=public2
This is correct, but remember you will have a main table as well that has all of your local (DC) routes. You have to account for that in the rules (see below).
3) Masquerade both networks ...

chain=srcnat out-interface=public1 routing-mark=public1 action=masquerade

chain=srcnat out-interface=public2 routing-mark=public2 action=masquerade

And - only one outgoing interface works, the second does not - counters stay at 0. Not sure, but maybe for NAT, I don't need to specify those routing-marks, as packets are already going via correct interface?
You won't need to specify the routing mark in the src-nat. It is a good practice to specify the src-address, but not needed for making it functional. Here is a quick example using the following information:

public1 IP:10.10.10.1/30 public1 gateway:10.10.10.2 ether1
public2 IP:10.10.11.1/30 public2 gateway:10.10.11.2 ether2

clients:
192.168.1.0/24 on ether3 use public1
192.168.2.0/24 on ether4 use public2

The config:

/ip firewall nat
add chain=srcnat out-interface=public1 action=masquerade
add chain=srcnat out-interface=public2 action=masquerade
(NOTE: you may want to specify the src-address on the 2 above rules)

/ip route
add gateway=10.10.10.2
add gateway=10.10.11.2 routing-mark=public2
add gateway=10.10.10.2 routing-mark=public1

/ip route rule
add dst-address=10.10.10.0/30 action=lookup table=main
add dst-address=10.10.11.0/30 action=lookup table=main
add dst-address=192.168.0.0/16 action=lookup table=main
add src-address=192.168.1.0/24 action=lookup table=public1
add src-address=192.168.2.0/24 action=lookup table=public2

You can do the above with routing marks, too (I just like the way I showed it). If you use routing marks, you set the rules (and marks) like this:

/ip firewall mangle
add chain=prerouting dst-address=10.10.10.0/30 action=mark-routing \
new-routing-mark=maintable
add chain=prerouting dst-address=10.10.11.0/30 action=mark-routing \
new-routing-mark=maintable
add chain=prerouting dst-address=192.168.0.0/16 action=mark-routing \
new-routing-mark=maintable
add chain=prerouting src-address=192.168.1.0/24 action=mark-routing \
new-routing-mark=public1
add chain=prerouting src-address=192.168.2.0/24 action=mark-routing \
new-routing-mark=public2

/ip route rule
add routing-mark=maintable action=lookup table=main
add routing-mark=public1 action=lookup table=public1
add routing-mark=public2 action=lookup table=public2

Note: the need to add the rules for the main table is what most people seem to miss. There are one or two versions (I don't recall what they were) where this type of policy routing seemed to work without using the rules to tell the router to use the main table.

Hope this helps.


Posted: Thu Apr 20, 2006 12:47 pm
by pekr

public1 IP:10.10.10.1/30 public1 gateway:10.10.10.2 ether1
public2 IP:10.10.11.1/30 public2 gateway:10.10.11.2 ether2

clients:
192.168.1.0/24 on ether3 use public1
192.168.2.0/24 on ether4 use public2

The config:

/ip firewall nat
add chain=srcnat out-interface=public1 action=masquerade
add chain=srcnat out-interface=public2 action=masquerade
(NOTE: you may want to specify the src-address on the 2 above rules)
OK, but do I need to? I know that the more precise the setting, the better. But in the case of NAT, it is applied after the routing decision is being made, so I think that it is already clear what source network is being masqueraded to what IP ....

/ip route
add gateway=10.10.10.2
add gateway=10.10.11.2 routing-mark=public2
add gateway=10.10.10.2 routing-mark=public1
Interesting .... is there a need for the first line? Is there any other network, which would need default route (0.0.0.0/0) not belonging into public1 nor public2?

/ip route rule
add dst-address=10.10.10.0/30 action=lookup table=main
add dst-address=10.10.11.0/30 action=lookup table=main
add dst-address=192.168.0.0/16 action=lookup table=main
add src-address=192.168.1.0/24 action=lookup table=public1
add src-address=192.168.2.0/24 action=lookup table=public2

You can do the above with routing marks, too (I just like the way I showed it). If you use routing marks, you set the rules (and marks) like this:

/ip firewall mangle
add chain=prerouting dst-address=10.10.10.0/30 action=mark-routing \
new-routing-mark=maintable
add chain=prerouting dst-address=10.10.11.0/30 action=mark-routing \
new-routing-mark=maintable
add chain=prerouting dst-address=192.168.0.0/16 action=mark-routing \
new-routing-mark=maintable
add chain=prerouting src-address=192.168.1.0/24 action=mark-routing \
new-routing-mark=public1
add chain=prerouting src-address=192.168.2.0/24 action=mark-routing \
new-routing-mark=public2

/ip route rule
add routing-mark=maintable action=lookup table=main
add routing-mark=public1 action=lookup table=public1
add routing-mark=public2 action=lookup table=public2

Note: the need to add the rules for the main table is what most people seem to miss. There are one or two versions (I don't recall what they were) where this type of policy routing seemed to work without using the rules to tell the router to use the main table.

Hope this helps.
Yes, thanks a lot, helped a lot. I now have new ideas to try. I just followed docs, and iirc there was nothing like the need to mangle the rest of the traffic, or just the need to do lookups (I followed the policy routing - failover part of the docs).

Petr

Posted: Thu Apr 20, 2006 4:39 pm
by butche
/ip firewall nat
add chain=srcnat out-interface=public1 action=masquerade
add chain=srcnat out-interface=public2 action=masquerade
(NOTE: you may want to specify the src-address on the 2 above rules)
OK, but do I need to? I know that the more precise the setting, the better. But in the case of NAT, it is applied after the routing decision is being made, so I think that it is already clear what source network is being masqueraded to what IP ....
You are correct in that the NAT is applied after the routing decision. These rules apply to anything leaving via the public1 (or public2) interface. This is not really part of the policy routing. You don't need to specify the src-address unless you want to. I just added that note for clarity.
/ip route
add gateway=10.10.10.2
add gateway=10.10.11.2 routing-mark=public2
add gateway=10.10.10.2 routing-mark=public1
Interesting .... is there a need for the first line? Is there any other network, which would need default route (0.0.0.0/0) not belonging into public1 nor public2?
In this case, there is not a need for the default gateway in the first line. It is my own practice to ensure that there is a default gateway in the "main" routing table, which is the purpose of the first line.

Posted: Mon Apr 24, 2006 7:17 pm
by gerencia@e-digitales.com
Hi, I made it exactly like this (with my own addresses):

/ip firewall nat
add chain=srcnat out-interface=public1 action=masquerade
add chain=srcnat out-interface=public2 action=masquerade
(NOTE: you may want to specify the src-address on the 2 above rules)

/ip route
add gateway=10.10.10.2
add gateway=10.10.11.2 routing-mark=public2
add gateway=10.10.10.2 routing-mark=public1

/ip route rule
add dst-address=10.10.10.0/30 action=lookup table=main
add dst-address=10.10.11.0/30 action=lookup table=main
add dst-address=192.168.0.0/16 action=lookup table=main
add src-address=192.168.1.0/24 action=lookup table=public1
add src-address=192.168.2.0/24 action=lookup table=public2

AND IT WORKS BUT THE PACKETS BEYOND THE ROUTER FROM LAN SOMETIMES DON'T CROSS. I tried with 2.9.20 and 2.9.22 and the same, and if I use 1:1 NAT to the clients, it works fine, but not masquerade.

Please help me because I don't have many public IPs for all my customers.

Dimas

Posted: Fri Apr 28, 2006 12:48 pm
by pekr
butche, could you please also explain to me, what are look-up tables good for and when are they created?

Am I correct thinking, that they are created during the mangle phase?

And why did you use them? What is the reason to "lookup" the "table", if the router can do the decision according to the routing-mark itself, specified when I define my gateway?

What exactly does following statement do?

/ip route rule
add src-address=192.168.1.0/24 action=lookup table=public1

Does it "create" lookup table public1, which can be used later in:

/ip route
add gateway=10.10.10.2 routing-mark=public1

... or do I still need mangle to create routing-mark public1? And if so, what is the router rule good for?

Thanks :-)
Petr
