lz1dsb
Member Candidate
Topic Author
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

A question about Masquerade

Tue Aug 26, 2014 3:46 pm

Is my understanding correct?
A masquerade is considered a source NAT, which means that according to the packet flow diagram
http://wiki.mikrotik.com/images/2/24/Packetflowv6.png
the NAT-ing should happen in the Postrouting phase, after the packet has already been routed, correct?

If this is so, then it does not matter if I have multiple outbound gateways. The NAT process will happen after the packets have been routed. Is my assumption correct?
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: A question about Masquerade

Tue Aug 26, 2014 6:00 pm

Is my understanding correct?
A masquerade is considered a source NAT, which means that according to the packet flow diagram
http://wiki.mikrotik.com/images/2/24/Packetflowv6.png
the NAT-ing should happen in the Postrouting phase, after the packet has already been routed, correct?

If this is so, then it does not matter if I have multiple outbound gateways. The NAT process will happen after the packets have been routed. Is my assumption correct?
AFAIK, yes.

The source IP will be changed to whatever the source IP for the routed gateway is. So if you have two ISPs, a packet that is routed to the first will have the router's IP for the first ISP, and a packet that is routed to the second will get your router's IP for the second ISP.
 
lz1dsb
Member Candidate
Topic Author
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: A question about Masquerade

Tue Aug 26, 2014 6:30 pm

Is my understanding correct?
A masquerade is considered a source NAT, which means that according to the packet flow diagram
http://wiki.mikrotik.com/images/2/24/Packetflowv6.png
the NAT-ing should happen in the Postrouting phase, after the packet has already been routed, correct?

If this is so, then it does not matter if I have multiple outbound gateways. The NAT process will happen after the packets have been routed. Is my assumption correct?
AFAIK, yes.

The source IP will be changed to whatever the source IP for the routed gateway is. So if you have two ISPs, a packet that is routed to the first will have the router's IP for the first ISP, and a packet that is routed to the second will get your router's IP for the second ISP.
It turns out that this is not the case. Here's what I found in the documentation...
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

"masquerade - replace source address of an IP packet to IP determined by routing facility."

My tests have also confirmed this.
So now, if I still want to use masquerade, I'll have to come up with some PBR based on source IP address that forwards the traffic only to one outbound interface...
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: A question about Masquerade

Tue Aug 26, 2014 7:24 pm

Is my understanding correct?
A masquerade is considered a source NAT, which means that according to the packet flow diagram
http://wiki.mikrotik.com/images/2/24/Packetflowv6.png
the NAT-ing should happen in the Postrouting phase, after the packet has already been routed, correct?

If this is so, then it does not matter if I have multiple outbound gateways. The NAT process will happen after the packets have been routed. Is my assumption correct?
AFAIK, yes.

The source IP will be changed to whatever the source IP for the routed gateway is. So if you have two ISPs, a packet that is routed to the first will have the router's IP for the first ISP, and a packet that is routed to the second will get your router's IP for the second ISP.
It turns out that this is not the case. Here's what I found in the documentation...
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

"masquerade - replace source address of an IP packet to IP determined by routing facility."

My tests have also confirmed this.
So now, if I still want to use masquerade, I'll have to come up with some PBR based on source IP address that forwards the traffic only to one outbound interface...
What do you mean "that's not the case"? What did you think was the case?

What I meant above was that if you have

# ether1 and ether2 face the two ISPs; ether3 is the LAN
/ip address
add interface=ether1 address=10.10.10.30/24
add interface=ether2 address=10.200.200.40/24
add interface=ether3 address=192.168.0.1/24 comment="LOCAL"
/ip route
add dst-address=0.0.0.0/0 distance=1 gateway=10.10.10.1
add dst-address=0.0.0.0/0 distance=2 gateway=10.200.200.1
/ip firewall nat
add chain=srcnat action=masquerade out-interface=!ether3

What will happen is that IPs in the 192.168.0.0/24 network will present themselves to the world as 10.10.10.30 when going through ether1, and as 10.200.200.40 when going through ether2.
 
lz1dsb
Member Candidate
Topic Author
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: A question about Masquerade

Tue Aug 26, 2014 11:42 pm

What I meant above was that if you have

# ether1 and ether2 face the two ISPs; ether3 is the LAN
/ip address
add interface=ether1 address=10.10.10.30/24
add interface=ether2 address=10.200.200.40/24
add interface=ether3 address=192.168.0.1/24 comment="LOCAL"
/ip route
add dst-address=0.0.0.0/0 distance=1 gateway=10.10.10.1
add dst-address=0.0.0.0/0 distance=2 gateway=10.200.200.1
/ip firewall nat
add chain=srcnat action=masquerade out-interface=!ether3

What will happen is that IPs in the 192.168.0.0/24 network will present themselves to the world as 10.10.10.30 when going through ether1, and as 10.200.200.40 when going through ether2.
I think I didn't put it correctly. In my masquerade rule I've also put to-address=<public-ip-address>. It turned out, though, that when masquerade is used, like you noted, after the routing process is done, the source IP address is translated to whatever the outbound gateway is resolved. That was my misconception about masquerade. The to-address parameter does not play any role in here. It should have been disabled when masquerade is used... But anyway...

Now, my problem is that one of the outbound interfaces is a public IP address, the other one is a private one. The interface with the private IP address is connected to another router, which is an exit point from the AS. With the current BGP configs that I have, the international prefixes are routed over the local outbound interface with the public IP address - no issues with masquerade. The BG prefixes are routed via the interface with the private IP address and eventually exit the AS over the second router. So this is where the issue is, because now the masquerade rule takes the private IP address (RFC 1918 10.0.0.0 something network) and translates the source IP address of the packets using it.
That's why I have to find a way to implement something like PBR that will match the source of the network I would like to masquerade and always route it to one of the outbound interfaces. I have had flaky results so far...
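The policy-routing approach this post describes, as an added worked configuration that is not part of the thread (it reuses boen_robot's interface names and addresses from the example above; the routing-mark name via-public, using 10.10.10.30 to stand in for the public address, and the guard rule at the end are my assumptions). It pins the 192.168.0.0/24 source range to the public-IP gateway before the routing decision and uses src-nat with to-addresses, which honors a fixed address where masquerade does not:

```routeros
# RouterOS v6 syntax (the thread dates from 2014).
# ether1 = link with the public address (10.10.10.30 stands in for it),
# ether2 = private link to the second AS exit router, ether3 = LAN.
/ip address
add interface=ether1 address=10.10.10.30/24
add interface=ether2 address=10.200.200.40/24
add interface=ether3 address=192.168.0.1/24 comment="LOCAL"

# Main table is left as before; BGP/static routes still pick the exit
# for traffic from any other source.
/ip route
add dst-address=0.0.0.0/0 distance=1 gateway=10.10.10.1
add dst-address=0.0.0.0/0 distance=2 gateway=10.200.200.1

# Mangle prerouting runs before the routing decision in the packet-flow
# diagram, so the mark set here changes which table the lookup uses.
# LAN-to-LAN traffic is excluded so it is not dragged toward the ISP.
/ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 \
    dst-address=!192.168.0.0/24 action=mark-routing \
    new-routing-mark=via-public passthrough=no \
    comment="assumed mark name: via-public"

# Marked packets are looked up in this table first and leave via ether1.
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=via-public \
    check-gateway=ping

# Postrouting NAT, after routing: src-nat honors to-addresses, whereas
# masquerade ignores it and uses the out-interface's own address.
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 out-interface=ether1 \
    action=src-nat to-addresses=10.10.10.30

# Guard: if the marked route goes inactive (check-gateway fails), the
# packets fall back to the main table and could exit ether2 with a
# private or un-NATed source. Drop them there instead of leaking them.
/ip firewall filter
add chain=forward src-address=192.168.0.0/24 out-interface=ether2 \
    action=drop comment="assumed guard rule"
```

Verify with /ip firewall mangle print stats and /ip firewall nat print stats that the counters on the mark-routing and src-nat rules increase for LAN traffic while the guard rule stays at zero during normal operation.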
