In the end, traffic from Wi-Fi goes like this:
wlan0 -> RB2011(br-primary) -> vlan400 -> CCR1009 -> VLAN1000 -> RB2011 -> world
Unfortunately it doesn't work because the RB2011 doesn't perform masquerade on outgoing traffic. As the configuration of the actual routers is really complex and it wouldn't make much sense to post it here, I re-created the issue in a virtualized CHR lab:
The first case (which doesn't work) goes like this: And the ping result is the following:
As you can see from the logs, masquerade is not performed properly. The second case (which works) goes like this:
The config is the same. As you can see, now that the machine is connected directly to the second router, so that packets go through router1 only once, masquerade is performed properly (the src IP change is visible in the log). When I enabled more detailed logging in the actual setup, I noticed that all chains except srcnat and dstnat are entered on every packet, but srcnat and dstnat are entered only once, at the beginning of the connection, when packets go through br-primary. Of course it's too early to perform masquerade at that point, so in the end masquerade doesn't work. Here's the log from the actual RB2011:
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-NAT-DST dstnat: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-NAT-SRC srcnat: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-gw-ccr(sfp1-vlan-ccr) out:(none), src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-gw-ccr(sfp1-vlan-ccr) out:(none), src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84
I'm also aware that it can be done with MetaROUTER, but unfortunately for some reason MetaROUTER doesn't work on my particular RB2011 (CPU usage instantly skyrockets to 100% and stays there, while the VM hangs in the "booting" stage). But that's an issue for another thread.
I know that I could just get a third router, but it feels silly to put 3 routers one on top of another just because one has to be the edge, one the AP and one the core. The RB2011 makes a perfect edge router due to its 10/100 interfaces.
PLS HALP.
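The chain behaviour the post's log shows (srcnat walked once, at the first pass through br-primary, and never again on the second pass through br-gw-ccr) is what you get when the NAT decision is bound to the connection-tracking entry. The following is an added example, not code from the post or from MikroTik: a small Python model that assumes the RouterOS firewall follows Linux netfilter semantics (NAT chains consulted only for a connection's first packet, result stored on the conntrack entry) and replays both of the post's cases through it. The masquerade address 203.0.113.10 and the single srcnat rule matching out-interface br-gw-twg are constructed for the example; the interface names are the ones from the log.

```python
"""Toy model of how a netfilter-style NAT decision is bound to the conntrack entry.

Added example, not code from the forum post. Assumes RouterOS behaves like Linux
netfilter: the srcnat/dstnat chains are consulted only for the first packet of a
connection, and the result (including "no NAT") is stored on the conntrack entry
and reused for every later packet, including a second pass of the same connection
through the same router. Masquerade address and rule are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    in_if: str    # interface the packet arrived on
    out_if: str   # interface chosen by routing, known by postrouting/srcnat time


@dataclass
class ConnEntry:
    snat_to: Optional[str] = None   # address decided by srcnat; None = leave the source alone
    packets: int = 0


class Router:
    """One router with a global conntrack table and one srcnat masquerade rule."""

    def __init__(self, masq_out_if: str, masq_addr: str):
        # Stands in for: /ip firewall nat add chain=srcnat out-interface=<masq_out_if> action=masquerade
        self.masq_out_if = masq_out_if
        self.masq_addr = masq_addr
        self.conntrack: Dict[Tuple[str, str, str], ConnEntry] = {}
        self.srcnat_evaluations = 0         # how many times the srcnat chain was actually walked
        self.log: List[str] = []

    def forward(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.dst)   # conntrack tuple (ports / ICMP id omitted for brevity)
        entry = self.conntrack.get(key)
        is_new = entry is None
        if is_new:
            entry = ConnEntry()
            self.conntrack[key] = entry
        entry.packets += 1
        # Filter/mangle chains run for every packet, as in the post's log.
        self.log.append(f"prerouting in:{pkt.in_if} {pkt.src}->{pkt.dst}")
        self.log.append(f"forward in:{pkt.in_if} out:{pkt.out_if} {pkt.src}->{pkt.dst}")
        self.log.append(f"postrouting out:{pkt.out_if} {pkt.src}->{pkt.dst}")
        if is_new:
            # NAT chains are walked only for a connection's first packet.
            self.srcnat_evaluations += 1
            self.log.append(f"srcnat out:{pkt.out_if} {pkt.src}->{pkt.dst}")
            if pkt.out_if == self.masq_out_if:
                entry.snat_to = self.masq_addr
        # The stored decision (possibly "none") is applied to this and every later packet.
        new_src = entry.snat_to or pkt.src
        return Packet(new_src, pkt.dst, pkt.proto, pkt.in_if, pkt.out_if)


def run_hairpin(n_pings: int = 3) -> Tuple[List[str], int]:
    """Post's first case: client -> RB2011 (br-primary -> vlan4-ccr) -> CCR -> RB2011 (br-gw-ccr -> br-gw-twg)."""
    rb = Router(masq_out_if="br-gw-twg", masq_addr="203.0.113.10")
    seen = []
    for _ in range(n_pings):
        p = Packet("192.168.4.6", "8.8.8.8", "icmp", "br-primary", "vlan4-ccr")
        p = rb.forward(p)   # first pass: srcnat walked, rule wants out-interface br-gw-twg, no match
        # The CCR1009 hop is modelled as a plain route back to the RB2011 on the transit VLAN.
        p = Packet(p.src, p.dst, p.proto, "br-gw-ccr", "br-gw-twg")
        p = rb.forward(p)   # second pass: same tuple -> existing entry, srcnat not walked again
        seen.append(p.src)
    return seen, rb.srcnat_evaluations


def run_direct(n_pings: int = 3) -> Tuple[List[str], int]:
    """Post's second case: client behind the CCR, so the RB2011 is crossed only once, on the way out."""
    rb = Router(masq_out_if="br-gw-twg", masq_addr="203.0.113.10")
    seen = []
    for _ in range(n_pings):
        p = Packet("192.168.4.6", "8.8.8.8", "icmp", "br-gw-ccr", "br-gw-twg")
        seen.append(rb.forward(p).src)
    return seen, rb.srcnat_evaluations


if __name__ == "__main__":
    print("hairpin:", run_hairpin())   # sources stay 192.168.4.6, srcnat walked once
    print("direct: ", run_direct())    # sources become 203.0.113.10, srcnat walked once
</```

In the hairpin run the srcnat chain is walked exactly once, on the pass whose out-interface is vlan4-ccr, so the masquerade rule for br-gw-twg never matches and the stored decision is "no source NAT"; every later packet, and the second pass of each packet, inherits that decision, which is the pattern in the log above. In the direct run the only pass already exits on br-gw-twg, so the same single srcnat evaluation records the masquerade and all packets leave rewritten.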