I have been struggling for 3 days with a problem where my NAT masquerade rule is not working, and something very strange is happening with its out-bridge-port-list parameter.
The simplified topology is at the bottom.
192.168.0.2 is connected to 192.168.0.1 on ether1 (ISP).
I have my WAN ISP router that I can't replace, and I also can't edit its routing. It can only route packets to 192.168.0.0/24 (and to the Internet, of course).
That's why I have added a NAT masquerade rule on 192.168.0.2, so that the devices in 192.168.1.0/24 can access the Internet.
My masquerade rule on 192.168.0.2 is:
add action=masquerade chain=srcnat comment="Masquerade all traffic to ISP router because it does not allow to set routing" out-bridge-port-list="ISP Router" src-address-list="!LAN Network"
Additional config of 192.168.0.2:
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX arp=proxy-arp auto-mac=no comment=defconf dhcp-snooping=yes igmp-snooping=yes name=bridge
/interface list
add comment=defconf name=LAN
add name="ISP Router"
add exclude="ISP Router" include=LAN name="LAN without ISP Router"
/interface bridge port
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list="ISP Router"
/ip firewall address-list
add address=192.168.0.0/24 list="LAN Network"
The problem is that the following rule does not work when trying to access the Internet (ping 8.8.8.8) from 192.168.1.100:
add action=masquerade chain=srcnat out-bridge-port-list="ISP Router" src-address-list="!LAN Network"
But if I change

out-bridge-port-list="ISP Router"

to

out-bridge-port-list="!LAN without ISP Router"

so that the rule becomes

add action=masquerade chain=srcnat out-bridge-port-list="!LAN without ISP Router" src-address-list="!LAN Network"

it works.
Well, logically "ISP Router" should be the same as "!LAN without ISP Router", but for MikroTik it isn't...
So could someone please tell me why out-bridge-port-list="!LAN without ISP Router" works but out-bridge-port-list="ISP Router" does not? I want to use out-bridge-port-list="ISP Router", as out-bridge-port-list="!LAN without ISP Router" isn't straightforward.
EDIT: Something that also works is the following, as the ISP router is only used to access the Internet:
add action=masquerade chain=srcnat dst-address-list="!Not in Internet" src-address-list="!LAN Network"
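Given the interface lists in the posted configuration, the two matchers are not equivalent even on paper: LAN contains the bridge interface itself, not the bridge ports, so "LAN without ISP Router" resolves to {bridge} and its negation matches every bridge port, not just ether1. The Python model below is an added illustration (not part of the original post and not RouterOS code) that resolves the posted interface lists and evaluates an out-bridge-port-list matcher against each possible egress value, including the case where the router has not determined an egress bridge port at all (RouterOS documents that out-bridge-port is only populated for traffic leaving via a bridge when use-ip-firewall=yes is set in /interface bridge settings, so with the default setting the value is empty). Port and list names are taken from the post; the matching semantics are a deliberate simplification.

```python
"""Added illustration: model RouterOS interface-list resolution and the
firewall out-bridge-port-list matcher for the configuration in the post.
Not RouterOS code; the matching semantics are a simplification."""

from typing import Dict, List, Optional, Set, Tuple

# Bridge ports as posted under /interface bridge port (constructed from the post).
BRIDGE_PORTS: Set[str] = {
    "ether1", "ether2", "ether3", "ether4", "ether5", "ether6", "ether7",
    "ether8", "sfp-sfpplus1",
}

# Static lists from /interface list member. Note that LAN contains the bridge
# interface itself (comment=defconf), not the individual bridge ports.
STATIC_LISTS: Dict[str, Set[str]] = {
    "LAN": {"bridge"},
    "ISP Router": {"ether1"},
}

# Derived lists from "/interface list add include=... exclude=...".
DERIVED_LISTS: Dict[str, Tuple[List[str], List[str]]] = {
    "LAN without ISP Router": (["LAN"], ["ISP Router"]),
}


def resolve_list(name: str) -> Set[str]:
    """Return the interfaces an interface list currently contains."""
    if name in STATIC_LISTS:
        return set(STATIC_LISTS[name])
    include, exclude = DERIVED_LISTS[name]
    members: Set[str] = set()
    for inc in include:
        members |= resolve_list(inc)
    for exc in exclude:
        members -= resolve_list(exc)
    return members


def matches_out_bridge_port_list(spec: str, out_bridge_port: Optional[str]) -> bool:
    """Evaluate a firewall out-bridge-port-list matcher for one packet.

    spec is the rule parameter, optionally prefixed with '!' for negation.
    out_bridge_port is the egress bridge port the router attributed to the
    packet, or None when it did not determine one (RouterOS only populates
    out-bridge-port for traffic leaving via a bridge when use-ip-firewall=yes
    is set in /interface bridge settings). An undetermined port is never a
    member of any list, so a positive list cannot match it while a negated
    list always does.
    """
    negate = spec.startswith("!")
    members = resolve_list(spec[1:] if negate else spec)
    hit = out_bridge_port is not None and out_bridge_port in members
    return (not hit) if negate else hit


def disagreements(spec_a: str, spec_b: str) -> Set[Optional[str]]:
    """Egress values (every bridge port plus None for 'undetermined') on which
    two matchers give different verdicts. An empty set means equivalence."""
    candidates: Set[Optional[str]] = set(BRIDGE_PORTS) | {None}
    return {
        port for port in candidates
        if matches_out_bridge_port_list(spec_a, port)
        != matches_out_bridge_port_list(spec_b, port)
    }


if __name__ == "__main__":
    print("LAN without ISP Router resolves to:", resolve_list("LAN without ISP Router"))
    for port in ("ether1", "ether2", None):
        print(
            f"egress={port!s:<12}",
            "ISP Router ->", matches_out_bridge_port_list("ISP Router", port),
            "| !LAN without ISP Router ->",
            matches_out_bridge_port_list("!LAN without ISP Router", port),
        )
    print("matchers differ on:", disagreements("ISP Router", "!LAN without ISP Router"))
```

Running it shows that "!LAN without ISP Router" matches on every bridge port and on the undetermined case, whereas "ISP Router" matches only when the router has actually attributed the packet to ether1. In practice that makes the negated form far broader than intended (it also catches routed traffic from 192.168.1.0/24 leaving towards any other bridge port), and it explains why a positive list can fail silently when out-bridge-port is never filled in. If the rule must be tied to ether1 specifically, the practitioner's choices are to enable use-ip-firewall (at the cost of passing all bridged traffic through the IP firewall) or to match on something the router knows at srcnat time, as the dst-address-list variant in the EDIT does.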