ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

VRF and NAT Masquerade

Fri Jan 14, 2011 5:44 am

Hi All,

I am having some trouble getting NAT masquerade to work with a VRF. I have a VPLS PW interface with the public range routed to it using a VRF. I have set up src-nat to mask from the LAN subnet outbound on the VPLS PW interface within the VRF. I have set up the NAT rules to include the routing mark; however, I continue to not get any hits on the rule.

thanks.
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: VRF and NAT Masquerade

Fri Jan 14, 2011 8:52 am

I take it you're following this tutorial?

http://wiki.mikrotik.com/wiki/Internet_ ... F_with_NAT
IT consultant. Network manager. Packet junkie.
1-928-328-1509
 
ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: VRF and NAT Masquerade

Sat Jan 15, 2011 11:26 am

No, I wasn't, thanks for the link!
 
ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: VRF and NAT Masquerade

Thu Jan 20, 2011 3:01 am

OK, so upon looking over that wiki article properly, it is irrelevant to what I am trying to do, so just to clarify:

I have a VPLS interface that has an Internet address on it within a VRF. I then have a VLAN interface using private addressing, with a host on the VLAN also within the VRF. I have a dst-nat rule that port forwards to the host on the LAN, the result being that I should be able to access this host from the Internet via the router's address, port "x". The issue is that the dst-nat works and the host then responds with a packet, but the router is dropping the packet before it gets out over the src-nat.

NAT
 0   ;;; Port Forward to Trinity printer for Internet printing
     chain=dstnat action=dst-nat to-addresses=192.168.90.254 to-ports=6310 
     protocol=tcp dst-address=x.x.x.x routing-mark=TrinityInternet 
     dst-port=6310 

 1   ;;; NAT Printer to Internet
     chain=srcnat action=masquerade out-interface=VPE-10001-B 
VRF
 0   routing-mark=TrinityInternet 
     interfaces=VPE-10001-B,Eth2-Vlan50-Printer,Eth2-Vlan610-Wlan1,Eth2-
                Vlan611-Wlan2 
Interfaces
 1  R  ;;; Fa0/1 Comms-C2950
       ether2                                      ether            1500  1524 
 2     ether3                                      ether            1500  1524 
 3     ether4                                      ether            1500  1524 
 4     ether5                                      ether            1500  1524 
 5     ether6                                      ether            1500  1524 
 6     ether7                                      ether            1500  1524 
 7     ether8                                      ether            1500  1524 
 8     ether9                                      ether            1500  1524 
 9  R  ;;; Loopback for routing protocols
       lo0                                         bridge           1500  65535
10  R  ;;; Management VLAN
       Eth2-Vlan600-Mgmt                           vlan             1500  1520 
11  R  ;;; Signup WLAN VLAN
       Eth2-Vlan610-Wlan1                          vlan             1500  1520 
12  R  ;;; Secure WLAN VLAN
       Eth2-Vlan611-Wlan2                          vlan             1500  1520 
13  R  ;;; TrinityCollege Printer
       Eth2-Vlan50-Printer                         vlan             1500  1520 
14  R  ;;; Management/data
       ether1.601                                  vlan             1500  1520 
15  R  ;;; Loopback - Temp for remote access to printer
       lo1                                         bridge           1500  65535
16  R  VPE-10001-B                                 vpls             1500  1500 
Addresses
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   10.60.4.1/32       10.60.4.1       10.60.4.1       lo0                    
 1   10.60.14.11/23     10.60.14.0      10.60.15.255    ether1.601             
 2   10.60.2.1/28       10.60.2.0       10.60.2.15      Eth2-Vlan600-Mgmt      
 3   192.168.90.1/24    192.168.90.0    192.168.90.255  Eth2-Vlan50-Printer    
 4   210.x.x.2/30    210.x.x.0    210.x.x.3    VPE-10001-B            
 5   172.16.1.1/24      172.16.1.0      172.16.1.255    Eth2-Vlan610-Wlan1
 
ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: VRF and NAT Masquerade

Fri Jan 21, 2011 12:32 am

OK, I have tested further by routing a public subnet across the VRF and assigned an address from this range to the host on the LAN. I am able to ping the routers address on this subnet however the router is dropping the ICMP request on the return trip from the host across the router... I am guessing something about the VRF or routing mark is the problem.
 
Eising
Member Candidate
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: VRF and NAT Masquerade

Fri Jan 21, 2011 2:37 pm

I'm always happy when someone reads the howtos I've done :)

Did you remember to make the correct MANGLE? Return traffic does not automatically go into the correct VRF, so you need to use /ip firewall mangle to make sure the traffic ends back in the VRF.
The road to hell is paved with good intentions.
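Added example, not from the original thread, Eising's wiki howto or MikroTik: one way to write the mangle rules Eising describes for the configuration the topic author posted above. The routing mark TrinityInternet, the interfaces VPE-10001-B and Eth2-Vlan50-Printer and the printer address 192.168.90.254 are taken from the posted config; the connection-mark name VRF_IN is an assumed name, and the syntax assumed is RouterOS v6 (the version in use in this thread). The idea is to remember, per connection, that a flow entered through the VRF-facing VPLS interface, and then to give the printer's reply packets the VRF's routing mark in prerouting, before the routing decision, so they are looked up in the VRF table rather than falling through to main.

```routeros
# Added example (not from the thread): keep the dst-nat'ed printer connection inside the
# VRF in both directions. TrinityInternet, VPE-10001-B, Eth2-Vlan50-Printer and
# 192.168.90.254 come from the OP's posted config; VRF_IN is an assumed connection-mark name.

/ip firewall mangle
# 1. Mark every new connection that enters through the VRF-facing VPLS interface.
#    A connection mark lives as long as the conntrack entry, so the printer's
#    replies inherit it without any address matching.
add chain=prerouting in-interface=VPE-10001-B connection-state=new \
    action=mark-connection new-connection-mark=VRF_IN passthrough=yes \
    comment="VRF ingress: remember connections that arrived via the VPLS PW"

# 2. Reply packets from the printer VLAN that belong to such a connection get the
#    VRF's routing mark, so the route lookup happens in the TrinityInternet table
#    instead of in main (which has no route back out over the PW).
add chain=prerouting in-interface=Eth2-Vlan50-Printer connection-mark=VRF_IN \
    action=mark-routing new-routing-mark=TrinityInternet passthrough=no \
    comment="VRF return: route printer replies via the TrinityInternet table"

/ip firewall nat
# The OP's existing NAT rules, repeated here only for context. The masquerade
# rule is narrowed to the printer subnet so only the intended host is translated.
add chain=dstnat protocol=tcp dst-address=x.x.x.x dst-port=6310 routing-mark=TrinityInternet \
    action=dst-nat to-addresses=192.168.90.254 to-ports=6310
add chain=srcnat src-address=192.168.90.0/24 out-interface=VPE-10001-B action=masquerade
```

To check that the rules actually see traffic, watch the counters with `/ip firewall mangle print stats` while opening a connection to port 6310 from outside: the first rule should count once per new connection and the second once per reply packet. If the second rule never counts, the replies are not arriving on Eth2-Vlan50-Printer with the expected connection mark, which points at the ingress rule (wrong in-interface) rather than at the routing mark.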
 
ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: VRF and NAT Masquerade

Fri Jan 21, 2011 11:21 pm

Hmm, I did have a mangle rule in place based on that logic, however was not getting any hits on it and MikroTik support told me to remove it.

I will put the mangle rules back on and post an update.

Thanks!
 
ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: VRF and NAT Masquerade

Sat Jan 22, 2011 12:49 am

So still no luck with the mangle rules... Tried to add the routing mark using the VLAN interface inbound, global interface, src-addr & dst-addr... still don't get any hits:
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=mark-routing new-routing-mark=Internet 
     passthrough=yes src-address=192.168.90.0/24 

 1   chain=prerouting action=mark-routing new-routing-mark=Internet 
     passthrough=yes in-interface=Eth2-Vlan611-Wlan2 

 2   chain=prerouting action=mark-routing new-routing-mark=Internet 
     passthrough=yes src-address=210.x.x.64/26 
VLAN 611 is where the host I am trying to reach is; it has the subnet 210.x.x.64/26.

Any input is greatly appreciated!
 
volkirik
Member Candidate
Posts: 119
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Sat Jun 11, 2022 3:15 pm

/ip firewall address-list
add address=10.0.0.0/8 list=LAN_addresses
add address=192.168.0.0/16 list=LAN_addresses
add address=100.64.0.0/10 list=LAN_addresses

/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark-routing:main (LAN)" src-address-list=!LAN_addresses dst-address-list=LAN_addresses \
new-routing-mark=main passthrough=yes

/routing rule add routing-mark=main action=lookup table=main

that's all

otherwise responses will not reach
 
volkirik
Member Candidate
Posts: 119
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Thu Aug 04, 2022 7:25 pm

this is a bug in ROSv7 that needs to be fixed...

fallback to main routing-table is not working...
 
anav
Forum Guru
Posts: 12497
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VRF and NAT Masquerade

Sat Aug 06, 2022 4:34 pm

Same here, heard VRF with version 7 is flaky...
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
volga629
Frequent Visitor
Posts: 55
Joined: Tue Nov 19, 2013 6:21 am

Re: VRF and NAT Masquerade

Mon Aug 08, 2022 5:31 am

That resolved the issue for me in ver 7.4.
Return traffic from the Internet to the correct VRF:
[admin@fw-up-1.networklab.local] > /ip/firewall/mangle/print

 8    ;;; Returning traffic to vrf
      chain=prerouting action=mark-connection new-connection-mark=VRF_TRAFFIC_OUT passthrough=no
      src-address-list=SRC_NAT_NET log=no log-prefix=""

 9    chain=prerouting action=mark-routing new-routing-mark=sdwan_vrf_1 passthrough=no
      connection-mark=VRF_TRAFFIC_OUT in-interface=WAN-eth1 log=no log-prefix=""
[admin@fw-up-1.networklab.local] > 
