stich86

NAT MASQ rules don't match when using an interface list

Wed Jan 18, 2023 11:23 am

hi guys,

I've migrated all my config from OPNsense to MikroTik, but there is a small issue.
My setup consists of:

2 LAN, one main and one for IoT stuff
2 PPPoE WAN
1 LTE WAN
3 WireGuard tunnels: 1 for remote access, 1 for a public IP through a VPS (used as a 3rd WAN for remote access in case both PPPoE links fail) and 1 for Surfshark VPN

Here is my current exported configuration (I've removed some personal details):
# RouterOS 7.6 export as posted by the author (keys, passwords and public endpoints replaced
# with XXXX / placeholder names by the author).
/interface bridge
# bridge1 is the LAN bridge with VLAN filtering on; "dockers" is a separate bridge for the
# Tailscale container.
add comment="LAN Bridge - vmbr3" ingress-filtering=no name=bridge1 vlan-filtering=yes
add comment="Docker Containers" name=dockers
/interface ethernet
set [ find default-name=ether1 ] comment="Transito - vmbr3" name=vnic0
set [ find default-name=ether2 ] comment="Transito - vmbr1" name=vnic1
set [ find default-name=ether3 ] comment="Transito - vmbr2" name=vnic2
/interface veth
add address=172.17.0.2/24 comment="UDP Broadcast Relay Container" gateway=172.17.0.1 name=veth1
add address=172.17.1.2/24 comment="Tailscale Container" gateway=172.17.1.1 name=veth2
/interface wireguard
# wg0: remote-access tunnel (its listen port 64001 is opened from WAN in the input chain below).
add comment="WireGuard VPN" listen-port=64001 mtu=1280 name=wg0
add comment="WireGuard VPS" listen-port=13231 mtu=1360 name=wg1
add comment="WireGuard SurfShark" listen-port=13232 mtu=1420 name=wg2
/interface vlan
add comment="VLAN IoT - vmbr3" interface=bridge1 name=vlan2 vlan-id=2
add comment="VLAN WWAN - vmbr3" interface=bridge1 name=vlan99 vlan-id=99
add comment="VLAN PPPoE TIM" interface=vnic1 name=vlan835 vlan-id=835
add comment="VLAN PPPoE Poste" interface=vnic2 name=vlan835-poste vlan-id=835
/interface list
# NOTE(review): on RouterOS, include=static makes a list contain EVERY static interface
# (bridge1, vlan2, vnic*, wg*, ...) on top of the explicit members configured under
# /interface list member further down. LAN and WAN therefore both contain all static
# interfaces, so WAN is NOT "everything except bridge1 and vlan2" as the explicit members
# suggest. This is what makes the "MASQ LAN"/"MASQ IoT" srcnat rules (out-interface-list=WAN)
# match LAN<->IoT traffic. Creating the lists without include= (or include=none) and relying
# on the explicit members is the usual fix.
add include=static name=LAN
add include=static name=WAN
# NOTE(review): include=all makes VPN contain every interface, including the PPPoE, LTE and
# WireGuard uplinks; see the "Forward VPN to Any" filter rule below for the consequence.
add include=all name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add comment="DHCP Scope - LAN" name=LAN-Pool ranges=10.0.1.120-10.0.1.245
add comment="DHCP Scope - IoT" name=IoT-Pool ranges=10.0.2.150-10.0.2.250
/ip dhcp-server
add address-pool=LAN-Pool interface=bridge1 lease-time=1d name=dhcp_s_lan
add address-pool=IoT-Pool interface=vlan2 lease-time=1d name=dhcp_s_iot
/ppp profile
# Both PPPoE clients use this profile: 10 s after the link comes up or goes down it runs the
# "dyndns" script (not part of this export).
add change-tcp-mss=yes name=ppp-dyndns on-down="delay 10s\r\
    \n:execute \"dyndns\"" on-up="delay 10s\r\
    \n:execute \"dyndns\""
/interface pppoe-client
# Poste installs its default route at distance 2; TIM uses the default distance, so TIM is
# the preferred uplink and Poste the first fallback.
add add-default-route=yes comment="WAN Poste" default-route-distance=2 disabled=no interface=vlan835-poste name=Poste profile=ppp-dyndns user=\
    XXXXX@postepay
add add-default-route=yes comment="WAN TIM" disabled=no interface=vlan835 name=TIM profile=ppp-dyndns user=timadsl
/routing table
add disabled=no fib name=WG_DF_VPS
add disabled=no fib name=WG_DF_SS
add disabled=no fib name=MGMT_TIK_VPS
/container
add envlist=tailscale hostname=tailscale-proxy interface=veth2 logging=yes start-on-boot=yes
add interface=veth1 logging=yes start-on-boot=yes
/container config
set registry-url=https://ghcr.io tmpdir=docker/pull
/container envs
# Tailscale container environment; the secret values were masked by the author before posting.
add key=PASSWORD name=tailscale value=XXXXX
add key=DOMAIN name=tailscale value=XXXXXX
add key=AUTH_KEY name=tailscale value=XXXX
add key=API_KEY name=tailscale value=XXXXX
add key=ADVERTISE_ROUTES name=tailscale value=10.0.1.0/24,10.0.2.0/24
add key=CONTAINER_GATEWAY name=tailscale value=172.17.1.1
add key=TAILSCALE_ARGS name=tailscale value=--accept-routes
/interface bridge port
add bridge=bridge1 interface=vnic0
# NOTE(review): veth1 gets pvid=100 but no /interface bridge vlan entry below lists VLAN 100
# (only 1, 2 and 99 are defined) — TODO confirm this is intended.
add bridge=bridge1 ingress-filtering=no interface=veth1 pvid=100
add bridge=dockers interface=veth2
/ip firewall connection tracking
# Shortened connection-tracking timeouts.
set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s tcp-syn-received-timeout=2m tcp-syn-sent-timeout=\
    2m tcp-time-wait-timeout=2m udp-timeout=30s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 comment="VLAN IoT" tagged=bridge1,vnic0,veth1 vlan-ids=2
add bridge=bridge1 comment="VLAN WWAN" tagged=bridge1,vnic0 vlan-ids=99
add bridge=bridge1 tagged=veth1 vlan-ids=1
/interface list member
# These are only the EXPLICIT members; the lists' include= settings above add every static
# interface to LAN and WAN and every interface to VPN, so the effective membership is wider
# than this table shows.
add interface=bridge1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan99 list=WAN
add interface=TIM list=WAN
add interface=Poste list=WAN
add interface=wg0 list=VPN
add interface=wg1 list=WAN
add interface=wg2 list=WAN
add interface=vnic1 list=WAN
add interface=vnic2 list=WAN
/interface ovpn-server server
# OVPN server parameters; the export shows no enabled=yes, so the server is presumably
# disabled — confirm. If it is ever enabled, note auth=sha1 and the certificate referenced
# only by internal id (*1).
set auth=sha1 certificate=*1 cipher=aes128 port=64000 protocol=udp tls-version=only-1.2
/interface wireguard peers
# wg0 peers: one /32 per client plus 192.168.179.0/24 behind the MF286.
add allowed-address=172.19.255.3/32 comment="iPhone" interface=wg0 public-key="XXXX"
add allowed-address=172.19.255.4/32 comment="MBP" interface=wg0 public-key="XXXXX"
add allowed-address=172.19.255.5/32 comment="Laptop" interface=wg0 public-key="XXXXX"
add allowed-address=172.19.255.2/32,192.168.179.0/24 comment="MF286" interface=wg0 public-key=\
    "XXXXX"
# wg1 (VPS) and wg2 (Surfshark) peers allow 0.0.0.0/0, i.e. packets with ANY source address
# arriving through these tunnels are accepted. The forward filter is therefore the only thing
# limiting what the far side of these tunnels can reach — see the "Forward VPN to Any" note.
add allowed-address=0.0.0.0/0,VPS_PUB_IP/32 endpoint-address=VPS_ENTRY_POINT endpoint-port=65011 interface=wg1 persistent-keepalive=15s \
    public-key="XXXXXX"
add allowed-address=0.0.0.0/0 endpoint-address=de-fra.prod.surfshark.com endpoint-port=51820 interface=wg2 persistent-keepalive=15s public-key=\
    "XXXXX"
/ip address
add address=10.0.2.1/24 comment="IoT Network" interface=vlan2 network=10.0.2.0
add address=10.0.1.1/24 comment="LAN Network" interface=bridge1 network=10.0.1.0
add address=192.168.99.151/24 comment="WWAN Network" interface=vlan99 network=192.168.99.0
add address=192.168.0.151/24 comment="XGSPON Network" interface=vnic1 network=192.168.0.0
add address=192.168.1.151/24 comment="GPON Network" interface=vnic2 network=192.168.1.0
add address=172.19.255.1/24 comment="WG Gateway" interface=wg0 network=172.19.255.0
add address=172.17.1.1/24 comment="Docker Gateway" interface=dockers network=172.17.1.0
# The VPS-provided public IP is bound directly to wg1, so internet traffic to it arrives
# through the tunnel and hits the input/dstnat rules with in-interface wg1.
add address=185.25.205.34/24 comment="VPS Public IP" interface=wg1 network=185.25.205.0
add address=10.14.0.2/16 comment="SurfShark IP" interface=wg2 network=10.14.0.0
/ip dhcp-server network
add address=10.0.1.0/24 comment="DHCP Scope - LAN" dns-server=10.0.1.41,10.0.1.42 domain=my.home gateway=10.0.1.1 netmask=24
add address=10.0.2.0/24 comment="DHCP Scope - IoT" dns-server=8.8.8.8,8.8.4.4 gateway=10.0.2.1 netmask=24
/ip dns
# Upstream resolvers for the router itself; allow-remote-requests is not set in this export
# (default no), so the router is not acting as a resolver for clients.
set cache-max-ttl=1d servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall filter
# Two disabled catch-all accepts; if either is ever enabled it bypasses the whole
# input/forward policy that follows.
add action=accept chain=input disabled=yes
add action=accept chain=forward disabled=yes
# NOTE(review): 10.0.1.254 is not an address configured on this router in this export (bridge1
# has 10.0.1.1), so this rule as written may never match — TODO confirm it is not a leftover
# from the previous firewall.
add action=accept chain=input comment="Accept Webfig/SSH from LAN" dst-address=10.0.1.254 dst-port=22,80 protocol=tcp src-address=10.0.1.0/24
add action=accept chain=input comment="Accept VPN Tailscale" in-interface=dockers src-address=100.64.0.0/10
add action=accept chain=input comment="Accept RDP Proxy from XXX" dst-port=8080-8443 in-interface-list=WAN protocol=tcp src-address=\
    1.0.0.0/24
add action=accept chain=input comment="Accept VPN Remote Access" dst-port=64001 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept any ICMP" protocol=icmp
add action=accept chain=input comment="Accept inbound ESTABLISHED,RELATED,UNTRACKED - Input" connection-state=established,related,untracked
# NOTE(review): because WAN (include=static) also contains bridge1 and vlan2, this drop hits
# router-destined traffic from LAN and IoT that was not accepted above, and the five input
# rules after it can never match for traffic arriving on a static interface.
add action=drop chain=input comment="Drop any to WAN" in-interface-list=WAN
# The comments on these five rules describe LAN<->IoT forwarding policy, but they are in
# chain=input (traffic addressed to the router itself) — presumably meant for chain=forward;
# verify against the intended policy.
add action=accept chain=input comment="LAN to IoT - Accept" dst-address=10.0.2.0/24 src-address=10.0.1.0/24
add action=accept chain=input comment="LAN to Any" src-address=10.0.1.0/24
add action=accept chain=input comment="SkyQ to LAN" dst-address=10.0.1.0/24 src-address-list=skyq
add action=accept chain=input comment="IoT to LAN - MQTT" dst-address=10.0.1.41 dst-port=1883 protocol=tcp src-address=10.0.2.0/24
add action=accept chain=input comment="IoT to LAN - Co-IoT" dst-address=10.0.1.42 dst-port=5683 protocol=udp src-address=10.0.2.0/24
add action=drop chain=input comment="Drop Invalid - Input" connection-state=invalid
add action=drop chain=input comment="Cleanup - Input"
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept inbound ESTABLISHED,RELATED,UNTRACKED - Forward" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept from WAN DSTNATed" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop Invalid - Forward" connection-state=invalid
add action=accept chain=forward comment="Forward LAN to Any" in-interface=bridge1
add action=accept chain=forward comment="Forward Docker to Any" in-interface=dockers
add action=accept chain=forward comment="Forward IoT to LAN" in-interface=vlan2 out-interface=bridge1
# NOTE(review): VPN is defined with include=all, so this rule accepts new forwarded traffic
# arriving on ANY interface — the PPPoE/LTE uplinks and the wg1/wg2 tunnels (whose peers
# allow 0.0.0.0/0) included — not just wg0. The "Forward LAN to WAN" rule and the final
# reject below are then never reached. Limiting VPN to wg0 (its only explicit member)
# restores the intended policy.
add action=accept chain=forward comment="Forward VPN to Any" in-interface-list=VPN
add action=accept chain=forward comment="Forward LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=reject chain=forward comment="Cleanup - Forward" reject-with=icmp-network-unreachable
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# Workaround added by the author: exempt LAN<->IoT from srcnat before the masquerade rules
# (first match wins). Only needed because the WAN list implicitly contains bridge1 and vlan2.
add action=accept chain=srcnat comment="NoNAT - LAN to IoT" dst-address=10.0.2.0/24 src-address=10.0.1.0/24
add action=accept chain=srcnat comment="NoNAT - IoT to LAN" dst-address=10.0.1.0/24 src-address=10.0.2.0/24
# out-interface-list=WAN matches whatever WAN resolves to, including the interfaces pulled in
# by include=static, hence the LAN<->IoT masquerading reported in the post.
add action=masquerade chain=srcnat comment="MASQ LAN" out-interface-list=WAN src-address=10.0.1.0/24
add action=masquerade chain=srcnat comment="MASQ IoT" out-interface-list=WAN src-address=10.0.2.0/24
# Container traffic is masqueraded on every out-interface (no out-interface restriction).
add action=masquerade chain=srcnat comment="MASQ Docker" src-address=172.17.1.0/24
# Port forwards keyed on in-interface-list=WAN; with WAN covering all static interfaces these
# also match connections from LAN/IoT to any router-local address, which is broader than the
# comments imply.
add action=dst-nat chain=dstnat comment="NAT Stunnel" dst-address-type=local dst-port=8443 in-interface-list=WAN protocol=tcp to-addresses=\
    10.0.1.199 to-ports=8443
add action=dst-nat chain=dstnat comment="NAT Guacamole" dst-address-type=local dst-port=8080 in-interface-list=WAN protocol=tcp to-addresses=\
    10.0.1.6 to-ports=443
/ip route
# Default-route fallback order: PPPoE TIM and Poste (installed by the clients above), then the
# VPS via wg1 at distance 3, then LTE at distance 4; the last two use check-gateway=ping.
add check-gateway=ping comment="Routing to LTE" disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.99.1 pref-src=0.0.0.0 routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=40
add comment="Routing Tailscale" disabled=no distance=1 dst-address=100.64.0.0/10 gateway=172.17.1.2 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
# The wg1 endpoint itself is pinned to the LTE gateway so the VPS tunnel does not depend on
# the PPPoE links.
add comment="Routing Peer VPS to LTE" disabled=no distance=1 dst-address=VPS_PUB_IP/32 gateway=192.168.99.1 pref-src=0.0.0.0 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Routing to VPS" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=185.25.205.1 pref-src=0.0.0.0 routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
# Per-table defaults used by policy routing (no routing rules for WG_DF_VPS / WG_DF_SS appear
# in this export).
add comment="Routing WG VPS - Tabella WG_DF_VPS" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src=0.0.0.0 routing-table=WG_DF_VPS \
    scope=30 suppress-hw-offload=no target-scope=10
add comment="Routing WG SurfShark - Tabella WG_DF_SS" disabled=no dst-address=0.0.0.0/0 gateway=wg2 routing-table=WG_DF_SS suppress-hw-offload=no
add comment="Routing Peer VP per MGMT" disabled=no distance=1 dst-address=VPS_ENTRY_POINT/32 gateway=TIM pref-src="" routing-table=MGMT_TIK_VPS \
    scope=30 suppress-hw-offload=no target-scope=10
/ip service
# telnet, ftp, api and api-ssl are off; www and ssh answer only to 10.0.1.0/24 (IoT excluded).
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.1.0/24
set ssh address=10.0.1.0/24
set api disabled=yes
set api-ssl disabled=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/routing rule
# Management host 10.0.1.199 reaches VPS_ENTRY_POINT only via table MGMT_TIK_VPS (out TIM).
add action=lookup-only-in-table disabled=no dst-address=VPS_ENTRY_POINT/32 src-address=10.0.1.199/32 table=MGMT_TIK_VPS
/system clock
set time-zone-name=Europe/Rome
/system hardware
set allow-x86-64=yes
/system identity
set name=rossy
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp1.ien.it
add address=ntp2.ien.it
/tool graphing interface
add
/tool graphing resource
At the moment I've added these two rules to avoid SNAT between the VLANs:
# Workaround: exempt LAN<->IoT from srcnat before the masquerade rules (first match wins).
add action=accept chain=srcnat comment="NoNAT - LAN to IoT" dst-address=10.0.2.0/24 src-address=10.0.1.0/24
add action=accept chain=srcnat comment="NoNAT - IoT to LAN" dst-address=10.0.1.0/24 src-address=10.0.2.0/24
Without these two rules, all traffic originating from LAN to IoT or from IoT to LAN is source-NATed with the IP of the interface. Maybe I'm missing something, but the MASQ rules are:
# out-interface-list=WAN matches whatever the WAN list resolves to, including interfaces
# pulled in implicitly by the list's include= setting (include=static in the export above),
# not only the explicit members.
add action=masquerade chain=srcnat comment="MASQ LAN" out-interface-list=WAN src-address=10.0.1.0/24
add action=masquerade chain=srcnat comment="MASQ IoT" out-interface-list=WAN src-address=10.0.2.0/24
where the interface list WAN contains all interfaces except bridge1 and vlan2:
/interface list member
# NOTE(review): these are only the explicit members. In the export above the lists were created
# with include=static (LAN, WAN) and include=all (VPN), which adds every static interface to
# LAN and WAN and every interface to VPN — so bridge1 and vlan2 are in WAN as well.
add interface=bridge1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan99 list=WAN
add interface=TIM list=WAN
add interface=Poste list=WAN
add interface=wg0 list=VPN
add interface=wg1 list=WAN
add interface=wg2 list=WAN
add interface=vnic1 list=WAN
add interface=vnic2 list=WAN
I've also tried putting a negated destination on the rules, but to no avail: it is still source-NATing with the interface IP. I'm on RouterOS 7.6.

Any suggestion?

Thanks in advance!
Last edited by stich86 on Thu Jan 19, 2023 1:35 am, edited 1 time in total.
mkx

Re: NAT MASQ rules don't match when using an interface list

Wed Jan 18, 2023 9:31 pm

Any suggestion?

Yes. Start using interface lists sensibly. Why would you include all interfaces in every interface list? Or stop using interface lists entirely, most of your firewall rules avoid them already.
 
stich86

Re: NAT MASQ rules don't match when using an interface list

Wed Jan 18, 2023 9:40 pm

Any suggestion?

Yes. Start using interface lists sensibly. Why would you include all interfaces in every interface list? Or stop using interface lists entirely, most of your firewall rules avoid them already.
Hi mkx,

first of all, thanks for your reply.
I've used the interface lists to avoid putting a masquerade rule on every interface that should be masqueraded when traffic passes through it (and to use the lists only in the NAT rules).

I still don't understand why they are not working… is there a particular reason (or maybe it's a big misconfiguration) not related to my particular use case?

Thx in advance
