Ping64
just joined
Topic Author
Posts: 3
Joined: Mon Jun 28, 2021 10:41 pm

[GNS3-CHR] SNAT not working for networks transiting from VRF to Main Table

Mon Jun 28, 2021 11:46 pm

Hello,

I've encountered an unexpected behavior in my tests in a GNS3 Simulation, in the following use case.

I have a network/interface (VL100) placed in a VRF where traffic transits through another CHR device (via default route), then comes back into the main table and finally exits via the Internet interface. For some reason the firewall NAT rule to masquerade/SNAT that network does not work; it is not being evaluated. Apparently DNAT works as expected. In my scenario the goal was to have users in a particular network that is part of a VRF transit a firewall device, for inspection/advanced malware protection, and come back into the MikroTik router in the main table. Everything seems to be working as expected besides NAT, specifically the srcnat chain.

From my point of view this should work but apparently I'm missing something.

This is the configuration that I used, and a diagram:
MKT-1 Router
# jun/30/2021 18:21:10 by RouterOS 6.48.3
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-Internet
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no name=ether3-FW-IN
set [ find default-name=ether4 ] disable-running-check=no name=ether4-FW-Out
set [ find default-name=ether5 ] disable-running-check=no name=ether5-SW
/interface vlan
add interface=ether5-SW name=VL100-Office vlan-id=100
/ip pool
add name=pool-vl100 ranges=192.168.100.50-192.168.100.250
/ip dhcp-server
add address-pool=pool-vl100 disabled=no interface=VL100-Office lease-time=2d10m name=dhcp-vl100
/ip address
add address=192.168.163.99/24 interface=ether5-SW network=192.168.163.0
add address=192.168.100.1/24 interface=VL100-Office network=192.168.100.0
add address=10.0.1.1/30 interface=ether3-FW-IN network=10.0.1.0
add address=10.0.2.1/30 interface=ether4-FW-Out network=10.0.2.0
add address=192.168.122.245/24 interface=ether1-Internet network=192.168.122.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-Internet
/ip route
# VRF100 default route: VL100 traffic goes out ether3-FW-IN to MKT-2 (10.0.1.2)
add distance=1 gateway=10.0.1.2 routing-mark=VRF100
# main table default route: Internet via 192.168.122.1 on ether1-Internet
add distance=1 gateway=192.168.122.1
# main table return path to the office subnet: via MKT-2 (10.0.2.2) on ether4-FW-Out
add distance=1 dst-address=192.168.100.0/24 gateway=10.0.2.2
/ip route vrf
# VRF100 contains the office VLAN and the link towards the firewall
add interfaces=ether3-FW-IN,VL100-Office routing-mark=VRF100
/system identity
set name=MKT-1


MKT-2 Router
# jun/30/2021 18:24:26 by RouterOS 6.47
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no name=ether3-MKT-IN
set [ find default-name=ether4 ] disable-running-check=no name=ether4-MKT-OUT
set [ find default-name=ether5 ] disable-running-check=no name=ether5-Mngmt
/ip address
add address=192.168.163.98/24 interface=ether5-Mngmt network=192.168.163.0
add address=10.0.1.2/30 interface=ether3-MKT-IN network=10.0.1.0
add address=10.0.2.2/30 interface=ether4-MKT-OUT network=10.0.2.0
/ip route
# default route: everything not destined for the office subnet goes back to MKT-1 on its ether4-FW-Out side (10.0.2.1)
add distance=1 gateway=10.0.2.1
# traffic for the office subnet goes back to MKT-1 on its ether3-FW-IN side (10.0.1.1)
add distance=1 dst-address=192.168.100.0/24 gateway=10.0.1.1
/system identity
set name=MKT-2
Diagram: (image attachment not available)
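The following is an added example, not part of the original post and not RouterOS code. It models the documented netfilter/RouterOS behaviour that NAT rules are consulted only for the first packet of a connection: once the connection tracking entry has its source-NAT decision recorded, later packets of that connection (including the same packet re-entering the router on ether4-FW-Out) only have that decision applied, and the srcnat chain is not traversed again. The interface names, addresses and routes come from the MKT-1 export above; the dst-nat rule, the inside server 192.168.100.50, the external host 203.0.113.5 and the port numbers are assumptions made for the illustration.

```python
"""Model of per-connection NAT decision caching (netfilter, as used by RouterOS).

Constructed example: not RouterOS code.  Interface names, addresses and routes
are taken from the MKT-1 export in the thread; the dst-nat rule, the inside
server 192.168.100.50, the external host 203.0.113.5 and all port numbers are
assumed.  Only the original direction of a connection is modelled.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Conn:
    """One conntrack entry.  NAT is decided once per entry, then only applied."""
    dnat_decided: bool = False
    snat_decided: bool = False
    dnat_to: Optional[str] = None
    snat_to: Optional[str] = None


# /ip route vrf add interfaces=ether3-FW-IN,VL100-Office routing-mark=VRF100
VRF100_IFACES = {"ether3-FW-IN", "VL100-Office"}
ROUTES = {
    "VRF100": [("192.168.100.0/24", "VL100-Office"),   # connected
               ("0.0.0.0/0", "ether3-FW-IN")],         # via 10.0.1.2 (MKT-2)
    "main":   [("192.168.100.0/24", "ether4-FW-Out"),  # via 10.0.2.2 (MKT-2)
               ("0.0.0.0/0", "ether1-Internet")],      # via 192.168.122.1
}
IFACE_ADDR = {"ether1-Internet": "192.168.122.245"}
INSIDE_SERVER = "192.168.100.50"  # assumed dst-nat target


def route(in_if: str, dst: str) -> str:
    """Longest-prefix lookup; the table is chosen by the ingress interface's VRF."""
    table = "VRF100" if in_if in VRF100_IFACES else "main"
    best = None
    for prefix, out_if in ROUTES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best[1]


class Router:
    def __init__(self) -> None:
        self.conntrack: dict = {}

    # /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1-Internet
    def srcnat_chain(self, pkt: Pkt, out_if: str) -> Optional[str]:
        return IFACE_ADDR[out_if] if out_if == "ether1-Internet" else None

    # assumed: chain=dstnat in-interface=ether1-Internet dst-address=192.168.122.245
    #          action=dst-nat to-addresses=192.168.100.50
    def dstnat_chain(self, pkt: Pkt, in_if: str) -> Optional[str]:
        if in_if == "ether1-Internet" and pkt.dst == IFACE_ADDR["ether1-Internet"]:
            return INSIDE_SERVER
        return None

    def forward(self, pkt: Pkt, in_if: str) -> Tuple[Pkt, str]:
        """One pass through the router: prerouting/dstnat, routing, postrouting/srcnat."""
        conn = self.conntrack.get(pkt)
        if conn is None:                      # first packet of a connection
            conn = self.conntrack[pkt] = Conn()
        if not conn.dnat_decided:             # dstnat chain traversed only once
            conn.dnat_to = self.dstnat_chain(pkt, in_if)
            conn.dnat_decided = True
        if conn.dnat_to:
            pkt = replace(pkt, dst=conn.dnat_to)
        out_if = route(in_if, pkt.dst)
        if not conn.snat_decided:             # srcnat chain traversed only once
            conn.snat_to = self.srcnat_chain(pkt, out_if)
            conn.snat_decided = True
        if conn.snat_to:
            pkt = replace(pkt, src=conn.snat_to)
        return pkt, out_if


def vl100_via_firewall():
    """Office host -> Internet, hairpinned through MKT-2 as in the thread."""
    r = Router()
    p = Pkt("192.168.100.77", 51000, "203.0.113.5", 443)
    p1, out1 = r.forward(p, "VL100-Office")    # pass 1: VRF100 -> ether3-FW-IN; srcnat decided: no match
    p2, out2 = r.forward(p1, "ether4-FW-Out")  # pass 2: same tuple, decision reused, chain skipped
    return (out1, p1.src), (out2, p2.src)


def main_table_direct():
    """A host whose first pass already leaves via ether1-Internet is masqueraded."""
    r = Router()
    p1, out1 = r.forward(Pkt("192.168.163.10", 51001, "203.0.113.5", 443), "ether5-SW")
    return out1, p1.src


def inbound_dnat():
    """Internet -> inside server: dst-nat is decided on the first pass, so it works."""
    r = Router()
    p = Pkt("203.0.113.5", 40000, "192.168.122.245", 80)
    p1, out1 = r.forward(p, "ether1-Internet")  # dstnat -> 192.168.100.50, main -> ether4-FW-Out
    p2, out2 = r.forward(p1, "ether3-FW-IN")    # different tuple: new entry, VRF100 -> VL100-Office
    return (out1, p1.dst), (out2, p2.dst)


if __name__ == "__main__":
    print("VL100 via firewall:", vl100_via_firewall())
    print("main table direct: ", main_table_direct())
    print("inbound dst-nat:   ", inbound_dnat())
```

In the hairpinned case the packet leaves ether1-Internet with its private source address, which is the symptom reported; the direct case shows the same rule masquerading when the connection's first pass already exits ether1-Internet, and the inbound case shows why dst-nat is unaffected: its decision is taken on the first pass, and the second pass carries a different tuple, so it is a fresh conntrack entry.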
 
Ping64
Topic Author

Re: [GNS3-CHR] SNAT not working for networks transiting from VRF to Main Table

Thu Jul 01, 2021 1:28 pm

Anyone had the chance to test this scenario?

Soon I'm going to test this on physical/real equipment as well, but most likely the behavior is going to be the same; otherwise I'll have a pleasant surprise.

I'll keep you posted.
 
Ping64
Topic Author

Re: [GNS3-CHR] SNAT not working for networks transiting from VRF to Main Table

Tue Jul 20, 2021 4:34 pm

Just a quick update,

I've just tested this setup in a live environment on an 1100AHx2, and sadly the result is the same.

This seems to be a bug in RouterOS present in multiple versions. Tested with 6.44.1 and 6.48.3.

Cheers.
