I've encountered an unexpected behavior in my tests in a GNS3 Simulation, in the following use case.
I have a network/interface (VL100) placed in a VRF where traffic transits through another CHR device (via default route) and then traffic comes back into the Main table and finally exits via the Internet interface. For some reason the firewall NAT rule to masquerade/SNAT that network does not work; it is not being evaluated. Apparently DNAT works as expected. In my scenario the goal was to have users in a particular network that are part of a VRF transit a firewall device, for inspection/advanced malware protection, and come back into the MikroTik router in the Main table. Everything seems to be working as expected besides NAT, specifically in the SNAT chain.
From my point of view this should work but apparently I'm missing something.
This is the configuration that I used, and a diagram:
MKT-1 Router
# jun/30/2021 18:21:10 by RouterOS 6.48.3
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-Internet
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no name=ether3-FW-IN
set [ find default-name=ether4 ] disable-running-check=no name=ether4-FW-Out
set [ find default-name=ether5 ] disable-running-check=no name=ether5-SW
/interface vlan
add interface=ether5-SW name=VL100-Office vlan-id=100
/ip pool
add name=pool-vl100 ranges=192.168.100.50-192.168.100.250
/ip dhcp-server
add address-pool=pool-vl100 disabled=no interface=VL100-Office lease-time=2d10m name=dhcp-vl100
/ip address
add address=192.168.163.99/24 interface=ether5-SW network=192.168.163.0
add address=192.168.100.1/24 interface=VL100-Office network=192.168.100.0
add address=10.0.1.1/30 interface=ether3-FW-IN network=10.0.1.0
add address=10.0.2.1/30 interface=ether4-FW-Out network=10.0.2.0
add address=192.168.122.245/24 interface=ether1-Internet network=192.168.122.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-Internet
/ip route
add distance=1 gateway=10.0.1.2 routing-mark=VRF100
add distance=1 gateway=192.168.122.1
add distance=1 dst-address=192.168.100.0/24 gateway=10.0.2.2
/ip route vrf
add interfaces=ether3-FW-IN,VL100-Office routing-mark=VRF100
/system identity
set name=MKT-1
MKT-2 Router
# jun/30/2021 18:24:26 by RouterOS 6.47
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no name=ether3-MKT-IN
set [ find default-name=ether4 ] disable-running-check=no name=ether4-MKT-OUT
set [ find default-name=ether5 ] disable-running-check=no name=ether5-Mngmt
/ip address
add address=192.168.163.98/24 interface=ether5-Mngmt network=192.168.163.0
add address=10.0.1.2/30 interface=ether3-MKT-IN network=10.0.1.0
add address=10.0.2.2/30 interface=ether4-MKT-OUT network=10.0.2.0
/ip route
add distance=1 gateway=10.0.2.1
add distance=1 dst-address=192.168.100.0/24 gateway=10.0.1.1
/system identity
set name=MKT-2
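As an added illustration that is not part of the post above: a small Python model of the netfilter connection-tracking rule that RouterOS inherits, namely that the nat table is consulted only once per tracked connection, on its first postrouting pass. With the post's addresses and interface names, a VRF100 packet first leaves via ether3-FW-IN, where the masquerade rule (out-interface=ether1-Internet) does not match, and that "no NAT" decision is reused when the same 5-tuple re-enters on ether4-FW-Out and exits via ether1-Internet; this is one mechanism consistent with the behaviour described, shown next to a main-table host where the rule does match. The routing lookup, the source host and the port are simplified, constructed assumptions.

```python
# Added illustration (not from the post): a minimal model of netfilter
# connection tracking as used by RouterOS. The nat table is consulted only
# while a connection has no NAT binding yet; once a binding (even "no NAT")
# is recorded, later packets of the same 5-tuple reuse it regardless of the
# interface they leave through. Addresses/interface names are the post's;
# the source host, port and routing lookup are constructed simplifications.

MASQ_OUT_IFACE = "ether1-Internet"   # from: add action=masquerade chain=srcnat out-interface=ether1-Internet
PUBLIC_IP = "192.168.122.245"        # ether1-Internet address on MKT-1


def route(in_iface):
    """Simplified lookup mirroring MKT-1's /ip route and VRF membership."""
    if in_iface in ("VL100-Office", "ether3-FW-IN"):   # members of VRF100
        return "ether3-FW-IN"                          # VRF100 default via 10.0.1.2
    return "ether1-Internet"                           # main-table default via 192.168.122.1


def postrouting(conntrack, tuple_, out_iface):
    """srcnat evaluation: rules are consulted only for a connection without a binding."""
    if tuple_ in conntrack:              # binding already decided -> nat table skipped
        return conntrack[tuple_]
    nat = PUBLIC_IP if out_iface == MASQ_OUT_IFACE else None
    conntrack[tuple_] = nat              # record the decision, including "no NAT"
    return nat


def forward(src, dst, path):
    """Push one packet through MKT-1, entering on each interface in `path` in turn.
    Returns (final egress interface, source address seen on that egress)."""
    conntrack = {}
    tuple_ = (src, 40000, dst, 53, "udp")    # constructed 5-tuple (DNS query)
    out_iface, new_src = None, src
    for in_iface in path:
        out_iface = route(in_iface)
        new_src = postrouting(conntrack, tuple_, out_iface) or src
    return out_iface, new_src


def vrf_host():
    # Enters on VL100-Office, transits MKT-2, re-enters MKT-1 on ether4-FW-Out.
    return forward("192.168.100.50", "8.8.8.8", ["VL100-Office", "ether4-FW-Out"])


def main_table_host():
    # Same destination, but the packet arrives directly in the main table.
    return forward("192.168.163.10", "8.8.8.8", ["ether5-SW"])


if __name__ == "__main__":
    print("VRF host :", vrf_host())          # ('ether1-Internet', '192.168.100.50')
    print("main host:", main_table_host())   # ('ether1-Internet', '192.168.122.245')
```

The VRF host leaves ether1-Internet with its private source address untouched, while the main-table host is masqueraded; the difference is purely which egress interface the connection's first postrouting pass saw.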