darxis
just joined
Topic Author
Posts: 3
Joined: Sun Mar 20, 2022 1:58 pm

NAT masquerade out-bridge-port-list parameter ignored

Thu Apr 07, 2022 4:27 pm

Hello,

I have been struggling with a problem for 3 days where my NAT masquerade rule is not working and something very strange is happening with its out-bridge-port-list parameter.
The simplified topology is at the bottom.

192.168.0.2 is connected to 192.168.0.1 on ether1 (ISP)

I have my WAN ISP router that I can't replace, and I also can't edit its routing. It can only route packets to 192.168.0.0/24 (and to the Internet, of course).
That's why I have added a NAT masquerade rule on 192.168.0.2, so that the devices in 192.168.1.0/24 can access the Internet.

My masquerade rule on 192.168.0.2 is:
add action=masquerade chain=srcnat comment="Masquerade all traffic to ISP router because it does not allow to set routing" out-bridge-port-list="ISP Router" src-address-list="!LAN Network"

Additional config of 192.168.0.2:
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX arp=proxy-arp auto-mac=no comment=defconf dhcp-snooping=yes igmp-snooping=yes name=bridge

/interface list
add comment=defconf name=LAN
add name="ISP Router"
add exclude="ISP Router" include=LAN name="LAN without ISP Router"

/interface bridge port
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list="ISP Router"

/ip firewall address-list
add address=192.168.0.0/24 list="LAN Network"

The problem is that the following rule does not work when trying to access the Internet (ping 8.8.8.8) from 192.168.1.100:
add action=masquerade chain=srcnat out-bridge-port-list="ISP Router" src-address-list="!LAN Network"

But if I change
out-bridge-port-list="ISP Router"
to
out-bridge-port-list="!LAN without ISP Router"
it works:
add action=masquerade chain=srcnat out-bridge-port-list="!LAN without ISP Router" src-address-list="!LAN Network"

Well, logically "ISP Router" should be the same as "!LAN without ISP Router", but for MikroTik it isn't...

So could someone please tell me why out-bridge-port-list="!LAN without ISP Router" works but out-bridge-port-list="ISP Router" does not? I want to use out-bridge-port-list="ISP Router" as out-bridge-port-list="!LAN without ISP Router" isn't straightforward.

EDIT: Something that also works is the following as the ISP Router is only used to access the Internet:
add action=masquerade chain=srcnat dst-address-list="!Not in Internet" src-address-list="!LAN Network"
Attachment: Mikrotik.png (the simplified topology diagram; image not available on this page)
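As an added example (this is not the poster's configuration and not MikroTik code), the following Python model evaluates the two srcnat rules from the post against the interface lists and address list shown in the post. It rests on two assumptions the page does not state: first, that a matcher written with a leading "!" is a negation that matches whenever the packet's property is not a member of the list, including when that property is unset; second, that for traffic the router itself routes onto the bridge (the 192.168.1.100 to 8.8.8.8 case), the egress bridge port is not yet known when the srcnat chain runs, so out-bridge-port is modelled as None. The packets, the "wg0" interface and the function names are constructed for the example.

```python
"""Model of the RouterOS list matchers used in the post's srcnat rules.

Added example, not MikroTik's code or the poster's. Assumptions that the
page does not state:
  * a matcher with a leading "!" is a negation and matches whenever the
    packet's property is NOT a member of the list, including when the
    property is unset;
  * for traffic the router itself routes onto the bridge, the egress
    bridge port is not yet known when srcnat runs, so out-bridge-port
    is modelled as None.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Lists copied from the post's /interface list, /interface list member
# and /ip firewall address-list output.
INTERFACE_LISTS: Dict[str, dict] = {
    "LAN": {"include": [], "exclude": [], "members": ["bridge"]},
    "ISP Router": {"include": [], "exclude": [], "members": ["ether1"]},
    "LAN without ISP Router": {"include": ["LAN"], "exclude": ["ISP Router"], "members": []},
}
ADDRESS_LISTS: Dict[str, list] = {"LAN Network": ["192.168.0.0/24"]}


def resolve_interface_list(name: str) -> Set[str]:
    """Expand include=/exclude= references into the final set of interfaces."""
    spec = INTERFACE_LISTS[name]
    result = set(spec["members"])
    for inc in spec["include"]:
        result |= resolve_interface_list(inc)
    for exc in spec["exclude"]:
        result -= resolve_interface_list(exc)
    return result


def in_interface_list(iface: str, name: str) -> bool:
    return iface in resolve_interface_list(name)


def in_address_list(addr: str, name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ADDRESS_LISTS[name])


def list_matcher(value: Optional[str], spec: str,
                 member: Callable[[str, str], bool]) -> bool:
    """Evaluate one "<list>" or "!<list>" matcher against a packet property.

    An unset property (None) is never a member, so a negated matcher
    accepts it (assumption, see module docstring).
    """
    negated = spec.startswith("!")
    name = spec[1:] if negated else spec
    hit = value is not None and member(value, name)
    return (not hit) if negated else hit


@dataclass
class Packet:
    src: str
    out_interface: str
    out_bridge_port: Optional[str] = None  # None: unknown or not a bridge


def rule_matches(rule: Dict[str, str], pkt: Packet) -> bool:
    """AND together the matchers present in the rule, as the firewall does."""
    checks = {
        "src-address-list": (pkt.src, in_address_list),
        "out-bridge-port-list": (pkt.out_bridge_port, in_interface_list),
        "out-interface-list": (pkt.out_interface, in_interface_list),
    }
    for key, spec in rule.items():
        if key in checks:
            value, member = checks[key]
            if not list_matcher(value, spec, member):
                return False
    return True


# The two rules from the post (matchers only; action=masquerade implied).
RULE_ISP = {"src-address-list": "!LAN Network", "out-bridge-port-list": "ISP Router"}
RULE_NEG = {"src-address-list": "!LAN Network", "out-bridge-port-list": "!LAN without ISP Router"}

# Constructed packets: a LAN host's ping to the Internet routed out via
# "bridge" (egress port not yet known), the same flow seen while bridging
# (port known), and a host that is already in 192.168.0.0/24.
ROUTED = Packet(src="192.168.1.100", out_interface="bridge")
BRIDGED = Packet(src="192.168.1.100", out_interface="bridge", out_bridge_port="ether1")
LOCAL = Packet(src="192.168.0.50", out_interface="bridge")

if __name__ == "__main__":
    print("LAN without ISP Router =", resolve_interface_list("LAN without ISP Router"))
    for label, pkt in (("routed", ROUTED), ("bridged", BRIDGED), ("local", LOCAL)):
        print(f"{label:8} ISP Router: {rule_matches(RULE_ISP, pkt)}  "
              f"!LAN without ISP Router: {rule_matches(RULE_NEG, pkt)}")
```

Two things fall out of running it. Under these assumptions the routed packet never matches out-bridge-port-list="ISP Router" because the port is unset, while the negated matcher accepts it. Separately, the post's own list definitions make "LAN without ISP Router" resolve to just {"bridge"} (the LAN list contains only the bridge, and excluding ether1 removes nothing), and a bridge port can never be the bridge itself, so "!LAN without ISP Router" is true for every packet: that rule is equivalent to masquerading all non-LAN-Network sources on any outgoing interface, which is broader than the intent of only masquerading towards the ISP router.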
