dustcat
just joined
Topic Author
Posts: 2
Joined: Thu Apr 27, 2023 6:33 pm

Masquerade changed in RouterOS 7?

Thu Apr 27, 2023 6:57 pm

Hi Everyone!

I have several routers which are running RouterOS 6.x and some running RouterOS 7.8.

I use masquerade on all of them. I also use dst-nat to allow access to servers in the local network.
One example configuration on RouterOS 6.x would be:
ETH1 is the WAN interface and it is the only interface in the "WAN" interface list.
I also have an address list which resolves our domain name to the public IP of the router, this is called WAN_IP.
The NAT rules are:
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
chain=dstnat action=dst-nat to-addresses=x.x.x.x to-ports=5000 protocol=tcp dst-address-list=WAN_IP dst-port=5000 log=no log-prefix=""

This works fine. Outside requests to WAN_IP port 5000 get forwarded to address x.x.x.x port 5000 in the local network.

But for some reason this doesn't work in RouterOS 7.8.
I checked the logs, there is only a SYN sent to the x.x.x.x server, no ACK is coming back.
I've managed to solve it by removing the out-interface-list=WAN option from the masquerade rule so it is:
chain=srcnat action=masquerade ipsec-policy=out,none

Can someone please explain to me why masquerading doesn't work in RouterOS 7.8 if I specify the out-interface-list?
I've also tried with the out-interface option but the problem is the same. It only works when no outbound interface is specified.

I've been searching for the answer for weeks on the forums but all in vain.

Please point out if I'm missing some really basic concept or doing something completely wrong.
I tend to use the default firewall configuration of the router whenever possible, only adding rules on top of them.

Thank you everyone!
 
dustcat
just joined
Topic Author
Posts: 2
Joined: Thu Apr 27, 2023 6:33 pm

Re: Masquerade changed in RouterOS 7?  [SOLVED]

Tue Jun 06, 2023 1:18 pm

In case someone has the same issue, I updated to ROS v7.9 and that fixed it for me.
