troy
Member
Topic Author
Posts: 307
Joined: Thu Jun 30, 2005 6:47 pm

masq with a /32 address?

Fri Dec 30, 2011 8:14 pm

All,

In order to conserve IP addresses (we have very few), I'd like to find a way to get masq working on a /32 address.

With initial testing, if I put a /32 address on a loopback (bridge), all incoming stuff, including dst-nat works great, but I've been unable to get masq to work. I can't seem to find the right firewall rules to get this to work.

lo0: 12.34.56.78/32
ether9: 172.17.82.1/24 (dhcp server for lan)
ether8: 172.17.85.165/29
gateway: 172.17.85.161
 
yancho
Member Candidate
Posts: 205
Joined: Tue Jun 01, 2004 3:04 pm
Location: LV

Re: masq with a /32 address?

Mon Jan 02, 2012 10:05 am

Use src/dst nat instead.
 
Egate
Long time Member
Posts: 547
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: masq with a /32 address?

Mon Jan 02, 2012 11:04 am

In nat rule set out interface as lo0 and masquerade as action. Should do the trick.
Happy days. :-)
 
dasiu
Trainer
Posts: 232
Joined: Fri Jan 30, 2009 11:41 am
Location: Reading, UK

Re: masq with a /32 address?

Mon Jan 02, 2012 11:12 am

I think you are looking for the pref-src parameter in /ip route :). This parameter tells RouterOS what source IP it should use in packets generated by the router (and - also - masqueraded) when sending a packet to a specified destination :). Modify your /ip route and add pref-src=12.34.56.78 on the route you would like it to use (probably the default route), example:
/ip route add dst-address=0.0.0.0/0 gateway=172.17.85.161 pref-src=12.34.56.78 :)
 
dasiu
Trainer
Posts: 232
Joined: Fri Jan 30, 2009 11:41 am
Location: Reading, UK

Re: masq with a /32 address?

Mon Jan 02, 2012 11:14 am

> In nat rule set out interface as lo0 and masquerade as action. Should do the trick.

No, no, no, "out-interface" is a "trigger", a selector, not an action :). Then the NAT rule would work ONLY for packets routed through the lo0 interface. As packets routed outside (through the gateway) have out-interface=ether8, the rule will not work :). The out-interface can be "set" only in /ip route :).
troy - see my previous post and try the pref-src (just be careful when connecting from outside - not to cut yourself off, for example - use Safe Mode)
 
troy
Member
Topic Author
Posts: 307
Joined: Thu Jun 30, 2005 6:47 pm

Re: masq with a /32 address?

Mon Jan 30, 2012 10:27 pm

Well, here's what I did, and it works!

First, /32 routing... I found this post, which explains how to do it. The beauty of this is that I can utilize a /28 (or whatever sized network) in multiple locations, as the longest matching prefix is always preferred.

So, on my gateway:
/ip address
add address=12.34.56.209/28 disabled=no interface=lo0 network=12.34.56.208
add address=12.34.56.209/32 disabled=no interface=backbone network=12.34.56.219
On the remote system, I have a LOT of stuff going on. In addition to being an OSPF router, I'm also doing some VLAN bridging, and now NAT for an attached public access network.
/ip address
add address=172.17.85.233/26 comment="primary routing interface" disabled=no interface=backbone network=172.17.85.192
add address=12.34.56.219/28 comment="public access WAN" disabled=no interface=backbone network=12.34.56.208
add address=172.17.82.1/24 comment="public access LAN" disabled=no interface=ether8 network=172.17.82.0
Now, here's where things get tricky (for me at least). First, I mangled some stuff (based on a few posts I found):
/ip firewall mangle
add action=accept chain=prerouting disabled=no dst-address=172.17.0.0/16 in-interface=ether8
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    dst-address=!172.17.0.0/16 in-interface=ether8 new-connection-mark=need_nat \
    passthrough=yes src-address=172.17.82.0/24
add action=mark-routing chain=prerouting connection-mark=need_nat disabled=no \
    in-interface=ether8 new-routing-mark=to_nat passthrough=yes src-address=172.17.82.0/24
I'm rather confused on this though... the first mangle rule accepts traffic to local destinations, this is acceptable. The second rule does a connection mark and the third rule does a routing mark. I'm not sure why I need both of these, but when I try each on their own, I get no love.

Anyways, now that we're mangled, we need NAT and a route:
/ip firewall nat
add action=masquerade chain=srcnat connection-mark=need_nat disabled=no

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=12.34.56.209 routing-mark=to_nat scope=30 target-scope=10
Note that this is my only static route. The regular default and other routes are learned via OSPF.

This is not how I originally wanted to achieve this, but it works and does not interfere with my use of other addresses within the given /28 subnet. In fact, now that I have this working as a model, I'll be able to reclaim 6 additional addresses by not using a pair of /30 subnets elsewhere. Pretty cool.

Maybe someday, I'll sit down and learn ipchains and why there are so many different chains and types of marks.
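A toy model of the source-address choice the thread argues about (Egate's out-interface=lo0 selector, dasiu's pref-src, and troy's routing-marked policy route). This is added example code, not RouterOS and not anything the posters wrote; the rule that masquerade takes pref-src when set and otherwise the out-interface address facing the gateway is an assumed simplification, and the OSPF default gateway and test destination are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed router state mirroring troy's first layout (the /32 sits on lo0).
ADDRS = {"lo0": ["12.34.56.78/32"], "ether9": ["172.17.82.1/24"],
         "ether8": ["172.17.85.165/29"]}
DEFAULT = [{"dst": "0.0.0.0/0", "gateway": "172.17.85.161"}]
WITH_PREF = [dict(DEFAULT[0], pref_src="12.34.56.78")]
# troy's final layout on the remote router; the OSPF default gateway is made up.
TROY_ADDRS = {"backbone": ["172.17.85.233/26", "12.34.56.219/28"],
              "ether8": ["172.17.82.1/24"]}
TROY_ROUTES = [{"dst": "0.0.0.0/0", "gateway": "172.17.85.193"},
               {"dst": "0.0.0.0/0", "gateway": "12.34.56.209", "mark": "to_nat"}]

def lookup(routes, dst, mark="main"):
    """Longest-prefix match in the table named by the routing mark, then main."""
    for table in (mark, "main"):
        hits = [r for r in routes if r.get("mark", "main") == table
                and ip_address(dst) in ip_network(r["dst"])]
        if hits:
            return max(hits, key=lambda r: ip_network(r["dst"]).prefixlen)
    raise LookupError(f"no route to {dst}")

def egress(addrs, gateway):
    """Out-interface and the address on it whose subnet contains the gateway."""
    for iface, nets in addrs.items():
        for net in nets:
            if ip_address(gateway) in ip_network(net, strict=False):
                return iface, net.split("/")[0]
    raise LookupError(f"gateway {gateway} is not on a connected subnet")

def masquerade_source(addrs, routes, dst, mark="main", nat_out_iface=None):
    """Source address a chain=srcnat action=masquerade rule ends up with.
    Returns None when the rule's out-interface selector does not match the
    interface the route actually leaves on (the lo0 suggestion)."""
    route = lookup(routes, dst, mark)
    iface, iface_addr = egress(addrs, route["gateway"])
    if nat_out_iface and nat_out_iface != iface:
        return None
    # Assumed rule: pref-src wins, else the out-interface address facing the gateway.
    return route.get("pref_src") or iface_addr

if __name__ == "__main__":
    dst = "203.0.113.5"                       # documentation-range test destination
    print(masquerade_source(ADDRS, DEFAULT, dst, nat_out_iface="lo0"))     # None
    print(masquerade_source(ADDRS, DEFAULT, dst))                          # 172.17.85.165
    print(masquerade_source(ADDRS, WITH_PREF, dst))                        # 12.34.56.78
    print(masquerade_source(TROY_ADDRS, TROY_ROUTES, dst, mark="to_nat"))  # 12.34.56.219
```

The third and fourth calls are the two working answers: pref-src on the default route, or a marked route whose gateway sits in the public /28 so the backbone's public address is picked.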
