cvazquez
just joined
Topic Author
Posts: 4
Joined: Sun Mar 13, 2011 7:29 pm

SrcNat does not work if packet exits router and comes back

Thu Mar 17, 2011 2:15 am

I have a 3-interface MikroTik:

E1: 192.168.1.0/24
E2: 172.16.1.0/24
E3: Connection to my DSL modem using PPPoE

And a one-interface router on E2 with a default route to the E2 interface of the MikroTik.

I have SrcNAT configured to masquerade all traffic that traverses the PPPoE interface.

All works fine and I can browse the Internet. The problem starts when I configure mangle (PBR) to take all port 80 traffic coming in on interface E1 and send it to my second router connected on E2. The second router has a default route to send traffic back to the MikroTik router via E2. So the traffic path is user to E1, E2 to Router-2, Router-2 to E2, PPPoE to Internet.
When this happens the MikroTik router does not invoke the srcnat chain when the packet goes from E2 to PPPoE. It is invoked from E1 to E2, but since SrcNAT is not configured on that outgoing interface it does not NAT, which is expected. However it should NAT after postrouting from E2 to PPPoE.

See the log:
00:02:06 firewall,info prerouting: in:E1 out:(none), src-mac c8:bc:c8:f0:0a:c0, proto TCP (SYN), 192.168.1.252:54769->38.113.1.225:80, len 52
00:02:06 firewall,info dstnat: in:E1 out:(none), src-mac c8:bc:c8:f0:0a:c0, proto TCP (SYN), 192.168.1.252:54769->38.113.1.225:80, len 52
00:02:06 firewall,info forward: in:E1 out:E2, src-mac c8:bc:c8:f0:0a:c0, proto TCP (SYN), 192.168.1.252:54769->38.113.1.225:80, len 52
00:02:06 firewall,info postrouting: in:(none) out:E2, proto TCP (SYN), 192.168.1.252:54769->38.113.1.225:80, len 52
00:02:06 firewall,info srcnat: in:(none) out:E2, proto TCP (SYN), 192.168.1.252:54769->38.113.1.225:80, len 52
00:02:06 firewall,info prerouting: in:E2 out:(none), src-mac 00:50:73:26:e3:c0, proto TCP (SYN), 192.168.1.252:54769->38.113.1.225:80, len 52
00:02:06 firewall,info forward: in:E2 out:pppoe-out1, src-mac 00:50:73:26:e3:c0, proto TCP (SYN), 192.168.1.252:54769->38.113.1.225:80, len 52
00:02:06 firewall,info postrouting: in:(none) out:pppoe-out1, proto TCP (SYN), 192.168.1.252:54769->38.113.1.225:80, len 52
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: SrcNat does not work if packet exits router and comes ba

Thu Mar 17, 2011 2:57 am

Post the output of "/ip address print detail", "/ip route print detail", "/interface print", and "/ip firewall export".

Thinking about it, this may be impossible. NAT is decided on when the first packet of a connection traverses the router. That same decision is repeated for each packet of the connection. Since the first packet traverses the router without NAT being applied, that may get repeated when the same packet (and all subsequent packets) come through a second time. You could test this by changing the packet state (and making it a new connection as far as the first router is concerned) by configuring source NAT on the second router.
 
cvazquez
just joined
Topic Author
Posts: 4
Joined: Sun Mar 13, 2011 7:29 pm

Re: SrcNat does not work if packet exits router and comes ba

Thu Mar 17, 2011 7:14 am

Here are the outputs:

[admin@MikroTik] /ip address> /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; added by setup
address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=LAN-TL actual-interface=LAN-TL

1 address=172.16.1.1/24 network=172.16.1.0 broadcast=172.16.1.255 interface=Router-2 actual-interface=Router-2

2 D address=201.171.87.27/32 network=200.76.252.33 broadcast=0.0.0.0 interface=pppoe-out1 actual-interface=pppoe-out1

[admin@MikroTik] /ip address> /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=172.16.1.2 gateway-status=172.16.1.2 reachable Router-2 distance=1 scope=30 target-scope=10 routing-mark=web

1 ADS dst-address=0.0.0.0/0 gateway=200.76.252.33 gateway-status=200.76.252.33 reachable pppoe-out1 distance=1 scope=30 target-scope=10

2 ADC dst-address=172.16.1.0/24 pref-src=172.16.1.1 gateway=Router-2 gateway-status=Router-2 reachable distance=0 scope=10

3 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=LAN-TL gateway-status=LAN-TL reachable distance=0 scope=10

4 ADC dst-address=200.76.252.33/32 pref-src=201.171.87.27 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=0 scope=10

[admin@MikroTik] /ip address> /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 R LAN-TL ether 1500
1 R Router-2 ether 1500
2 R WAN-TR ether 1500
3 R ether4 ether 1500
4 R pppoe-out1 pppoe-out 1480

[admin@MikroTik] /ip address> /ip firewall export
# mar/17/2011 04:54:36 by RouterOS 4.17
# software id = XADM-0S5Q
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
udp-timeout=10s
/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=80 in-interface=LAN-TL new-routing-mark=web passthrough=no protocol=tcp
add action=log chain=forward comment="" disabled=no log-prefix=""
/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no out-interface=pppoe-out1 to-addresses=201.171.87.27
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] /ip address>

From the looks of the output you requested, the firewall by default tracks connections even in cases where it is not doing NAT (from the internal interface to my Router-2 interface). I can't turn connection tracking off because then it does not build the tracker for when NAT is needed (from the Router-2 interface to PPPoE).

Any recommendations? My goal is to send traffic to a device connected to the interface called Router-2. This device will be modifying headers, Ethernet, IP, TCP and in some cases HTTP, then sending it back to the router for it to go out to the Internet. So imagine a sort of transparent proxy.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: SrcNat does not work if packet exits router and comes ba

Thu Mar 17, 2011 3:25 pm

I'm a little baffled that it doesn't work with new headers, so hopefully someone else will chime in. I have never used a transparent proxy with RouterOS, but am under the impression that it should work.
 
RAket
just joined
Posts: 10
Joined: Sat Sep 08, 2007 7:04 pm

Re: SrcNat does not work if packet exits router and comes ba

Fri Mar 21, 2014 2:58 pm

I can confirm it. We tried to set up another policy-based routing and after that multiple routing tables through VRF, with the same result: the src-nat rule is not applied in the postrouting chain.

Example:
When some traffic arrives on router1 on iface1, is redirected by PBR to iface2 (even though the default gateway for that traffic is on iface4), goes through router2, comes back on iface3 and leaves the router on iface4, then on iface4 src-nat is not applied.

Maybe it is because of connection tracking on router1.

Possible solution is to move the src-nat rule on router2.
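The following is an added toy model (not RouterOS code and not from anyone in this thread) of the mechanism fewi describes and the fix RAket suggests: the NAT decision is taken once, when conntrack first sees a connection, and cached on the entry. A packet that comes back from Router-2 unchanged still matches that entry, so the srcnat chain is never consulted on the second pass; if Router-2 source-NATs it, the returning packet is a new connection and the srcnat rule applies. The addresses are taken from the thread's export; Router-2's NAT address and port are constructed assumptions.

```python
from dataclasses import dataclass, field

# Values from the thread's /ip firewall export; only pppoe-out1 has a srcnat rule.
SRCNAT_OUT_IFACE = "pppoe-out1"
PUBLIC_ADDR = "201.171.87.27"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def flow_key(p: Packet):
    """5-tuple used by connection tracking to look up an existing entry."""
    return (p.proto, p.src, p.sport, p.dst, p.dport)


@dataclass
class Router:
    conntrack: dict = field(default_factory=dict)  # 5-tuple -> cached NAT source or None
    trace: list = field(default_factory=list)

    def forward(self, pkt: Packet, out_iface: str) -> Packet:
        """Forward pkt out of out_iface; consult srcnat only for a NEW connection."""
        k = flow_key(pkt)
        if k not in self.conntrack:
            self.trace.append(f"srcnat chain: out:{out_iface}")
            # NAT rule matches only on pppoe-out1; otherwise a null binding is cached.
            self.conntrack[k] = PUBLIC_ADDR if out_iface == SRCNAT_OUT_IFACE else None
        else:
            self.trace.append(f"conntrack hit: out:{out_iface}, srcnat chain skipped")
        nat_src = self.conntrack[k]
        return pkt if nat_src is None else Packet(nat_src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)


def loop_without_router2_nat():
    """Router-2 returns the packet unchanged: same 5-tuple, cached null binding wins."""
    r = Router()
    p = Packet("192.168.1.252", 54769, "38.113.1.225", 80)
    p = r.forward(p, "E2")               # PBR sends it to Router-2 (srcnat consulted, no match)
    p = r.forward(p, SRCNAT_OUT_IFACE)   # comes back, goes out pppoe-out1 (srcnat skipped)
    return p.src, r.trace


def loop_with_router2_nat():
    """Router-2 source-NATs to its own address (constructed): new flow, srcnat rule applies."""
    r = Router()
    p = Packet("192.168.1.252", 54769, "38.113.1.225", 80)
    p = r.forward(p, "E2")
    p = Packet("172.16.1.2", 40000, p.dst, p.dport)   # assumed Router-2 NAT address/port
    p = r.forward(p, SRCNAT_OUT_IFACE)
    return p.src, r.trace
```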