OwenITGuy
just joined
Topic Author
Posts: 23
Joined: Wed May 09, 2012 6:04 am
Location: Iowa, USA & Bunia, DRCongo

Traffic from VLAN not Masqueraded Out WAN Interface

Fri Jan 03, 2014 2:58 pm

My organization is serving in a part of the world where Internet access is limited. We have a VSAT system for Internet access at one of our staff houses. We operate a small WISP for other organizations in the area as well, and connect our office, other staff homes, and WISP clients to the network via the same wireless network.

I decided that I would like to set up a VLAN between our office and staff house (where our server is also located), so that we could have layer 2 connectivity between the locations. After extensive reading of the wiki and other sites about how to set up VLANs on MikroTik, I arrived at the setup in the diagram. For simplicity, some of the network information is not shown here (additional subnets for other services, our WISP antennas, and filter rules limiting access to the company network by clients, for example).
vlanProblem.png
The setup seems to work, in that a staff computer in our office will receive a 10.20.0.0/24 address from the house router via DHCP with 10.20.0.1 as the default gateway. I can connect to anything in the servers, devices in the WISP subnet, and our other subnets. However, traffic destined for the Internet fails. I ran torch on ether1 on the house router, and found that the source address from the staff computer was not being masqueraded. I cannot figure out why the traffic that comes from the VLAN is not being masqueraded. Everything else from all subnets masquerades properly. I am using this for my rule:
> ip firewall nat print chain=srcnat 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Masquerade WAN traffic
     chain=srcnat action=masquerade out-interface=ether1-VSAT
Thanks for your assistance!
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Traffic from VLAN not Masqueraded Out WAN Interface

Fri Jan 03, 2014 7:58 pm

Post your exports from the two mikrotik boxes. I'll take a look at the configs. It should work, but one question. With the current setup it seems that you have to double nat packets. Why not just pass the VLAN packets from one router to the other and let all of the NAT be done in one place?
 
OwenITGuy
just joined
Topic Author
Posts: 23
Joined: Wed May 09, 2012 6:04 am
Location: Iowa, USA & Bunia, DRCongo

Re: Traffic from VLAN not Masqueraded Out WAN Interface

Sat Jan 04, 2014 3:47 pm

Hi efaden. Thanks for your response. Let me consider your request for the configs. Our main router has quite a large config, and contains some information I'd rather not post for the whole world. Maybe I can export relevant sections though. I'll have to save that for Monday when I return to the office.

Yes, the double NAT is intentional, and I will explain why. We have several clients from many different organizations which use our system. Each client has one antenna (Ubiquiti) on the 10.10.0.0/24 network. Each of those antennas runs in NAT router mode, and distributes DHCP addresses to each of the clients on the private side of the antenna. This way our main (house) router sees only 1 IP address (10.10.0.x) per client antenna. This way we don't have to assign addresses for every single client machine, and it's easier to control or limit traffic on the main router. Plus it protects each client's LAN from one another. The second NAT happens necessarily when we hit the WAN connection.

Our office has been set up in the same way that the other clients had been (one device in NAT router mode on the 10.10.0.x network). When I tried adding the VLAN the other day for "company" traffic, I decided to leave a guest network on the office router, and keep with the same model (1 NATed IP address). However, applying the NAT rule on ether1 only masquerades traffic truly from ether1. Traffic from vlan100-ether1 is not being masqueraded. The traffic shows up in the main router as originating from the 10.20.0.0/24 address assigned to it. It is visible this way in both the connection table and when running torch on ether1.
 
OwenITGuy
just joined
Topic Author
Posts: 23
Joined: Wed May 09, 2012 6:04 am
Location: Iowa, USA & Bunia, DRCongo

Re: Traffic from VLAN not Masqueraded Out WAN Interface

Tue Jan 14, 2014 1:22 pm

Sorry, I've had a busy week that took me out of town for a while.

Here is the relevant configuration information from the routers. I've omitted some information that is not pertinent to this particular issue for the sake of clarity.

House (main) router
------------------------
/ip address print

#   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; WISP Antennas
     10.10.0.1/24       10.10.0.0       bridgeWISP                           
                   
 2   ;;; Company Network
     10.20.0.1/24       10.20.0.0       bridgeCompany                              
                    
 4   ;;; VSAT
     10.2.8.18/29       10.2.8.16       ether1-VSAT                              
 
ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                                 10.2.8.17                10
 1 ADC  10.2.8.16/29       10.2.8.18       ether1-VSAT               0
 2 ADC  10.10.0.0/24       10.10.0.1       bridgeWISP            0

 5 ADC  10.20.0.0/24       10.20.0.1       bridgeCompany               0
interface print 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                                  TYPE               MTU L2MTU  MAX-L2MTU
 2  R  ;;; AP 11 Southeast
       ether7-Southeast                                      ether             1500  1600       4080
 3     ether8                                                ether             1500  1600       4080
 4  R  ;;; AP 10 North
       ether6-North                                          ether             1500  1600       4080
 5  R  ;;; Servers
       ether5-Servers                                        ether             1500  1598       4078
 9  R  ;;; VSAT (WAN)
       ether1-VSAT                                           ether             1500  1598       4078
10  R  ;;; WISP
       bridgeWISP                                       bridge            1500  1598
11  R  ;;; Company bridge
       bridgeCompany                                           bridge            1500  1594
12  R  ;;; Company VLAN
       vlan100-bridgeWISP                                vlan              1500  1594
interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                         BRIDGE                        PRIORITY  PATH-COST    HORIZON
 1    ether7-Southeast                  bridgeWISP                   0x80         10       none
 2    ether6-North                      bridgeWISP                   0x80         10       none
 3    ether5-Servers                    bridgeCompany                        0x80         10       none
 4    vlan100-bridgeWISP           bridgeCompany                       0x80         10       none
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Masquerade WAN traffic
     chain=srcnat action=masquerade out-interface=ether1-VSAT 
Office router
======================
 ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; Guest Network
     10.0.0.1/24        10.0.0.0        wlan2                              
 1   ;;; WISP
     10.10.0.80/24      10.10.0.0       ether1-Ant
interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE         MTU L2MTU  MAX-L2MTU
 0  R  ether1-Ant                          ether       1500  1600       4076
 
 5  RS wlan1                               wlan        1500  2290
 6   S wlan2                               wlan        1500  2290
 
 8  R  bridgeCompany                     bridge      1500  1596
 9  RS ether1-Ant-VLAN100                  vlan        1500  1596
interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE               BRIDGE               PRIORITY  PATH-COST    HORIZON
 0    ether5                  bridgeCompany              0x80         10       none
 1    ether2                  bridgeCompany              0x80         10       none
 2 I  ether3                  bridgeCompany              0x80         10       none
 3 I  ether4                  bridgeCompany              0x80         10       none
 4    wlan1                   bridgeCompany              0x80         10       none
 5    ether1-Ant-VLAN100      bridgeCompany       0x80         10       none
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=ether1-Ant 
All traffic out the WAN interface (ether1-VSAT) on the house router masquerades properly, except that from clients in the 10.20.0.0/24 network connected over the VLAN from the office.

I even tried adding this dstnat rule on the house router specifically for the IP address of the test computer at the office, but it caught no traffic. Running torch on ether1 still showed traffic from the src address of 10.20.0.99.
 0   chain=srcnat action=masquerade src-address=10.20.0.99 
     out-interface=ether1-VSAT 
Likewise, I tried this rule specifically for one source and destination IP, and still it caught nothing when I tried pinging 8.8.8.8:
 0   chain=srcnat action=masquerade src-address=10.20.0.99 dst-address=8.8.8.8 
Any other suggestions why VLAN traffic might not be masquerading? We are going to try a different router this afternoon or tomorrow, and the latest RouterOS.
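The following is an added example, not the thread author's export: it rebuilds the two-router topology from the print output above as RouterOS CLI commands, narrows the masquerade rules to the source networks that are meant to leave each WAN-side interface, and ends with the commands a practitioner would use to establish whether a given flow from the VLAN was actually translated. Interface names, addresses and the 10.20.0.99 test host are taken from the post; the rule comments, the per-network src-address restriction, the office rule covering only the guest network, and the assumption of a RouterOS 6 connection table (which shows reply-dst-address) are this example's own choices. It reproduces the intended configuration and the checks; it does not claim to explain why the author's unrestricted rule did not match.

```routeros
# Added example, not the thread author's configuration. Names and addresses
# follow the post; restricting masquerade by src-address is this example's choice.

# --- House (main) router ----------------------------------------------------
# Carry the company VLAN as a tagged VLAN on top of the WISP bridge and place
# that VLAN interface in the company bridge, giving the office layer-2
# adjacency with the servers on ether5-Servers.
/interface bridge
add name=bridgeWISP comment="WISP"
add name=bridgeCompany comment="Company bridge"
/interface vlan
add name=vlan100-bridgeWISP interface=bridgeWISP vlan-id=100 comment="Company VLAN"
/interface bridge port
add bridge=bridgeWISP interface=ether7-Southeast
add bridge=bridgeWISP interface=ether6-North
add bridge=bridgeCompany interface=ether5-Servers
add bridge=bridgeCompany interface=vlan100-bridgeWISP
/ip address
add address=10.10.0.1/24 interface=bridgeWISP comment="WISP Antennas"
add address=10.20.0.1/24 interface=bridgeCompany comment="Company Network"
add address=10.2.8.18/29 interface=ether1-VSAT comment="VSAT"
/ip route
add dst-address=0.0.0.0/0 gateway=10.2.8.17 distance=10

# One masquerade rule per source network instead of a single out-interface-only
# rule. The match set is the same for these networks, but each rule now has its
# own counters, so a network whose traffic is never translated shows up as a
# rule whose packet counter stays at zero.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-VSAT src-address=10.10.0.0/24 comment="Masquerade WISP antennas"
add chain=srcnat action=masquerade out-interface=ether1-VSAT src-address=10.20.0.0/24 comment="Masquerade company VLAN"

# --- Office router ----------------------------------------------------------
# The company VLAN is bridged straight through; only the guest network behind
# wlan2 is routed and masqueraded towards the antenna.
/interface vlan
add name=ether1-Ant-VLAN100 interface=ether1-Ant vlan-id=100
/interface bridge
add name=bridgeCompany
/interface bridge port
add bridge=bridgeCompany interface=ether2
add bridge=bridgeCompany interface=ether5
add bridge=bridgeCompany interface=wlan1
add bridge=bridgeCompany interface=ether1-Ant-VLAN100
/ip address
add address=10.10.0.80/24 interface=ether1-Ant comment="WISP"
add address=10.0.0.1/24 interface=wlan2 comment="Guest Network"
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-Ant src-address=10.0.0.0/24 comment="Masquerade guest network only"

# --- Checks on the house router --------------------------------------------
# 1. Do the rules match at all? Clear the counters, generate traffic from the
#    test host (10.20.0.99 in the post), then read the per-rule statistics.
/ip firewall nat reset-counters-all
/ip firewall nat print stats

# 2. Was an existing flow translated? On RouterOS 6 (assumed here) a
#    masqueraded connection lists reply-dst-address as the ether1-VSAT address
#    10.2.8.18, not the original 10.20.0.x source. The "~" operator is a regex.
/ip firewall connection print detail where src-address~"10.20.0."

# 3. What is really on the wire? Packets here show post-NAT source addresses.
/tool sniffer quick interface=ether1-VSAT

# 4. Record the running version, since the last reply reports the behaviour
#    changing between RouterOS releases.
/system resource print
```

The connection-table check is the decisive one: torch on the WAN interface and the connection table both showing a 10.20.0.x source, as the author reports, means the packets left the router untranslated rather than being translated and mis-reported.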
 
danielm
Frequent Visitor
Posts: 66
Joined: Thu Mar 14, 2013 4:09 pm

Re: Traffic from VLAN not Masqueraded Out WAN Interface

Fri Feb 14, 2014 4:36 pm

I had this same issue - no natting over VLAN. Eventually I upgraded from OS 5.24 to OS 6.9 and it immediately started to work (I didn't even change 1 setting).
