robertl
just joined
Topic Author
Posts: 2
Joined: Tue Jun 17, 2014 3:08 pm

Example / Tips for Multiple Public IPs and Multiple SRC-NAT

Tue Jun 17, 2014 4:13 pm

I have an IPv4 /29 subnet of static IPs from my ISP. What I am looking for is an example basic configuration or some guidance on how to best utilize these with RouterOS. My goal would be something like the following (simplified):

ETH1 [WAN - X.X.X.[1-5] - Connects to ISP provided equipment]
ETH2 [SRC-NAT X.X.X.1 to 10.10.1.X/24]
ETH3 [SRC-NAT X.X.X.2 to 10.10.2.X/24]
ETH4 [SRC-NAT X.X.X.3 to 10.10.3.X/24]
ETH5 [SRC-NAT X.X.X.4 to 10.10.4.X/24]
ETH6 [SRC-NAT X.X.X.5 to 10.10.5.X/24]

I need to ensure outbound traffic for each internal NAT subnet appears to originate from the correct public IP.

I have no problem configuring the router with a single public IP to a single SRC-NAT-ed subnet (using masquerade). Things start behaving erratically when I try to add additional public IPs and multiple SRC-NAT rules. I know the issue is likely due to my current level of experience with RouterOS.

Any guidance would be greatly appreciated.
 
semakka
Member Candidate
Posts: 196
Joined: Mon Sep 11, 2006 10:59 am
Location: Moraira, Alicante, Spain

Re: Example / Tips for Multiple Public IPs and Multiple SRC-

Tue Jun 17, 2014 6:15 pm

/ip firewall nat
add action=src-nat chain=srcnat in-interface=ETH2 out-interface=<WAN> src-address=10.10.1.0/24 to-addresses=1.1.1.1
add action=src-nat chain=srcnat in-interface=ETH3 out-interface=<WAN> src-address=10.10.2.0/24 to-addresses=1.1.1.2
........
........
The above works fine but I would use address lists in case you have to add subnets after...

cheers
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Example / Tips for Multiple Public IPs and Multiple SRC-

Tue Jun 17, 2014 6:20 pm

In case you don't want your subnets to communicate with each other, this should work:

/ip firewall nat
# one src-nat rule per LAN subnet; only traffic leaving via ETH1 and not destined for the subnet's own range is translated
add chain=srcnat action=src-nat src-address=10.10.1.0/24 out-interface=ETH1 dst-address=!10.10.1.0/24 to-addresses=x.x.x.1
add chain=srcnat action=src-nat src-address=10.10.2.0/24 out-interface=ETH1 dst-address=!10.10.2.0/24 to-addresses=x.x.x.2
add chain=srcnat action=src-nat src-address=10.10.3.0/24 out-interface=ETH1 dst-address=!10.10.3.0/24 to-addresses=x.x.x.3
add chain=srcnat action=src-nat src-address=10.10.4.0/24 out-interface=ETH1 dst-address=!10.10.4.0/24 to-addresses=x.x.x.4
add chain=srcnat action=src-nat src-address=10.10.5.0/24 out-interface=ETH1 dst-address=!10.10.5.0/24 to-addresses=x.x.x.5
If there should be inter-subnet communication, you might want to add your subnets to an address list and use dst-address-list!=mysubnets instead of dst-address!=10.10.x.0/24
-Chris
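Pulling the advice in this thread together into one complete RouterOS configuration, as an added example that is not from any of the posters above. It assumes the WAN port is named ETH1, that the ISP /29 is 203.0.113.0/29 (a documentation range standing in for X.X.X.0/29) with the ISP gateway at 203.0.113.6, and the LAN ports and 10.10.N.0/24 subnets from the original post. The address-list name lan-subnets, the rule comments and the filter rules are assumptions of this example, not something the thread specifies.

```routeros
# Added example, not from the thread. Assumed: WAN is ETH1, the public block is
# 203.0.113.0/29 (stand-in for X.X.X.0/29), the ISP gateway is 203.0.113.6.

# Every public address named in a to-addresses below must be held by the router,
# otherwise it will not answer ARP for it and replies from the ISP gateway are lost.
/ip address
add address=203.0.113.1/29 interface=ETH1 comment="WAN, used by ETH2 subnet"
add address=203.0.113.2/29 interface=ETH1 comment="WAN, used by ETH3 subnet"
add address=203.0.113.3/29 interface=ETH1 comment="WAN, used by ETH4 subnet"
add address=203.0.113.4/29 interface=ETH1 comment="WAN, used by ETH5 subnet"
add address=203.0.113.5/29 interface=ETH1 comment="WAN, used by ETH6 subnet"
add address=10.10.1.1/24 interface=ETH2
add address=10.10.2.1/24 interface=ETH3
add address=10.10.3.1/24 interface=ETH4
add address=10.10.4.1/24 interface=ETH5
add address=10.10.5.1/24 interface=ETH6

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.6

# One list holding all internal ranges, so new subnets only need a list entry
# plus one NAT rule, and the exclusion in the existing rules keeps working.
/ip firewall address-list
add list=lan-subnets address=10.10.1.0/24
add list=lan-subnets address=10.10.2.0/24
add list=lan-subnets address=10.10.3.0/24
add list=lan-subnets address=10.10.4.0/24
add list=lan-subnets address=10.10.5.0/24

# The srcnat chain is first-match. Each rule is pinned to one LAN subnet and to
# traffic leaving ETH1, and skips destinations inside any LAN subnet.
# There is deliberately no masquerade rule: with several public addresses on
# ETH1 it would pick a single source address for all five subnets.
/ip firewall nat
add chain=srcnat action=src-nat src-address=10.10.1.0/24 out-interface=ETH1 dst-address-list=!lan-subnets to-addresses=203.0.113.1 comment="ETH2 leaves as .1"
add chain=srcnat action=src-nat src-address=10.10.2.0/24 out-interface=ETH1 dst-address-list=!lan-subnets to-addresses=203.0.113.2 comment="ETH3 leaves as .2"
add chain=srcnat action=src-nat src-address=10.10.3.0/24 out-interface=ETH1 dst-address-list=!lan-subnets to-addresses=203.0.113.3 comment="ETH4 leaves as .3"
add chain=srcnat action=src-nat src-address=10.10.4.0/24 out-interface=ETH1 dst-address-list=!lan-subnets to-addresses=203.0.113.4 comment="ETH5 leaves as .4"
add chain=srcnat action=src-nat src-address=10.10.5.0/24 out-interface=ETH1 dst-address-list=!lan-subnets to-addresses=203.0.113.5 comment="ETH6 leaves as .5"

# src-nat only rewrites addresses; it never blocks anything. Five public IPs
# on the router mean five addresses the Internet can poke at, so the forward
# chain must drop unsolicited inbound flows and enforce subnet isolation.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=ETH1 connection-nat-state=!dstnat comment="no unsolicited inbound to any public IP"
add chain=forward action=drop src-address-list=lan-subnets dst-address-list=lan-subnets comment="keep LAN subnets apart"

# Checks: per-rule packet counters should climb only for the subnet in use,
# and reply-dst-address on a tracked connection is the source the outside sees.
/ip firewall nat print stats
/ip firewall connection print where src-address~"^10.10.3."
```

Because each subnet sits on its own port, `out-interface=ETH1` alone already keeps inter-subnet traffic out of these NAT rules; the `dst-address-list=!lan-subnets` match is there so the rules stay correct if subnets are later bridged or routed through the same interface. Keeping the subnets from talking to each other is the job of the forward filter rule, not of any NAT rule.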
 
robertl
just joined
Topic Author
Posts: 2
Joined: Tue Jun 17, 2014 3:08 pm

Re: Example / Tips for Multiple Public IPs and Multiple SRC-

Wed Jun 18, 2014 2:56 pm

Thank you Chris D. and semakka.

I'm curious though, what is the difference between a NAT rule on the srcnat chain using an "action" of "src-nat", versus an action of "masquerade"? Looking at the wiki, they are defined almost identically, other than src-nat allows you to explicitly state the IP address?
  • masquerade - replace source address of an IP packet to IP determined by routing facility.
  • src-nat - replaces source address of an IP packet to values specified by to-addresses and to-ports parameters
I've always used masquerade, at least when I am dealing with a single public WAN IP. It was when I tried multiple "masquerades" that my problems began. Will switching to src-nat actions make any changes to how packets are processed?

Thanks!
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Example / Tips for Multiple Public IPs and Multiple SRC-

Thu Jun 19, 2014 11:43 am

Masquerade is the foolproof option - very good for single (dynamic) public IPs. Masquerade can handle dynamic IP addresses, but in a multi-IP environment it will always use the lowest address only.
This is the recommended practice for this (single dynamic IP, as for home use) scenario.
src-nat wouldn't work with dynamic addresses, but lets you define which address should be used under which circumstances.
This is the recommended practice for multiple IP addresses (would also work with a single static IP).

Cheers
-Chris
