LP006688
just joined
Topic Author
Posts: 11
Joined: Tue Mar 19, 2013 9:44 am

Nasty problem with src-nat and external DNS

Fri May 26, 2017 10:43 am

Hello all,

I have faced a nasty problem: I have several public IP addresses and several internal subnets; each subnet uses a separate IP to access the Internet. I use "src-nat", but this effectively kills all UDP(53) traffic through NAT. If I set NAT to "masquerade" (which picks the first IP from the pool) -- everything is fine.

What might be the issue here? Any solutions available or is it a RouterOS bug?

Kind regards, Vadim.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Nasty problem with src-nat and external DNS

Sat May 27, 2017 9:38 am

Unless you post your configuration export, it will be difficult to say what your specific case is: whether this is a bug or a configuration flaw.
 
LP006688
just joined
Topic Author
Posts: 11
Joined: Tue Mar 19, 2013 9:44 am

Re: Nasty problem with src-nat and external DNS

Sun May 28, 2017 3:37 pm

I am sorry, what file are you talking about? Will it contain passwords?
 
BartoszP
Forum Guru
Posts: 3060
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Nasty problem with src-nat and external DNS

Sun May 28, 2017 3:52 pm

As a MikroTik admin you should be aware of the export command.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Nasty problem with src-nat and external DNS

Mon May 29, 2017 2:04 am

/export hide-sensitive
It won't contain system user accounts at all, and it will filter stuff like wireless or PPP passwords. And you can always censor other stuff like IP addresses manually if you want to. But try not to go overboard there. If you do, it will be hard to help you; we need to see what the public address is, tell one from the other, etc.
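The manual censoring Sob describes is easy to get wrong in both directions: blanking every address makes the export useless, while leaving the public ones in reveals the site. The script below is an added example (not part of this thread and not a MikroTik tool) showing one way to redact a `/export hide-sensitive` dump so that helpers can still tell addresses apart. Every public IPv4 /24 prefix is mapped to a fixed placeholder prefix and the host octet is kept, so address/network/gateway pairs and prefix lengths stay consistent; RFC 1918, loopback and link-local addresses are left alone. The `SAMPLE_EXPORT` text is a constructed excerpt in the shape of the export posted later in this thread.

```python
"""Redact public IPv4 addresses in a RouterOS export without losing structure.

Added example, not from the forum post and not a MikroTik tool.  Each real
public /24 prefix is replaced by a placeholder prefix that is never globally
routable, so a reviewer can still see which addresses share a subnet without
learning the real ones.
"""
from __future__ import annotations

import ipaddress
import re

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Placeholder /24s: the three RFC 5737 documentation nets first, then
# carrier-grade NAT space (RFC 6598).  None of these is globally routable,
# so a placeholder can never be mistaken for a real public address.
_POOL = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
_POOL += list(ipaddress.ip_network("100.64.0.0/10").subnets(new_prefix=24))


def pseudonymize(text: str) -> tuple[str, dict[str, str]]:
    """Return (redacted_text, {real /24 prefix: placeholder /24 prefix})."""
    prefix_map: dict[str, str] = {}

    def repl(match: re.Match) -> str:
        raw = match.group(1)
        try:
            addr = ipaddress.IPv4Address(raw)
        except ValueError:          # e.g. 300.1.1.1 is not an address, leave it
            return raw
        if not addr.is_global:      # RFC 1918, loopback, link-local, reserved
            return raw
        prefix, host = raw.rsplit(".", 1)
        if prefix not in prefix_map:
            if len(prefix_map) >= len(_POOL):
                raise RuntimeError("placeholder pool exhausted")
            net = _POOL[len(prefix_map)]
            prefix_map[prefix] = str(net.network_address).rsplit(".", 1)[0]
        return f"{prefix_map[prefix]}.{host}"

    return _IPV4.sub(repl, text), prefix_map


# Constructed sample: a few lines in the shape of a RouterOS export.
SAMPLE_EXPORT = """\
/ip address
add address=10.0.100.100/16 interface=ether1 network=10.0.0.0
add address=82.135.232.173/29 interface=combo1 network=82.135.232.168
add address=82.135.237.86/29 interface=combo1 network=82.135.237.80
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=src-nat chain=srcnat out-interface=combo1 src-address=192.168.100.0/26 to-addresses=82.135.237.86
/ip route
add distance=1 gateway=82.135.232.172
"""

if __name__ == "__main__":
    redacted, table = pseudonymize(SAMPLE_EXPORT)
    print(redacted)
    for real, fake in table.items():
        print(f"# {real}.0/24 -> {fake}.0/24")
```

Because the mapping is per prefix, the NAT `to-addresses` and the `/ip address` entry it belongs to are rewritten identically, and the default gateway still visibly lands in the same /29 as the interface address, which is exactly the relationship someone reading the export needs to see. Keep the printed mapping table to yourself; it is the key to the redaction.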
 
LP006688
just joined
Topic Author
Posts: 11
Joined: Tue Mar 19, 2013 9:44 am

Re: Nasty problem with src-nat and external DNS

Mon May 29, 2017 11:08 am

Here we go:
# may/29/2017 10:56:01 by RouterOS 6.39.1
#
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/queue tree
add max-limit=256M name=Inbound packet-mark=Inbound parent=global queue=default
add max-limit=256M name=Outbound packet-mark=Outbound parent=global queue=default
/snmp community
set [ find default=yes ] addresses=10.0.0.150/32
/interface l2tp-server server
set caller-id-type=ip-address
/ip address
add address=10.0.100.100/16 interface=ether1 network=10.0.0.0
add address=192.168.100.62/26 interface=ether2 network=192.168.100.0
add address=192.168.111.1/30 interface=ether3 network=192.168.111.0
add address=82.135.232.173/29 interface=combo1 network=82.135.232.168
add address=82.135.237.86/29 interface=combo1 network=82.135.237.80
add address=213.190.53.86/28 interface=combo1 network=213.190.53.80
add address=192.168.101.62/26 interface=ether4 network=192.168.101.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input in-interface=combo1 src-address=82.135.232.168/29
add action=drop chain=input in-interface=combo1 protocol=icmp
add action=drop chain=input dst-port=21,22,23,80 in-interface=combo1 protocol=tcp
add action=drop chain=input dst-port=21,22,23,80 in-interface=ether2 protocol=tcp
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=combo1 new-packet-mark=Inbound passthrough=yes
add action=mark-packet chain=postrouting new-packet-mark=Outbound out-interface=combo1 passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=NEETV passthrough=yes src-address=192.168.100.0/26
add action=mark-routing chain=prerouting new-routing-mark=WiFi passthrough=yes src-address=192.168.111.0/30
add action=mark-routing chain=prerouting new-routing-mark=Test passthrough=yes src-address=192.168.101.0/26
/ip firewall nat
add action=src-nat chain=srcnat comment=NEETV: out-interface=combo1 src-address=192.168.100.0/26 to-addresses=82.135.237.86
add action=src-nat chain=srcnat comment=Test: out-interface=combo1 src-address=192.168.101.0/26 to-addresses=82.135.237.86
add action=src-nat chain=srcnat comment=WiFi: out-interface=combo1 src-address=192.168.111.0/30 to-addresses=213.190.53.86
/ip route
add distance=1 gateway=82.135.232.172
/ip traffic-flow
set cache-entries=32k enabled=yes
/ip traffic-flow target
add dst-address=10.0.0.150 port=10000
/lcd
set color-scheme=dark default-screen=stat-slideshow flip-screen=yes read-only-mode=yes
/snmp
set enabled=yes trap-version=3
/system clock
set time-zone-name=Europe/Vilnius
/system identity
set name=RouterOS.ois.lt
/system ntp client
set enabled=yes primary-ntp=10.0.0.2 secondary-ntp=10.0.0.20
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
set authenticate=no enabled=no
If I set the NAT action to "masquerade" it picks the wrong address, but passes DNS packets through. Cannot understand what's wrong here. Unless there is some undocumented difference between "masquerade" and "src-nat" except the predefined address setting.

The "out" addresses are different subnets from the default gateway. Weird, but this is our provider configuration.
Last edited by LP006688 on Mon May 29, 2017 11:22 am, edited 1 time in total.
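Two things about the export above are worth checking mechanically rather than by eye: the three `mark-routing` rules reference routing marks (NEETV, WiFi, Test) for which the `/ip route` section shows no matching route, and, as the poster says, the `src-nat` to-addresses sit in different /29 and /28 subnets from the one the default gateway is in. The script below is an added example (not from this thread and not a MikroTik tool) that parses an export into records and reports exactly those two observations; it describes the configuration and does not claim which of them causes the DNS failure. The `SAMPLE_EXPORT` is a constructed copy of the address, mangle, NAT and route sections posted above.

```python
"""Sanity checks over a RouterOS export for a multi-address src-nat setup.

Added example, not from the forum post and not a MikroTik tool.  It reports
(1) mangle mark-routing rules whose routing-mark has no /ip route entry and
(2) src-nat to-addresses whose local subnet does not contain the default
gateway.  Both are facts about the export, not a diagnosis.
"""
from __future__ import annotations

import ipaddress
import shlex


def parse_export(text: str) -> list[tuple[str, dict[str, str]]]:
    """Return (section, attributes) for every add/set line of an export."""
    records: list[tuple[str, dict[str, str]]] = []
    section, pending = "", ""
    for raw in text.splitlines():
        line = (pending + raw).strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # RouterOS wraps long lines with a backslash
            pending = line[:-1] + " "
            continue
        if line.startswith("/"):           # section header such as /ip firewall nat
            section = line
            continue
        tokens = shlex.split(line)         # handles quoted values like comment="a b"
        attrs = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                attrs[key] = value
        records.append((section, attrs))
    return records


def unrouted_marks(records) -> list[str]:
    """Routing marks set by mangle rules that no /ip route entry uses."""
    marks = {a["new-routing-mark"] for s, a in records
             if s == "/ip firewall mangle" and a.get("action") == "mark-routing"
             and "new-routing-mark" in a}
    routed = {a.get("routing-mark") for s, a in records if s == "/ip route"}
    return sorted(marks - routed)


def nat_off_gateway_subnet(records) -> list[tuple[str, str, str]]:
    """(rule comment, to-address, local subnet) for src-nat rules whose
    to-address is not in the same local subnet as a default gateway."""
    ifaces = [ipaddress.ip_interface(a["address"]) for s, a in records if s == "/ip address"]
    gateways = [ipaddress.ip_address(a["gateway"]) for s, a in records
                if s == "/ip route" and "gateway" in a and "routing-mark" not in a
                and a.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"]
    findings = []
    for s, a in records:
        if s != "/ip firewall nat" or a.get("action") != "src-nat":
            continue
        to_addr = ipaddress.ip_address(a["to-addresses"].split("-")[0])  # first of a range
        local = [i for i in ifaces if i.ip == to_addr]
        if any(gw in i.network for i in local for gw in gateways):
            continue
        subnet = str(local[0].network) if local else "not a local address"
        findings.append((a.get("comment", ""), str(to_addr), subnet))
    return findings


# Constructed sample: the relevant sections of the export posted in the thread.
SAMPLE_EXPORT = """\
/ip address
add address=10.0.100.100/16 interface=ether1 network=10.0.0.0
add address=192.168.100.62/26 interface=ether2 network=192.168.100.0
add address=192.168.111.1/30 interface=ether3 network=192.168.111.0
add address=82.135.232.173/29 interface=combo1 network=82.135.232.168
add address=82.135.237.86/29 interface=combo1 network=82.135.237.80
add address=213.190.53.86/28 interface=combo1 network=213.190.53.80
add address=192.168.101.62/26 interface=ether4 network=192.168.101.0
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=NEETV passthrough=yes src-address=192.168.100.0/26
add action=mark-routing chain=prerouting new-routing-mark=WiFi passthrough=yes src-address=192.168.111.0/30
add action=mark-routing chain=prerouting new-routing-mark=Test passthrough=yes src-address=192.168.101.0/26
/ip firewall nat
add action=src-nat chain=srcnat comment=NEETV: out-interface=combo1 src-address=192.168.100.0/26 to-addresses=82.135.237.86
add action=src-nat chain=srcnat comment=Test: out-interface=combo1 src-address=192.168.101.0/26 to-addresses=82.135.237.86
add action=src-nat chain=srcnat comment=WiFi: out-interface=combo1 src-address=192.168.111.0/30 to-addresses=213.190.53.86
/ip route
add distance=1 gateway=82.135.232.172
"""

if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("routing marks without a route:", unrouted_marks(recs))
    for comment, to_addr, subnet in nat_off_gateway_subnet(recs):
        print(f"src-nat {comment} to {to_addr} ({subnet}) is outside the default gateway's subnet")
```

Run against the posted export this lists NEETV, Test and WiFi as marks with no route, and all three NAT rules as sourcing from a subnet other than the gateway's 82.135.232.168/29. Neither output is an error by itself; they are the two questions pukkita asks next (what the mark-routing rules are for, and what the provider side looks like), answered from the text rather than from memory.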
 
LP006688
just joined
Topic Author
Posts: 11
Joined: Tue Mar 19, 2013 9:44 am

Re: Nasty problem with src-nat and external DNS

Mon May 29, 2017 11:12 am

Should mention as well that identical configuration implemented with a Fortigate-800C works fine.
 
LP006688
just joined
Topic Author
Posts: 11
Joined: Tue Mar 19, 2013 9:44 am

Re: Nasty problem with src-nat and external DNS

Mon May 29, 2017 11:18 am

As Mikrotik admin you should be aware of export command.
Thank you so much :) I just started with them. Perhaps you are a lucky man and were born with a knowledge of everything in the world ;)
 
BartoszP
Forum Guru
Posts: 3060
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Nasty problem with src-nat and external DNS

Mon May 29, 2017 11:49 am

I wish I could be so lucky ... "I should be so lucky, lucky, lucky, lucky ...." :-)
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Nasty problem with src-nat and external DNS

Mon May 29, 2017 12:15 pm

If you want to get help, you'd better provide all the possible details...

What is connected to combo1? I assume this is a CCR1009-7G-1C-*?

Is that the full export? What is this for?
add action=mark-routing chain=prerouting new-routing-mark=NEETV passthrough=yes src-address=192.168.100.0/26
add action=mark-routing chain=prerouting new-routing-mark=WiFi passthrough=yes src-address=192.168.111.0/30
add action=mark-routing chain=prerouting new-routing-mark=Test passthrough=yes src-address=192.168.101.0/26
Look for outgoing DNS connections in the IP > Firewall > Connections tab when using masquerade and when using src-nat (click on the funnel icon to filter outgoing DNS, and paste screenshots).

Suggestion: ask your provider about the possibility of setting up a private /30 for transit, so that you can "float" the public IPs on loopbacks and avoid the need to bind them to external interfaces.