Running on a V6.37.1 I have the following:
LAN 192.168.1.0/24
RB is 192.168.1.1
PC is 192.168.1.2 (should have 1.1.1.2 as public IP)

WAN 1.1.1.0/29
1.1.1.1-1.1.1.5 assigned for me.
1.1.1.6 is the ISP gateway


The firewall filter rule listed is the #1 rule. 0 hits.
src-nat generates hits
dst-nat has 0 hits.
Everyone is masqueraded to 1.1.1.1 and it works - ISP gateway is reachable.
Except 192.168.1.2 which is tied to 1.1.1.2 and it isn't able to ping the ISP gateway. When I disable the 1.1.1.2 rules then the PC goes out through 1.1.1.1 and works.
ISP router ARP table only has 1.1.1.1 visible from my side.
The problem is in the RB because when I assign 1.1.1.2 to the PC and hook it up in place of the RB I do have internet access and Google knows me as 1.1.1.2

What am I doing wrong? What to check?

Got it. You need to have BOTH of these in the masquerade rule:

add action=masquerade chain=srcnat out-interface=ether1-gateway \
src-address=!192.168.1.2 dst-address=!192.168.1.2

I thought the NAT table also has a rule priority like the Filer list but it doesn't. Doh!

Got it. You need to have BOTH of these in the masquerade rule:

add action=masquerade chain=srcnat out-interface=ether1-gateway \
src-address=!192.168.1.2 dst-address=!192.168.1.2

I thought the NAT table also has a rule priority like the Filer list but it doesn't. Doh!

Hi sveno,
NAT table does have a priority, it is read from the top down. as you can see here: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow, it will execute the dst-nat chain before any routing decision is made and the src-nat chain after the routing decision has been made.

So incoming packets will trigger the first dst-nat rule they hit and, after being routed, any src-nat rules that apply. (this is why it's important to be specific about interfaces and IPs in your NAT rules)
The same goes for outbound packets, the router will run through the dst-nat chain and look for a rule. (in most cases there wont be a hit for dst-nat on outbound traffic)
After it has made routing decision and just before forwarding the packet out of the correct interface the router will check the src-nat chain and trigger the correct rule.

So your original rule set was correct, you were saying that if the src-ip was 192.168.1.2 then src-nat to 1.1.1.2, once that rule fires no more are checked.


So why didn't it work?
Where were you checking from? Were you testing from another internal host? if so I suspect that you were having trouble with hairpin nat.
This is a great explaination: http://gregsowell.com/?p=4242

Hope that helps

Thanks for your feedback tslytsly. I am thinking that by some weird bug or other problem Winbox was showing me the incorrect (or old) rule order and that the rule order was indeed wrong with the masquerade rule being above src-nat.

Thanks for your feedback tslytsly. I am thinking that by some weird bug or other problem Winbox was showing me the incorrect (or old) rule order and that the rule order was indeed wrong with the masquerade rule being above src-nat.

No problem.

If you were testing from another internal host then it will almost definitely be hairpin nat that is the issue.

The same problem occurred again. It was fixed by disabling and reenabling this: It happened out of the blue - no changes to the router. 1.1.1.2 was unreachable the internet and 1.1.1.2 (192.168.1.2) couldn't access the internet. When I set my laptop as 1.1.1.2 and directly attached it to WAN, google "whats my IP" confirmed I was 1.1.1.2 thus the problem was in the router. Is this a bug? Why did the disable/enable work? Can someone explain?