Forcing source ip and/or route

Posted: Sun Mar 31, 2024 9:37 am
by dalami
I'm not sure how to properly express this. I had a problem that I tried to solve with various combinations of src-nat and routing policy, failed, and then fixed it by doing it properly, which means configuring the clients directly instead of trying to use network magic.

But I *want* to learn network magic. So while my original problem has been solved, I'd like to know how I *could* have accomplished this through the router.

My cloud server has a static public IP a.a.a.a. It provides WireGuard service as b.b.b.a.
My office router has a dynamic public IP so.me.th.ing. It has WireGuard IP b.b.b.b.
My office server has LAN IP c.c.c.c behind the router.

<deleted long story>

The question: how can I force traffic from c.c.c.c, destined to a.a.a.a, to come from b.b.b.b? Or to put it another way, how do I force traffic from my office server destined to the public address of the cloud server, which is otherwise properly routed and reachable, to go through the VPN instead? And while in this particular case a valid answer *might* be via WireGuard configuration, I really want to know how to do it via routing.

I tried
/ip firewall nat add action=src-nat chain=srcnat dst-address=a.a.a.a src-address=c.c.c.c to-addresses=b.b.b.b
That didn't work.

I tried
/routing table add fib name=wg
/routing rule add action=lookup-only-in-table dst-address=a.a.a.a src-address=c.c.c.c table=wg
/ip route add distance=1 dst-address=a.a.a.a gateway=b.b.b.b pref-src="" routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
And that didn't work.

What am I missing?

Re: Forcing source ip and/or route

Posted: Sun Mar 31, 2024 3:41 pm
by anav
Post both configs:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, long DHCP lease lists, etc.)

Re: Forcing source ip and/or route

Posted: Mon Apr 01, 2024 3:01 am
by IlKa
dst-address=a.a.a.a gateway=b.b.b.b
Why not
gateway=b.b.b.a
?

I'd say that you took a right direction.

1. Create a separate routing table to route `a.a.a.a` to `b.b.b.a`.
2. Create a rule that sticks your client (source address) to this table.
3. Add NAT/masquerade to make sure the source address of your client gets substituted by `b.b.b.b` (your server expects connections from `b.b.b.b` only).
4. Run a trace on the client.
5. Check connections on the MikroTik. What do you see?
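The steps above written out as RouterOS v7 commands, as an added example; this is not either poster's configuration. It assumes the office router's tunnel interface is named `wireguard1`, that the cloud server is the only peer on it, and it keeps the thread's placeholder addresses (a.a.a.a, b.b.b.a, b.b.b.b, c.c.c.c). The one point it adds beyond the list is the peer's allowed-address: WireGuard discards any packet whose destination is not covered by a peer's allowed-address, so a.a.a.a has to be added there or the route into the tunnel goes nowhere.

```routeros
# Added example, not the original poster's config. Assumed interface name:
# wireguard1 (the tunnel to the cloud server). Addresses are the thread's placeholders.

# 0. Let the tunnel carry packets addressed to the cloud server's public IP.
#    WireGuard drops traffic to destinations outside allowed-address before it
#    is encrypted, so the tunnel-internal address b.b.b.a alone is not enough.
/interface wireguard peers set [find interface=wireguard1] \
    allowed-address=b.b.b.a/32,a.a.a.a/32

# 1. Separate table that sends a.a.a.a into the tunnel. The gateway must be the
#    far end (b.b.b.a) or simply the tunnel interface; b.b.b.b is this router's
#    own address and cannot serve as a next hop, which is why the original
#    route never did anything.
/routing table add fib name=wg
/ip route add dst-address=a.a.a.a/32 gateway=wireguard1 routing-table=wg

# 2. Only the office server's traffic for a.a.a.a consults that table. The
#    router's own WireGuard handshakes to a.a.a.a (sourced from the WAN IP) do
#    not match, so the tunnel endpoint stays reachable over the normal route.
/routing rule add src-address=c.c.c.c/32 dst-address=a.a.a.a/32 \
    action=lookup-only-in-table table=wg

# 3. Rewrite the source to the tunnel address once the packet is headed into
#    the tunnel, so the cloud server sees b.b.b.b and replies back through it.
#    Matching on out-interface ties the rule to the tunnel rather than to the
#    destination alone.
/ip firewall nat add chain=srcnat src-address=c.c.c.c out-interface=wireguard1 \
    action=src-nat to-addresses=b.b.b.b

# 4./5. Verify from the router after tracing from the client.
/routing rule print
/ip route print where routing-table=wg
/ip firewall connection print
```

Order matters for the diagnosis: routing rules are evaluated before srcnat, so the first attempt in the thread (src-nat alone) rewrote the source to b.b.b.b but the packet still left via the WAN on the main table, where a packet sourced from a tunnel address has no valid return path. With the rule and route in place, the connection table should show c.c.c.c to a.a.a.a with the reply addressed to b.b.b.b; if the entry is missing entirely, check the routing rule and the peer's allowed-address first, and if it is present but gets no reply, check the route back to b.b.b.b on the cloud side.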

Re: Forcing source ip and/or route

Posted: Mon Apr 01, 2024 3:20 am
by dalami
Interesting.

In the process of sanitizing my export I found some garbage filter rules. Removing those was probably a good thing. Now that I've done that, and re-activated the src-nat and routing...

It almost works. Or at least, now traffic from the office server fails to reach the cloud server, where it used to make it through fine. And by traffic I mean ping/mtr/tcptraceroute.

So I've disabled the rules again pending more guidance.