ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

VRF and NAT Masquerade

Fri Jan 14, 2011 5:44 am

Hi All,

I am having some trouble getting NAT masquerade to work with a VRF. I have a VPLS PW interface with the public range routed to it using a VRF. I have set up src-nat to masquerade the LAN subnet outbound on the VPLS PW interface within the VRF. I have set up the NAT rules to include the routing mark; however, I continue to not get any hits on the rule.

thanks.
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: VRF and NAT Masquerade

Fri Jan 14, 2011 8:52 am

I take it you're following this tutorial?

http://wiki.mikrotik.com/wiki/Internet_ ... F_with_NAT
 
ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: VRF and NAT Masquerade

Sat Jan 15, 2011 11:26 am

No, I wasn't. Thanks for the link!
 
ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: VRF and NAT Masquerade

Thu Jan 20, 2011 3:01 am

OK, so upon looking over that wiki article properly, it is irrelevant to what I am trying to do, so just to clarify:

I have a VPLS interface that has an Internet address on it within a VRF. I then have a VLAN interface using private addressing, with a host on the VLAN also within the VRF. I have a dst-nat rule that port forwards to the host on the LAN, the result being that I should be able to access this host from the Internet via the router's address on port "x". The issue is that the dst-nat works and the host responds with a packet, but the router is dropping the packet before it gets out over the src-nat.

NAT
 0   ;;; Port Forward to Trinity printer for Internet printing
     chain=dstnat action=dst-nat to-addresses=192.168.90.254 to-ports=6310 
     protocol=tcp dst-address=x.x.x.x routing-mark=TrinityInternet 
     dst-port=6310 

 1   ;;; NAT Printer to Internet
     chain=srcnat action=masquerade out-interface=VPE-10001-B 
VRF
 0   routing-mark=TrinityInternet 
     interfaces=VPE-10001-B,Eth2-Vlan50-Printer,Eth2-Vlan610-Wlan1,Eth2-
                Vlan611-Wlan2 
Interfaces
 1  R  ;;; Fa0/1 Comms-C2950
       ether2                                      ether            1500  1524 
 2     ether3                                      ether            1500  1524 
 3     ether4                                      ether            1500  1524 
 4     ether5                                      ether            1500  1524 
 5     ether6                                      ether            1500  1524 
 6     ether7                                      ether            1500  1524 
 7     ether8                                      ether            1500  1524 
 8     ether9                                      ether            1500  1524 
 9  R  ;;; Loopback for routing protocols
       lo0                                         bridge           1500  65535
10  R  ;;; Management VLAN
       Eth2-Vlan600-Mgmt                           vlan             1500  1520 
11  R  ;;; Signup WLAN VLAN
       Eth2-Vlan610-Wlan1                          vlan             1500  1520 
12  R  ;;; Secure WLAN VLAN
       Eth2-Vlan611-Wlan2                          vlan             1500  1520 
13  R  ;;; TrinityCollege Printer
       Eth2-Vlan50-Printer                         vlan             1500  1520 
14  R  ;;; Management/data
       ether1.601                                  vlan             1500  1520 
15  R  ;;; Loopback - Temp for remote access to printer
       lo1                                         bridge           1500  65535
16  R  VPE-10001-B                                 vpls             1500  1500 
Addresses
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   10.60.4.1/32       10.60.4.1       10.60.4.1       lo0                    
 1   10.60.14.11/23     10.60.14.0      10.60.15.255    ether1.601             
 2   10.60.2.1/28       10.60.2.0       10.60.2.15      Eth2-Vlan600-Mgmt      
 3   192.168.90.1/24    192.168.90.0    192.168.90.255  Eth2-Vlan50-Printer    
 4   210.x.x.2/30    210.x.x.0    210.x.x.3    VPE-10001-B            
 5   172.16.1.1/24      172.16.1.0      172.16.1.255    Eth2-Vlan610-Wlan1
 
ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: VRF and NAT Masquerade

Fri Jan 21, 2011 12:32 am

OK, I have tested further by routing a public subnet across the VRF and assigned an address from this range to the host on the LAN. I am able to ping the routers address on this subnet however the router is dropping the ICMP request on the return trip from the host across the router... I am guessing something about the VRF or routing mark is the problem.
 
Eising
Member Candidate
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: VRF and NAT Masquerade

Fri Jan 21, 2011 2:37 pm

I'm always happy when someone reads the howto's I've done :)

Did you remember to make the correct MANGLE? Return traffic does not automatically go into the correct VRF, so you need to use /ip firewall mangle to make sure the traffic ends back in the VRF.
 
ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: VRF and NAT Masquerade

Fri Jan 21, 2011 11:21 pm

Hmm, I did have a mangle rule in place based on that logic; however, I was not getting any hits on it and MikroTik support told me to remove it.

I will put the mangle rules back on and post an update.

Thanks!
 
ether3al
newbie
Topic Author
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: VRF and NAT Masquerade

Sat Jan 22, 2011 12:49 am

So still no luck with the mangle rules... Tried to add the routing mark using the VLAN interface inbound, the global interface, src-addr and dst-addr... still don't get any hits:
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=mark-routing new-routing-mark=Internet 
     passthrough=yes src-address=192.168.90.0/24 

 1   chain=prerouting action=mark-routing new-routing-mark=Internet 
     passthrough=yes in-interface=Eth2-Vlan611-Wlan2 

 2   chain=prerouting action=mark-routing new-routing-mark=Internet 
     passthrough=yes src-address=210.x.x.64/26 
VLAN 611 is where the host I am trying to reach is, which has the subnet 210.x.x.64/26.

Any input is greatly appreciated!
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Sat Jun 11, 2022 3:15 pm

/ip firewall address-list
add address=10.0.0.0/8 list=LAN_addresses
add address=192.168.0.0/16 list=LAN_addresses
add address=100.64.0.0/10 list=LAN_addresses

/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark-routing:main (LAN)" src-address-list=!LAN_addresses dst-address-list=LAN_addresses \
new-routing-mark=main passthrough=yes

/routing rule routing-mark=main action=lookup table=main

That's all.

Otherwise responses will not reach.
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Thu Aug 04, 2022 7:25 pm

This is a bug in ROSv7 that needs to be fixed...

Fallback to the main routing table is not working...
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VRF and NAT Masquerade

Sat Aug 06, 2022 4:34 pm

Same here; heard VRF with version 7 is flaky...........
 
volga629
Frequent Visitor
Posts: 59
Joined: Tue Nov 19, 2013 6:21 am

Re: VRF and NAT Masquerade

Mon Aug 08, 2022 5:31 am

That resolved the issue for me in ver 7.4.
Return traffic from the Internet to the correct VRF:
[admin@fw-up-1.networklab.local] > /ip/firewall/mangle/print

 8    ;;; Returning traffic to vrf
      chain=prerouting action=mark-connection new-connection-mark=VRF_TRAFFIC_OUT passthrough=no
      src-address-list=SRC_NAT_NET log=no log-prefix=""

 9    chain=prerouting action=mark-routing new-routing-mark=sdwan_vrf_1 passthrough=no
      connection-mark=VRF_TRAFFIC_OUT in-interface=WAN-eth1 log=no log-prefix=""
[admin@fw-up-1.networklab.local] > 
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Thu Aug 11, 2022 6:24 pm

Flaky. Lots of packet loss.

VRF needs improvement.
Last edited by volkirik on Sat Aug 13, 2022 11:30 pm, edited 1 time in total.
 
volga629
Frequent Visitor
Posts: 59
Joined: Tue Nov 19, 2013 6:21 am

Re: VRF and NAT Masquerade

Fri Aug 12, 2022 4:58 pm

They announced the fix in 7.4.1 and 7.5.b8.
Do you know which it is? I am looking at the release notes in the router and I don't see VRF fixes.
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Sat Aug 13, 2022 11:31 pm

*) firewall - fixed "in-interface-list" matcher when VRF is used;
But it's still broken somehow IMO.

We experience lots of random packet loss when VRF is used.
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Sun Aug 14, 2022 12:16 pm

Good news and bad news together.

Do not use address-lists. Use in-interface-list. It will work.

Using address-lists currently causes a routing loop; the in and out interface becomes the WAN interface.

We have been dropping WAN-to-WAN connections in the forward chain. That's how we found the issue.

Must be fixed by MikroTik ASAP.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VRF and NAT Masquerade

Thu Aug 18, 2022 2:09 pm

Thanks volkirik, did you send a supout report to MT??
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Thu Aug 18, 2022 6:21 pm

Nope. They are not friendly IMO.

I would rather wait for somebody else to report it.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VRF and NAT Masquerade

Thu Aug 18, 2022 6:52 pm

Ahh, you have bystander complex!!!
https://escholarship.org/content/qt7rj7 ... f?t=krnpwg

Luckily, I am not as lazy, nor lacking in moral fortitude, and have passed the info along. ;-)
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Thu Aug 18, 2022 7:12 pm

Whatever.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VRF and NAT Masquerade

Thu Aug 18, 2022 8:36 pm

Yes, the disinterested complex, a common affliction to see when one is already missing the "I take responsibility" bone. ;-)
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Thu Aug 18, 2022 8:48 pm

If they have testing labs, well then, they have enough evidence of bugs from the forum.

Let them invest in bug-finding and fixing. I am not responsible for escalation.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VRF and NAT Masquerade

Fri Aug 19, 2022 2:57 pm

Guess what............

I have already had two responses from MT support.

(1) Hello,
Please send us the supout.rif file from your device.
This article explains how to make a supout.rif file:
https://help.mikrotik.com/docs/display/ROS/Supout.rif
Best regards,
O.L

(2) Hello!
There are no known issues with address-list matching in the firewall.
Sorry, I can't debug this issue without knowing the full configuration and without an exact description of the problem.
If the person wants, he can write to support himself and provide the needed information.
Best Regards,
O.L..

So they would like to help and attempt to get at the root cause of your issues, but it's rather difficult when you're being such a dick.
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Fri Aug 19, 2022 5:53 pm

I am not being a dick.

Do not use interface(-name) or interface-list.

Create an address list with LAN prefixes... (192...., 100...., 10....)

Use src/dst address lists for matching traffic in mangle.

All combinations create a routing loop.

That's how to reproduce it, at least on our RB4011.
Last edited by volkirik on Fri Aug 19, 2022 5:55 pm, edited 2 times in total.
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Fri Aug 19, 2022 5:54 pm

I am repeating... I do not have to escalate the bug. I told how to reproduce it... I do not have to send my topology and all. We have an NDA with the company, without exceptions for MT. Sorry.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VRF and NAT Masquerade

Fri Aug 19, 2022 6:29 pm

I will pass on your additional info, understood about NDA.
 
volkirik
Member Candidate
Posts: 158
Joined: Sat Jul 23, 2016 2:03 pm

Re: VRF and NAT Masquerade

Fri Aug 19, 2022 8:31 pm

Okay, thanks.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VRF and NAT Masquerade

Mon Aug 22, 2022 2:06 pm

From support...........
Hello!
If there are both source and destination addresses in one address list, it may cause issues with matching, but that is an incorrect configuration.
If the source address list and the destination address list are separated, there should not be problems.
If the person's configuration is clear to you, please provide a simple network diagram and an example configuration where we can see the IP addresses on the interfaces and the full firewall configuration.
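Putting the thread's working pieces together (volkirik's address-list and routing-rule approach, volga629's connection-mark approach, and support's note that source and destination prefixes must not share one address list), here is a consolidated configuration added as an example; it is not taken from any post above. The VRF, interface and list names and the 192.168.90.0/24 LAN prefix are assumed, and the syntax is RouterOS v7.

```routeros
# Added example, not from the thread. Assumed names: VRF "cust_vrf",
# LAN interface "lan-vlan50", WAN/VPLS interface "wan-vpls".
# Goal: NAT'd flows leaving the VRF get their replies routed back into the
# VRF table instead of being dropped or falling through to "main".

/ip vrf
add name=cust_vrf interfaces=lan-vlan50,wan-vpls

# Keep source and destination prefixes in SEPARATE lists (support's advice);
# one shared list was reported to cause mis-matching / routing loops.
/ip firewall address-list
add list=LAN_SRC address=192.168.90.0/24 comment="prefixes that originate NAT'd traffic"
add list=LAN_DST address=192.168.90.0/24 comment="same prefix, separate list, used only as dst"

/ip firewall mangle
# Outbound: tag the connection on its first packet from the LAN side.
add chain=prerouting in-interface=lan-vlan50 src-address-list=LAN_SRC \
    connection-state=new action=mark-connection \
    new-connection-mark=VRF_OUT passthrough=yes comment="tag VRF flows"
# Return: replies of tagged connections arriving on the WAN side are
# forced back into the VRF table (volga629's rule 9 pattern).
add chain=prerouting in-interface=wan-vpls connection-mark=VRF_OUT \
    action=mark-routing new-routing-mark=cust_vrf passthrough=no \
    comment="return traffic to VRF"
# LAN-to-LAN traffic inside the VRF stays in the main lookup path
# (volkirik's rule), so it is never pushed out through the WAN.
add chain=prerouting src-address-list=!LAN_SRC dst-address-list=LAN_DST \
    action=mark-routing new-routing-mark=main passthrough=yes

/routing rule
add routing-mark=main action=lookup table=main

/ip firewall nat
add chain=srcnat out-interface=wan-vpls src-address-list=LAN_SRC \
    action=masquerade comment="NAT LAN to Internet"

# Check: the two VRF mangle rules' counters should advance together when a
# LAN host talks to the Internet; a zero counter on the return rule means
# replies are not being re-marked.
/ip firewall mangle print stats
```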
