It sounds to me like there is either a bug you have hit or a typo in the rule that was applied.
What version are you running? And is the 10.0.1.0/24 network on a different interface?

There seems to be a bug in some versions that don't apply rule changes correctly (so if this rule was originally a masquerade with out interface wan then it may be sticking like that until a reboot).

Another issue is if that first rule applies to some traffic and you changed it, remember to flush the conntrack table to clear any natting that came through before it.

And on the performance side (especially under DDoS attack), if this is your ISP edge router and you are natting traffic for your management range etc., then get a separate small MikroTik to do that natting and give it a public IP in the range. Then you can turn off conntrack and avoid all packet reassembly in the router and avoid state exhaustion attacks against your infrastructure there. Especially once 6.30 is released (and stabilised), now providing VLAN fast path. Now I'm just looking forward to PPP encap fast path and fast track.

For your issue: if you can provide the version and a sanitised export (for anything you can't / don't want to share) we can look and help.

Regards
Alexander

Alexander Neilson
Neilson Productions Ltd
[email protected]
021 329 681

> On 4/07/2015, at 5:38 am, Ryan Spott <[email protected]> wrote:
>
> it is the only NAT rule I have.
> I only want to NAT the 10. network
>
> I do NOT want to NAT the 216 network.
>
> ryan
>
>> On Jul 3, 2015, at 10:01 AM, Chupaka <[email protected]> wrote:
>>
>> Seems like that's not the only NAT rule you have, because that rule
>> masquerades only 10.0.1.0/24 :)
>>
>> Anyway, I prefer using scheme like
>>
>> /ip firewall nat
>> add action=accept chain=srcnat out-interface=WAN src-address=209.90.234.1/28
>> add action=masquerade chain=srcnat out-interface=WAN
>>
>> I.e. accept your public addresses so that they won't be NATted, and then
>> masquerade everything else.
>>
>> --
>> Signature:
>> (added to the end of all outgoing emails)
>>
>> 2015-07-03 19:49 GMT+03:00 D. Ryan Spott <[email protected]>:
>>
>>> I have the following network:
>>>
>>> <internet>-<router>-<ISP Network>
>>>
>>> The router has a WAN IP of 209.90.234.1/28
>>> The router has a LAN IP of 216.168.46.0/24
>>> The router has a LAN IP of 10.0.1.0/24
>>>
>>> When I enable this:
>>> /ip firewall nat
>>> add action=masquerade chain=srcnat out-interface=WAN src-address=10.0.1.0/24
>>>
>>> The result is ALL of the LAN clients 10. and 216. are all masqueraded to
>>> 209.90.234.1.
>>>
>>> How can I limit the masquerade to the 10.0.1.0/24 network ONLY and let
>>> the 216.168.46.0 addresses do the normal internet routing thing?
>>>
>>> It is something obvious. Need more coffee.. or Scotch.
>>>
>>> ryan
>>>
>>> --
>>> D. Ryan Spott | NGC457, llc
>>> broadband | telco | colo | communities
>>> PO Box 1734 Sultan, WA 98294
>>> 425-939-0047
>>>
>>> _______________________________________________
>>> Mikrotik mailing list
>>> [email protected]
>>> http://mail.butchevans.com/mailman/listinfo/mikrotik
>>>
>>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
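Added example (not part of the original thread, and a simplified Python model rather than RouterOS code): it shows the behaviour described in the reply above, where the srcnat decision is made on a connection's first packet and kept in conntrack, so an edited rule only affects existing flows after the table is flushed. The unrestricted earlier rule is the hypothetical case the reply mentions; the host 216.168.46.10 and destination 198.51.100.7 are constructed.

```python
import ipaddress

# Constructed rule sets; out-interface=WAN is implied for every rule.
# Each rule is (action, src-address), with None meaning "any source".
RYAN_RULES = [("masquerade", "10.0.1.0/24")]   # the rule quoted in the thread
OLD_RULES = [("masquerade", None)]             # assumed earlier rule, no src-address
WAN_IP = "209.90.234.1"


def srcnat(rules, src):
    """First-match walk of the srcnat chain; returns the source seen on the WAN."""
    addr = ipaddress.ip_address(src)
    for action, net in rules:
        if net is None or addr in ipaddress.ip_network(net):
            return WAN_IP if action == "masquerade" else src
    return src  # no rule matched: routed untranslated


class Router:
    """Model: NAT is chosen once per connection and remembered in conntrack."""

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}

    def send(self, src, dst):
        key = (src, dst)
        if key not in self.conntrack:      # only a new connection hits the chain
            self.conntrack[key] = srcnat(self.rules, src)
        return self.conntrack[key]

    def flush_conntrack(self):
        self.conntrack.clear()


def demo():
    r = Router(OLD_RULES)
    before = r.send("216.168.46.10", "198.51.100.7")  # NATed by the old rule
    r.rules = RYAN_RULES                               # rule edited to 10.0.1.0/24
    stale = r.send("216.168.46.10", "198.51.100.7")   # existing entry still NATed
    r.flush_conntrack()
    after = r.send("216.168.46.10", "198.51.100.7")   # re-evaluated: untranslated
    return before, stale, after


if __name__ == "__main__":
    print(demo())
```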

