davederksen
just joined
Topic Author
Posts: 12
Joined: Wed Jan 24, 2007 8:38 pm

Internal IP's showing up on external port

Fri Nov 12, 2010 7:58 pm

Hey all, this is my first time post. I'll try to keep it as clear as possible, please bear with me.

Why am I seeing internal IP addresses on my external (WAN) port of my router?

My RouterOS (version 3.23) is configured as a gateway, using NAT masquerade to connect my clients on my internal network to one routable static IP address on the WAN side of the network. I also have a number of clients that I have set up one-to-one NAT for (using different static routable IPs).

When I use Torch on the WAN port of my router, I see a number of my dynamic internal IP addresses under the "Dst. Address" listing.

This was brought to my attention by my internet service provider, who said they are seeing my internal traffic on their end, something I'm assuming...is bad.

Any thoughts?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Internal IP's showing up on external port

Fri Nov 12, 2010 8:18 pm

Please post the output of "/ip address print detail", "/ip route print detail", and "/ip firewall nat export".
 
davederksen
just joined
Topic Author
Posts: 12
Joined: Wed Jan 24, 2007 8:38 pm

Re: Internal IP's showing up on external port

Fri Nov 12, 2010 9:07 pm

Please post the output of "/ip address print detail", "/ip route print detail", and "/ip firewall nat export".
Here you go...

Address
 0   address=10.25.0.1/16 network=10.25.0.0 broadcast=10.25.255.255 
     interface=1: NIC Local actual-interface=1: NIC Local 

 1   address=10.75.0.1/16 network=10.75.0.0 broadcast=10.75.255.255 
     interface=1: NIC Local actual-interface=1: NIC Local 

 2   address=209.205.94.98/32 network=209.205.94.97 broadcast=209.205.94.11>
     interface=2: KTI actual-interface=2: KTI

 3   ;;; NIC Server - 10.25.0.5
     address=209.205.94.99/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI

 4   address=10.25.0.2/16 network=10.25.0.0 broadcast=10.25.255.255 
     interface=1: NIC Local actual-interface=1: NIC Local 

 5   ;;; AX - 10.25.2.4
     address=209.205.94.104/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI     
     actual-interface=2: KTI

 6   ;;; AH - 10.25.2.1
     address=209.205.94.105/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI
     actual-interface=2: KTI

 7   ;;; TH
     address=209.205.94.101/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI
     actual-interface=2: KTI 

 8   ;;; EC 1 - 10.25.2.2
     address=209.205.94.102/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI 

 9   ;;; Test
     address=209.205.94.106/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI 

10 X address=209.205.94.107/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI
     actual-interface=2: KTI 

11 X address=209.205.94.108/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI

12   ;;; DB
     address=209.205.94.109/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI
     actual-interface=2: KTI

13 X address=209.205.94.110/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI

14   ;;; EC 2 - 10.25.2.3
     address=209.205.94.103/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI
Route
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=209.205.94.97 interface=2: KTI 
        gateway-state=reachable distance=1 scope=30 target-scope=10 

 1 ADC  dst-address=10.25.0.0/16 pref-src=10.25.0.1 interface=1: NIC Local 
        distance=0 scope=10 

 2 ADC  dst-address=10.75.0.0/16 pref-src=10.75.0.1 interface=1: NIC Local 
        distance=0 scope=10 

 3 ADC  dst-address=209.205.94.97/32 pref-src=209.205.94.98 
        interface=2: KTI distance=0 scope=10 
Firewall
# nov/12/2010 10:54:08 by RouterOS 3.23
# software id = 60GM-89T
#
/ip firewall nat
add action=netmap chain=dstnat comment=RDP disabled=no dst-address=\
    209.205.94.99 to-addresses=10.25.0.4
add action=netmap chain=srcnat comment=RDP disabled=no src-address=\
    10.25.0.4 to-addresses=209.205.94.99
add action=netmap chain=dstnat comment="EC 1" disabled=no \
    dst-address=209.205.94.102 to-addresses=10.25.2.2
add action=netmap chain=srcnat comment="EC 1" disabled=no \
    src-address=10.25.2.2 to-addresses=209.205.94.102
add action=netmap chain=dstnat comment="EC 2" disabled=no \
    dst-address=209.205.94.103 to-addresses=10.25.2.3
add action=netmap chain=srcnat comment="EC 2" disabled=no \
    src-address=10.25.2.3 to-addresses=209.205.94.103
add action=netmap chain=dstnat comment=AX disabled=no dst-address=\
    209.205.94.104 to-addresses=10.25.2.4
add action=netmap chain=srcnat comment=AX disabled=no src-address=\
    10.25.2.4 to-addresses=209.205.94.104
add action=netmap chain=dstnat comment="AH" disabled=no \
    dst-address=209.205.94.105 to-addresses=10.25.2.1
add action=netmap chain=srcnat comment="AH" disabled=no \
    src-address=10.25.2.1 to-addresses=209.205.94.105
add action=netmap chain=dstnat comment=TH disabled=no dst-address=\
    209.205.94.101 to-addresses=10.25.2.8
add action=netmap chain=srcnat comment=TH disabled=no src-address=\
    10.25.2.8 to-addresses=209.205.94.101
add action=netmap chain=dstnat comment="DB" disabled=no \
    dst-address=209.205.94.109 to-addresses=10.25.2.9
add action=netmap chain=srcnat comment="DB" disabled=no \
    src-address=10.25.2.9 to-addresses=209.205.94.109
add action=netmap chain=dstnat comment="Test puter" disabled=no \
    dst-address=209.205.94.106 to-addresses=10.25.2.5
add action=netmap chain=srcnat comment="Test Puter" disabled=no \
    src-address=10.25.2.5 to-addresses=209.205.94.106
add action=masquerade chain=srcnat comment="" disabled=no dst-address=\
    0.0.0.0/0 out-interface="2: KTI" src-address=10.25.0.0/16
add action=masquerade chain=srcnat comment="" disabled=no dst-address=\
    0.0.0.0/0 out-interface="2: KTI" src-address=10.75.0.0/16
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Internal IP's showing up on external port

Fri Nov 12, 2010 9:19 pm

In all your dstnat chain rules, set the action to dst-nat instead of netmap. That should fix your issue.
 
davederksen
just joined
Topic Author
Posts: 12
Joined: Wed Jan 24, 2007 8:38 pm

Re: Internal IP's showing up on external port

Fri Nov 12, 2010 9:40 pm

Hey Guru,

Thanks very much for the quick response! I made the change you suggested, but the problem is still there. Do I need to reboot the router, or wait for a while for the changes to propagate through the system?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Internal IP's showing up on external port

Fri Nov 12, 2010 10:31 pm

It should take effect for new connections immediately, but won't apply to new connections. A reboot would fix that up right quick, or you can wait for connections to expire, or terminate them manually in the IP > Firewall > Connections view.

If you want to make 100% sure internal RFC 1918 IP space doesn't leak outside, you could also add this:
/ip firewall address-list
add list=RFC1918 address=10.0.0.0/8
add list=RFC1918 address=172.16.0.0/12
add list=RFC1918 address=192.168.0.0/16
/ip firewall filter
add chain=forward src-address-list=RFC1918 out-interface="2: KTI" action=drop
It certainly won't hurt as those packets will be dropped by your ISP anyway, and takes effect immediately even for existing connections.
 
davederksen
just joined
Topic Author
Posts: 12
Joined: Wed Jan 24, 2007 8:38 pm

Re: Internal IP's showing up on external port

Sat Nov 13, 2010 5:25 am

Hey Guru,

That last set of instructions cut off all internal access to the internet. Is it possible it should be
/ip firewall filter
add chain=forward dst-address-list=RFC1918 out-interface="2: KTI" action=drop
instead of
/ip firewall filter
add chain=forward src-address-list=RFC1918 out-interface="2: KTI" action=drop
as the dst-address of the WAN port is where the internal IP's are showing up?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Internal IP's showing up on external port

Sat Nov 13, 2010 7:29 am

Whoops, my bad. There is no filtering after source NAT so you cannot use that approach at all. Don't know what I was thinking.

Did a reboot or time fix it?
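The exchange above turns on the order in which RouterOS applies its chains: dstnat (prerouting) first, then the routing decision, then the forward filter, and only then srcnat (postrouting). A forward-chain rule therefore sees the LAN host's private source address, which is why a drop on src-address-list=RFC1918 with out-interface="2: KTI" matches every masqueraded and 1:1-mapped client and cuts off Internet access. Matching on dst-address-list instead catches only packets whose destination is private space and whose route points out the WAN port, which is the case the ISP would actually notice (the source gets translated by srcnat, the private destination does not). The model below is an added illustration, not code from the thread or from MikroTik: it replays the exported 1:1 netmap pairs, the two masquerade rules and the printed routing table through those four stages for a few constructed packets (the hosts 10.25.0.10, 192.168.1.5, 203.0.113.7 and 8.8.8.8 are assumptions). It ignores connection tracking, so it says nothing about why existing connections kept the old translation, and it does not claim to identify the original poster's root cause, which the thread leaves unresolved.

```python
"""Model of the RouterOS packet path for the thread's configuration.

Added example, not the forum's or MikroTik's own code. Order modelled:
dstnat -> routing decision -> forward filter -> srcnat, which is the
order RouterOS uses and the reason a forward-chain rule sees the
pre-srcnat (private) source address. Sample hosts are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Connected LAN prefixes from "/ip route print"; everything else takes the default route.
CONNECTED: Dict[object, str] = {
    ip_network("10.25.0.0/16"): "1: NIC Local",
    ip_network("10.75.0.0/16"): "1: NIC Local",
}
WAN = "2: KTI"
WAN_ADDRESS = "209.205.94.98"          # address masquerade stamps on outbound packets

# 1:1 pairs from the exported nat rules (public -> private).
ONE_TO_ONE = {
    "209.205.94.99": "10.25.0.4", "209.205.94.102": "10.25.2.2",
    "209.205.94.103": "10.25.2.3", "209.205.94.104": "10.25.2.4",
    "209.205.94.105": "10.25.2.1", "209.205.94.101": "10.25.2.8",
    "209.205.94.109": "10.25.2.9", "209.205.94.106": "10.25.2.5",
}
PRIVATE_TO_PUBLIC = {v: k for k, v in ONE_TO_ONE.items()}
MASQ_SOURCES = [ip_network("10.25.0.0/16"), ip_network("10.75.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: Optional[str] = None


def is_private(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


def dstnat(p: Packet) -> Packet:
    """chain=dstnat: rewrite a public 1:1 address to its LAN host."""
    return replace(p, dst=ONE_TO_ONE.get(p.dst, p.dst))


def route(p: Packet) -> Packet:
    """Routing decision: connected prefix if one matches, else default via KTI."""
    a = ip_address(p.dst)
    for net, iface in CONNECTED.items():
        if a in net:
            return replace(p, out_iface=iface)
    return replace(p, out_iface=WAN)


def forward_filter(p: Packet, match_on: Optional[str]) -> bool:
    """chain=forward drop rule: out-interface=KTI plus an RFC1918 address list.

    match_on is "src" (the rule as first posted), "dst" (the corrected
    variant) or None (no rule). Returns True when the packet is allowed.
    """
    if match_on is None or p.out_iface != WAN:
        return True
    addr = p.src if match_on == "src" else p.dst
    return not is_private(addr)


def srcnat(p: Packet) -> Packet:
    """chain=srcnat in export order: the 1:1 netmap rules, then masquerade."""
    if p.out_iface != WAN:
        return p
    if p.src in PRIVATE_TO_PUBLIC:
        return replace(p, src=PRIVATE_TO_PUBLIC[p.src])
    if any(ip_address(p.src) in n for n in MASQ_SOURCES):
        return replace(p, src=WAN_ADDRESS)
    return p


def traverse(p: Packet, filter_match: Optional[str] = None) -> Optional[Packet]:
    """Push one packet through the four stages; None means the filter dropped it."""
    p = route(dstnat(p))
    if not forward_filter(p, filter_match):
        return None
    return srcnat(p)


def leaks_private_address(p: Optional[Packet]) -> bool:
    """What the ISP sees: a packet leaving KTI with a private src or dst."""
    return p is not None and p.out_iface == WAN and (is_private(p.src) or is_private(p.dst))


if __name__ == "__main__":
    samples = {
        "LAN -> Internet": Packet("10.25.0.10", "8.8.8.8", "1: NIC Local"),
        "LAN -> foreign private": Packet("10.25.0.10", "192.168.1.5", "1: NIC Local"),
        "1:1 host -> Internet": Packet("10.25.2.2", "8.8.8.8", "1: NIC Local"),
    }
    for label, pkt in samples.items():
        for rule in (None, "src", "dst"):
            out = traverse(pkt, rule)
            print(f"{label:24} filter={str(rule):5} -> {out}  leak={leaks_private_address(out)}")
```

Run stand-alone, the model shows the "src" rule returning None for every LAN client, the "dst" rule letting normal Internet traffic through while dropping the packet bound for 192.168.1.5, and, with no rule, that same packet leaving KTI masqueraded to 209.205.94.98 but still addressed to a private destination.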
 
davederksen
just joined
Topic Author
Posts: 12
Joined: Wed Jan 24, 2007 8:38 pm

Re: Internal IP's showing up on external port

Sat Nov 13, 2010 7:41 pm

Neither reboot nor time has resolved this issue.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: Internal IP's showing up on external port

Sat Nov 13, 2010 8:12 pm

Someone else seems to have the same problem: http://forum.mikrotik.com/viewtopic.php?f=2&t=46612
