andreimd (Topic Author)

Struggling to get src-nat masquerade to work on hAP AC Lite

Sun May 12, 2024 2:30 am

I have a strange behavior for hAP ac Lite, with the following setup:
Ether1 is connected to the ISP; there is a DHCP client on it that is receiving a public IP address.

Ether3-Ether5 and wlan1-wlan2 are in a bridge and there is a local IP address assigned to the bridge.

There is src-nat with masquerading configured for the WAN interface (Ether1).
The issue I noticed is that the IP packets from Internet resources are going out to the ether1 interface instead of the bridge. Here is a snippet of the log on the IP Firewall NAT rule and IP Filter rule, when a host on LAN (say 192.168.0.142) is pinging a public IP on the Internet:
[attachment: Screenshot 2024-05-12 at 02.15.49.png]
# may/12/2024 02:19:59 by RouterOS 6.49.15
/interface bridge
add admin-mac=2C:C8:1B:24:B4:C3 auto-mac=no comment=defconf name=bridge
add name=bridge1-car
/interface ethernet
set [ find default-name=ether1 ] mac-address=E4:FA:C4:AF:47:0D
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid="Guest" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=auto mode=ap-bridge ssid="Guest"
/interface eoip
add allow-fast-path=no local-address=201.201.107.131 mac-address=02:D5:5E:E0:70:C2 name=eoip-tunnel1-c remote-address=201.201.75.181 tunnel-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=server1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
add name=admin policy=local,ftp,reboot,read,write,test,winbox,password,web,sniff,sensitive,romon,dude,tikapp,!telnet,!ssh,!policy,!api
/interface bridge port
add bridge=bridge1-car comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge1-car interface=eoip-tunnel1-car
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1 comment=defconf interface=bridge network=192.168.0.0
add address=192.168.90.99/24 interface=eoip-tunnel1-car network=192.168.90.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.4.4,8.8.8.8 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept all coming from WAN and ip" in-interface-list=WAN src-address=201.201.75.181
add action=accept chain=input comment="accept all coming from WAN and ip" src-address=192.168.90.0/24
add action=accept chain=input comment="accept all coming from LAN" disabled=yes in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related log=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN to-addresses=178.251.107.131
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes port=12414
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Chisinau
/system logging
add disabled=yes prefix=ipsec topics=ipsec
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1 filter-ip-protocol=udp


What would make the reply IP packets from 8.8.8.8 for local LAN IP 192.168.0.142 go to ether1 (WAN) instead of bridge (LAN)?
Last edited by andreimd on Sun May 12, 2024 12:01 pm, edited 1 time in total.
loloski

Re: src-nat - reply IP packets are forwarded to WAN instead of LAN

Sun May 12, 2024 3:10 am

that's how NAT works: it's a return packet from 8.8.8.8 going to a LAN host, that's why its outgoing interface is ether1, which is your WAN interface, isn't it?
andreimd (Topic Author)

Re: src-nat - reply IP packets are forwarded to WAN instead of LAN

Sun May 12, 2024 9:38 am

> that's how NAT works: it's a return packet from 8.8.8.8 going to a LAN host, that's why its outgoing interface is ether1, which is your WAN interface, isn't it?
The IP packet goes from:

a host on LAN --> bridge interface on hAC --> ether1 on hAC --> ISP --> 8.8.8.8

The reply for the above IP packet comes from the Internet as follows:
8.8.8.8 --> ISP --> ether1 on hAC, and stays on ether1 instead of being forwarded on to the bridge interface of hAC after the destination IP address is changed from the public IP address of ether1 (WAN) to the local IP address (192.168.0.142) of the host on the LAN side of the hAP.

The host 192.168.0.142 doesn't have Internet access even though src NAT is configured on the hAP ac lite. I am troubleshooting that and the nearest I have come around is this fact: for some reason I see the packet with destination IP address 192.168.0.142 still being left on the ether1 WAN interface (please see the logs in the initial post):
forward: in:ether1 out:ether1
jaclaz

Re: Struggling to get src-nat masquerade to work on hAP AC Lite

Sun May 12, 2024 12:15 pm

What do you get with:
/ip route print
?
vingjfg

Re: Struggling to get src-nat masquerade to work on hAP AC Lite  [SOLVED]

Sun May 12, 2024 12:29 pm

First, can you fix the netmask on your bridge interface?
/ip address
   add address=192.168.0.1 comment=defconf interface=bridge network=192.168.0.0
Should be
/ip address
   add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
Second, masquerade implies natting behind the device's IP address, so no to-addresses is needed. Can you fix
/ip firewall nat
   add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN to-addresses=178.251.107.131
so it reads
/ip firewall nat
   add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN
andreimd (Topic Author)

Re: Struggling to get src-nat masquerade to work on hAP AC Lite

Sun May 12, 2024 1:06 pm

> What do you get with:
> /ip route print
> ?
[admin@MikroTik] > ip rou print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          178.251.107.129           1
 1 ADC  201.201.107.128/28 201.201.107.131 ether1                    0
 2 ADC  192.168.0.0/32     192.168.0.1     bridge                    0
 3 ADC  192.168.90.0/24    192.168.90.99   bridge1-car               0
andreimd (Topic Author)

Re: Struggling to get src-nat masquerade to work on hAP AC Lite

Sun May 12, 2024 1:22 pm

> First, can you fix the netmask on your bridge interface?
> /ip address
>    add address=192.168.0.1 comment=defconf interface=bridge network=192.168.0.0
> Should be
> /ip address
>    add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
I fixed the mask to /24 and now the logs show that the response IP packets are sent to the bridge interface, which is the expected behavior. Thanks!
[attachment: Screenshot 2024-05-12 at 13.08.11.png]

> Second, masquerade implies natting behind the device's IP address, so no to-addresses is needed. Can you fix
> /ip firewall nat
>    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN to-addresses=178.251.107.131
> so it reads
> /ip firewall nat
>    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN
For some reason, in Winbox, the properties of the ip firewall nat rule show only the masquerade action, no mention of the to-addresses. However, the terminal still shows to-addresses. How would that be possible?

Just to mention, I haven't tested yet the Internet access for any of the devices on the LAN side of the hAP AC Lite. Will do that in the next few minutes.
[attachment: Screenshot 2024-05-12 at 13.18.31.png]
jaclaz

Re: Struggling to get src-nat masquerade to work on hAP AC Lite

Sun May 12, 2024 1:47 pm

You should consider masquerade as an automated src-nat:
viewtopic.php?t=11368
being automated, you cannot specify to-addresses, but you can use src-nat instead of masquerade to be able to specify that.
andreimd (Topic Author)

Re: Struggling to get src-nat masquerade to work on hAP AC Lite

Sun May 12, 2024 2:34 pm

> You should consider masquerade as an automated src-nat:
> viewtopic.php?t=11368
> being automated, you cannot specify to-addresses, but you can use src-nat instead of masquerade to be able to specify that.
Please see the screenshot in my previous post; doesn't it already use automated src-nat and masquerade?

For some reason, Winbox shows the use of masquerade but the command line shows masquerade and to-addresses.
jaclaz

Re: Struggling to get src-nat masquerade to work on hAP AC Lite

Sun May 12, 2024 4:46 pm

The to-addresses in masquerade is AFAIK in the best case not needed/not used, in the worst case it is part of the issue.

You should have EITHER (advised at the moment):
/ip firewall nat
   add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN
the action=masquerade will "decide" automatically the to-addresses value, using the IP given to the out-interface(s), in your case your ether1 is the only out interface belonging to WAN and very likely it gets the 178.251.107.131 address through the DHCP client from a DHCP server on your gateway at IP 178.251.107.129
OR (if really-really needed):
/ip firewall nat
   add action=src-nat chain=srcnat comment="myconf: src-nat" ipsec-policy=out,none log=yes out-interface-list=WAN to-addresses=178.251.107.131
It is possible that the "to-addresses=178.251.107.131" is actually added automatically in the settings or in the export, in the ROS version you are running, cannot say.
All the exports of /ip firewall nat I have seen with masquerade have no "to-addresses", however.

Anyway, try removing it.

BTW, is the thingy working now?
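Worked example added here (not code from the thread or from MikroTik), covering both vingjfg's netmask fix and jaclaz's note on masquerade and to-addresses. It is a small Python checker that parses a RouterOS-style export, derives the connected routes the way RouterOS does (an address exported with no prefix length is a /32, which is exactly the `192.168.0.0/32 ... bridge` line in the route print above), runs a longest-prefix lookup for the LAN host 192.168.0.142 against the broken and the fixed configuration, and flags the two lines the replies object to. The exports inside it are constructed from the lines quoted in the thread; the ether1 address is written in explicitly rather than learned from DHCP, and the default route is assumed to point at ether1.

```python
"""Added example (not from the thread or from MikroTik): read a RouterOS export,
derive the connected routes the way RouterOS does, and show why a bridge address
exported without a prefix length sends LAN return traffic back out ether1."""
import ipaddress
import shlex

# Constructed excerpts modelled on the two lines the replies point at. The WAN
# address is normally DHCP-learned and absent from an export; it is written
# here explicitly (constructed values) so the lookup has something to match.
EXPORT_BROKEN = """\
# constructed export, before the fix
/ip address
add address=192.168.0.1 comment=defconf interface=bridge network=192.168.0.0
add address=201.201.107.131/28 interface=ether1 network=201.201.107.128
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" log=yes out-interface-list=WAN to-addresses=178.251.107.131
"""

EXPORT_FIXED = """\
# constructed export, after the fix
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
add address=201.201.107.131/28 interface=ether1 network=201.201.107.128
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" log=yes out-interface-list=WAN
"""


def parse_export(text):
    """Parse a RouterOS export into {section: [{key: value, ...}, ...]}.
    Only 'add' lines are kept; 'set' lines play no role in this check."""
    sections = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        tokens = shlex.split(line)  # keeps comment="defconf: masquerade" together
        if section is not None and tokens and tokens[0] == "add":
            entry = {}
            for tok in tokens[1:]:
                key, _, value = tok.partition("=")
                entry[key] = value
            sections[section].append(entry)
    return sections


def connected_routes(sections):
    """Connected routes as RouterOS derives them from /ip address: an address
    with no prefix length is a /32, so only the router's own IP is on-link."""
    routes = []
    for entry in sections.get("/ip address", []):
        iface = ipaddress.ip_interface(entry["address"])
        routes.append((iface.network, entry["interface"]))
    return routes


def lookup(dst, routes, default_iface="ether1"):
    """Longest-prefix match over the connected routes, falling back to the
    default route (assumed here: the DHCP-learned 0.0.0.0/0 via ether1)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else default_iface


def lint(sections):
    """Flag the two configuration problems the replies in the thread point at."""
    findings = []
    for entry in sections.get("/ip address", []):
        if "/" not in entry["address"]:
            findings.append(
                f"/ip address {entry['address']} on {entry['interface']} has no "
                f"prefix length and is treated as /32")
    for entry in sections.get("/ip firewall nat", []):
        if entry.get("action") == "masquerade" and "to-addresses" in entry:
            findings.append(
                f"srcnat masquerade rule carries to-addresses={entry['to-addresses']}; "
                f"masquerade picks the out-interface address by itself")
    return findings


if __name__ == "__main__":
    for label, export in (("broken", EXPORT_BROKEN), ("fixed", EXPORT_FIXED)):
        cfg = parse_export(export)
        out = lookup("192.168.0.142", connected_routes(cfg))
        print(f"{label}: reply to 192.168.0.142 leaves via {out}")
        for finding in lint(cfg):
            print(f"{label}: {finding}")
```

With the /32 address the LAN host matches no connected route, so the de-NATed reply follows the default route and the firewall log shows `forward: in:ether1 out:ether1`; with /24 the same lookup returns the bridge.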
andreimd (Topic Author)

Re: Struggling to get src-nat masquerade to work on hAP AC Lite

Sun May 12, 2024 4:51 pm

> The to-addresses in masquerade is AFAIK in the best case not needed/not used, in the worst case it is part of the issue.
>
> You should have EITHER (advised at the moment):
> /ip firewall nat
>    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN
> the action=masquerade will "decide" automatically the to-addresses value, using the IP given to the out-interface(s), in your case your ether1 is the only out interface belonging to WAN and very likely it gets the 178.251.107.131 address through the DHCP client from a DHCP server on your gateway at IP 178.251.107.129
> OR (if really-really needed):
> /ip firewall nat
>    add action=src-nat chain=srcnat comment="myconf: src-nat" ipsec-policy=out,none log=yes out-interface-list=WAN to-addresses=178.251.107.131
> It is possible that the "to-addresses=178.251.107.131" is actually added automatically in the settings or in the export, in the ROS version you are running, cannot say.
> All the exports of /ip firewall nat I have seen with masquerade have no "to-addresses", however.
>
> Anyway, try removing it.
>
> BTW, is the thingy working now?
Yes, thanks for the tip about the missing subnet mask in IP Addresses on the bridge interface. Devices on the LAN have Internet access.

Anything else you have advised in your reply I will check and try in a few hours, then will provide feedback.

Thanks!
jaclaz

Re: Struggling to get src-nat masquerade to work on hAP AC Lite

Sun May 12, 2024 5:44 pm

> Yes, thanks for the tip about the missing subnet mask in IP Addresses on the bridge interface. Devices on the LAN have Internet access.
You should thank vingjfg, it was him spotting that incorrect line, I only tried to give some context to the "masquerade" possible issue.
Happy things are working now. :)
andreimd (Topic Author)

Re: Struggling to get src-nat masquerade to work on hAP AC Lite

Mon May 13, 2024 12:43 am

> First, can you fix the netmask on your bridge interface?
> /ip address
>    add address=192.168.0.1 comment=defconf interface=bridge network=192.168.0.0
> Should be
> /ip address
>    add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
> Second, masquerade implies natting behind the device's IP address, so no to-addresses is needed. Can you fix
> /ip firewall nat
>    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN to-addresses=178.251.107.131
> so it reads
> /ip firewall nat
>    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN
Thank you very much for the advice to fix the net mask on the bridge device; this was the main issue why the src-nat was not working properly and the return IP packets with changed destination address were delivered on the WAN interface instead of the LAN interface.
