action=dst-nat NOT working

supermega · September 25, 2011, 6:17pm

Hi,

I’m using MT 5.7 on 711-5Hn-MMCX.

/system reset-configuration
On startup: Remove (default) configuration.
Add bridge1 with ports: ether1, wlan1 and IP address on bridge1 interface.
/interface bridge nat add chain=dstnat action=dst-nat to-dst-mac-address=MAC2 src-mac-address=MAC1/ff:ff:ff:ff:ff:ff
Monitor on MAC2 with tcpdump
Ping a host behind this MT.

I want all traffic from MAC1 to any host behind the MT to be redirected to MAC2. Instead it is dropped. No traffic arrives at MAC1. It’s not an ARP problem - ping is lost right after adding the rule.

That’s the simplest rule of dst-nat and I guess it’s just a bug. Correct me.

WirelessRudy · September 25, 2011, 7:03pm

Well, I don’t know. All your router’s interfaces are bridged. So all (mac) traffic passes. The whole dst-nat has no meaning imho.

supermega · September 25, 2011, 10:07pm

http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
“dstnat - used for redirecting some pakets to another destinations”

I forgot to tell that the traffic is dropped.

WirelessRudy · September 25, 2011, 10:22pm

Bringing both interfaces in a bridge means all packets pass router transparent like both connected LAN’s are part of one big LAN. So packages travel from one mac to another like in one big network.

The setting for nat is only valid if you would have another interface that is outside the bridge, and thus routed, and a package with destination to that ´non-bridged´ interface has to get another mac. That how it works imho.

fewi · September 25, 2011, 10:39pm

He’s using bridge NAT: http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_NAT

supermega, can you post your configuration rather than describe it, together with a network diagram that shows links and devices with their ports, IPs, and MACs labeled? The configuration should include, at minimum, the output of “/interface bridge export” and “/interface print detail”.

WirelessRudy · September 25, 2011, 11:20pm

Maybe he forgot to enable the bridge firewall:
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=

But what is the purpose of using a bridge if you actually are routing all traffic from certain mac/IP to one other mac/IP?
In bridge all traffic is still broadcast over the whole network? Even the answer from the recipient is broadcast LAN wide again.
Would it not more economic to use the router as router to do this? But maybe indeed it depends on how his network is setup and how much traffic he has to deviate.

supermega · September 26, 2011, 2:28am

# jan/02/1970 00:04:21 by RouterOS 5.7
# software id = T585-J63M
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    disabled=no forward-delay=15s l2mtu=1600 max-message-age=20s mtu=1500 \
    name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface bridge nat
add action=dst-nat chain=dstnat disabled=no src-mac-address=\
    00:1A:4D:9E:03:B0/FF:FF:FF:FF:FF:FF to-dst-mac-address=00:02:A5:4E:44:A9 
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan1 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether1 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no

Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="wlan1" type="wlan" mtu=1500 l2mtu=2290 

 1  R  name="ether1" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=4076 

 2  R  name="bridge1" type="bridge" mtu=1500 l2mtu=1600

LAN — MT — CPE

Hosts on LAN:
10.1.0.1 (00:02:a5:4e:44:a9) - tcpdump
10.1.0.5 (00:1A:4D:9E:03:B0) - ping

MT has 10.1.0.200 on bridge1, output config above is from this one
CPE has 10.1.0.201 on bridge1, mode: station-bridge

I need this for broadcast separation. This is not my final configuration - I would rather redirect all traffic not from whitelisted MACs.

fewi · September 26, 2011, 2:41am

Is there anything in the IP firewall that could block traffic?

Also, this is a shot in the dark - I don’t have much experience with bridge NAT - but I vaguely remember seeing somewhere that the admin MAC should be set for bridge filters and NAT. Can you try setting a locally administered MAC address on that?

Otherwise that looks good to me. I wouldn’t scream bug - it’s unlikely you’ve hit a bug. Misconfiguration is more likely, though right now I’m unfortunately not seeing it.

supermega · September 26, 2011, 2:49am

No IP firewall rules, 100% default config with changes stated.

MAC filtering itself works - action=drop/accept/jump/return. In this configuration traffic is dropped.

I’ve set admin MAC - no change.

add admin-mac=11:0C:42:BF:67:19 ageing-time=5m arp=enabled auto-mac=no disabled=no forward-delay=15s l2mtu=1600 \
    max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface bridge nat
add action=dst-nat chain=dstnat disabled=no src-mac-address=00:1A:4D:9E:03:B0/FF:FF:FF:FF:FF:FF to-dst-mac-address=\
    00:02:A5:4E:44:A9
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=wlan1 path-cost=10 point-to-point=auto \
    priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 path-cost=10 point-to-point=auto \
    priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

kirshteins · September 26, 2011, 6:31am

Bridge Dst-NAT works fine for me. Are counters increasing for this rule? How do you determine that packets get dropped and where they get dropped?

supermega · September 26, 2011, 11:33am

Counters are increased.

Flags: X - disabled, I - invalid, D - dynamic 
 #   CHAIN                           ACTION                 BYTES         PACKETS
 0   dstnat                          dst-nat                 4554              99

I determinate by observing ping - it’s lost when I activate the rule. What you mean where?

LAN — MT — CPE — WLAN-HOST

I’ve done some more tests: when I ping WLAN-HOST and dnat to CPE MAC it’s redirected well - packets go to CPE and then are forwarded in layer 3 to WLAN-HOST. Main difference with this setup is that output interface for dst-nated packet isn’t changed, while in previous setup it was changed from wlan1 to ether1.

kirshteins, do you also use dst-nat to change destination interface?

supermega · September 27, 2011, 5:22pm

Still get no results for dst-nat. Thing is, it’s very simple to reproduce by anyone who has any MT device. Commands below are for devices with at least 2 ethernet ports, otherwise you need to change ether2 for example to wlan1.

/system reset-configuration no-defaults=yes skip-backup=yes
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge nat add chain=dstnat action=dst-nat to-dst-mac-address=DST_MAC dst-mac-address=!FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF mac-protocol=!arp

Comments:
dst-mac-address=!FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF - not to lose communication with MT (connecting to MAC address is via broadcast)
mac-protocol=!arp - to be sure that problem is not arp issue
DST_MAC - is MAC of a device able to monitor traffic: tcpdump, Wireshark, MT with Torch, etc.

Now we ping any host behind the MT:

When out-interface is different from in-interface - redirection works OK.
When out-interface is same as in-interface - packets are dropped.

Topology:
1a. Pinging host on ether1, monitoring host on ether2, pinged host on ether2
1b. Pinging host on ether1, monitoring host on ether3, pinged host on ether2
2. Pinging host and monitoring host on same interface.
supout.rif.zip (193 KB)