Setup: Router as a normal router doing NAT from internal to external.
Internal network: 10.212.1.x
External Network: 68.116.x.x (charter subscriber)
Some NAT and Firewall rules.
Problem: Most NAT rules work as they should. Remote RDP users can log in, and other services work as expected. EXCEPT incoming packets with a destination port of 2143 and a source IP of 208.99.245.17. THESE specific packets vanish somewhere between the MANGLE PREROUTING and NAT FORWARD chains.
I have a MANGLE rule set up to mark these specific packets, and its counter increases when I send packets.
I then have a very generic NAT rule, which simply does an action based on the packet mark. Its counter NEVER increases.
I also have some firewall rules, but I’m watching those counters as well, and they are not increasing. Not even the default drop-all rule, so I know the packet isn’t being dropped at a firewall.
I’ve tried putting the NAT rule at the top of the list, at the bottom of the list, etc. No matter where, its counter never increases.
So, is there a feature to trace what happens to a specific packet? Or what happens to all packets with a certain mangle-mark?
Thanks!
Chances are, based off of your description, that it could be getting remarked further down the chain and causing the issue you are seeing. Try setting passthrough=no for the mangle rule if it’s not already and see what happens.
If not, post your firewall rules so people can look over them and see if they can spot something.
The passthrough check box makes no difference, checked or unchecked.
Here are my enabled ip filters:
# may/01/2012 16:04:10 by RouterOS 4.2
# software id = X6LQ-UZQV
#
/ip firewall filter
add action=accept chain=forward comment="Accept people from OUR office" disabled=no dst-address=10.212.1.113 src-address=\
10.212.0.0/16
add action=accept chain=forward comment="Accept the knockers - ADD COME IN FILTER" disabled=no dst-address=10.212.1.113 src-address=\
0.0.0.0/0
add action=drop chain=forward comment="Drop Anything Else To RDP" disabled=no dst-address=10.212.1.113
add action=accept chain=forward comment="Accept SW21 REMOTE" disabled=no dst-port=2143 protocol=tcp src-address=208.99.245.17
add action=accept chain=input comment="Allow VPN" disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input comment="Accept PING" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="" connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="" disabled=no in-interface=ether1-gateway
Thanks for looking. This one has me baffled.
Yeah, I realize I don’t need the two rules that accept packets heading for 10.212.1.113; that was part of an earlier experiment, and I’ve tried testing with these rules disabled, but it makes no difference. No IP FIREWALL FILTERS packet counts go up when the mangle-marked packets are being dropped.
Are you actually marking with packet marks or routing marks? If so are the relevant Forward or NAT entries also looking for those marks?
It might be useful to see the Mangle and NAT entries too.
Sure thing. I’ll grab those and get them up when I can.
Here are my mangle rules
# may/02/2012 08:22:52 by RouterOS 4.2
# software id = X6LQ-UZQV
#
/ip firewall mangle
add action=mark-connection chain=prerouting comment="" disabled=yes new-connection-mark=JeffsHouse passthrough=yes port=80 protocol=tcp src-address=\
10.212.1.165
add action=set-priority chain=prerouting comment="Prioritize Pings" disabled=no new-priority=2 passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting comment="voip tos 24" disabled=no dscp=46 new-packet-mark=VoIP passthrough=no
add action=mark-packet chain=prerouting comment="VoIP RTP PORTS" disabled=no new-packet-mark=VoIP passthrough=no port=10000-36000 protocol=udp
add action=mark-connection chain=prerouting comment=SWRemote disabled=no dst-port=2143 new-connection-mark=SW21remote passthrough=no protocol=tcp \
src-address=208.99.245.17
And here are my NAT rules (with x.x.x.x being my external IP address).
# may/02/2012 08:24:06 by RouterOS 4.2
# software id = X6LQ-UZQV
#
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=59122 protocol=tcp to-addresses=10.212.1.122 to-ports=59122
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=15900 protocol=tcp to-addresses=10.212.1.124 to-ports=5900
add action=dst-nat chain=dstnat comment="SW21 Remote Admin" disabled=no packet-mark=SWRemote to-addresses=10.212.1.114
add action=dst-nat chain=dstnat comment="Port Knocking to .1.250" disabled=no dst-port=54321,52134,50198,53891 protocol=udp to-addresses=10.212.1.250
add action=dst-nat chain=dstnat comment=VNC disabled=no dst-address=x.x.x.x dst-port=12123 protocol=tcp to-addresses=10.212.1.123 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=12124 protocol=tcp to-addresses=10.212.1.124 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=12125 protocol=tcp to-addresses=10.212.1.125 to-ports=3389
add action=dst-nat chain=dstnat comment=RDP disabled=no dst-address=x.x.x.x dst-port=12113 protocol=tcp to-addresses=10.212.1.113 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=12122 protocol=tcp to-addresses=10.212.1.122 to-ports=3389
add action=dst-nat chain=dstnat comment="HTTP - CAMS" disabled=no dst-address=x.x.x.x protocol=tcp to-addresses=10.212.1.117 to-ports=80
add action=dst-nat chain=dstnat comment=HTTP-CAMS-VID disabled=no dst-address=x.x.x.x dst-port=17300-17320 protocol=udp to-addresses=10.212.1.117 \
to-ports=17300-17320
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x protocol=tcp to-addresses=10.212.1.117 to-ports=4550
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=5550 protocol=tcp to-addresses=10.212.1.117 to-ports=5550
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=3663 protocol=tcp to-addresses=10.212.1.117 to-ports=3663
add action=dst-nat chain=dstnat comment=VOIP disabled=no dst-address=x.x.x.x dst-port=5060 protocol=tcp to-addresses=10.212.1.200 to-ports=5060
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=5060 protocol=udp to-addresses=10.212.1.200 to-ports=5060
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=10000-36000 protocol=udp to-addresses=10.212.1.200
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=4569 protocol=udp to-addresses=10.212.1.200
add action=dst-nat chain=dstnat comment="Multiplier System" disabled=no dst-address=x.x.x.x dst-port=50080 protocol=tcp to-addresses=10.212.1.115 \
to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.x.x.x dst-port=8554 protocol=tcp to-addresses=10.212.1.117 to-ports=8554
Just to recap, the packets get marked via the mangle rule, then vanish right after that (with or without ‘passthrough’ checked). I can see the packets with TORCH on the gateway interface coming in, and I can capture them with the packet sniffer on the gateway interface as well.
Thanks for any tips!
You are marking your SWRemote packets in the forward chain, that happens after dst-nat and that is why the counter is never increasing. NAT has already happened before the packets are marked.
http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram
Move that mangle rule to prerouting and it should start to work like you expect it to.
Thanks for looking.
add action=mark-connection chain=prerouting comment=SWRemote disabled=no dst-port=2143 new-connection-mark=SW21remote passthrough=no protocol=tcp \
src-address=208.99.245.17
You mean that the above rule is actually marking it in the forward chain, even though it is set to 'prerouting' already?
The mangle rule is already set to prerouting (as quoted from my mangle rules). The FIREWALL filter rule is on the 'forward' chain, so I can see how it wouldn't be affecting anything one way or the other.
Did I miss something?
The mangle rule is setting connection mark SW21remote.
The NAT rule is looking for packet mark SWRemote.
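A configuration-audit check for the mismatch diagnosed in this answer, added here as an example (it is not from the thread or from MikroTik): it parses a RouterOS export, collects every packet-mark and connection-mark that a mangle rule sets, and reports any NAT or filter rule that matches on a mark of a kind and name that nothing ever sets. The export text below is constructed and abridged from the rules in this thread.

```python
import shlex

# Constructed sample export: mangle sets *connection* mark SW21remote, but the
# NAT rule matches *packet* mark SWRemote, the exact mismatch from the thread.
SAMPLE_EXPORT = """
/ip firewall mangle
add action=mark-packet chain=prerouting comment="VoIP RTP PORTS" new-packet-mark=VoIP passthrough=no port=10000-36000 protocol=udp
add action=mark-connection chain=prerouting comment=SWRemote dst-port=2143 new-connection-mark=SW21remote passthrough=no protocol=tcp \\
    src-address=208.99.245.17
/ip firewall nat
add action=dst-nat chain=dstnat comment="SW21 Remote Admin" packet-mark=SWRemote to-addresses=10.212.1.114
add action=dst-nat chain=dstnat comment=RTP packet-mark=VoIP to-addresses=10.212.1.200
/ip firewall filter
add action=accept chain=forward comment="RTP (wrong mark type)" connection-mark=VoIP
"""

def parse_export(text):
    """Return a list of (section, {key: value}) for each 'add' line, joining backslash continuations."""
    rules, section, logical = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # RouterOS export wraps long rules with a trailing backslash
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.startswith("/"):
            section = logical
        elif logical.startswith("add "):
            kv = dict(tok.partition("=")[::2] for tok in shlex.split(logical[4:]))
            rules.append((section, kv))
        logical = ""
    return rules

def find_mark_mismatches(text):
    """Return (section, comment, mark kind, mark name, same name exists as the other kind) per bad rule."""
    rules = parse_export(text)
    defined = {kind: {kv["new-" + kind] for s, kv in rules if s.endswith("mangle") and "new-" + kind in kv}
               for kind in ("packet-mark", "connection-mark")}
    problems = []
    for section, kv in rules:
        if section.endswith("mangle"):
            continue
        for kind, names in defined.items():
            name = kv.get(kind)
            if name and name not in names:
                other = "connection-mark" if kind == "packet-mark" else "packet-mark"
                problems.append((section, kv.get("comment", ""), kind, name, name in defined[other]))
    return problems
```

Run it against a real `/export` to catch a rule that keys on a mark no mangle rule produces; a True in the last field means a mark of the other kind has that name, i.e. mark-packet and mark-connection were probably confused.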
Thank you! It was something simple.
Pardon me while I chew on a pencil in a corner for a while… I like it when the solution is simple!