I have found a strange thing:
RouterOS doesn't do NAT correctly for all LAN traffic.
For example (see schema NAT-problem.jpeg and 192-168-0-0_16_new in the attachment),
in 192-168-0-0_16_new you can see outgoing packets with src address 192.168.0.0/16,
for example:
23:35:42.238882 IP 192.168.215.43.4864 > 81.176.235.143.80: F 0:0(0) ack 1 win 65535
23:35:42.238887 IP 192.168.215.43.4867 > 81.177.141.153.80: F 0:0(0) ack 1 win 65535
23:35:42.294745 IP 192.168.214.136.65062 > 81.177.141.150.80: F 0:0(0) ack 1 win 64800
These packets must not be on the WAN interface.
In BRAS - where pppoes go via NAT - BRAS does not NAT all packets - so on the BGP
router on ether5 I can see local addresses (clients' pppoe) which might be
NATed on BRAS - see the attachment of the dump on ether5 of the BGP router - on this
router there must not be any local addresses - because in BRAS I have such NAT
rules:
25 chain=srcnat action=src-nat to-addresses=91.215.232.172
    src-address=192.168.100.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
27 chain=srcnat action=src-nat to-addresses=91.215.232.171
    src-address=192.168.200.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
29 chain=srcnat action=src-nat to-addresses=91.215.232.170
    src-address=192.168.201.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
31 chain=srcnat action=src-nat to-addresses=91.215.232.169
    src-address=192.168.202.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
33 chain=srcnat action=src-nat to-addresses=91.215.232.168
    src-address=192.168.203.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
35 chain=srcnat action=src-nat to-addresses=91.215.232.166
    src-address=192.168.204.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
37 chain=srcnat action=src-nat to-addresses=91.215.232.165
    src-address=192.168.205.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
39 chain=srcnat action=src-nat to-addresses=91.215.232.173
    src-address=192.168.206.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
41 chain=srcnat action=src-nat to-addresses=91.215.232.163
    src-address=192.168.207.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
43 chain=srcnat action=src-nat to-addresses=91.215.232.176
    src-address=192.168.209.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
    out-interface=ether1
44 chain=srcnat action=src-nat to-addresses=91.215.232.176
    src-address=192.168.210.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
    out-interface=ether1
46 chain=srcnat action=src-nat to-addresses=91.215.232.178
    src-address=192.168.211.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
    out-interface=ether1
47 chain=srcnat action=src-nat to-addresses=91.215.232.179
    src-address=192.168.213.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
    out-interface=ether1
48 chain=srcnat action=src-nat to-addresses=91.215.232.178
    src-address=192.168.212.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
    out-interface=ether1
49 chain=srcnat action=src-nat to-addresses=91.215.232.180
    src-address=192.168.214.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
    out-interface=ether1
50 chain=srcnat action=src-nat to-addresses=91.215.232.181
    src-address=192.168.215.0/24 dst-address=0.0.0.0/0
    dst-address-list=!lokalka
    out-interface=ether1
52 chain=srcnat action=src-nat to-addresses=91.215.232.163
    src-address=192.168.230.0/24 dst-address=91.215.232.0/22
    dst-address-list=!lokalka
    out-interface=ether1
53 chain=srcnat action=src-nat to-addresses=92.42.8.210
    src-address=192.168.230.0/24 dst-address=!91.215.232.0/22
    dst-address-list=!lokalka
    out-interface=ether1
So here you can see that all NAT rules are correct, but not all clients'
traffic is NATed by BRAS (RouterOS 5.0 7rc was on BRAS when I dumped this
traffic - the same situation with version 4.11 and with version 3.30 on BRAS).
What am I doing wrong when making rules for NATing?
Can anyone who uses SNAT make a dump on WAN and look around?
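
One way to check a WAN capture like the one quoted above against the srcnat rules, as an added example that is not part of the original post: it parses tcpdump lines in the format shown, flags packets that still carry a private source address, and reports the TCP flags and the rule that covers that source. The function name `find_untranslated` and the fourth sample line are assumptions made for the illustration.

```python
import ipaddress
import re

# Two srcnat rules copied from the post: (rule number, src-address, to-addresses).
NAT_RULES = [
    (49, "192.168.214.0/24", "91.215.232.180"),
    (50, "192.168.215.0/24", "91.215.232.181"),
]

# The first three lines are the tcpdump output quoted in the post; the last
# one is constructed to show what a correctly translated packet looks like.
WAN_DUMP = """\
23:35:42.238882 IP 192.168.215.43.4864 > 81.176.235.143.80: F 0:0(0) ack 1 win 65535
23:35:42.238887 IP 192.168.215.43.4867 > 81.177.141.153.80: F 0:0(0) ack 1 win 65535
23:35:42.294745 IP 192.168.214.136.65062 > 81.177.141.150.80: F 0:0(0) ack 1 win 64800
23:35:42.300000 IP 91.215.232.181.4870 > 81.177.141.150.80: S 0:0(0) win 65535
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>\S+)"
)

def find_untranslated(dump, rules=NAT_RULES):
    """Return one record per WAN packet that still carries a private source."""
    nets = [(num, ipaddress.ip_network(src), to) for num, src, to in rules]
    leaks = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 TCP/UDP line in this tcpdump format
        src = ipaddress.ip_address(m["src"])
        if not src.is_private:
            continue  # public source: translated, or never needed NAT
        # Which srcnat rule covers this source, and what should it have become?
        rule = next(((n, to) for n, net, to in nets if src in net), (None, None))
        leaks.append({"ts": m["ts"], "src": str(src), "dst": m["dst"],
                      "flags": m["flags"], "rule": rule[0], "expected_src": rule[1]})
    return leaks

if __name__ == "__main__":
    for leak in find_untranslated(WAN_DUMP):
        print("{ts} {src} -> {dst} flags={flags} "
              "covered by rule {rule}, expected source {expected_src}".format(**leak))
```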
