CCR-1036, NAT translation bug?

Hi all!

I have a MikroTik CCR-1036 with RouterOS 6.13.

We use src NAT (from 10.10.0.0 to 91.233.x.x, in VLAN 719), and it looks like some packets are bypassing NAT.

This is the configuration:

[lisena@MikroTik-1] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=91.233.219.xx9
src-address-list=seo1 out-interface=V719

1 chain=srcnat action=src-nat to-addresses=91.233.219.xx9
src-address-list=seo2 out-interface=V719

2 chain=srcnat action=src-nat to-addresses=91.233.219.xx0
src-address-list=dev out-interface=V719

3 chain=srcnat action=src-nat to-addresses=91.233.219.xx0
src-address-list=office out-interface=V719

4 chain=srcnat action=src-nat to-addresses=91.233.219.xx1
src-address-list=guest_net out-interface=V719
[lisena@MikroTik-1] /ip firewall nat>



[lisena@MikroTik-1] /interface vlan> print
Flags: X - disabled, R - running, S - slave

NAME MTU ARP VLAN-ID INTERFACE

0 R V718 1500 enabled 718 bond1
1 R V719 1500 enabled 719 bond1




and after that, I have packets with src address 10.10.16.0.

Here is data from the packet sniffer on the MikroTik:

[lisena@MikroTik-1] /tool sniffer> quick interface=bond1 direction=tx
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE
bond1 4.6 32700 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.6 32701 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.6 32702 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.6 32703 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.6 32704 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.6 32705 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.6 32706 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.6 32707 → 4C:5E:0C:23:E6:A8 00:24:C4:74:38:BF 719 91.233.219.210:59925 54.225.70.39:443 (https) ip:tcp 58
bond1 4.6 32708 → 4C:5E:0C:23:E6:A8 00:24:C4:74:38:BF 719 91.233.219.210:59925 54.225.70.39:443 (https) ip:tcp 58
bond1 4.601 32709 → 4C:5E:0C:23:E6:A8 00:24:C4:74:38:BF 719 91.233.219.210:59925 54.225.70.39:443 (https) ip:tcp 58
bond1 4.602 32710 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 69.171.247.29:443 (https) 10.10.12.142:59917 ip:tcp 127
bond1 4.602 32711 → 4C:5E:0C:23:E6:A8 00:24:C4:74:38:BF 719 10.10.16.54:60760 111.221.74.18:80 (http) ip:tcp 58
bond1 4.603 32712 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.603 32713 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.603 32714 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.603 32715 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.603 32716 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.603 32717 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.603 32718 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 54.225.70.39:443 (https) 10.10.10.204:59925 ip:tcp 1518
bond1 4.603 32719 → 4C:5E:0C:23:E6:A8 00:24:C4:74:38:BF 719 91.233.219.209:62042 79.165.232.60:61252 ip:udp 49




Updating the software from 6.5 to 6.13 did not help :frowning:

Any ideas?

Can I suggest not using print but export?

Also export the address lists as well.

Hey, AlexS!
This is the export:

/ip firewall address-list
add address=10.10.10.0/23 list=office
add address=10.10.12.0-10.10.14.255 list=dev
add address=10.10.10.115 list=seo1
add address=10.10.10.117 list=seo2
add address=10.10.16.0/24 list=guest_net
/ip settings
set send-redirects=no
/ip firewall nat
add action=src-nat chain=srcnat out-interface=V719 src-address-list=seo1
to-addresses=91.233.219.209
add action=src-nat chain=srcnat out-interface=V719 src-address-list=seo2
to-addresses=91.233.219.209
add action=src-nat chain=srcnat out-interface=V719 src-address-list=dev
to-addresses=91.233.219.210
add action=src-nat chain=srcnat out-interface=V719 src-address-list=office
to-addresses=91.233.219.210
add action=src-nat chain=srcnat out-interface=V719 src-address-list=guest_net
to-addresses=91.233.219.211



/interface vlan
add interface=bond1 name=V718 vlan-id=718
add interface=bond1 name=V719 vlan-id=719


In the forward chain add action=drop chain=forward connection-state=invalid.

Some programs tend to send more packets after closing a connection, so when the connection is removed from the connection tracking table, those packets will not be NATted anymore.

Adding a rule that drops invalid packets will remove these for good.
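A defender-side check for the symptom described in this thread, added here as an example and not code from the thread or from MikroTik: it parses /tool sniffer quick lines (a constructed sample modelled on the output posted above), reports packets leaving on VLAN 719 with a private source address, and shows which exported address list each leaked source would have matched, so the rule existed but the packet was never translated. The address-list entries and the WAN VLAN number are taken from the export in this thread; the parsing helpers and their names are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample, modelled on the /tool sniffer quick output in the thread.
SNIFFER_LINES = """\
bond1 4.6 32707 → 4C:5E:0C:23:E6:A8 00:24:C4:74:38:BF 719 91.233.219.210:59925 54.225.70.39:443 (https) ip:tcp 58
bond1 4.602 32710 → 00:00:5E:00:01:02 00:24:C4:74:38:BF 718 69.171.247.29:443 (https) 10.10.12.142:59917 ip:tcp 127
bond1 4.602 32711 → 4C:5E:0C:23:E6:A8 00:24:C4:74:38:BF 719 10.10.16.54:60760 111.221.74.18:80 (http) ip:tcp 58
bond1 4.603 32719 → 4C:5E:0C:23:E6:A8 00:24:C4:74:38:BF 719 91.233.219.209:62042 79.165.232.60:61252 ip:udp 49
"""
# Address-list entries as exported in the thread (CIDR, range and single-host forms).
ADDRESS_LISTS = {
    "office": "10.10.10.0/23",
    "dev": "10.10.12.0-10.10.14.255",
    "seo1": "10.10.10.115",
    "seo2": "10.10.10.117",
    "guest_net": "10.10.16.0/24",
}
WAN_VLAN = "719"  # the src-nat rules apply on out-interface=V719
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")  # ip:port token

def parse_line(line):
    """Return (vlan, src_ip, dst_ip, proto) from one sniffer quick line (assumed helper)."""
    tokens = line.split()
    vlan = tokens[6]  # the column after the two MAC addresses
    endpoints = [m.group(1) for t in tokens if (m := ENDPOINT.match(t))]
    proto = next(t for t in tokens if t.startswith("ip:"))
    return vlan, endpoints[0], endpoints[1], proto

def in_list(ip, spec):
    """Match an address against a RouterOS list entry: CIDR, a-b range or single host."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def find_leaks(text):
    """Packets leaving on the WAN VLAN with a private source were never src-NATted."""
    leaks = []
    for line in text.splitlines():
        vlan, src, dst, proto = parse_line(line)
        if vlan != WAN_VLAN or not ipaddress.ip_address(src).is_private:
            continue
        lists = [name for name, spec in ADDRESS_LISTS.items() if in_list(src, spec)]
        leaks.append({"src": src, "dst": dst, "proto": proto, "lists": lists})
    return leaks
```

Running find_leaks(SNIFFER_LINES) flags only the 10.10.16.54 packet, which matches guest_net, so the NAT rule for that list was in place but the packet bypassed it, consistent with a connection already gone from the tracking table.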

Not sure about this

add address=10.10.12.0-10.10.14.255 list=dev

you can do this
add address=10.10.12.0/24 list=dev
add address=10.10.13.0/24 list=dev
add address=10.10.14.0/24 list=dev



But that's not the problem in your example.


Something similar is working for me


What I would do:
connect twice to the router
Window 1) sniff on V718 for IP address 10.10.16.54
Window 2) sniff on V719 for IP address 111.221.74.18

Jump on 10.10.16.54 and run telnet 111.221.74.18 80,
and see if you can see the packet coming in and then leaving.

I have VLANs on an LACP bond / trunk doing the exact same thing (NAT and routing) and never had an issue.
A

please post if changing antenna location, frequency changes anything. Also, moving antenna connectors to a different place.

Hi, janisk!

Thanks for the idea of dropping invalid packets, it finally solved our problem!

Thanks for all the help! :slight_smile: