Edge core: NAT SAME /28

Good morning companions

In my edge core I use the NAT Same rule to get the entire private network 10.0.0.0/8.
The rule does not mention the origin IPs; it allows all traffic to pass through it.
Do I have to specify the real origin? 10.0.0.0/8

chain=srcnat action=same to-addresses=50.xxx.xxx.xx/28 same-not-by-dst=no out-interface=sfpp1_WAN0_10GB

With the rule log I am seeing that external IPs connect to my public output; is this correct?

14:02:57 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.160.160.xx:40661->50.xxx.xxx.68:5921, len 40
14:02:57 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.160.160.xx:54851->50.xxx.xxx.7:4112, len 40
14:02:57 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55518->50.xxx.xxx.48:41203, len 40
14:02:57 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55652->50.xxx.xxx.85:35642, len 40
14:02:57 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55652->50.xxx.xxx.212:35647, len 40
14:02:57 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.169.80.xx:20753->50.xxx.xxx.13:81, len 44
14:02:57 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55518->50.xxx.xxx.181:36969, len 40
14:02:57 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.24.139.xx:40962->50.xxx.xxx.249:445, len 40
14:02:57 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.20.45.xx:35772->50.xxx.xxx.182:8080, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.137.234.xx:42026->50.xxx.xxx.243:46211, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55518->50.xxx.xxx.248:27687, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55652->50.xxx.xxx.90:40007, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55518->50.xxx.xxx.120:40307, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.137.234.xx:42026->50.xxx.xxx.3:6991, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.137.234.xx:42026->50.xxx.xxx.8:6991, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55518->50.xxx.xxx.180:38365, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto UDP, xx.171.206.xx:36518->50.xxx.xxx.1:33434, len 92
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55518->50.xxx.xxx.96:37102, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.137.234.xx:42026->50.xxx.xxx.148:40508, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55518->50.xxx.xxx.189:26875, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55518->50.xxx.xxx.43:34226, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.137.234.xx:42026->50.xxx.xxx.50:29635, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55652->50.xxx.xxx.55:38665, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55652->50.xxx.xxx.102:38972, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55652->50.xxx.xxx.207:26145, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55652->50.xxx.xxx.210:36339, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55242->50.xxx.xxx.169:22301, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55518->50.xxx.xxx.67:39660, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), xx.57.71.xx:55518->50.xxx.xxx.65:27237, len 40

Thanks for the help

Is it correct to tell the rule to only route when the source is my LAN 10.0.0.0/8?

chain=srcnat action=same to-addresses=50.xxx.xxx.xx/28 same-not-by-dst=no src-address=10.0.0.0/8 out-interface=sfpp1_WAN0_10GB

I don’t quite understand this, sorry :frowning:

OK, with a blackhole it's solved.

Now I found something strange: IPs in the range 192.168.0.0/16 go out the edge core towards public IPs external to my Local / Public.

This is strange.

I’m still investigating …
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp7_LAN_Nodo_1 out:(unknown 0), src-mac 64:d1:54:ee:a7:de, proto TCP (ACK,FIN), 192.168.0.103:58631->185.170.xxx.3:80, len 52
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.101:56265->23.246.xxx.133:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.101:56265->23.246.xxx.133:443, len 40
firewall,info alert prerouting: in:sfpp7_LAN_Nodo_1 out:(unknown 0), src-mac 64:d1:54:ee:a7:de, proto TCP (RST), 192.168.0.100:50066->192.xxx.236.9:443, len 40
firewall,info alert prerouting: in:sfpp7_LAN_Nodo_1 out:(unknown 0), src-mac 64:d1:54:ee:a7:de, proto TCP (RST), 192.168.0.100:33745->192.xxx.236.9:443, len 40
firewall,info alert prerouting: in:sfpp7_LAN_Nodo_1 out:(unknown 0), src-mac 64:d1:54:ee:a7:de, proto TCP (RST), 192.168.0.100:33745->192.xxx.236.9:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->77.226.xxx.97:443, len 40
I don’t understand these requests when the LAN is 10.0.0.0/8
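Detection logic for the two symptoms in this thread (srcnat hits whose source is not the 10.0.0.0/8 LAN, and 192.168.0.0/16 sources leaving toward public destinations), as an added Python example that is not from the thread. The log lines are constructed in the RouterOS format quoted above, with documentation addresses standing in for the masked public ones, and the LAN range is assumed from the poster's description.

```python
import ipaddress
import re

# Constructed sample lines in the RouterOS log format quoted in the thread; public
# addresses are documentation ranges and 198.51.100.0/28 stands in for the real /28.
SAMPLE_LOG = """\
14:02:57 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto TCP (SYN), 203.0.113.160:40661->198.51.100.6:5921, len 40
14:02:58 firewall,info info srcnat: in:(unknown 0) out:sfpp1_WAN0_10GB, src-mac 00:00:00:00:00:00, proto UDP, 203.0.113.171:36518->198.51.100.1:33434, len 92
14:02:58 firewall,info info srcnat: in:sfpp6_LAN_Nodo_0 out:sfpp1_WAN0_10GB, src-mac 4c:5e:0c:e8:af:19, proto TCP (SYN), 10.20.30.40:51000->203.0.113.9:443, len 60
firewall,info alert prerouting: in:sfpp6_LAN_Nodo_0 out:(unknown 0), src-mac 4c:5e:0c:e8:af:19, proto TCP (RST), 192.168.0.100:60030->203.0.113.97:443, len 40
firewall,info alert prerouting: in:sfpp7_LAN_Nodo_1 out:(unknown 0), src-mac 64:d1:54:ee:a7:de, proto TCP (ACK,FIN), 192.168.0.103:58631->10.0.5.5:80, len 52
"""

LAN = ipaddress.ip_network("10.0.0.0/8")  # assumed: the only legitimate source behind the edge
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One firewall log line: optional time, topics, log-prefix, chain, then the packet summary.
LINE_RE = re.compile(
    r"(?:(?P<time>\d\d:\d\d:\d\d) )?firewall,\w+ (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>.+?) out:(?P<out_if>[^,]+), src-mac (?P<mac>[0-9a-f:]+), "
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, len (?P<len>\d+)"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a firewall line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def classify(ev):
    """Label a parsed event with one of the two problems seen in the thread, or 'ok'."""
    src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
    if ev["chain"] == "srcnat" and src not in LAN:
        # srcnat rule matched a packet not from 10.0.0.0/8: the rule has no src-address.
        return "srcnat-non-lan-source"
    if is_rfc1918(src) and src not in LAN and not is_rfc1918(dst):
        # 192.168.x.x (or 172.16/12) bound for a public address: should be dropped at the edge.
        return "rfc1918-leak"
    return "ok"

def audit(log_text):
    """Return {label: [(src, dst), ...]} for every flagged line in the log text."""
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and (label := classify(ev)) != "ok":
            findings.setdefault(label, []).append((ev["src"], ev["dst"]))
    return findings
```

Feeding the real log export to `audit` shows which lines the rule should never have matched and which internal ranges are escaping; both are what the `src-address=10.0.0.0/8` match and a drop of other RFC1918 sources at the edge are meant to stop.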

I have reached a client and from his antenna I see those requests, on a Huawei phone according to his router, which has that IP + MAC.

Your router works under OSPF with your PPPoE on the antenna, just in the next hop from your router; everything seems normal, but that traffic sneaks up to the edge core and outwards.

I have a beautiful internal infection, right?