Help - packets passing un-NATed through router! *SOLVED*

I have an RB333 with ROS 3.0 rc5 and the following settings:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; added by setup
     192.168.4.10/24    192.168.4.0     192.168.4.255   ether1
 1   10.0.0.1/24        10.0.0.0        10.0.0.255      wlan2

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTERFACE
 0 A S  ;;; added by setup
        0.0.0.0/0                          r 192.168.4.1     1        ether1
 1 ADC  10.0.0.0/24        10.0.0.1                          0        wlan2
 2 ADC  192.168.4.0/24     192.168.4.10                      0        ether1

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=src-nat action=masquerade out-interface=ether1
[admin@MikroTik] >

In addition, I have set up a DHCP server on WLAN2. The first client computer gets IP 10.0.0.109 (last in pool) and GW/DNS set to 10.0.0.1, i.e. the address of WLAN2.

From the router itself I am able to ping anything upwards, including hosts on the internet. NTP updates also work ok.

The problem is that from the attached client computer I am not able to ping beyond the router itself. I.e. “ping 192.168.4.10” works ok, but not “ping 192.168.4.1”.
I have entered firewall logging rules to watch packets flowing from/to the router, and I can see that the ICMP requests leave ether1 with dst-addr 192.168.4.1, but with src-addr 10.0.0.109:

proto ICMP (type 8, code 0), 10.0.0.109->192.168.4.1, len 60 
06:45:45 firewall,info forward: in:wlan2 out:ether1, src-mac 00:90:4b:ad:8e:9c, 
proto ICMP (type 8, code 0), 10.0.0.109->192.168.4.1, len 60 
06:45:51 firewall,info forward: in:wlan2 out:ether1, src-mac 00:90:4b:ad:8e:9c,

No packets return from 192.168.4.1, and I assume this is the problem: upstream GW 192.168.4.1 receives the ICMP requests, but replies to 10.0.0.109, making the response disappear in the wild somewhere upstream.

Why doesn’t the masquerade rule in “firewall nat” src-nat the packets, making them look like they come from 192.168.4.10?

There must be something basic I’ve overlooked?

I tried static and it went all fine. Then I realised that it was something about my DHCP settings.
The problem was that in the DHCP network settings I specified 24 in the netmask field. When leaving this unspecified, everything was fine!

According to the manual, this netmask is to be specified if different from the netmask in the Network field. Then why didn’t it work when I re-specified the netmask 24?

After all, what is this separate netmask for?