Internal IP's showing up on external port

Hey all, this is my first time post. I’ll try to keep it as clear as possible, please bear with me.

Why am I seeing internal IP addresses on my external (WAN) port of my router?

My routerOS (version 3.23) is configured as a gateway, using NAT masquerade to connect my clients on my internal network to one routable static IP address on the WAN side of the network. I also have a number of clients that I have set up one to one NAT for (using different static routable IP’s).

When I use Torch on the WAN port of my router, I see a number of my dynamic internal IP addresses under the “Dst. Address” listing.

This was brought to my attention by my internet service provider, who said they are seeing my internal traffic on their end, something I’m assuming…is bad.

Any thoughts?

Please post the output of “/ip address print detail”, “/ip route print detail”, and “/ip firewall nat export”.

Here you go…

Address

 
     address=10.25.0.1/16 network=10.25.0.0 broadcast=10.25.255.255 
     interface=1: NIC Local actual-interface=1: NIC Local 

 1   address=10.75.0.1/16 network=10.75.0.0 broadcast=10.75.255.255 
     interface=1: NIC Local actual-interface=1: NIC Local 

 2   address=209.205.94.98/32 network=209.205.94.97 broadcast=209.205.94.11>
     interface=2: KTI actual-interface=2: KTI

 3   ;;; NIC Server - 10.25.0.5
     address=209.205.94.99/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI

 4   address=10.25.0.2/16 network=10.25.0.0 broadcast=10.25.255.255 
     interface=1: NIC Local actual-interface=1: NIC Local 

 5   ;;; AX - 10.25.2.4
     address=209.205.94.104/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI     
     actual-interface=2: KTI

 6   ;;; AH - 10.25.2.1
     address=209.205.94.105/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI
     actual-interface=2: KTI

 7   ;;; TH
     address=209.205.94.101/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI
     actual-interface=2: KTI 

 8   ;;; EC 1 - 10.25.2.2
     address=209.205.94.102/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI 

 9   ;;; Test
     address=209.205.94.106/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI 

10 X address=209.205.94.107/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI
     actual-interface=2: KTI 

11 X address=209.205.94.108/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI

12   ;;; DB
     address=209.205.94.109/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI
     actual-interface=2: KTI

13 X address=209.205.94.110/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI

14   ;;; EC 2 - 10.25.2.3
     address=209.205.94.103/32 network=209.205.94.97 
     broadcast=209.205.94.111 interface=2: KTI 
     actual-interface=2: KTI

Route

C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=209.205.94.97 interface=2: KTI 
        gateway-state=reachable distance=1 scope=30 target-scope=10 

 1 ADC  dst-address=10.25.0.0/16 pref-src=10.25.0.1 interface=1: NIC Local 
        distance=0 scope=10 

 2 ADC  dst-address=10.75.0.0/16 pref-src=10.75.0.1 interface=1: NIC Local 
        distance=0 scope=10 

 3 ADC  dst-address=209.205.94.97/32 pref-src=209.205.94.98 
        interface=2: KTI distance=0 scope=10

Firewall

# nov/12/2010 10:54:08 by RouterOS 3.23
# software id = 60GM-89T
#
/ip firewall nat
add action=netmap chain=dstnat comment=RDP disabled=no dst-address=\
    209.205.94.99 to-addresses=10.25.0.4
add action=netmap chain=srcnat comment=RDP disabled=no src-address=\
    10.25.0.4 to-addresses=209.205.94.99
add action=netmap chain=dstnat comment="EC 1" disabled=no \
    dst-address=209.205.94.102 to-addresses=10.25.2.2
add action=netmap chain=srcnat comment="EC 1" disabled=no \
    src-address=10.25.2.2 to-addresses=209.205.94.102
add action=netmap chain=dstnat comment="EC 2" disabled=no \
    dst-address=209.205.94.103 to-addresses=10.25.2.3
add action=netmap chain=srcnat comment="EC 2" disabled=no \
    src-address=10.25.2.3 to-addresses=209.205.94.103
add action=netmap chain=dstnat comment=AX disabled=no dst-address=\
    209.205.94.104 to-addresses=10.25.2.4
add action=netmap chain=srcnat comment=AX disabled=no src-address=\
    10.25.2.4 to-addresses=209.205.94.104
add action=netmap chain=dstnat comment="AH" disabled=no \
    dst-address=209.205.94.105 to-addresses=10.25.2.1
add action=netmap chain=srcnat comment="AH" disabled=no \
    src-address=10.25.2.1 to-addresses=209.205.94.105
add action=netmap chain=dstnat comment=TH disabled=no dst-address=\
    209.205.94.101 to-addresses=10.25.2.8
add action=netmap chain=srcnat comment=TH disabled=no src-address=\
    10.25.2.8 to-addresses=209.205.94.101
add action=netmap chain=dstnat comment="DB" disabled=no \
    dst-address=209.205.94.109 to-addresses=10.25.2.9
add action=netmap chain=srcnat comment="DB" disabled=no \
    src-address=10.25.2.9 to-addresses=209.205.94.109
add action=netmap chain=dstnat comment="Test puter" disabled=no \
    dst-address=209.205.94.106 to-addresses=10.25.2.5
add action=netmap chain=srcnat comment="Test Puter" disabled=no \
    src-address=10.25.2.5 to-addresses=209.205.94.106
add action=masquerade chain=srcnat comment="" disabled=no dst-address=\
    0.0.0.0/0 out-interface="2: KTI" src-address=10.25.0.0/16
add action=masquerade chain=srcnat comment="" disabled=no dst-address=\
    0.0.0.0/0 out-interface="2: KTI" src-address=10.75.0.0/16

In all your dstnat chain rules, set the action to dst-nat instead of netmap. That should fix your issue.

Hey Guru,

Thanks very much for the quick response! I made the change you suggested, but the problem is still there. Do I need to reboot the router, or wait for a while for the changes to propagate through the system?

It should take effect for new connections immediately, but won’t apply to existing connections. A reboot would fix that up right quick, or you can wait for connections to expire, or terminate them manually in the IP > Firewall > Connections view.

If you want to make 100% sure internal RFC 1918 IP space doesn’t leak outside, you could also add this:

/ip firewall address-list
add list=RFC1918 address=10.0.0.0/8
add list=RFC1918 address=172.16.0.0/12
add list=RFC1918 address=192.168.0.0/16
/ip firewall filter
add chain=forward src-address-list=RFC1918 out-interface="2: KTI" action=drop

It certainly won’t hurt as those packets will be dropped by your ISP anyway, and takes effect immediately even for existing connections.

Hey Guru,

That last set of instructions cut off all internal access to the internet. Is it possible it should be

/ip firewall filter
add chain=forward dst-address-list=RFC1918 out-interface="2: KTI" action=drop

instead of

/ip firewall filter
add chain=forward src-address-list=RFC1918 out-interface="2: KTI" action=drop

as the dst-address of the WAN port is where the internal IP’s are showing up?

Whoops, my bad. There is no filtering after source NAT so you cannot use that approach at all. Don’t know what I was thinking.

Did a reboot or time fix it?
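To see why the src-address-list rule in the forward chain cut off every LAN host, here is a small Python model (an added illustration, not RouterOS code and not part of the thread) of the forward-filter-then-srcnat order, built from the NAT rules posted above; the 192.168.1.5 source is a constructed example of a host that none of the posted srcnat rules covers.

```python
import ipaddress

# 1:1 netmap pairs copied from the thread's "/ip firewall nat export" (internal -> public).
ONE_TO_ONE = {
    "10.25.0.4": "209.205.94.99",  "10.25.2.2": "209.205.94.102",
    "10.25.2.3": "209.205.94.103", "10.25.2.4": "209.205.94.104",
    "10.25.2.1": "209.205.94.105", "10.25.2.8": "209.205.94.101",
    "10.25.2.9": "209.205.94.109", "10.25.2.5": "209.205.94.106",
}
# The two masquerade rules only match these source ranges.
MASQ_RANGES = [ipaddress.ip_network(n) for n in ("10.25.0.0/16", "10.75.0.0/16")]
MASQ_ADDR = "209.205.94.98"  # address on 2: KTI that masquerade translates to
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def srcnat(src):
    """Postrouting srcnat chain: netmap rules first, then masquerade.
    A source matched by no rule leaves the WAN interface unchanged."""
    if src in ONE_TO_ONE:
        return ONE_TO_ONE[src]
    if in_any(src, MASQ_RANGES):
        return MASQ_ADDR
    return src


def forward(src, drop_rfc1918_src):
    """Forward chain runs before srcnat, so it sees the untranslated LAN source.
    Returns ('dropped', None) or ('sent', source address the ISP would see)."""
    if drop_rfc1918_src and in_any(src, RFC1918):
        return ("dropped", None)
    return ("sent", srcnat(src))


def leaks_private_source(src):
    """Defensive check: would this host's packets leave KTI with a private source?"""
    state, seen = forward(src, drop_rfc1918_src=False)
    return state == "sent" and in_any(seen, RFC1918)
```

With the drop rule in place every 10.x host is rejected before translation, which matches what the poster saw; without it, only a source outside both masquerade ranges leaves the router with a private address.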

Neither reboot nor time has resolved this issue.

Someone else seems to have the same problem: http://forum.mikrotik.com/t/weird-torch-traffic-lan-visable-to-wan/42240/1