Is dst-nat different in 7x than 6x ?

exitcomestothis · December 7, 2022, 4:16am

I deploy the hAP Lite devices at remote sites for easy and secure remote access. the hAP connects to my office via EoIP over SSTP. I have about a dozen of these guys out there, and my setup is essentially the same on all of them (save for the SSTP/EoIP tunnel numbers, ip’s, etc).

The hAP graps a dhcp from the local network, connects, and my EoIP tunnel is established. I then assign a /30 for a management interface between my router (RB4011) and the hAP, that way I’m able to access the router as well as some other devices on the other end of the network.

I just deployed one of these this week that’s running ros 7.6, and the dst-nat function doesn’t seem to work like it does on all the other hAP’s running ros 6.xx. I’m about ready to pull my hair out trying to figure this out, but nothing has seemed to work. I’ve looked at several working configs for other sites dozens of times over the last 3 days, and everything feels like it should be working. So, I’m asking for help.

What I’m trying to accomplish - I need to access a host on the remote side within the DHCP range 10.1.10.10/24, via my management interface of 10.10.32.6/30. I’ve been able to set this up with a dst-nat firewall rule, but traffic doesn’t ever reach the remote range.

When I’m at my office, I need to be able to visit 10.10.32.6:80 and have that bet dst-nat’d to the remote 10.1.10.10:80 address.

Here’s copies of my configs

Firewall
These are the only 3 firewall rules - period

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface=bridge1 log=yes log-prefix=WEB protocol=tcp src-address=10.10.32.5 to-addresses=10.1.10.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=3011 in-interface=bridge1 protocol=tcp src-address=10.10.32.5 to-addresses=10.1.10.10 to-ports=3011
add action=dst-nat chain=dstnat dst-port=8006 in-interface=bridge1 protocol=tcp src-address=10.10.32.5 to-addresses=10.1.10.10 to-ports=8006

Addresses

/ip address
add address=10.10.32.6/30 comment="Mgmt Addr" interface=eoip-tunnel1 network=10.10.32.4

Interfaces

/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=wlan1
add bridge=bridge1 ingress-filtering=no interface=eoip-tunnel1
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether1

Packets are making it to the other side just fine, and this is one of the log entries from my log tag above. This log behavior is the exact same as all the others on my 6.x devices.

Log output

WEB dstnat: in:bridge1 out:(unknown 0), connection-state:new src-mac d4:ca:6d:fa:bb:93, proto TCP (syn), 10.10.32.5:56122->10.10.32.6:80, len 48

mkx · December 7, 2022, 6:37am

Certain things in your setup are not exactly right, e.g. management IP address set on interface=eoip-tunnel1 while said interface is used as bridge port. That’s something conceptually wrong but ROS doesn’t complain about it. Then you’re using bridge interface as in-interface for packets to be NAT-ed while IP layer thinks it’s bound to eoip-tunnel1 interface. Etc.

IMO you should not mix L2 operations (eoip-tunnel1 being part of LAN bridge on remote site) and L3 operations (DST-NAT). Perhaps you should rather perform DST-NAT on office router … since using EOIP tunnel implies that device(s) in office LAN are aware of 10.1.10.0/24 subnet. If they’re not, you should be using tunnel between sites as routed interface instead.

And yes, architectually ROSv7 and ROSv6 are different enough (due to much newer linux kernel used in v7) for such marginal things to break.

Sob · December 7, 2022, 1:12pm

Aside from EoIP being seemingly useless, at least I don’t see any reason in provided description why it’s there at all, it should work. Try some more logging, see e.g. this as example: http://forum.mikrotik.com/t/port-forwarding-so-simple-so-difficult/161719/19