Nasty problem with src-nat and external DNS

LP006688 · May 26, 2017, 7:43am

Hello all,

I have faced a nasty problem: I have several public IP addresses and several internal subnets; each subnet uses a separate IP to access the Internet. I use “src-nat”, but this effectively kills all UDP(53) traffic through NAT. If I set NAT to “masquerade” (which picks the first IP from the pool) – everything is fine.

What might be the issue here? Any solutions available or is it a RouterOS bug?

Kind regards, Vadim.

pukkita · May 27, 2017, 6:38am

unless you post your configuration export, it will be difficult to say what’s your specific case: if this is a bug or a configuration flaw.

LP006688 · May 28, 2017, 12:37pm

I am sorry, what file are you talking about? Will it contain passwords?

BartoszP · May 28, 2017, 12:52pm

As Mikrotik admin you should be aware of export command.

Sob · May 28, 2017, 11:04pm

/export hide-sensitive

It won’t contain system user accounts at all, and will filter stuff like wireless or ppp passwords. And you can always censor other stuff like IP addresses manually if you want to. But try not to go overboard there. If you do, it will be hard to help you, we need to see what’s public address, tell one from other, etc..

LP006688 · May 29, 2017, 8:08am

Here we go:

# may/29/2017 10:56:01 by RouterOS 6.39.1
#
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/queue tree
add max-limit=256M name=Inbound packet-mark=Inbound parent=global queue=default
add max-limit=256M name=Outbound packet-mark=Outbound parent=global queue=default
/snmp community
set [ find default=yes ] addresses=10.0.0.150/32
/interface l2tp-server server
set caller-id-type=ip-address
/ip address
add address=10.0.100.100/16 interface=ether1 network=10.0.0.0
add address=192.168.100.62/26 interface=ether2 network=192.168.100.0
add address=192.168.111.1/30 interface=ether3 network=192.168.111.0
add address=82.135.232.173/29 interface=combo1 network=82.135.232.168
add address=82.135.237.86/29 interface=combo1 network=82.135.237.80
add address=213.190.53.86/28 interface=combo1 network=213.190.53.80
add address=192.168.101.62/26 interface=ether4 network=192.168.101.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input in-interface=combo1 src-address=82.135.232.168/29
add action=drop chain=input in-interface=combo1 protocol=icmp
add action=drop chain=input dst-port=21,22,23,80 in-interface=combo1 protocol=tcp
add action=drop chain=input dst-port=21,22,23,80 in-interface=ether2 protocol=tcp
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=combo1 new-packet-mark=Inbound passthrough=yes
add action=mark-packet chain=postrouting new-packet-mark=Outbound out-interface=combo1 passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=NEETV passthrough=yes src-address=192.168.100.0/26
add action=mark-routing chain=prerouting new-routing-mark=WiFi passthrough=yes src-address=192.168.111.0/30
add action=mark-routing chain=prerouting new-routing-mark=Test passthrough=yes src-address=192.168.101.0/26
/ip firewall nat
add action=src-nat chain=srcnat comment=NEETV: out-interface=combo1 src-address=192.168.100.0/26 to-addresses=82.135.237.86
add action=src-nat chain=srcnat comment=Test: out-interface=combo1 src-address=192.168.101.0/26 to-addresses=82.135.237.86
add action=src-nat chain=srcnat comment=WiFi: out-interface=combo1 src-address=192.168.111.0/30 to-addresses=213.190.53.86
/ip route
add distance=1 gateway=82.135.232.172
/ip traffic-flow
set cache-entries=32k enabled=yes
/ip traffic-flow target
add dst-address=10.0.0.150 port=10000
/lcd
set color-scheme=dark default-screen=stat-slideshow flip-screen=yes read-only-mode=yes
/snmp
set enabled=yes trap-version=3
/system clock
set time-zone-name=Europe/Vilnius
/system identity
set name=RouterOS.ois.lt
/system ntp client
set enabled=yes primary-ntp=10.0.0.2 secondary-ntp=10.0.0.20
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
set authenticate=no enabled=no

If I set NAT action to “masquerade” it picks the wrong address, but passes DNS packets through. Cannot understand what’s wrong here. Unless there is some undocumented difference between “masquerade” and “src-nat” except predefined address setting.

The “out” addresses are different subnets from the default gateway. Weird, but this is our provider configuration.

LP006688 · May 29, 2017, 8:12am

Should mention as well that identical configuration implemented with a Fortigate-800C works fine.

LP006688 · May 29, 2017, 8:18am

Thank you so much I just started with them. Perhaps, you are a lucky man and were born with a knowledge of everything in the world

BartoszP · May 29, 2017, 8:49am

I wish I could be so lucky … “I should be so lucky, lucky, lucky, lucky …”

pukkita · May 29, 2017, 9:15am

If you want to get help, you’d better provide all the possible details…

What is connected to combo1? I assume this is a CCR1009-7G-1C-*?

Is that the full export? what is this for?

add action=mark-routing chain=prerouting new-routing-mark=NEETV passthrough=yes src-address=192.168.100.0/26
add action=mark-routing chain=prerouting new-routing-mark=WiFi passthrough=yes src-address=192.168.111.0/30
add action=mark-routing chain=prerouting new-routing-mark=Test passthrough=yes src-address=192.168.101.0/26

Look for outgoing DNS connections at IP > Firewall > Connections tab when using masquerade and when using src-nat, (click on the funnel icon to filter outgoing DNS and paste screenshots)

Suggestion: ask your provider about the possibility to set a private IP /30 for transit so that you can “float” the public IPs on loopbacks and avoid the need of binding them to external interfaces.