NAT bug?

Hi. I’m using ROS 6.1 on an RB450G in a failover multi-WAN configuration, where NAT for the primary channel is performed outside of the MT device and NAT for the spare channel works with

chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=wan2

The wan2 interface also terminates a road-warrior IPsec setup and SSTP tunnels. Some time after upgrading from 5.24 to 6.1 I noticed that the spare channel doesn’t work for the LAN, while ping from the device itself through that channel works fine. I investigated the issue and discovered that the MikroTik device does NAT, but when responses from the remote IP arrive at the MikroTik device I see them in the input firewall chain:

19:02:20 firewall,info input: in:wan2 out:(none), src-mac 00:00:2e:d0:11:48, proto ICMP (type 0, code 0), 8.8.8.8->WAN2_IP, len 84 
19:02:21 firewall,info input: in:wan2 out:(none), src-mac 00:00:2e:d0:11:48, proto ICMP (type 0, code 0), 8.8.8.8->WAN2_IP, len 84 
19:02:22 firewall,info input: in:wan2 out:(none), src-mac 00:00:2e:d0:11:48, proto ICMP (type 0, code 0), 8.8.8.8->WAN2_IP, len 84

I tried cleaning out the firewall rules, keeping only the masquerade rule for wan2, but without luck.
Can somebody help me resolve this issue?

Thanks

Similar issue here, I think.

I’ve got an issue where the CCR1036 with ROS 6.1 is NATing incoming IPsec connections to the in-interface IP

09:18:16 firewall,info VPN forward: in:ether6 out:Ring, src-mac 00:26:0b:28:77:c0, proto 50, IPSEC_SRC->IPSEC_DST, NAT (IPSEC_SRC->ETHER6_PUBLIC_IP)->IPSEC_DST, len 112

I disabled every rule in the firewall but nothing changed. The only thing that works is to disable conntrack, but I can’t disable conntrack since I need NAT and MANGLE.

Are there any solutions or suggestions?

Best regards
Manuel Ritter

I’ve also got an issue with NAT (RouterOS 6.1)

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=\
    192.168.111.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=\
    192.168.113.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=\
    192.168.112.0/24

I’ve created 3 VLANs with 3 NAT rules. When I disable and enable the NAT rules, it sometimes works, but often 1 or 2 VLANs don’t have NAT anymore.
After several disable/enables it works again…