NAT is not blocking from outside

Hello,

I have a problem with NAT.
When I reset to default configuration (RB 750 with OS 5.24) I have 2 working networks on the RB. One is the local (192.168.88.0/24) and the second is the “wan” with DHCP client and a source masqueraded NAT.

I tested with a second router (a Bintec, this is the DHCP server) which is connected to the RB at the “wan port”. The RB gets an IP address from my second router, and a PC, which is also connected to my second router, can access HTTP on and ping the RB.

Why is this possible? The RB must block this traffic (NAT), otherwise, when I connect this port to my ISP and NAT is not working, everyone has access to my RB.

The same happens when I reconfigure the RB and try it on another port.

Thanks in advance for your answers

Joachim

NAT only covers the “inside” of the network that is behind the RB. If you want to block the access to the RB itself, NAT has nothing to do with that. Configure the input chain in the firewall.

Hello,
Normally NAT blocks all traffic initiated from outside to the inside network.
But with the RB it is possible to have access from the outside network to the inside network.

Following tested configuration:

RB with 2 Networks:
local: 192.168.88.0/24, with 1 PC connected (192.168.1.254)
wan: 172.16.2.0/24, RB IP address 172.16.2.1, on this port source NAT with masquerade

When I connect a PC on the wan port with the address 172.16.2.2 and configure a route (192.168.88.1/24 over gateway 172.16.2.1) on this PC, I can ping all PCs which are connected on the local network 192.168.88.0/24.

And this is what NAT has to block (or cover) in my opinion (all other routers I know do so).

Is there a possibility to prevent this?

Thanks
Joachim

Add this firewall rule on the MikroTik:

/ip firewall filter add chain=forward connection-state=new in-interface=WAN action=reject reject-with=icmp-port-unreachable

where WAN is your WAN port.

I’m not sure what you mean by “normally” but suspect that you mean that a typical consumer router from the likes of Linksys by default blocks traffic from the WAN side to the LAN side - which is true - but it is not because of “NAT”, rather it is because new connections are blocked at the forwarding point by the stateful packet inspection firewall.

The same applies on RouterOS. In RouterOS the IP Firewall NAT entries cover both NAT and PAT (port address translation). If you want to block specific forwarding paths that is done in the forwarding chain under filters and if you want to block access to the router itself that is done in the input chain under filters.
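Added example (not posted by anyone in this thread): a minimal RouterOS filter set that covers both cases raised above, the input chain for access to the router itself and the forward chain for WAN-to-LAN forwarding, next to the masquerade rule that by itself filters nothing. It assumes the RouterOS 5.x default interface names, ether1-gateway for WAN and bridge-local for LAN; adjust them to your own setup.

```routeros
# Added example, not from the thread. Assumes WAN = ether1-gateway, LAN = bridge-local.

# Masquerade only rewrites the source of outgoing traffic; it blocks nothing by itself.
/ip firewall nat add chain=srcnat out-interface=ether1-gateway action=masquerade

# Input chain: traffic addressed to the router (the HTTP and ping access in the first post).
/ip firewall filter add chain=input connection-state=established action=accept
/ip firewall filter add chain=input connection-state=related action=accept
/ip firewall filter add chain=input in-interface=bridge-local action=accept comment="LAN may manage the router"
/ip firewall filter add chain=input in-interface=ether1-gateway action=drop comment="drop everything new from WAN to the router"

# Forward chain: traffic routed through the router (the routed ping into the LAN in the second post).
/ip firewall filter add chain=forward connection-state=established action=accept
/ip firewall filter add chain=forward connection-state=related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward connection-state=new in-interface=ether1-gateway action=drop comment="no WAN-initiated connections into the LAN"
```

Check the result with `/ip firewall filter print stats` after repeating the ping test from the WAN side: the packet counters on the two drop rules should increase while the LAN-initiated traffic still passes through the established/related rules.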