Hi all,
I have migrated a NAT solution from Cisco to MikroTik and I am experiencing a very strange issue, and I am not sure what else to do.
In summary, it works 100% fine if I NAT to some IP addresses, but it does not work 100% if I NAT behind other addresses; these addresses are from the same range.
Here are the details:
If I NAT using these rules:
add action=src-nat chain=srcnat comment=test src-address=a.b.c.108 to-addresses=x.y.z.155
add action=dst-nat chain=dstnat comment=test dst-address=x.y.z.155 to-addresses=a.b.c.108
My client cannot browse certain web sites, but is fine browsing others.
If I NAT using the following rules:
add action=src-nat chain=srcnat comment=test src-address=a.b.c.108 to-addresses=x.y.z.161
add action=dst-nat chain=dstnat comment=test dst-address=x.y.z.161 to-addresses=a.b.c.108
Please note that x.y.z is a /24 range. I can replicate the problem using pings from the router itself by creating a loopback in the a.b.c/24 range.
This is the output of /ip firewall connection print detail in the two cases when using the .155 address:
[xxxx@rtr-lon-02] /ip firewall connection> print detail where reply-src-address~"^e.f.g.119"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 C s protocol=tcp src-address=a.b.c.108:52849 dst-address=e.f.g.119:80 reply-src-address=e.f.g.119:80
reply-dst-address=x.y.z.155:52849 tcp-state=syn-sent timeout=1s orig-packets=1 orig-bytes=48 orig-fasttrack-packets=0 orig-fasttrack-bytes=0
repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
1 C s protocol=tcp src-address=a.b.c.108:52848 dst-address=e.f.g.119:80 reply-src-address=e.f.g.119:80
reply-dst-address=x.y.z.155:52848 tcp-state=syn-sent timeout=1s orig-packets=1 orig-bytes=48 orig-fasttrack-packets=0 orig-fasttrack-bytes=0
repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
[xxxxx@rtr-lon-02] /ip firewall connection> print detail where reply-src-address~"^g.h.i."
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 SAC s protocol=tcp src-address=a.b.c.108:52853 dst-address=g.h.i.90:443 reply-src-address=g.h.i.90:443
reply-dst-address=x.y.z.155:52853 tcp-state=established timeout=23h59m32s orig-packets=17 orig-bytes=1 938 orig-fasttrack-packets=0
orig-fasttrack-bytes=0 repl-packets=41 repl-bytes=46 458 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
1 SAC s protocol=tcp src-address=a.b.c.108:52884 dst-address=g.h.i.213:443 reply-src-address=g.h.i.213:443
reply-dst-address=x.y.z.155:52884 tcp-state=established timeout=23h59m33s orig-packets=16 orig-bytes=2 168 orig-fasttrack-packets=0
orig-fasttrack-bytes=0 repl-packets=16 repl-bytes=6 895 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
From the above it would look like I am not getting a reply when NATing to a.b.c.155, but if I run torch on the outside interface I see the reply coming in on the external interface of the router:
[omniaccess@rtr-lon-02] /tool> torch interface=TIBUS1 src-address=104.207.240.119 dst-address=89.185.140.155
MAC-PROTOCOL SRC-ADDRESS DST-ADDRESS TX RX TX-PACKETS RX-PACKETS
ip e.f.g.119 x.y.z.155 528bps 0bps 1 0
528bps 0bps 1 0
As mentioned above, if I NAT my traffic behind x.y.z.161 I have no issue browsing/pinging this site.
Any help would really be appreciated, as it is affecting our customers. We might have to roll back to Cisco and stop the migration of our network to MT.
Thank you all.
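As an added example, not part of the original post or of RouterOS itself: a small Python script that parses the /ip firewall connection print detail output in the format quoted above and lists, per translated address, the sessions where conntrack never saw a reply (no S flag, repl-packets=0). The sample entries are constructed in that format, not real captures.

```python
"""Parse RouterOS '/ip firewall connection print detail' output and list the NAT
sessions whose replies never reached conntrack, grouped by reply-dst-address."""
import re
from collections import defaultdict

# Constructed sample in the print-detail format quoted above, not a real capture.
SAMPLE = """\
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, s - srcnat
 0 C s protocol=tcp src-address=a.b.c.108:52849 dst-address=e.f.g.119:80
   reply-dst-address=x.y.z.155:52849 tcp-state=syn-sent timeout=1s orig-bytes=48
   repl-packets=0 repl-bytes=0 orig-rate=0bps repl-rate=0bps
 1 SAC s protocol=tcp src-address=a.b.c.108:52853 dst-address=g.h.i.90:443
   reply-dst-address=x.y.z.155:52853 tcp-state=established orig-bytes=1 938
   repl-packets=41 repl-bytes=46 458 orig-rate=0bps repl-rate=0bps
 2 SAC s protocol=tcp src-address=a.b.c.108:52900 dst-address=e.f.g.119:80
   reply-dst-address=x.y.z.161:52900 tcp-state=established orig-bytes=600
   repl-packets=4 repl-bytes=1 200 orig-rate=0bps repl-rate=0bps
"""

# key=value; RouterOS prints large counters with a space as thousands separator
KV_RE = re.compile(r"(\S+?)=(\S+(?: \d{3})*)")


def parse_connections(text):
    """Return one dict per connection: the flag letters plus every key=value field."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Flags:":
            continue
        if tokens[0].isdigit():  # new entry: index, flag groups, then fields
            first_field = next(i for i, t in enumerate(tokens) if "=" in t)
            entries.append({"flags": "".join(tokens[1:first_field])})
        if entries:  # wrapped continuation lines belong to the last entry
            for key, val in KV_RE.findall(line):
                entries[-1][key] = val
    return entries


def one_way_sessions(entries):
    """Map NAT address -> destinations whose reply never reached conntrack
    (no seen-reply flag and zero reply packets)."""
    stuck = defaultdict(list)
    for e in entries:
        if "S" in e["flags"] or int(e.get("repl-packets", "0").replace(" ", "")) > 0:
            continue
        nat_ip = e["reply-dst-address"].rsplit(":", 1)[0]  # drop the port
        stuck[nat_ip].append(e["dst-address"])
    return dict(stuck)
```

Run it against the real output of print detail to see which translated address collects the stuck syn-sent sessions; if torch shows the reply arriving for exactly those addresses, the packet is reaching the router but not being matched back to the conntrack entry.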