I have noticed for sometime now that cloud core routers CCR1009-7G & 8G are experiencing inoperable conditions with src-nat (action) <> srcnat (chain). NAT table has >500 entries and issues begin when adding new src-nat <> srcnat addresses.
When creating a new srcnat and the ID# is >100 then the src-nat <> srcnat not longer functions. If I copy a src-nat <> srcnat with a lower ID# (<100) then the src-nat <> srcnat functions as expected.
Is this the limitation or some odd caching issue.
Currently strict ordering is not applied. Do I need to apply and adhere to strict ordering?
Without seeing the full config hard to say.
Also what you do mean by strict ordering.
In general all rules are matched in the order they are put on the router and thus order is important
If you mean RP filter, it should be set to loose.
Why such a complicated sourcenat rule.
Typically one doesnt need to delineate sources as SourceNAT is NOT a routing mechanism.
One typically identifies which interfaces (outbound) where NAT should be applied.
dynamic interfaces are typically set as src-nat / masquerade
static interfaces are typically set as scr-nat / srcnat
I’m asking if strict ordering is required with larger NAT rules?
Yes rules are matched on order but please read my post with the issue at hand.
These are all NAT 1:1 static yes.
I’m not sure where the complication rule is you mention?
About /ip settings set the rp-filter to loose.
They do not influence NAT, but do not use strict if you use routing tables or complex routing.
I have never had so many NAT rules on one device,
and if I think that if I sum the NAT rules of all my network devices (excluding NAT on CPE),
I do not reach more than 100 rules.
Yes all NAT 1:1 rules are as you mention in your example. Total rules (including netmap <> dstnat) >500
Yes there are many but are required for WHM NAT 1:1 otherwise everything breaks. Have many clients on static MX and hosting services within WHM and other internal MX hosts.
These NAT rules then become unstable, especially after making firmware updates or rebooting, NAT gets a bit broken, have to re-assign some src-nat <> srcnat .
Of course WHM NAT, if only that was in the title or first post.
Zing above my head. Curious though what scenario requires this amount of natting. Is this a WISP or something larger??
Still an issue. If I delete a simple rule for a WHM host with port 80, 443 rule then apply with the outlined suggestion, srcnat <> src-nat NAT 1:1 does not work (ends up with router IP) observing ID# set higher than last dstnat rule for WHM.
I then copied rule ID#2 which created the new rule as ID#3 with the suggested config for srcnat <> src-nat and WHM now complains “Not Routable” (this also appeared on that WHM host with many static hosts after that change to #3 ID).
If I copy a srcnat rule with ID #58 then NAT 1:1 does work. It appears that with rp-filter=no (also tried loose), rules in NAT are still being forced by order somewhere.
It appears that srcnat <> src-net for hairpin NAT 1:1 has some sort of condition with order.
Can anyone elaborate?
is this a bug?
If by design then how can this condition be controlled?
Unfortunately if I use @rextended suggestion to streamline the NAT table it breaks Hairpin NAT 1:1 rules to hosts/devices and services.
Hairpin NAT is for the unique case of servers and users and is only needed when one hosts a server on the same subnet as the users who want/need to access the server AND…
the admin is forcing them to use public IP address to reach the server, vice the cleaner LANIP !!
Really I do not check in this case what do that’s rules…
Simply, I simplify on simple way what are simply simplifiable…
Netmap is only for create a static 1:1 mapping of one set of IP addresses to another one.
For example, can be used for distribute public IP addresses to hosts on private networks.
Is the first time I see netmap for “open ports”, probably all the 100 netmap rules are wrong…
and is why not work as expected (only) from @icttech
Yes, used action=dst-nat chain=dstnat and that order ID does not matter. It seems as soon as the order ID for srcnat reaches a higher ID than the lowest dstnat ID then it breaks.
Does this mean every-time I need to add a single NAT 1:1 rule then I have to wipe the NAT table and then add all srcnat first then dstnat (>500) ?
dstnat and srcnat are two different chain of the NAT,
like dstnat and srcnat on bridge,
like prerouting and output on raw,
like input, forward and output on filter,
like prerouting, input, forward, output, postrouting on mangle
Are on same tab, but the order matter for same chain, but is indipendent from other chains.
