Hello,
I have found an issue with the srcnat masquerade action. Some packets don't have a translated source IP address (for example: IP packets with TCP segments with FIN, ACK flags). It is tested on RB493G and RB450G with ROS 5.21 and some lower versions. I have seen this problem when using the HTTPS protocol (with the standard TCP/443 port and also with a different TCP port). The configuration is very simple:
1/ one ethernet port is WAN (IP is public and dynamic, assigned by DHCP)
2/ other ethernet ports are in bridge, clients have private addresses from range 10.0.0.0/16
3/ NAT configuration: add action=masquerade chain=srcnat disabled=no out-interface=ether1 src-address=10.0.0.0/16
Situation for some IP packets (direction LAN → WAN):
srcIP: 10.0.0.10 dstIP:public → NAT translation → srcIP: 10.0.0.10 dstIP: public (TTL is decremented)
Why isn't the source IP address of some IP packets translated? (But the vast majority of packets are translated OK.)
Best regards,
Tom
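As an added example (not part of the original post, and not MikroTik code), here is a small Python check for the symptom described above: it parses a constructed, simplified per-packet capture (interface, TTL, 5-tuple, TCP flags; the line format is an assumption, not real tcpdump or RouterOS output) and reports every packet leaving the WAN interface with a source address still inside the private range that should have been masqueraded, grouped by TCP flags. The public address 198.51.100.7 and the interface names are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample capture (not real output): one line per packet seen on
# an interface. ether1 is the WAN side, bridge1 the LAN side. Two FIN/ACK
# packets leave ether1 with their 10.0.0.0/16 source untouched.
SAMPLE_CAPTURE = """\
ether1 ttl=63 198.51.100.7:51234 > 203.0.113.5:443 flags=S
ether1 ttl=63 198.51.100.7:51234 > 203.0.113.5:443 flags=A
ether1 ttl=63 10.0.0.10:51234 > 203.0.113.5:443 flags=FA
ether1 ttl=63 198.51.100.7:51236 > 203.0.113.9:8443 flags=PA
ether1 ttl=63 10.0.0.23:40000 > 203.0.113.9:8443 flags=FA
bridge1 ttl=64 10.0.0.10:51234 > 203.0.113.5:443 flags=S
"""

# Assumed line layout: "<iface> ttl=<n> <src>:<sport> > <dst>:<dport> flags=<F>"
LINE_RE = re.compile(
    r"^(?P<iface>\S+) ttl=(?P<ttl>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>[A-Z]*)$"
)


@dataclass(frozen=True)
class Packet:
    iface: str
    ttl: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str


def parse_capture(text: str) -> list[Packet]:
    """Parse the constructed capture format; malformed lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            iface=m["iface"],
            ttl=int(m["ttl"]),
            src=ipaddress.IPv4Address(m["src"]),
            sport=int(m["sport"]),
            dst=ipaddress.IPv4Address(m["dst"]),
            dport=int(m["dport"]),
            flags=m["flags"],
        ))
    return packets


def find_untranslated(packets: list[Packet], wan_iface: str,
                      private_net: str) -> list[Packet]:
    """Packets egressing the WAN interface whose source is still private.

    With a working srcnat masquerade rule this list should be empty; any
    entry is a packet the NAT rule did not rewrite.
    """
    net = ipaddress.IPv4Network(private_net)
    return [p for p in packets if p.iface == wan_iface and p.src in net]


def summarize_by_flags(packets: list[Packet]) -> dict[str, int]:
    """Count leaked packets by TCP flag combination (e.g. 'FA' = FIN,ACK)."""
    return dict(Counter(p.flags for p in packets))


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    leaks = find_untranslated(pkts, wan_iface="ether1", private_net="10.0.0.0/16")
    for p in leaks:
        print(f"untranslated on {p.iface}: {p.src}:{p.sport} -> "
              f"{p.dst}:{p.dport} flags={p.flags} ttl={p.ttl}")
    print("by flags:", summarize_by_flags(leaks))
```

Run it against a real capture by replacing SAMPLE_CAPTURE with lines converted to the same layout; a non-empty result on the WAN interface is the condition the post describes, and the flag summary shows whether it is confined to connection-teardown segments.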