NAT/masquerading question

mag · March 20, 2006, 8:52am

i can’t see what is causing the following problem:

{LAN} – (MT-router, ROS 2.9.17) – {WAN}

using simple masquerading

chain=srcnat out-interface=to-wan src-address=10.10.1.0/24 action=masquerade

router has 10.10.1.1. now i do

ping www.heise.de src-address=10.10.1.1                                                
193.99.144.85 ping timeout
193.99.144.85 ping timeout
3 packets transmitted, 0 packets received, 100% packet loss

and i’am sure this has been working before…

for clients on the LAN everything is working.

cmit · March 20, 2006, 8:59am

How should this work?

You are instructing your router to go out with its’ internal (!) ip address onto the internet - no way that http://www.heise.de (or someone else) will know how to route the answer packets to 10.10.1.1…

Just leave out the src-address in your ping command, and your router will use its’ public ip address as source and Everything Will Be Good ™

Best regards,
Christian Meis

normis · March 20, 2006, 9:05am

cmit is right. also i don’t think you need src-address in your srcnat rule. what if you have other networks later?

mag · March 20, 2006, 9:27am

Hm, i thought this should match the masqerading rule? Like for any other Client on the internal side of NAT.

concerning the packet-flow diagramm, i guessed it should go through
local → output ->postrouting (src-nat/masquerading) → … → out-interface
am i wrong?

@normis: in this particular case there are other subnets inside not allowed for internet. otherwise the rule should of course be (and i tried this too)

chain=srcnat out-interface=to-wan action=masquerade

(btw. its not for fun, this morning we had a support issue where the VPN was working, but no internet access possible. after reboot everything was ok, but i’am still searching for the reason)

thanks (i’ll go mad on this…

pekr · March 20, 2006, 3:21pm

I thought that too … maybe normally, if you would use ping without the source address parameter, it would be masqeraded, maybe that parameter is overriding it?

-pekr-

cmit · March 20, 2006, 3:25pm

Yep, the packet flow suggests that, correct.
It doesn’t work that way, though

In that regard I should probably take back my “How should it?” from my first post - it was just that I took that for granted for a long time for myself…

Anyone from MikroTik wants to shed some light?

Best regards,
Christian Meis

mag · March 20, 2006, 4:30pm

if the ping is send without src-addr-parameter it goes right out of the WAN interface, originating from the public IP-address the WAN-interface has actually, tried this too.

yes, this would be very kind.

mag · March 21, 2006, 8:40am

ok, never mind why this is not working…

but, how can one test NAT working from the router itself then?

pekr · March 21, 2006, 1:27pm

dunno - but what about some firewall rule on outgoing interface? The thing is however, that NAT is being applied after the routing, so not sure what chain you would have to check, as it will be “forward”.

Or what about logging wan interface traffic? Looking for particular source address packets … otherwise you would have to put your machine onto hub with another PC and use tools as Ethereal. (maybe some internal facility in winbox can be used, sending the traffic to such “ethereal server”.

But don’t take me seriously, I am just routing newbie, if even

-pekr-

mag · March 23, 2006, 7:26am

from the packet flow diagramm src-NAT/Masquerading is applied after that.

Or what about logging wan interface traffic? Looking for particular source address packets … otherwise you would have to put your machine onto hub with another PC and use tools as Ethereal.

the situation would not be a problem, if i could be on-site or have a remote-controled client inside.