NAT only allowing one NAT

This is a new install, running RouterOS 7.8 on a RB5009UG+S+

I’ve assigned a public /28 to the router (brought up each ip address individually on the WAN port), and all IPs in the subnet are ping-able from the public Internet.
I’ve brought up the egress IP masquerade on the WAN port, and it works nicely, every server on the LAN (192.168.1.0/24) can route out to the public Internet.
I then brought up multiple dstnat NATs on one of the public IP addresses, asking the router to NAT a different port on the same public IP to a different server and port on the LAN.
When I installed this initially, I tested that every NAT worked, which it did without issue.

However, what’s happened a week later is that the configuration remains unchanged, but somehow all but one of the NATs no longer work. Only the NAT with id 1 works; the NAT with id 2 does not work.

/ip/firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

1 chain=dstnat action=dst-nat to-addresses=192.168.1.105 to-ports=22 protocol=tcp dst-address=XXX.XXX.XXX.131
dst-port=2222

2 chain=dstnat action=dst-nat to-addresses=192.168.1.101 to-ports=22 protocol=tcp dst-address=XXX.XXX.XXX.131
dst-port=2223

Checking with the packet sniffer, if I telnet into XXX.XXX.XXX.131 port 2222, I get a correct NAT to 192.168.1.105 port 22, with the usual SSH semantics.
However, if I telnet into XXX.XXX.XXX.131 port 2223, the router sees inbound traffic, but fails to NAT that traffic onto the internal server (192.168.1.101 port 22):

/tool/sniffer quick ip-address=XXX.XXX.XXX.131 port=2223
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERF TIME N DIR SRC-MAC DST-MAC SRC-ADDRESS DST-ADDRESS PROTOC SI C
ether2 6.225 1 ← XX:XX:XX:XX:XX:01 48:A9:8A:E7:1D:38 YYY.YYY.216.61:32915 XXX.XXX.XXX.131:2223 ip:tcp 74 1

And on the server itself at 192.168.1.101:
sudo tcpdump src 192.168.1.1 and port 22
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

So it’s not clear to me why the router is perfectly happy with the NAT at id 1, and suddenly unhappy with the NAT at id 2.

Appreciate any assistance here. Thanks in advance!

masquerade uses the first IP on the OUT interface

If there is more than one IP on that OUT interface, masquerade uses (I guess) the lowest IP of that interface.
You need to explicitly src-nat with your desired IP.

For DST-NAT:
If there is more than one IP on the IN interface you dst-nat on, you also maybe need to set the dst-address on which a packet arrives, which should then be dst-nat’d forward to your local resource (e.g. a server).
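To illustrate the advice above (explicit src-nat instead of masquerade when the WAN port carries several public IPs, and a dst-address on every dst-nat rule), here is an added RouterOS configuration example, not taken from the thread or from MikroTik documentation. It assumes the same interface list name WAN, LAN 192.168.1.0/24 and the placeholder public IP XXX.XXX.XXX.131 used in the thread; the print commands at the end are what I would run to confirm that a given rule is actually matching.

```routeros
# Added example, not the poster's configuration. Placeholder public IP
# XXX.XXX.XXX.131 and LAN 192.168.1.0/24 are taken from the thread.

/ip firewall nat

# Outbound: pin the source address instead of relying on masquerade,
# which picks an address on the out-interface for you.
add chain=srcnat action=src-nat src-address=192.168.1.0/24 \
    out-interface-list=WAN to-addresses=XXX.XXX.XXX.131 \
    comment="explicit src-nat for LAN via .131"

# Inbound: one dst-nat rule per public port, each bound to the public IP
# it should answer on (dst-address), so rules on other IPs cannot collide.
add chain=dstnat action=dst-nat protocol=tcp dst-address=XXX.XXX.XXX.131 \
    dst-port=2222 to-addresses=192.168.1.105 to-ports=22 \
    comment="ssh .131:2222 -> .105:22"
add chain=dstnat action=dst-nat protocol=tcp dst-address=XXX.XXX.XXX.131 \
    dst-port=2223 to-addresses=192.168.1.101 to-ports=22 \
    comment="ssh .131:2223 -> .101:22"

# Verification: the packet counters show which nat rule (if any) matched
# a test connection; a rule whose counters stay at zero never saw the packet.
/ip firewall nat print stats

# Connection tracking shows whether the translation was applied: a tracked
# entry for .131:2223 whose reply side points at 192.168.1.101 means dst-nat
# happened; no entry at all means the packet was dropped or never tracked.
/ip firewall connection print detail where dst-address~"XXX.XXX.XXX.131:2223"

# If dst-nat happened but nothing reaches the server, check the forward
# chain filter counters next, since a drop there is invisible to nat.
/ip firewall filter print stats where chain=forward
```

Compare the counters of the two dstnat rules after one test connection to each port; if only rule 1 increments, the problem is in rule matching, while if both increment but the server still sees nothing, look at the forward filter and the LAN routing instead.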

New install 7.8??? 7.11.2 would be a new install…

maybe the HARDWARE itself is meant as the “new install” and not the FIRMWARE -.-

Thank you, apologies for not being clearer, this is a new hardware install as of last week.

Today, I have just upgraded the firmware to version 7.11.2, up from the 7.8 it shipped with. However, there is no difference, I’m still seeing the same issue.

Re: DST-NAT, I do have the dst-address set for each NAT, the configuration I’ve used via command line:

/ip/firewall/nat add chain=dstnat action=dst-nat dst-address=XXX.XXX.XXX.131 dst-port=2223 to-addresses=192.168.1.101 to-ports=2222 protocol=tcp

And that results in the right dst-address being assigned to the NAT rule:
2 chain=dstnat action=dst-nat to-addresses=192.168.1.101 to-ports=22 protocol=tcp dst-address=XXX.XXX.XXX.131 dst-port=2223

I’ll admit this one’s a bit of a puzzle for me.