NAT only NAT'ing 99% of packets.

Issue: not all packets are NAT'ed on the MikroTik router. It seems like 99.9% of packets are NAT'ed,
but the upstream firewall is seeing lots of martian source packets (rp_filter strict).

I have this setup with a MikroTik router.

/system/routerboard/print
       routerboard: yes
             model: CCR1036-8G-2S+
     serial-number: 4466022F4CCF
     firmware-type: tilegx
  factory-firmware: 3.10
  current-firmware: 7.2.3
  upgrade-firmware: 7.2.3

This is the config on the MikroTik:

/interface vlan
add interface=sfp-sfpplus1 name=v128 vlan-id=128

/interface list
add name=WAN
add name=CUST
add name=GUEST
/interface list member
add interface=sfp-sfpplus2 list=CUST
add interface=ether6 list=GUEST
add interface=v128 list=WAN


/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface-list=CUST out-interface-list=WAN
add action=accept chain=forward in-interface-list=GUEST out-interface-list=WAN
add action=drop chain=forward log=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip address
add address=192.168.213.1/24 interface=ether6 network=192.168.213.0
add address=172.16.31.1/24 interface=sfp-sfpplus2 network=172.16.31.0
add address=xxx.xxx.xxx.xxx/25 interface=v128 network=xxx.xxx.xxx.xxx

On our firewall, we are seeing lots of martian source packets.
From the non-MikroTik firewall:

May 30 15:36:06 firewall-1 kernel: [12077613.285312] IPv4: martian source xxx.xxx.xxx.xxx from 192.168.212.158, on dev eth1.128

This means that the MikroTik did NOT properly NAT all packets. I would say 99.9% of all packets are properly NAT'ed, but many are not.
I have many MikroTiks with this setup, but they are all failing at the same rate, and they have identical NAT rules with interface lists and VLANs.


Picture for easier explanation:
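To see which internal hosts are leaking un-NATed packets past the MikroTik, the upstream firewall's "martian source" kernel lines can be parsed and grouped by source and WAN device. The script below is an added example, not code from the original post: the log lines are constructed in the same format as the firewall-1 line above (the redacted destination is replaced with a documentation address), the internal networks are the ones in the posted /ip address config, and the "rfc1918-unlisted" label is an assumed name for private sources, such as the 192.168.212.158 from the post, that do not belong to any network in the posted config.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format of the firewall-1 kernel message from the post.
# The redacted destination xxx.xxx.xxx.xxx is replaced with a documentation address (203.0.113.10).
SAMPLE_LOG = """\
May 30 15:36:06 firewall-1 kernel: [12077613.285312] IPv4: martian source 203.0.113.10 from 192.168.212.158, on dev eth1.128
May 30 15:36:07 firewall-1 kernel: [12077614.101223] IPv4: martian source 203.0.113.10 from 172.16.31.77, on dev eth1.128
May 30 15:36:09 firewall-1 kernel: [12077616.554100] IPv4: martian source 203.0.113.10 from 192.168.212.158, on dev eth1.128
May 30 15:36:10 firewall-1 kernel: [12077617.000001] IPv4: martian source 203.0.113.10 from 192.168.213.42, on dev eth1.128
May 30 15:36:11 firewall-1 kernel: [12077618.000002] IPv4: martian source 203.0.113.10 from 198.51.100.9, on dev eth1.128
May 30 15:36:12 firewall-1 sshd[4242]: Accepted publickey for ops from 203.0.113.5 port 51234 ssh2
"""

MARTIAN_RE = re.compile(
    r"IPv4: martian source (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+), on dev (?P<dev>\S+)"
)

# Networks behind the MikroTik, taken from the /ip address section of the posted config.
KNOWN_INTERNAL = {
    "CUST": ipaddress.ip_network("172.16.31.0/24"),
    "GUEST": ipaddress.ip_network("192.168.213.0/24"),
}
# RFC 1918 ranges checked by hand (ipaddress.is_private also covers documentation ranges,
# which would misclassify a genuinely public source).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_martians(log_text):
    """Return (dst, src, dev) for every martian-source kernel line; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            hits.append((m["dst"], m["src"], m["dev"]))
    return hits


def classify_source(src):
    """Map a leaked source to the interface list it belongs to, or flag it as unexpected."""
    addr = ipaddress.ip_address(src)
    for name, net in KNOWN_INTERNAL.items():
        if addr in net:
            return name
    if any(addr in net for net in RFC1918):
        return "rfc1918-unlisted"   # private, but not a network in the posted config (assumed label)
    return "public"                 # not a NAT leak at all: a spoofed or misrouted source


def summarize(log_text):
    """Count leaked sources per (WAN device, source address, classification)."""
    counts = Counter()
    for _dst, src, dev in parse_martians(log_text):
        counts[(dev, src, classify_source(src))] += 1
    return counts


if __name__ == "__main__":
    for (dev, src, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{dev:10} {src:16} {kind:18} {n}")
```

Run it against `journalctl -k` or `/var/log/kern.log` output from the upstream box; a source that classifies as "public" is worth a separate look, since it is not something the MikroTik's masquerade rule could have missed.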

Try adding a firewall rule add action=drop chain=forward connection-state=invalid after the accept established/related rule.

I can try. But please explain why you think this will help?
Even if a packet is "invalid" and accepted by the outgoing firewall rule, it should still be NAT'ed, right?

NAT does rely on connection tracking classification. If the connection tracking machinery can't classify a packet, leaving it with connection state invalid, NAT can't do its job properly either.

When the MikroTik connection tracking sees the end of a TCP conversation (FIN → ACK+FIN → ACK) the tracking entry is removed. Any repeated or unsolicited invalid transmissions from a client, e.g. FIN+ACK, RST+ACK or RST, will not create a new connection tracking entry, so no NAT will be applied. This is not a bug, just normal Linux behaviour.
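The two replies above (NAT depends on conntrack classification; the entry is gone after the FIN exchange, so a stray FIN+ACK is invalid and leaves un-NATed) can be traced step by step with a toy model. This is an added example, not code from the original thread or from RouterOS: it is a deliberately simplified conntrack state machine (entry created only by a SYN from inside, entry deleted immediately on the final ACK of the teardown or on RST, no TIME_WAIT timeout, masquerade keeps the source port), with the WAN address, client and server addresses all assumed documentation values. The `drop_invalid` flag models the suggested `add action=drop chain=forward connection-state=invalid` rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST


class TinyConntrackNat:
    """Toy model of conntrack plus srcnat masquerade on the WAN interface (assumptions in the lead-in)."""

    def __init__(self, wan_ip, internal_nets, drop_invalid=False):
        self.wan_ip = wan_ip
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]
        self.drop_invalid = drop_invalid   # models "add action=drop chain=forward connection-state=invalid"
        self.entries = {}                  # original 4-tuple -> tracking state
        self.reply_index = {}              # 4-tuple as seen from the WAN side -> original 4-tuple

    def _is_internal(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.internal)

    def forward(self, pkt):
        """Process one packet; return (ct_state, filter_action, src_on_wire, dst_on_wire)."""
        if self._is_internal(pkt.src):
            direction, key = "orig", (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            direction = "reply"
            key = self.reply_index.get((pkt.src, pkt.sport, self.wan_ip, pkt.dport))
        state = self.entries.get(key) if key is not None else None

        if state is None:
            if direction == "orig" and pkt.flags == "S":
                # A SYN from inside creates the entry and the NAT binding (masquerade keeps the port).
                self.entries[key] = "new"
                self.reply_index[(pkt.dst, pkt.dport, self.wan_ip, pkt.sport)] = key
                return "new", "accept", self.wan_ip, pkt.dst
            # No entry and not a SYN: conntrack cannot classify it, so srcnat has no binding to
            # apply. Without a drop-invalid rule the interface-list accept in the forward chain
            # still lets it out, with the private source address intact (the upstream martian).
            return "invalid", ("drop" if self.drop_invalid else "accept"), pkt.src, pkt.dst

        # Existing entry: advance the simplified TCP state machine.
        if "R" in pkt.flags:
            new_state = None
        elif state == "new" and direction == "reply" and "S" in pkt.flags and "A" in pkt.flags:
            new_state = "established"
        elif state == "established" and "F" in pkt.flags:
            new_state = "fin-" + direction
        elif state.startswith("fin-") and "F" in pkt.flags and state != "fin-" + direction:
            new_state = "last-ack"
        elif state == "last-ack" and "A" in pkt.flags:
            new_state = None               # teardown complete: entry removed, binding gone
        else:
            new_state = state

        if new_state is None:
            del self.entries[key]
            self.reply_index = {k: v for k, v in self.reply_index.items() if v != key}
        else:
            self.entries[key] = new_state

        # Every packet that matched an entry is NAT'ed from the binding, including the last ACK.
        label = "new" if (state == "new" and direction == "orig") else "established"
        if direction == "orig":
            return label, "accept", self.wan_ip, pkt.dst
        return label, "accept", pkt.src, key[0]


def teardown_then_stray(drop_invalid):
    """Handshake, data, FIN/FIN-ACK/ACK teardown, then a retransmitted FIN+ACK from the client."""
    wan, client, server = "203.0.113.1", "172.16.31.77", "198.51.100.9"   # assumed addresses
    ct = TinyConntrackNat(wan, ["172.16.31.0/24", "192.168.213.0/24"], drop_invalid)

    def c2s(flags):
        return Packet(client, server, 40001, 443, flags)

    def s2c(flags):                         # replies arrive addressed to the WAN IP
        return Packet(server, wan, 443, 40001, flags)

    sequence = [
        c2s("S"), s2c("SA"), c2s("A"),      # handshake
        c2s("A"), s2c("A"),                 # data
        c2s("FA"), s2c("FA"), c2s("A"),     # teardown; entry removed after the final ACK
        c2s("FA"),                          # stray FIN+ACK: no entry, so invalid and un-NATed
    ]
    return [ct.forward(p) for p in sequence]


if __name__ == "__main__":
    for result in teardown_then_stray(drop_invalid=False):
        print(result)
```

The last tuple in the run without `drop_invalid` is the packet the upstream firewall logs as a martian: state invalid, accepted by the forward chain, source still 172.16.31.77. With `drop_invalid=True` the same packet is dropped and everything before it is unchanged, which is the behaviour the suggested rule is meant to give.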

How did you measure that 99.9%?

I didn't. Just a wild guesstimate :)
It's probably closer to 99.999%.

Thanks 👍🙏
Does fasttrack change this behaviour in any way?

No, fasttrack is a connection tracking attribute.

Indeed. And if a packet is fasttracked, it skips the vast majority of packet flow boxes and goes from the connection tracking box output directly to the output interface, see the fasttrack description. Which means that those surplus packets whose connection is already closed will still be declared invalid by the connection tracking machinery. They won't be fasttracked, because individual packets are not fasttracked; the connection is fasttracked (and consequently the packets belonging to it).