NAT Problem

Hello,

I have a Problem with Mikrotik and iPhone with NAT:

1-5% of all packets won't be NATed correctly: some LAN packets are forwarded to the DMZ without getting NATed:

schema:

internet
   |
   |
+--+---------------------+
|     linux server       |
| ext.ip.dmz.129         |
+--+---------------------+
   |
   |
+--+---------------------+
| ext.ip.dmz.143 eth0    |
| mikrotik dhcp-server   |
| 192.168.101.2   eth1   |
+--+---------------------+
   |
   |
+--+---------------------+
| switch-wlan            |
+--+---------------------+
   |
   |
+--+---------------------+
| iphone 192.168.101.149 |
+------------------------+

[guk@guktik2] > /interface ethernet export

dec/06/2009 19:37:42 by RouterOS 4.3

/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment=2DACH-EXTERN disabled=no full-duplex=yes l2mtu=1600 mdix-enable=yes mtu=1492 name=2extern speed=100Mbps
set 1 arp=enabled auto-negotiation=yes comment=2wlan-ROUTER disabled=no full-duplex=yes l2mtu=1600 mtu=1492 name=2wlan speed=100Mbps

/ip address
add address=ext.ip.dmz.143/27 broadcast=ext.ip.dmz.159 comment="DMZ" disabled=no interface=2extern network=ext.ip.dmz.128
add address=192.168.101.2/24 broadcast=192.168.101.255 comment="WLAN Netz" disabled=no interface=2wlan network=192.168.101.0

/ip firewall nat
add action=masquerade chain=srcnat comment=Internet disabled=no out-interface=2extern src-address=192.168.101.0/24

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ext.ip.dmz.129 scope=255 target-scope=10

/ip firewall filter
add action=accept chain=forward comment="Internet - zum dach gw" disabled=no dst-address=ext.ip.dmz.129 dst-port=53 in-interface=2wlan out-interface=2extern protocol=udp src-address=192.168.101.0/24
add action=accept chain=forward comment="Internet rest ja" disabled=no in-interface=2wlan out-interface=2extern src-address=192.168.101.0/24
add action=accept chain=forward comment="Internet - Established" connection-state=established disabled=no dst-address=192.168.101.0/24 in-interface=2extern out-interface=2wlan
add action=accept chain=forward comment="Internet - Related NEW" connection-state=related disabled=no dst-address=192.168.101.0/24 in-interface=2extern out-interface=2wlan
add action=accept chain=forward comment="Internet PING" disabled=no in-interface=2extern out-interface=2wlan protocol=icmp


linux-in-dmz# tcpdump -s0 -vni eth0 host 192.168.101.149

19:39:35.523117 IP (tos 0x0, ttl 63, id 27506, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.101.149.49829 > 194.232.116.174.80: R, cksum 0x8e98 (correct), 1:1(0) ack 1 win 32904

19:39:39.839287 IP (tos 0x0, ttl 63, id 44068, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.101.149.49819 > 194.232.116.174.80: R, cksum 0x5f1f (correct), 1:1(0) ack 1 win 32904

19:39:43.455372 IP (tos 0x0, ttl 63, id 37961, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.101.149.49913 > 75.125.36.226.80: F, cksum 0xc196 (correct), 0:0(0) ack 1 win 32904 <nop,nop,timestamp 840181647 1556393233>

Any ideas why those packets won't be NATed and how to get Mikrotik working as it should?

You have to add a rule that drops invalid packets.

Hi,

Where do I have to put this rule? In Mikrotik or on the Linux server?
Why should these packets be invalid? How can I recognize/tag them?
Do you mean: add chain=forward connection-state=invalid action=drop comment="Dropping invalid connections" ?
The /ip firewall filter forward chain is checked before snat, so I can't catch those misbehaving un-NATed packets via the filter.

In my opinion: when I tell MikroTik to NAT all packets, even invalid ones, from 192.168.101.0/24 leaving "2extern", and I still see 1-5% un-NATed source addresses on a host behind it, then Mikrotik is doing something wrong.

Mikrotik only NATs packets that belong to a particular connection. If there is no connection in the connection table when the router receives a packet, it is not NATed and the packet is marked as invalid.

NAT only works for new connections. If there are packets of an unknown ('invalid') connection that do not start a new connection (SYN flag), NAT rules do not affect these packets.

... and the packet will be forwarded to the internet with LAN source IPs - good for spoofing :frowning:

btt:

/ip firewall filter

add action=log chain=forward comment="INVALID" connection-state=invalid disabled=no in-interface=2wlan log-prefix=eval-invalid-guk out-interface=2extern
add action=reject chain=forward comment="INVALID tcp" connection-state=invalid disabled=no in-interface=2wlan out-interface=2extern protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="INVALID udp" connection-state=invalid disabled=no in-interface=2wlan out-interface=2extern reject-with=icmp-port-unreachable
add action=log chain=forward comment="not INVALID - ok forward " disabled=no in-interface=2wlan log-prefix=okforward out-interface=2extern


add action=accept chain=forward comment="Internet - zum dach gw" disabled=no dst-address=ext.ip.dmz.129 dst-port=53 in-interface=2wlan out-interface=2extern protocol=udp src-address=192.168.101.0/24
add action=accept chain=forward comment="Internet rest ja" disabled=no in-interface=2wlan out-interface=2extern src-address=192.168.101.0/24
add action=accept chain=forward comment="Internet - Established" connection-state=established disabled=no dst-address=192.168.101.0/24 in-interface=2extern out-interface=2wlan
add action=accept chain=forward comment="Internet - Related NEW" connection-state=related disabled=no dst-address=192.168.101.0/24 in-interface=2extern out-interface=2wlan
add action=accept chain=forward comment="Internet PING" disabled=no in-interface=2extern out-interface=2wlan protocol=icmp

And it works better :slight_smile: thanks.
Fine, now I know the problem: it's the iPhone, but it still lags often.
Anyone know a fix to make the iPhone produce "not invalid" packets? Via UMTS the internet works better...

debug:

linux syslog# grep eval-invalid-guk user |wc -l
136
linux syslog# grep -v eval-invalid-guk user |wc -l
5836

linux syslog# grep eval-invalid-guk user |tail -10|modify
Dec 7 21:01:30 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,FIN), 192.168.101.149:49682->62.41.3.78:80, len 32
Dec 7 21:01:31 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,FIN), 192.168.101.149:49581->91.198.174.3:80, len 32
Dec 7 21:01:34 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,FIN), 192.168.101.149:49811->91.198.174.3:80, len 32
Dec 7 21:01:58 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,FIN), 192.168.101.149:49811->91.198.174.3:80, len 32
Dec 7 21:02:18 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,FIN), 192.168.101.149:49810->91.198.174.3:80, len 44
Dec 7 21:02:34 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,FIN), 192.168.101.149:49682->62.41.3.78:80, len 32
Dec 7 21:02:35 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,FIN), 192.168.101.149:49581->91.198.174.3:80, len 32
Dec 7 21:02:44 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,FIN), 192.168.101.149:49810->91.198.174.3:80, len 44
Dec 7 21:02:46 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,FIN), 192.168.101.149:49811->91.198.174.3:80, len 32
Dec 7 21:03:36 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,FIN), 192.168.101.149:49810->91.198.174.3:80, len 44

linux syslog# grep eval-invalid-guk user | fmt -1 | grep "(" | sort | uniq -c | sort -n
11 (ACK,RST),
136 (ACK,FIN),

linux syslog# fmt -1 user |grep "("|sort|uniq -c |sort -n
1 (ACK,FIN,PSH),
7 (type
11 (ACK,RST),
11 (SYN,ACK),
30 (RST),
32 out:(none),
488 (SYN),
532 (ACK,FIN),
892 (ACK,PSH),
4583 (ACK),

linux syslog# grep eval-invalid-guk user | cut -f 7- -d ,|sort|uniq -c |sort -n
11 len 20
14 len 44
141 len 32

→ mostly small packets.

best regards, guk

Seems like the iPhone sends a double FIN if no response comes fast enough, and this second one won't get NATed:

full trace of a tcp session (outgoing only):

Dec 7 22:10:33 okforward forward: in:2wlan out:2extern, proto TCP (SYN), 192.168.101.149:50535->75.101.161.62:80, len 44
Dec 7 22:10:34 okforward forward: in:2wlan out:2extern, proto TCP (SYN), 192.168.101.149:50535->75.101.161.62:80, len 44
Dec 7 22:10:35 okforward forward: in:2wlan out:2extern, proto TCP (SYN), 192.168.101.149:50535->75.101.161.62:80, len 44
Dec 7 22:10:36 okforward forward: in:2wlan out:2extern, proto TCP (SYN), 192.168.101.149:50535->75.101.161.62:80, len 44
Dec 7 22:10:37 okforward forward: in:2wlan out:2extern, proto TCP (SYN), 192.168.101.149:50535->75.101.161.62:80, len 44
Dec 7 22:10:37 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:37 okforward forward: in:2wlan out:2extern, proto TCP (ACK,PSH), 192.168.101.149:50535->75.101.161.62:80, len 459
Dec 7 22:10:38 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 44
Dec 7 22:10:39 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 44
Dec 7 22:10:39 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 44
Dec 7 22:10:39 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:39 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:40 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:40 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:40 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:40 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:40 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:41 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:41 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:41 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:42 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:42 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:42 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:42 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:43 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:43 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:43 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:44 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:44 okforward forward: in:2wlan out:2extern, proto TCP (ACK), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:44 okforward forward: in:2wlan out:2extern, proto TCP (ACK,FIN), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:57 eval-invalid-guk forward: in:2wlan out:2extern, proto TCP (ACK,FIN), 192.168.101.149:50535->75.101.161.62:80, len 32
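As an added example (not code from this thread or from MikroTik), a small Python parser for the RouterOS firewall log lines shown above: it reproduces the grep/uniq flag histogram from the debug post and picks out, per 5-tuple, an accepted ACK,FIN followed by a later ACK,FIN logged as invalid, the "double FIN" pattern blamed on the iPhone in the last post. The log-prefix names (okforward, eval-invalid-guk) are the ones from the thread; the sample lines are constructed in that format.

```python
import re
from collections import Counter

# RouterOS firewall log line as it appears in the thread's syslog:
# "<date> <log-prefix> forward: in:<if> out:<if>, [src-mac ..,] proto TCP (<FLAGS>),
#  <src>:<sport>-><dst>:<dport>, len <n>"  (lines in another shape, e.g. ICMP, don't match)
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<prefix>\S+) forward: "
    r"in:(?P<in>\S+) out:(?P<out>\S+),.*?proto (?P<proto>\w+) \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

def parse(line):
    """Return the fields of one TCP log line as a dict, or None if the line is not in that format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_histogram(lines, prefix):
    """Count TCP flag combinations for lines carrying the given log-prefix
    (same numbers as the thread's grep | fmt -1 | grep "(" | sort | uniq -c)."""
    hist = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["prefix"] == prefix:
            hist[rec["flags"]] += 1
    return hist

def repeated_fins(lines, ok_prefix="okforward", invalid_prefix="eval-invalid-guk"):
    """Return (src, sport, dst, dport) flows where an ACK,FIN was accepted and a later ACK,FIN
    for the same flow was logged as invalid: these second FINs are exactly the packets that
    would leave un-NATed without the invalid drop/reject rule in front of the accept rules."""
    fin_seen, leaks = set(), []
    for line in lines:
        rec = parse(line)
        if not rec or rec["flags"] != "ACK,FIN":
            continue
        flow = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["prefix"] == ok_prefix:
            fin_seen.add(flow)
        elif rec["prefix"] == invalid_prefix and flow in fin_seen:
            leaks.append(flow)
    return leaks

# Constructed sample in the thread's log format (not a real capture).
SAMPLE_LOG = """\
Dec 7 22:10:33 okforward forward: in:2wlan out:2extern, proto TCP (SYN), 192.168.101.149:50535->75.101.161.62:80, len 44
Dec 7 22:10:37 okforward forward: in:2wlan out:2extern, proto TCP (ACK,PSH), 192.168.101.149:50535->75.101.161.62:80, len 459
Dec 7 22:10:44 okforward forward: in:2wlan out:2extern, proto TCP (ACK,FIN), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:10:57 eval-invalid-guk forward: in:2wlan out:2extern, proto TCP (ACK,FIN), 192.168.101.149:50535->75.101.161.62:80, len 32
Dec 7 22:11:02 eval-invalid-guk forward: in:2wlan out:2extern, src-mac xxx, proto TCP (ACK,RST), 192.168.101.149:49682->62.41.3.78:80, len 20
""".splitlines()
```

Running flag_histogram over a real "user" syslog file split into lines gives the same counts as the uniq -c pipeline in the debug post, and repeated_fins lists the flows whose trailing FIN hit the invalid rule.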