NAT Type

morzex · April 20, 2011, 3:20am

Why RouterOS doest’n pass the NAT test at http://www.microsoft.com/windows/using/tools/igd/default.mspx ?
It says the NAT type is symmetric! Why?

fewi · April 20, 2011, 5:01am

Because that’s what masquerade and SNAT do in iptables, which is what RouterOS uses under the hood.

Realistically this will only affect their use of IPv6 transitioning techniques, and you can always just run your own tunnel to the IPv6 backbone if you need to.

morzex · April 20, 2011, 7:38am

What masquerade and SNAT do? Symmetric NAT?
Ok. But when I used an OpenWRT-based router that is ising the same masquerade in iptables, it passed this test.
Does that all mean, that only symmetric nat possible on RouterOS?
Is there any way to make that Firewall work like OpenWRT or Windows ICS to pass this test?

ditonet · April 20, 2011, 9:56pm

I’ve just made this test out of curiosity and my RB433AH with ROS 5.1 passed this test.

Success of this test (NAT Type) means that your Internet router or firewall acts similar to a cone NAT.

Regards,

morzex · April 21, 2011, 6:11am

Tell me your connection type and Firewall config please!
I am also using RouterOS 5.1 on custom x86 harware - all works fine, but this NAT test it doesn’t pass.
I realy want to understand what the problem!

ditonet · April 21, 2011, 8:51am

My connection is a DSL line.
Below is my firewall/NAT config:

/ip firewall filter
add action=accept chain=input comment="default configuration - established" \
    connection-state=established disabled=no
add action=accept chain=forward comment="default configuration - established" \
    connection-state=established disabled=no
add action=accept chain=input comment="default configuration - related" \
    connection-state=related disabled=no
add action=accept chain=forward comment="default configuration - related" \
    connection-state=related disabled=no
add action=drop chain=input comment="default configuration - drop invalid" \
    connection-state=invalid disabled=no
add action=drop chain=forward comment="default configuration - drop invalid" \
    connection-state=invalid disabled=no
add action=drop chain=input comment=\
    "default configuration - drop bogons from WAN side" disabled=no \
    in-interface=WAN src-address-list=BOGONS
add action=accept chain=input comment="default configuration - ICMP" \
    disabled=no limit=5,5 protocol=icmp
add action=accept chain=forward comment="default configuration - ICMP" \
    disabled=no limit=5,5 protocol=icmp
add action=reject chain=input comment="default configuration - reject all !!!" \
    disabled=no in-interface=WAN reject-with=icmp-port-unreachable

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration - masquerade" disabled=no out-interface=WAN

HTH,

morzex · April 23, 2011, 5:18am

Oops!
I just now run the test and all is OK. )) I didn’t any change to NAT configuration…
“The IGD’s NAT type is RESTRICTED CONE” ))