Noob NAT question

So I've been using RouterOS on lots of devices for many years now. I'm reasonably good with RouterOS. However I still consider myself a noob.

I have a maybe stupid question.

First my setup. Mostly I use Mikrotik devices in expensive homes. These homes are super high tech and are typically on a CCR 36. I typically have 50-100 devices on the network. These are all mostly consumer devices. These devices are typically really terrible from an IT standpoint and have huge lists of issues. Maybe do not even have firmware update options. With recent IoT attacks and trojans some of these devices have become infected and they must simply be thrown out because they cannot be updated or cleaned. These devices, once infected, saturate the network looking for other devices. I have developed a rather crazy way to deal with all this. I have started putting mAPs on critical devices to isolate them from the rest of the network via NAT. So I am placing a single device on its own mAP running NAT to completely isolate it from the rest of the devices on the network. This is actually very effective. The mAP devices are inexpensive enough, and being PoE powered, this works really well to isolate each device from other devices on the network. If the device has a built-in wifi, I turn that off and use the mAP's wifi as a client for further protection.

On each mAP I use the firewall rules that come with it for NAT. I add a rule that adds the source IP to a bad guy address list if the firewall is going to drop the packet.

My question..

I've noticed something odd. Even after 2 NATs, one at the edge with the CCR 36 and then one in the mAP, I am picking up external IPs being dropped.

It's very few IPs. But I am curious what these are.

Some examples are:
31.13.66.5 and 31.13.66.36: these show up on every system I run in 3 different cities in Texas.

I don't understand what these addresses from Google are doing on my private network after 2 NATs.
216.58.194.35, 216.58.194.46, 216.58.194.106 … the whole 216.58.x.x really
173.194.24.235, 173.194.55.71, 173.194.143.169 …

Those are really almost the only addresses that show up.

So again, 2 routers doing the below rules:
CCR 36 NAT+below rules > mAP NAT+below rules, and I still get the above addresses.


My firewall rules

/ip firewall filter
add action=drop chain=input src-address-list=BadGuys
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=add-src-to-address-list address-list=BadGuys address-list-timeout=12h chain=input in-interface=Input src-address-list=!GoodGuys
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=Input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=add-src-to-address-list address-list=BadGuys address-list-timeout=0s chain=forward in-interface=Input src-address-list=!GoodGuys
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=Input

I admit to being confused..

I have set up a test setup with 2 routers, both running NAT.. I have not been to Facebook with the only computer on the second router. Yet.. I'm seeing 31.13.66.36 somehow traversing NAT?

I guess I need to packet capture and see what this is. It's almost the only thing that makes it thru 2 NATs..

WTF is this for?

Man these weird connections are weird. I did tons of browsing, used every application. The strange connections behind 2 NATs did not appear. They seem to appear almost randomly and not driven by any application. They come from a huge pool of numbers. So far they ONLY trace back to Facebook and Google.

I have captured a packet exchange. I DO NOT KNOW WHAT I'M DOING WITH PACKET CAPTURE..

A packet appears to come in on TCP port 443 and echo thru all my local computers? Even moving to secondary NATed routers.

It's OK, I don't mind exposing the IPs..

So WTF is this?
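Before deciding what the listed addresses are, it helps to triage what the add-src-to-address-list rules above are actually catching: they fire on any WAN-side packet that is not part of a tracked connection, which includes the tail of a session the inside device itself opened (a late ACK, FIN or RST from port 443 arriving after the tracking entry closed), not only unsolicited connection attempts. With address-list-timeout=0s in the forward chain, such an entry stays in the list until removed, which for a Google or Facebook front-end address would then block that service for the isolated device. The script below is an added example, not from the forum thread or from MikroTik. It parses firewall log lines in the shape RouterOS writes for a filter rule with log=yes (that format is an assumption about the exact text; adjust the regex to the lines you see), using constructed sample lines that reuse the public addresses quoted above plus documentation ranges, and separates "late packet of a closed session" from "unsolicited SYN", which is the distinction a packet capture would confirm.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines modelled on RouterOS firewall log output
# (the exact format is an assumption). Public addresses are the ones the
# poster listed; 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_LOG = """\
firewall,info forward: in:ether1 out:bridge, src-mac 00:0c:42:aa:bb:01, proto TCP (ACK,FIN), 31.13.66.36:443->192.168.88.10:51544, len 52
firewall,info forward: in:ether1 out:bridge, src-mac 00:0c:42:aa:bb:01, proto TCP (ACK), 216.58.194.35:443->192.168.88.10:51612, len 40
firewall,info forward: in:ether1 out:bridge, src-mac 00:0c:42:aa:bb:01, proto TCP (RST), 173.194.24.235:443->192.168.88.10:51700, len 40
firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 198.51.100.77:40000->192.168.88.1:23, len 44
firewall,info forward: in:ether1 out:bridge, src-mac 00:0c:42:aa:bb:01, proto UDP, 203.0.113.9:53->192.168.88.10:50321, len 120
"""

# Fields: chain, in-interface, optional out-interface and src-mac, protocol,
# optional TCP flags in parentheses, then "src:port->dst:port".
LOG_RE = re.compile(
    r"(?P<chain>input|forward|output): in:(?P<iface>\S+)"
    r"(?: out:[^,]+)?, (?:src-mac [0-9a-fA-F:]+, )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?"
)

# Source ports a LAN host legitimately receives replies from; a non-SYN
# packet from one of these is the usual signature of a closed-session straggler.
SERVER_PORTS = {80, 443, 53, 123}


@dataclass
class Verdict:
    src: str
    category: str
    add_to_list: bool  # True only where a BadGuys entry is justified


def parse_line(line):
    """Return a dict of the parsed fields, or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["flags"] = set(d["flags"].split(",")) if d["flags"] else set()
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def classify(entry):
    """Decide whether a dropped WAN-side packet looks unsolicited or a straggler."""
    proto, flags, sport = entry["proto"].upper(), entry["flags"], entry["sport"]
    if proto == "TCP" and "SYN" in flags and "ACK" not in flags:
        return Verdict(entry["src"], "unsolicited SYN: connection attempt from the WAN side", True)
    if proto == "TCP" and "SYN" not in flags and sport in SERVER_PORTS:
        return Verdict(entry["src"], "late ACK/FIN/RST from a server port: tail of a session the LAN host opened", False)
    if proto == "UDP" and sport in SERVER_PORTS:
        return Verdict(entry["src"], "late UDP reply from a server port after the tracking entry expired", False)
    return Verdict(entry["src"], "unclassified: inspect the capture", False)


def triage(log_text):
    """Parse every matching line and return one Verdict per line."""
    return [classify(e) for e in map(parse_line, log_text.splitlines()) if e]


def summarize(verdicts):
    """Count verdicts by (category, add_to_list) for a quick overview."""
    return Counter((v.category, v.add_to_list) for v in verdicts)


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v.src:16} list={v.add_to_list!s:5} {v.category}")
    for (category, listed), n in summarize(triage(SAMPLE_LOG)).items():
        print(f"{n} x {category} (list={listed})")
```

To get lines in this shape on the mAP, add log=yes with a log-prefix to the add-src-to-address-list rules (or to a matching passthrough rule placed just before them) and feed the log into the script; if the Google and Facebook entries all come out as late ACK/FIN/RST from port 443 while the device's own sessions explain them, the fix is to restrict the listing rules to SYN packets and to use a finite timeout rather than 0s.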

Why NAT local to local IPs? That is fundamentally wrong.
Why load mAPs with firewall?

use simple routing (or bridging) and filter everything on your CCR.

Make sure that connection-nat-state=!srcnat packets are dropped if coming from the public network in firewall forward.

This is a test setup, as I mentioned, to catch these weird packets.. PLUS as I mentioned at the top of the post.. I want to completely isolate each device from each other.

I'm curious what can jump thru multiple layers of firewalls and NAT to every computer on the network.

Any idea what this network traffic is?