I've put an RB951 into my workplace (made some kind of private network inside the corporate one).
On the WAN interface (ether1) I have a public IP, and all the others (ether2-5 + wlan1) are in bridge-lan, which has 192.168.18.1/24.
So my PC, laptop and mobile phone have IP addresses from the private range.
The configuration is simple: just a static public IP on ether1 and a DHCP server on bridge-lan with NAT.
The problem is that our corporate firewall detected packets from my private range:
tcpdump output of the port mirror on the switch:
16:36:39.629595 vlan 102, p 0, IP 192.168.18.254.49868 > 212.24.43.44.80: R 1:1(0) ack 1 win 0
16:36:39.629599 vlan 102, p 0, IP 192.168.18.254.49829 > 159.148.147.201.80: R 1:1(0) ack 1 win 0
16:36:39.629779 vlan 102, p 0, IP 192.168.18.254.49782 > 86.59.118.148.80: R 1:1(0) ack 1 win 0
which causes violation records in the log file:
2013-03-29T16:40:51+01:00 rtr-wan-01 list from-OFFICE denied tcp 192.168.18.254(49868)(Ethernet 1/1 d4ca.6d2b.ab6b) -> 212.24.43.44(http), 7 event(s)
2013-03-29T16:40:52+01:00 rtr-wan-01 list from-OFFICE denied tcp 192.168.18.254(49782)(Ethernet 1/1 d4ca.6d2b.ab6b) -> 86.59.118.148(http), 7 event(s)
and so on.
It seems like some of the packets are not being masqueraded and are arriving from ether1 with an internal IP address.
Maybe somebody knows how to fix it?
At first the router had 5.22, and then I upgraded it to 6rc12, but nothing changed.
Here you can see a compact export of the configuration:
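Added example (not part of the thread, and not MikroTik's code): a POSIX shell script that scans a tcpdump capture of the WAN-side port mirror, like the one in the post above, and reports every packet whose source address is in an RFC 1918 range together with its TCP flags (or protocol). It locates the `IP src > dst:` token on each line, so prefix fields such as the `vlan 102, p 0,` tag do not matter. The embedded SAMPLE is constructed for the demo: the two 192.168.18.254 lines are copied from the post, the rest (a properly translated packet from an assumed public address 203.0.113.7, a UDP leak, a 172.16/12 leak and a 172.32/16 address that only looks private) are made up.

```shell
#!/bin/sh
# Added example, not from the thread: scan a tcpdump capture of the WAN-side
# port mirror for packets that left the router with an RFC 1918 source, i.e.
# packets that were never source-NATed. The two 192.168.18.254 lines are the
# ones from the post; the remaining lines are constructed to show a properly
# translated packet, a UDP (SIP-style) leak, a 172.16/12 leak and a 172.32/16
# address that only looks private.
SAMPLE='16:36:39.629595 vlan 102, p 0, IP 192.168.18.254.49868 > 212.24.43.44.80: R 1:1(0) ack 1 win 0
16:36:39.629599 vlan 102, p 0, IP 192.168.18.254.49829 > 159.148.147.201.80: R 1:1(0) ack 1 win 0
16:36:40.100000 vlan 102, p 0, IP 203.0.113.7.51000 > 93.184.216.34.443: S 0:0(0) win 29200
16:36:40.200000 vlan 102, p 0, IP 10.5.5.9.5060 > 198.51.100.20.5060: UDP, length 412
16:36:40.300000 vlan 102, p 0, IP 172.20.1.3.40000 > 198.51.100.21.80: P 1:10(9) ack 1 win 64
16:36:40.400000 vlan 102, p 0, IP 172.32.0.5.40001 > 198.51.100.22.80: S 0:0(0) win 29200'

# Read tcpdump lines on stdin; print one "LEAK src -> dst FLAGS" line per packet
# whose source address is in 10/8, 172.16/12 or 192.168/16.
find_leaks() {
    awk '
    function rfc1918(ip,   o) {
        split(ip, o, ".")
        if (o[1] == 10) return 1
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
        if (o[1] == 192 && o[2] == 168) return 1
        return 0
    }
    {
        # find the "IP src.port > dst.port:" group; skip lines without it (ARP, IP6, ...)
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        if (i > NF) next
        src = $(i + 1); dst = $(i + 3); flags = $(i + 4)
        sub(/\.[0-9]+$/, "", src)                        # strip source port
        sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)    # strip ":" and destination port
        sub(/,$/, "", flags)                             # "UDP," -> "UDP"
        if (rfc1918(src)) printf "LEAK %s -> %s %s\n", src, dst, flags
    }'
}

# Number of leaked packets in the capture on stdin (0 when the NAT is clean).
leak_count() {
    find_leaks | awk 'END { print NR }'
}

# Stand-alone run: report the leaks in the constructed sample.
printf '%s\n' "$SAMPLE" | find_leaks
```

On a real router you would pipe `tcpdump -nn -i <mirror port>` into `find_leaks`; a non-zero `leak_count` after the fix has been applied means NAT is still being bypassed for some traffic.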
What masquerade does is substitute the source address with the address of the interface the packet is leaving the router on. I am not sure if the last rule you have posted actually does that. Try it this way:
Yes, you're right, masquerade does that; in my rules you can see SNAT, which is almost the same as masquerade, but you can define what IP address to put into the src field of the arriving packet (masquerade takes the first one from the interface dynamically).
But as I can see, some packets arrive with the original (private) address and the next router rejects them. It is not a problem for me, but if somebody from security sees this record I will have problems (as you can see in the log file, there is also a MAC address).
PS: I tried the rule that you proposed - the same behaviour.
.254 is my PC, which got its IP address using DHCP on the RB. So there is nothing weird. I also have a SIP phone, and I can also see its packets arriving from ether1 (WAN) with the original private IP.
Is it only occasional packets that arrive upstream with the private IP? Does the NAT seem to operate normally from the LAN side - i.e. you can use internet services etc. without problems?
If so, you can avoid the log entries upstream by dropping any packets with an RFC1918 src. address on the WAN interface.
Do you have any forwarding filter entries in IP Firewall? Typically you would be allowing connections from the LAN side to the WAN side and only allowing ESTABLISHED and RELATED connections coming back WAN>LAN.
Try adding such filter entries and make sure that the NAT entry matches the same traffic as the forwarding filter allows.
Yes, I had these rules in my previous configuration before I reset the routerboard. You are talking about incoming connections in the input chain. But my problem is with outgoing packets.
It would be interesting to know if this is a hardware/software issue; I have no opportunity to replicate this on other routerboards with different sw releases.
I contacted MikroTik support and got an answer to add the rule
/ip firewall filter add action=drop connection-state=invalid
I added it to the router for all 3 chains (input, output and forward),
and now I can see that these rules are blocking the invalid packets.
So this is not actually a RouterOS issue but a common iptables problem, so on Linux routers you can also filter these packets using:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
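Added example (not from the thread, and not MikroTik's or netfilter's own code): a complete Linux-router ruleset that applies the fix from the last post and adds a second line of defence. The reason the fix works is that source NAT is applied per connection-tracking entry; a packet conntrack cannot tie to any connection (state INVALID, for instance a late RST for a flow conntrack has already expired) never receives the SNAT mapping and would leave the WAN interface with its private address, which is exactly what the port mirror above showed. Dropping INVALID in every chain stops that. The script uses nftables rather than the iptables rules above for the extra egress guard, because nftables lets a filter chain hook postrouting with a priority above srcnat (200 > 100) and therefore see the translated source address, something the iptables filter table cannot do. Interface names (eth0, br-lan), the LAN subnet and the public address 203.0.113.7 are assumptions; change them for your router. By default the script only prints the ruleset; set DRYRUN=0 to load it.

```shell
#!/bin/sh
# Added example, not from the thread: nftables ruleset for a Linux router with
# (1) conntrack INVALID dropped in input, forward and output, as MikroTik
# support recommended, and (2) a post-srcnat egress guard that logs and drops
# anything still carrying an RFC 1918 source on its way out of the WAN.
# WAN, LAN, LAN_NET and WAN_IP are assumed values; adjust them.
# Prints the ruleset by default; DRYRUN=0 pipes it into "nft -f -".

WAN=${WAN:-eth0}
LAN=${LAN:-br-lan}
LAN_NET=${LAN_NET:-192.168.18.0/24}
WAN_IP=${WAN_IP:-203.0.113.7}     # assumed static public address (documentation range)
DRYRUN=${DRYRUN:-1}

# Emit the complete ruleset on stdout.
ruleset() {
    cat <<EOF
flush ruleset

table inet router {
    chain input {
        type filter hook input priority filter; policy drop;
        # INVALID first: these packets never get a NAT mapping, so they must not pass.
        ct state invalid drop
        iifname "lo" accept
        ct state established,related accept
        iifname "$LAN" ip saddr $LAN_NET accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid log prefix "CT-INVALID " drop
        ct state established,related accept
        # LAN -> WAN only for the subnet that srcnat below will translate.
        iifname "$LAN" oifname "$WAN" ip saddr $LAN_NET accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
        ct state invalid drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN" ip saddr $LAN_NET snat to $WAN_IP
    }
}

table ip egress_guard {
    chain postrouting {
        # priority 200 runs after srcnat (100), so saddr here is the translated one;
        # anything still private at this point is a NAT leak: log it and drop it.
        type filter hook postrouting priority 200; policy accept;
        oifname "$WAN" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } log prefix "NAT-LEAK " drop
    }
}
EOF
}

# Number of chains that drop ct state invalid; must be 3 (input, forward, output).
invalid_drop_count() {
    ruleset | grep -c 'ct state invalid'
}

if [ "$DRYRUN" = 1 ]; then
    ruleset
else
    ruleset | nft -f -
fi
```

After loading, `nft list ruleset` shows the three chains, and the kernel log prefixes `CT-INVALID` and `NAT-LEAK` tell you whether the leak is being stopped by the conntrack rule or, if you ever see the second prefix, by the guard alone, which would mean the NAT rule no longer matches some outbound traffic.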