Preserve client IP when dst-nat to other server

rechandler · June 10, 2021, 3:27pm

Hi!
I want to force wi-fi clients to use my own NTP server (which is not really important). I have dst-nat and src-nat rules:

add action=dst-nat chain=dstnat comment="Force using local NTP Server" \
    dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
    "!NTP Server" to-addresses=10.0.0.100 to-ports=123
add action=masquerade chain=srcnat comment="Force using local NTP Server" \
    dst-address-list="NTP Server" dst-port=123 out-interface-list=LAN protocol=\
    udp

And I have one problem with my rules, in NTP server client is always my router (10.0.0.1) and not my real client, eg. 10.0.0.10. I know that src-nat is doing this stuff, is there any other method to achieve my goals?

mkx · June 10, 2021, 3:50pm

When you’re doing dst-nat to server (10.0.0.100) which is in the same subnet as original client (10.0.0.10), then it is essential to perform src-nat as well (without it, server would reply to client directly and client would reject replies because they would be coming back from IP address it did not contact in the first place. But src-nat also means your server doesn’t see IP addresses of real clients.

The only way out is to move NTP server to another subnet, in that case src-nat would not be necessary and server would see IP addresses of real clients.

anav · June 10, 2021, 3:52pm

Not sure what you mean by own NTP server? Time servers are actually on the internet or do you have an atomic clock in your house?
The MT router has its own capability to be an NTP server, so on my network I just point the devices to the subnet gateway they are on and done!!

rextended · June 10, 2021, 4:08pm

inappropriate, removed<

mkx · June 10, 2021, 4:28pm

A raspberry pi, running NTP service … or something like that. Or even own atomic clock, why not? After all, observability of NTP server in ROS is nil, but some of us do care about proper functioning of services.

anav · June 10, 2021, 5:18pm

Sorry I didnt know ROS NTP server was so unstable, non-functioning and unreliable.
I really do need to invest in a better atomic clock for my bitcoin transactions!!

hi rextended
/ip fire nat
add action=dst-nat chain=dstnat comment=“Force using local NTP Server” dst-address-list=“!NTP Server” dst-port=123
in-interface-list=LAN protocol=udp src-address-list=“!NTP Server” to-addresses=10.0.0.100 to-ports=123

Are you assuming one has to also make two firewall address lists?? Why not…
/ip fire nat
add action=dst-nat chain=dstnat comment=“Force using local NTP Server” dst-port=123
in-interface-list=LAN protocol=udp to-addresses=10.0.0.100 to-ports=123

I suppose one might also need (assuming drop all rule in forward chain)
/ip fire nat
add action=accept chain=forward allow access to NTP servers in-interface-list=LAN
dst-port=123 dst-address=10.0.0.100

rextended · June 10, 2021, 5:26pm

I do not understand how traduce that on Italian but…

From 2007 I have two MikroTik NTP Server than sincronize all my devices and 4000 users CPE
and other 4 * 4000 (average number of devices for each user * users) = 16000 devices and no one single problem
(both are sincronized with official Italian atomic clock)

anav · June 10, 2021, 5:30pm

Well, I was basing my profound knowledge on one router and three devices over several months… but cannot hold a candle to that IN UR FACE comment.
MKX-0 Rextended-1

rextended · June 10, 2021, 5:31pm

inappropriate, removed<

anav · June 10, 2021, 6:01pm

Ahh Okay I see that but find the syntax the OP used VERY VERY confusing on the dst nat rule he uses “!list” and on the other he uses “list”
Both being between the quotes are just text and not functioning items. In fact if NTP_Server is a list of those that should use the local NTP (aka his wifi clients)
then why is the quote !NTP_Server ???

So are we to assume that what the op means is that he has ONE firewall address list for all subnets/devices that should use NTP (the wifi ones).
and thus his rule should have been instead of this…
add action=dst-nat chain=dstnat comment=“Force using local NTP Server”
dst-port=123 in-interface-list=LAN protocol=udp src-address-list=
“!NTP Server” to-addresses=10.0.0.100 to-ports=123

Should be written as such
add action=dst-nat chain=dstnat comment=“Force using local NTP Server”
dst-port=123 in-interface-list=LAN protocol=udp src-address-list=
NTP_Server to-addresses=10.0.0.100 to-ports=123

What I dont understand is your use of 127.0.0.1 ? What does that in effect do as the TO address is no longer the NTP server??

rextended · June 10, 2021, 6:01pm

@anav,
tomorrow I’ts my turn for COVID-19 vaccine (Pfizer)

anav · June 10, 2021, 6:02pm

Gluck, if its the first dose, should be okay. Its the second shot that gives you issues.
I know two doctors with 4000 adult patients each family has approx 4 kids = 16000 devices, with the same results

rextended · June 10, 2021, 6:04pm

inappropriate, removed<

rextended · June 10, 2021, 6:05pm

My mother already have 1st, but nothnig, nada, zero, problem…

mkx · June 10, 2021, 6:51pm

I'm talking about ....

[user@MTrouter] > /system ntp client print
          enabled: yes
             mode: unicast
      primary-ntp: 192.168.42.10
    secondary-ntp: 2001:1470:8000::92
  dynamic-servers:
           status: synchronized

versus

user@192.168.42.10:~$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   5d   64    0    0.000    0.000   0.000
 ntp.ISP.TLD     .POOL.          16 p    -   64    0    0.000    0.000   0.000
-10.253.47.11    95.176.233.15    4 u  818 1024  377    6.100    0.502  20.134
-2001:1470:8000: .shm0.           1 u  836 1024  377   12.356    0.892   8.422
*84.255.251.189  .PPS0.           1 u  502 1024  377    6.867   -0.028   1.283
 2a00:ee2:400:42 .XFAC.          16 s  20d 1024    0    0.000    0.000   0.000
+2a00:ee0:e::15  200.123.255.157  3 u  580 1024  377    8.409   -0.021   0.132
-193.77.204.19   172.25.3.2       2 u  632 1024  377    6.393    0.283  11.424
+95.176.233.15   200.123.255.157  3 u  230 1024  377    7.935    0.075   0.152

Anybody (but me) notices the difference?

anav · June 10, 2021, 7:10pm

Yes, the top half is clean and uncluttered and easy on my 60yr old eyes.
The bottom half seems like its full of noise and information I dont really need.

In other words, you are 100% right in terms of performance and usage fidelity.
I just never thought that level of granularity was required as it was a simple thing…and should just work.

mkx · June 10, 2021, 7:20pm

You’re right … as long as it works, we don’t need any logs, debugging information or any other nonsense. But sometimes it doesn’t work … and then we need all the noise we can get … and if there’s no noise to filter, we’re in troubles.

rextended · June 10, 2021, 9:19pm

ignored, removed<

mkx · June 11, 2021, 5:18am

@rextended: I’ll just ignore your last post, it’s quite off topic already. The post is directed at me (concrete examples of “right” choices) and I think I can master my own subnet of NTP servers just fine (I’ve been running public NTP servers for the last 25 years). You don’t know the reasons I’ve had when making the choice of particular NTP servers I’m using for synchronisation so your arguments might be void (they might be very reasonable as well, but let’s not go into this).

My case came on the table just to illustrate the need for running proper NTP server as @OP does.

rechandler · June 11, 2021, 7:10am

Oh wow, I didn’t expect so extensive discussion.
Let me clarify things:
Here’s my motivation to have own NTP server: https://askubuntu.com/questions/14558/how-do-i-setup-a-local-ntp-server
I don’t have atomic clock, but I want to have Stratum 1 time server, so I have GPS module.

Now the rules:

add action=dst-nat chain=dstnat comment="Force using local NTP Server" \
    dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
    "!NTP Server" to-addresses=10.0.0.100 to-ports=123
add action=masquerade chain=srcnat comment="Force using local NTP Server" \
    dst-address-list="NTP Server" dst-port=123 out-interface-list=LAN protocol=\
    udp

@rextended I can’t have only dst-nat because it just don’t work. @mkx explained it in his first post.

@anav about rules:
dst-port=123 → port of NTP Server
in-interface-list=LAN → all my LAN clients, wifi, guests, ethernet
protocol=udp → protocol of NTP Server
src-address-list=“!NTP Server” → I don’t want to rely only on GPS, I want to use also sources from Internet so I have to allow connect my NTP Server with other public NTP Servers. Without this my NTP Server could only communicate with himself

srcnat → same config but for other chain.

@mkx I want to ask, what do you mean by another subnet, for eq. 10.1.0.0? Or some public IP from internet? I need to leave my own LAN?