We have a hotspot and recently customers are complaining about connection problems.
The board used is a RB433AH, RouterOs v4.14. The system structure is as follows:
Internet ----- WAN-Router 192.168.1.1/24 ---- 192.168.1.200/24 Mikrotik 10.10.1.254/23 ---- About 30 Clients (10.10.0.0/23 network)
Examining the system in order to debug the problem, I found that some private-network packets (10.10.X.X) are bypassing the NAT masquerade rule without their source address being changed, causing connectivity problems. In fact, when sniffing packets on the 192.168.1.1/24 network, some 10.10.X.X source addresses are found:
4.14 has some problems; install 4.16, the most stable of all the 4.x versions,
but consider going up to 5.26.
DO NOT WORRY!
It’s normal.
If you want a detailed explanation:
The router does not process outbound TCP packets if they contain “FIN”, “FIN + ACK” or the “ACK in reply to a FIN”.
These packets are used to close the TCP connection.
It is useless to change the source IP,
because there is no reply from the other side after closing the connection (this is not really true, but for simplicity never mind for now).
It’s a way to not waste CPU time on useless things.
If someone like the explanation, please add Karma.
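A way to check the explanation above against what the original poster sniffed on the 192.168.1.1/24 side: sort the un-NATed packets into the teardown kinds described (FIN-bearing segments and the bare ACK that answers a FIN) and everything else, since anything else would be a genuine masquerade bypass rather than this optimisation. This is an added illustration, not code from the thread or from RouterOS; the `Packet` records and the `CAPTURE` sample are constructed, with documentation-range destination addresses.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10  # TCP flag bits used below

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp"
    flags: int = 0  # TCP flag bits, 0 for non-TCP

def leak_kind(p: Packet) -> str:
    """Classify a packet seen upstream with its LAN source address intact. Per the
    thread, FIN-bearing segments and the bare ACK answering a FIN are teardown
    packets RouterOS deliberately skips; anything else is a genuine NAT bypass."""
    if p.proto != "tcp":
        return "unexpected"
    if p.flags & FIN:
        return "teardown_fin"
    if p.flags == ACK:
        return "teardown_ack"  # flags alone cannot prove this ACK answers a FIN
    return "unexpected"

def audit_capture(packets, lan_cidr: str):
    """Count un-NATed packets by kind; also return those that are not teardown."""
    lan = ipaddress.ip_network(lan_cidr)
    counts, unexpected = Counter(), []
    for p in packets:
        if ipaddress.ip_address(p.src) not in lan:
            counts["src_rewritten_or_foreign"] += 1
            continue
        kind = leak_kind(p)
        counts[kind] += 1
        if kind == "unexpected":
            unexpected.append(p)
    return counts, unexpected

# Constructed sample, as if sniffed on the 192.168.1.0/24 segment behind the Netgear.
CAPTURE = [
    Packet("192.168.1.200", "198.51.100.7", "tcp", PSH | ACK),  # masqueraded: fine
    Packet("10.10.0.17", "198.51.100.7", "tcp", FIN | ACK),     # teardown leak: the thread's case
    Packet("10.10.1.42", "203.0.113.5", "tcp", FIN),
    Packet("10.10.0.17", "198.51.100.7", "tcp", ACK),           # ACK answering the peer's FIN
    Packet("10.10.0.99", "203.0.113.9", "tcp", SYN),            # new connection: genuine bypass
    Packet("10.10.1.3", "192.0.2.53", "udp"),                   # UDP leak: genuine bypass
]
if __name__ == "__main__":
    counts, unexpected = audit_capture(CAPTURE, "10.10.0.0/23")
    print(dict(counts), "genuine bypasses:", *unexpected, sep="\n")
```

If a real capture shows only the two teardown kinds, the behaviour matches the explanation in this thread; any entry in the unexpected list points at a NAT rule that is actually being missed.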
First of all, I must thank you for your clear response; it sounds very logical and perfectly explains the cause of this behaviour. You are a RouterOS guru.
In normal situations this packet bypassing will not affect network operation, but this is not my case:
The WAN port of my Mikrotik is connected to a Netgear Prosafe SRX5308 router that is load balancing 4 ADSL lines. These frames are confusing this router, causing FIN frames to be sent to the wrong WAN interface and even not respecting the protocol binding function.
Is it possible to avoid this packet bypassing? Is there some workaround for the problem?
Regarding the RouterOS version, we use version 4 because the version 5 user manager web interface is missing an important feature: when generating batch users for the hotspot, vouchers are not automatically printed, so you have to go to the user window, manually select the new users and print them. This is very difficult when there are lots of users. I can’t understand why Mikrotik changed this… I didn’t try v6. Same behaviour?
You didn’t mention v6 in your upgrade advice. Is it not stable enough?
First, the easy one:
2) I have the same issue with 5.x, but it is really better, and I stopped printing the vouchers because I switched to a “card printer” with scratc… I export the csv file and the printer program does the rest! (MagiCard Enduro). But from this season I go by SMS authentication (provided by a 3rd party), though I am trying to work out a solution of my own.
I do not suggest 6.x to you because I do not know if you are experienced or not… If you forget to upgrade the firmware to 3.10 before going from 5.26 to 6.7 (I suggest THIS version), your hardware is stuck…
Is the Netgear Prosafe SRX5308 SIMPLY able to change the src on incoming packets from 10.10.0.0/23 to 192.168.1.200?
If any packets coming from 10.10.0.0/23 are unprocessed packets for NAT, regardless of TCP flags…
I’m sorry for the delay in my response. Thank you all for your comments.
I managed to solve the problem by changing the network structure:
I disabled Mikrotik NAT and used regular routing instead. Then I placed a static route into the NETGEAR routing table so the 10.10.0.0/23 network is accessible through the 192.168.1.200 gateway. Now everything seems to be working fine.
Rextended:
I don’t think NETGEAR allows this. It’s a very simple router. Thank you anyway. On the other hand, I’m very interested in knowing more about the way you print vouchers. Maybe I must evaluate this MagiCard Enduro. About the firmware upgrade, do you mean that upgrading from 4.x to 6.x can result in bricking the Mikrotik? Oh my god!!
Reinerotto:
I totally agree with you. This must be considered a bug, since this behaviour can cause malfunctions in other routers trying to do connection tracking (saturating the number of active connections, for example).