I’ve run into a really odd issue.
After moving the external port and IP, then reverting back while chasing a port flap issue, one of the 1:1 NAT rules broke.
The main issue with this one was that the ETH2 port would not actually fix at 100/Full, it just negotiated to 1G, so I was swapping it out.
I had worked around the NAT issue on this original one by adding another source IP and NAT rules.
The replacement (a later version of the hardware) seems to have inherited the same problem.
Pasting the same text config into a new RB2011 has resulted in the same NAT issue.
The workaround didn’t help this time.
A configuration reset with no defaults, and starting again, didn’t help.
Torch on the ports shows the inbound NAT rule doesn’t seem to actually work.
I can see the NAT’ed traffic leave and the response come back in on the WAN port, but no further.
No packets are counted on the dnat rule.
The NAT targets are an IBM server with a shared IMM/LAN port, which shares a single RJ45 port.
I have identical installations from the same basic template that are working.
This one worked until I changed things, but now refuses to work.
Any assistance would be greatly appreciated.
Config:
RB2011UAS ROS 6.3
/interface ethernet
set 0 name=ether1-DISABLED disabled=yes
set 1 name=ether2-WAN
set 2 disabled=no name=ether3
set 3 disabled=yes name=ether4
set 4 disabled=yes name=ether5
set 5 disabled=yes name=ether6
set 6 disabled=yes name=ether7
set 7 disabled=no name=ether8-SWITCH
set 8 disabled=no master-port=ether8-SWITCH name=ether9-SWITCH
set 9 disabled=no master-port=ether8-SWITCH name=ether10-SWITCH
set 10 disabled=yes
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=no
set www-ssl disabled=yes
set api disabled=yes
/system package
disable hotspot
disable dhcp
disable wireless
disable mpls
disable routing
/ip address
add address=10.32.42.2/24 interface=ether2-WAN network=10.32.42.0
add address=10.32.42.11/24 interface=ether2-WAN network=10.32.42.0
add address=10.32.42.10/24 interface=ether2-WAN network=10.32.42.0
add address=10.32.42.12/24 interface=ether2-WAN network=10.32.42.0
add address=172.20.201.1/29 interface=ether8-SWITCH network=172.20.201.0
/ip route
add distance=1 dst-address=10.0.208.0/23 gateway=10.32.42.1
/ip firewall nat
#This nat doesn’t work any more - disabled it
add action=dst-nat chain=dstnat comment=Svr1-IN disabled=yes dst-address=10.32.42.10 to-addresses=172.20.201.2
add action=src-nat chain=srcnat comment=Svr1-OUT disabled=yes src-address=172.20.201.2 to-addresses=10.32.42.10
#This work around nat does work (same target, different source)
add action=dst-nat chain=dstnat comment=Svr2-IN dst-address=10.32.42.12 to-addresses=172.20.201.2
add action=src-nat chain=srcnat comment=Svr2-OUT src-address=172.20.201.2 to-addresses=10.32.42.12
#No problems with this one
add action=dst-nat chain=dstnat comment=Svr1-IMM-IN dst-address=10.32.42.11 to-addresses=172.20.201.3
add action=src-nat chain=srcnat comment=Svr1-IMM-OUT src-address=172.20.201.3 to-addresses=10.32.42.11
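A set of RouterOS diagnostic commands for the Svr1 rule pair above, added here as an example; it is not part of the original post and the poster did not run these. It assumes the interface names and addresses from the pasted config and RouterOS 6.x syntax, and it re-enables the two disabled Svr1 rules so that their counters mean something during the test.

```routeros
# Added diagnostic steps for the Svr1 1:1 NAT pair; assumes the interface
# names and addresses from the posted config (RouterOS 6.x).

# 1. Re-enable the pair under test and zero its counters so a fresh test is unambiguous.
/ip firewall nat enable [find comment~"^Svr1-(IN|OUT)$"]
/ip firewall nat reset-counters [find comment~"^Svr1-(IN|OUT)$"]

# 2. Confirm the secondary WAN address is bound and the link is up at the expected rate.
/ip address print where address~"10.32.42.10"
/interface ethernet monitor ether2-WAN once

# 3. Generate inbound traffic from the 10.32.42.x side, then check which rules matched.
/ip firewall nat print stats where comment~"Svr1"

# 4. Look for a conntrack entry: an inbound dst-nat'ed flow shows 10.32.42.10 as
#    dst-address and 172.20.201.2 as reply-src-address.
/ip firewall connection print detail where dst-address~"^10.32.42.10:"

# 5. Sniff the WAN side to separate "packet never arrived" from "arrived but not translated".
/tool sniffer quick interface=ether2-WAN ip-address=10.32.42.10

# 6. Check the server side: the IBM shared IMM/LAN port must answer ARP for 172.20.201.2.
/ip arp print where address=172.20.201.2
```

Step 3 distinguishes "the rule never matched" from "the rule matched but the translated packet went nowhere"; step 4 and step 5 then show which side of the router the flow stops on. One caveat: the Svr1-IN rule has no in-interface or protocol match, and the pasted config shows no /ip firewall filter rules, so while it is enabled for testing anything reaching 10.32.42.10 is forwarded to 172.20.201.2; disable it again if that is not intended.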