I need some help on an RB1100AHx4.
I have an IPsec tunnel between my 2 sites; the config is very simple:
between 192.168.5.0/24 and 10.0.0.0/8.
Within the 10 network, 10.10.3 has a default route to the MikroTik (10.10.0.1); the 10.10.0 machines do not, so they have to be masqueraded.
Connections from 192.168.5.0/24 to the 10.10.3 and 10.10.0 machines work, BUT 10.10.0 is a lot slower/sluggish (the initial connection could take 5 seconds).
Here’s my config:
chain=prerouting action=passthrough
chain=prerouting action=accept src-address=192.168.5.0/24 dst-address=10.10.0.0/24
chain=prerouting action=notrack src-address=192.168.5.0/24 dst-address=10.10.3.0/24
chain=prerouting action=notrack src-address=10.0.0.0/8 dst-address=192.168.5.0/24
chain=srcnat action=masquerade src-address=192.168.5.0/24 dst-address=10.0.0.0/8 out-interface=internal
chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.0.0/16 out-interface=external
chain=forward action=passthrough
chain=forward action=fasttrack-connection connection-state=established,related
chain=forward action=accept connection-state=established,related
chain=input action=accept connection-state=established,related
chain=forward action=accept src-address=192.168.5.0/24 dst-address=10.0.0.0/8
As you can see, I use notrack for 10.10.3; I accept 10.10.0 because I have to masquerade it.
Can someone help me understand why a simple NAT/masq costs so much delay?
I only have 25 filter rules and 8 NAT rules in total.
Can you please provide a simple network diagram.
I can just guess that you have some sort of asymmetric routing on one site with ICMP redirect involved and this is known to cause the described behavior.
This is the config of 192.168.5.1, right?
I think you only need a src-nat on 10.10.0.1 from 192.168.5.0/24 to 10.10.0.0/24.
Furthermore, if I understand your config correctly, you are “notracking” “half connections”, as you use notrack from 192.168.5.0/24 to 10.10.3.0/24 for one direction and from 10.0.0.0**/8** to 192.168.5.0/24 for the other direction. I can imagine that this causes problems.
I’m sorry, I should’ve been clearer: this is the 10.10.0.1 configuration; there’s no NATting on 192.168.5.1.
“I think you only need a src-nat on 10.10.0.1 from 192.168.5.0/24 to 10.10.0.0/24.”
Since we’re talking about the 10.10.0.1 router,
on the packets from 10.10.0.0/24 to 192.168.5.0/24,
I need to un-NAT the src from 10.10.0.1 to 10.10.0.0/24 and keep the dest, right?
And I think that’s what I’m doing.
Yes, I’m notracking half the connection; here’s my beginner logic:
To go from the 192 to the 10 network, I need to track it so I can do masquerade on the src (192.168.5.0/24 to 10.10.0.1).
The 10.10.0.0/24 server will see the packet coming from 10.10.0.1
and reply to 10.10.0.1,
which gets processed as an input (instead of forward) packet, right?
This is where I’m murky: the masquerade must be “saving” something that would do dst-nat from 10.10.0.1 back to the 192.168.5.0/24 host, right?
I don’t know when/where/how this happens.
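To make the "what does masquerade save" question concrete, here is an added toy model (not code from anyone in this thread and not RouterOS code) that replays the quoted raw notrack and srcnat rules over one flow in each direction: the first packet, what the router saves, and how the reply is matched against that saved entry. The hosts 192.168.5.10, 10.10.0.5 and 10.10.3.5, the ports, and the use of 10.10.0.1 as the masquerade address are assumed sample values; real conntrack also rewrites ports on collision and expires entries, which this model leaves out.

```python
import ipaddress
from collections import namedtuple

# Constructed model (not RouterOS code) of what masquerade "saves": a connection
# tracking entry keyed by the expected reply tuple, which is what reverses the
# translation. Simplifications: no port rewriting, no timeouts, only the raw
# notrack and srcnat rules quoted in the first post.
Packet = namedtuple("Packet", "src sport dst dport")

ROUTER_IP = "10.10.0.1"  # masquerade source address on the "internal" interface
NOTRACK = [("192.168.5.0/24", "10.10.3.0/24"), ("10.0.0.0/8", "192.168.5.0/24")]
MASQ = ("192.168.5.0/24", "10.0.0.0/8")  # chain=srcnat action=masquerade

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def is_notracked(pkt):
    """Raw prerouting notrack rules: matching packets bypass conntrack and NAT."""
    return any(_in(pkt.src, s) and _in(pkt.dst, d) for s, d in NOTRACK)

class ConnTrack:
    def __init__(self):
        self.table = {}  # (reply src, sport, dst, dport) -> original (src, sport)

    def process(self, pkt):
        """Return (packet as it leaves the router or None, reason)."""
        if is_notracked(pkt):
            return pkt, "notrack: forwarded untouched, nothing saved"
        entry = self.table.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if entry:  # reply to a masqueraded flow: restore the original destination
            return Packet(pkt.src, pkt.sport, *entry), "un-NAT from saved entry"
        if pkt.dst == ROUTER_IP:  # nothing saved: the router treats it as input
            return None, "no entry: delivered to the router itself, not forwarded"
        if _in(pkt.src, MASQ[0]) and _in(pkt.dst, MASQ[1]):
            nat = Packet(ROUTER_IP, pkt.sport, pkt.dst, pkt.dport)
            self.table[(nat.dst, nat.dport, nat.src, nat.sport)] = (pkt.src, pkt.sport)
            return nat, "masquerade: reply tuple saved"
        return pkt, "forwarded and tracked, no NAT"

def walk(first):
    """Push the first packet of a flow and the server's reply through one router."""
    ct = ConnTrack()
    out, why = ct.process(first)
    reply = Packet(out.dst, out.dport, out.src, out.sport)  # server answers what it saw
    back, why_back = ct.process(reply)
    return out, why, back, why_back
```

Running `walk` on a 192.168.5.10 to 10.10.0.5 flow shows the reply arriving addressed to 10.10.0.1 and being rewritten back to 192.168.5.10 only because the entry exists; the same reply on a fresh `ConnTrack` is delivered to the router as input instead.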