Some NAT Rules Require Reboot To Apply

thavinci · February 1, 2012, 1:07pm

I seem to be having issues with latest ROS. When I create a simple NAT rule such as

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; temp rule till routing sorted.... *deleteme
     chain=srcnat action=src-nat to-addresses=10.240.32.49 out-interface=ether5

it WILL not operate until I reboot the Mikrotik.
If I reboot the rule becomes active, however if I then disable the rule while doing say a ping from a VPN client it can be seen that the rule remains active as the ping from the client remains operational.
If I disable the rule THEN reboot pings will no longer go through.

I have also tested this with a NAT LOG rule.
Adding a LOG rule NO traffic is logged until I reboot..

Have logged a ticket, but wondering if anyone else has experianced this…

mrz · February 1, 2012, 1:11pm

NAT sees only first packet of connection. So traffic will be nated until connection expires or router is rebooted even if nat rule is removed.
Traffic will not be natted if NAT rule is added after connection is established.

thavinci · February 2, 2012, 6:53am

Thank you for this…
Can’t beleive I didn’t notice this before!

neticted · February 2, 2012, 9:50am

You actually do not have to reboot. You may open Firewall/Connections and drop connectios there.