Source IP is wrong

I have a 433 with O/S 5.3 configured with a one-to-one NAT, as such (lines 2-3):

[Administrator@ProSecure-Corporate] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  chain=dstnat action=add-src-to-address-list protocol=tcp 
     dst-address=X.X.X.X src-address-list=!Trixbox Admin 
     address-list=ATTEMPTED ADMIN ACCESS address-list-timeout=0s 
     in-interface=pppoe-out1 dst-port=22,80,443,3306 

 1  chain=dstnat action=redirect to-ports=65535 protocol=tcp 
     dst-address=X.X.X.X src-address-list=!Trixbox Admin 
     in-interface=pppoe-out1 dst-port=22,80,443,3306 

 2   chain=dstnat action=dst-nat to-addresses=10.0.0.10 dst-address=X.X.X.X 

 3   chain=srcnat action=src-nat to-addresses=X.X.X.X src-address=10.0.0.10 

 4   chain=srcnat action=masquerade out-interface=pppoe-out1

X.X.X.X is my public IP Address

Everything works fine but for one vital thing. The Linux box behind this firewall is reporting all source addresses as the router, which is 10.0.0.2, instead of the proper public source IP address. The router reports the proper source address when performing tests, so something in the NAT setup is not right. I just recently upgraded it to 5.3 from 4.17.

I have another router, a 493 with O/S 4.17 with 5 different one-to-one NAT'd networks, which had the same problem when I first configured it, but about the time I gave up it began working correctly, and I do not know what I did to resolve it.

Can anyone please give suggestions on how to configure this properly?
Thanks in advance for any suggestions…
-greg

The only reason that would happen is if the router is being told to source NAT that traffic; it won't do it just by itself. Is the Linux host behind the pppoe-out1 interface? Presumably not, just checking. Are those ALL your NAT rules? Is there possibly another one that you're not showing that has an action of "masquerade" and no out-interface qualifier?
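As an added illustration of the point made in the reply above (example configuration written for this page, not the poster's config or anything else from the thread): the only rule shape that rewrites the source of an inbound connection to the router's LAN address is a srcnat rule that also matches traffic leaving toward the LAN. The first block is the deliberately broad masquerade the reply asks about; the second is a 1:1 NAT pair pinned to the WAN interface so neither srcnat rule can touch a packet leaving via bridge1. The addresses and interface names are the ones printed in the thread; the rule comments and the choice to add in-interface to the dst-nat rule are this example's own assumptions.

```routeros
# WRONG: masquerade with no out-interface also matches forwarded traffic
# going out bridge1 toward 10.0.0.10, so the Linux host sees every
# inbound connection arriving from 10.0.0.2 (the router's LAN address).
/ip firewall nat
add chain=srcnat action=masquerade comment="too broad: matches LAN-bound traffic"

# CORRECT: 1:1 NAT pair, each side qualified by the WAN interface, plus a
# masquerade restricted to that same interface. A packet leaving via
# bridge1 matches none of the srcnat rules, so its public source survives.
/ip firewall nat
add chain=dstnat in-interface=pppoe-out1 dst-address=99.110.17.201 \
    action=dst-nat to-addresses=10.0.0.10 comment="1:1 in (assumed in-interface)"
add chain=srcnat out-interface=pppoe-out1 src-address=10.0.0.10 \
    action=src-nat to-addresses=99.110.17.201 comment="1:1 out"
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="everyone else"

# Check 1: per-rule counters. Open one test connection from outside and
# see which srcnat rule's packet counter moves; a hit on a masquerade rule
# for an inbound connection is the culprit.
/ip firewall nat print stats

# Check 2: the connection table is keyed on the pre-NAT tuple, so filter on
# the public address. The src-address shown should be the remote public
# address, not 10.0.0.2.
/ip firewall connection print detail where dst-address~"99.110.17.201"

# Check 3: watch packets as they leave toward the server; the IP source
# should be the remote public address.
/tool sniffer quick interface=bridge1 ip-address=10.0.0.10
```

Restricting the dst-nat rule with in-interface is a tightening beyond the original config; it blocks LAN clients from reaching the server through the public address, which may or may not be wanted.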

Those are 100% of all the NAT rules. I do have some packet marking happening in the mangle section if that matters…

/ip firewall mangle
add action=mark-packet chain=forward comment="VoIP Traffic FROM Server" \
    disabled=no new-packet-mark=VoIP passthrough=no src-address=10.0.0.10
add action=mark-packet chain=forward comment="VoIP Traffic TO Server" disabled=\
    no dst-address=10.0.0.10 new-packet-mark=VoIP passthrough=no

Thanks,
-greg

Well, I cannot explain it, but it is now working properly. I have not changed anything AFAIK… just poking around the configuration and running some bandwidth tests back to one of my other routers. My guess is it is stemming from the DSL PPPoE connection that acquires its address by DHCP, which goes away next week as we flip over to a T1. I will give it a complete re-config at that point and try again.

Thanks for the input…
-greg

The TimeWarner circuit on ether2 is connected but not fully configured, as I am waiting for the T1 next week, at which point the T1 will serve the phone system only and the TimeWarner circuit will serve all other Internet connectivity. The DSL is on ether1, which is an AT&T circuit, but I have it labeled as CovadVoIP. I have one remote router connection on the DSL connection as well, which will move to the T1 next week. Probably TMI for this issue, but just FYI.

Thanks for looking at this…
-greg


[Administrator@ProSecure-Corporate] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=10.0.0.2/24 network=10.0.0.0 interface=ether3 - LAN actual-interface=bridge1 

 1   address=50.84.122.146/32 network=50.84.122.145 interface=ether2 - TimeWarner actual-interface=ether2 - TimeWarner 

 2 D address=99.110.17.206/32 network=76.234.2.65 interface=pppoe-out1 actual-interface=pppoe-out1 

 3 D address=5.0.0.1/32 network=5.0.0.2 interface=<pptp-RemoteRouter_001> actual-interface=<pptp-RemoteRouter_001>



[Administrator@ProSecure-Corporate] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=76.234.2.65 gateway-status=76.234.2.65 reachable pppoe-out1 distance=1 scope=30 target-scope=10 

 1 ADC  dst-address=5.0.0.2/32 pref-src=5.0.0.1 gateway=<pptp-RemoteRouter_001> gateway-status=<pptp-RemoteRouter_001> reachable distance=0 scope=10 

 2 ADC  dst-address=10.0.0.0/24 pref-src=10.0.0.2 gateway=bridge1 gateway-status=bridge1 reachable distance=0 scope=10 

 3 ADC  dst-address=50.84.122.145/32 pref-src=50.84.122.146 gateway=ether2 - TimeWarner gateway-status=ether2 - TimeWarner reachable distance=0 scope=10 

 4 ADC  dst-address=76.234.2.65/32 pref-src=99.110.17.206 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=0 scope=10



[Administrator@ProSecure-Corporate] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                            TYPE               MTU L2MTU  MAX-L2MTU
 0  R  ether1 - CovadVoIP              ether             1500  1526
 1  R  ether2 - TimeWarner             ether             1500  1522       1522
 2  R  ether3 - LAN                    ether             1500  1522       1522
 3  R  wlan1                           wlan              1500  2290
 4  R  pppoe-out1                      pppoe-out         1480
 5  R  bridge1                         bridge            1500  1522
 6  R  eoip-to-remote                  eoip-tunnel       1500 65535
 7 DR  <pptp-RemoteRouter_001>         pptp-in           1460



[Administrator@ProSecure-Corporate] > /ip firewall export
# may/28/2011 19:34:02 by RouterOS 5.3
# software id = LSVT-20U1
#
/ip firewall address-list
add address=99.168.98.201 disabled=no list="Trixbox Admin"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=reject chain=forward disabled=no reject-with=icmp-network-unreachable src-address=188.0.0.0/8
add action=reject chain=forward disabled=no dst-address=188.0.0.0/8 reject-with=icmp-network-unreachable
/ip firewall mangle
add action=mark-packet chain=forward comment="VoIP Traffic FROM Server" disabled=no new-packet-mark=VoIP passthrough=no src-address=\
    10.0.0.10
add action=mark-packet chain=forward comment="VoIP Traffic TO Server" disabled=no dst-address=10.0.0.10 new-packet-mark=VoIP \
    passthrough=no
/ip firewall nat
add action=add-src-to-address-list address-list="ATTEMPTED ADMIN ACCESS" address-list-timeout=0s chain=dstnat comment=\
    "Logging all port 22 access" disabled=no dst-address=99.110.17.201 dst-port=22,80,443,3306 in-interface=pppoe-out1 protocol=tcp \
    src-address-list="!Trixbox Admin"
add action=redirect chain=dstnat comment="Disable this port for access to SSH port 22" disabled=no dst-address=99.110.17.201 dst-port=\
    22,80,443,3306 in-interface=pppoe-out1 protocol=tcp src-address-list="!Trixbox Admin" to-ports=65535
add action=dst-nat chain=dstnat disabled=no dst-address=99.110.17.201 to-addresses=10.0.0.10
add action=src-nat chain=srcnat disabled=no src-address=10.0.0.10 to-addresses=99.110.17.201
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=no ports=5060,5061
set pptp disabled=no

According to that config I don’t see how the issue could have occurred.

It is very odd… I had another router recently do exactly the same thing. The config is even simpler on that device, except that there are several 1-to-1 NAT networks. It also gave the LAN interface address for each network initially, and I poked it and poked it till it began working, but I swear that I do not know what I did to cause it to start working. I have a backup on this router from yesterday which I may try to restore and reboot, but not till Tuesday, just in case…

Thanks for jumping into this today. I am adding the T1 on Tuesday so I will be on site and will try the restore and let you know if that reverts back. I will do a full export on both configs to see what is different.

Thanks again…
-greg