src-nat stops working after some time

Hi!

Scenario:

Got 5 static IPs (/29) from my ISP. All come in via ether1-WAN (from the ISP's modem in bridge mode) on my HEX-S (v7.2.3); let's call them addrA, addrB, addrC, addrD, addrE.

I've got some VMs configured on a separate VLAN, a few matching dst-nat rules, and a few completely generic src-nat rules like so:

add chain=srcnat src-address=10.1.10.234 out-interface=ether1-WAN action=src-nat to-addresses=addrA

and so on, with every VM having a different public IP.

When I restart my router, all these src-nat rules work (in the VM console I check the public IP address and it matches the src-nat); I can change them to any public IP address configured on ether1-WAN and after a few moments the assigned public address is reported (from ifconfig.io) as the one I set in the rule.

BUT.

After a few minutes, all VMs report only addrE. Changing the src-nat rules to any other address removes outbound internet access on these VMs.

I’m completely baffled as to why it behaves like that.

Of course, default masquerade works, defaulting to addrA.

I have no custom routing added (only the manually added ISP's GW address), no mangle rules, nothing out of the ordinary.

Any help will be greatly appreciated.

The rule you posted is fine, it must be something else (maybe if you post your whole config, someone will see it). It seems like some communication problem between those other addresses and ISP’s router. The weird part is that it works for a while and then it stops.

This is my firewall export.

The various subnets are VLANs, but the communication both ways between router/subnets is fine, so I omitted that part of config.

/ip firewall address-list
add address=addrA list=INEA
add address=addrB list=INEA
add address=addrC list=INEA
add address=addrD list=INEA
add address=addrE list=INEA
add address=10.1.1.0/24 list=LANs
add address=10.1.10.0/24 list=LANs
add address=10.1.20.0/24 list=LANs
add address=10.1.30.0/24 list=LANs
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Accept DST NAT" \
    connection-nat-state=dstnat connection-state=new
add action=accept chain=forward comment="Accept SRC NAT" \
    connection-nat-state=srcnat connection-state=""
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="SSH HEXs" dst-address=addrE \
    dst-port=22222 protocol=tcp
add action=accept chain=input comment=WireGuard dst-address=addrE \
    dst-port=13231,13232 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-WAN
/ip firewall nat
add action=src-nat chain=srcnat comment="Anchorage SRC (email)" \
    out-interface=ether1-WAN src-address=10.1.10.234 to-addresses=\
    addrA
add action=src-nat chain=srcnat comment="Buckland SRC (eto)" out-interface=\
    ether1-WAN src-address=10.1.10.235 to-addresses=addrB
add action=src-nat chain=srcnat comment="Coldbay SRC (Adam)" out-interface=\
    ether1-WAN src-address=10.1.11.0/24 to-addresses=addrC
add action=src-nat chain=srcnat comment="Deering SRC (git)" out-interface=\
    ether1-WAN src-address=10.1.10.237 to-addresses=addrD
add action=src-nat chain=srcnat comment="LAN SRC" out-interface=ether1-WAN \
    src-address=10.1.1.0/24 to-addresses=addrE
add action=src-nat chain=srcnat comment="LAN SRC" out-interface=ether1-WAN \
    src-address=10.1.10.0/24 to-addresses=addrE
add action=src-nat chain=srcnat comment="LAN SRC" out-interface=ether1-WAN \
    src-address=10.1.20.0/24 to-addresses=addrE
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface=ether1-WAN
add action=dst-nat chain=dstnat comment="Anchorage E-mail" dst-address=\
    addrA dst-port=80,443,25,587,110,143,993,995 protocol=tcp \
    to-addresses=10.1.10.234
add action=dst-nat chain=dstnat comment="Anchorage SSH" dst-address=\
    addrA dst-port=22222 protocol=tcp to-addresses=10.1.10.234 \
    to-ports=22
add action=dst-nat chain=dstnat comment="Buckland HTTPS" dst-address=\
    addrB dst-port=80,443 protocol=tcp to-addresses=10.1.10.235
add action=dst-nat chain=dstnat comment="Buckland SSH" dst-address=\
    addrB dst-port=22222 protocol=tcp to-addresses=10.1.10.235 \
    to-ports=22
add action=dst-nat chain=dstnat comment="Coldbay Adam" dst-address=\
    addrC dst-port=8444 protocol=tcp to-addresses=10.1.11.10
add action=dst-nat chain=dstnat comment="Coldbay Adam" dst-address=\
    addrC dst-port=22,80,443,1922,25565 protocol=tcp to-addresses=\
    10.1.11.11
add action=dst-nat chain=dstnat comment="Deering GIT, HTTPS" dst-address=\
    addrD dst-port=22,80,443 protocol=tcp to-addresses=10.1.10.237
add action=dst-nat chain=dstnat comment=CCTV disabled=yes dst-port=8000 \
    in-interface=*9 protocol=tcp to-addresses=10.1.10.200 to-ports=8000
add action=dst-nat chain=dstnat comment="R720 PVE webui" disabled=yes \
    dst-port=38006 in-interface=*9 protocol=tcp to-addresses=10.1.1.11 \
    to-ports=8006
add action=dst-nat chain=dstnat comment="Transmission RPC" dst-address=\
    addrE dst-port=59091 protocol=tcp to-addresses=10.1.10.2 \
    to-ports=9091
add action=dst-nat chain=dstnat comment="Transmission TCP" dst-address=\
    addrE dst-port=51413 protocol=tcp to-addresses=10.1.10.2 \
    to-ports=51413
add action=dst-nat chain=dstnat comment="Transmission UDP" dst-address=\
    addrE dst-port=51413 protocol=udp to-addresses=10.1.10.2 \
    to-ports=51413
add action=dst-nat chain=dstnat comment="Elim TRAEFIK" dst-address=\
    addrE dst-port=80,443,8080,8088 in-interface=ether1-WAN \
    protocol=tcp to-addresses=10.1.10.3

This doesn’t explain it. If it didn’t work at all, I’d say that you assigned only addrE to router and not others, and so ISP’s router can’t reach them. But that can’t be the case if it works at first.

I think I’m going to grab another MT device with software 6.x, replicate this config and check if it works. I’ve used this exact scenario countless times with setups having multiple public IPs and it just worked.

Of course I didn’t have time to check with another device, but I went a step back and started testing from step 1.

And it's weird :)

I’m doing ping from mikrotik, checking all my public IPs with src-address.

And only 3 of 5 are working. I’m confused even more.

I’ve called my ISP and there were no changes in any way on their side. Nada.

Why are you using src NAT with public static IPs at all? Assign the IPs to the VMs and be happy.

If you want the VMs on a private VLAN as well, that’s fine. Server OSes have supported multiple interfaces and multiple IPs per interface since approximately forever.

Because I have a few hosts that are on a VLAN and I want all of them to respond with a specific SRC address. I know I can set the public IPs to hosts directly.

Other than that, I found time to dig into this issue and I'm 99% sure it's a bug in MT.

I’ve reset firmware to default settings, the behavior is the same. src-nat to addresses A, B, E is working, addresses C and D are not. And I found something.

For some weird reason, FastTrack isn’t enabling for these not working addresses.

This is what I did: Reset the device to default configuration. Setup public addresses, ISP GW etc.
Then I created the same generic src-nat rule and ran ping from the src-natted host.

Observing the ICMP connections in IP->Firewall->Connections with src-address set to my src-natted host shows that the FastTrack flag is enabled only for outgoing addresses A, B, E, not C, D.

Worth noting is that I modify the src-nat rule to another address, not creating any new rules etc.

Side note, I've plugged my laptop directly into the ISP modem and all public addresses are working as expected. The problem shows with MikroTik.

So, should I escalate this to MT support?

Your “action=fasttrack-connection” line is below the srcnat lines in your firewall, so the “action=accept” on them bypasses the fasttrack action for NAT connections. I suspect this is what distinguishes your C/D address schemes, but I didn’t dig deeply in to check.

If that mattered, it would behave the same for all 5 addresses, not only 2 of them.

Ok, it gets weirder and weirder.

I took more steps back and started checking if the public IPs are reachable (ping) from outside.

When connected to my laptop (all 5 IPs on the ethernet interface) all 5 IPs are reachable from the internet.

Connected to mikrotik, at most 3 of them work. After last restart, only one.

There is something amiss all right. You only posted a part of your configuration earlier. Please post all of your configuration - /export hide-sensitive file=any-filename-you-wish

Attached

# may/27/2022 18:31:08 by RouterOS 7.2.3
# software id = TRGR-BPA8
#
# model = RB760iGS
# serial number = A36A0B8BDDB0
/caps-man channel
add band=2ghz-b/g control-channel-width=20mhz name=24g
add band=5ghz-a/n/ac name=5g
/interface bridge
add admin-mac=C4:AD:34:E6:00:07 auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp l2mtu=1598 name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-SG1024DE
set [ find default-name=ether4 ] name=ether4-SG108PE
set [ find default-name=ether5 ] name=ether5-RB951
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
add listen-port=13232 mtu=1420 name=wireguard2
/interface vlan
add interface=bridge name=vlan10-Public vlan-id=10
add interface=bridge name=vlan11-Adam vlan-id=11
add interface=bridge name=vlan20-AP vlan-id=20
add interface=bridge name=vlan30-IOT vlan-id=30
/caps-man security
add authentication-types=wpa2-psk name=ap
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=iot
/caps-man configuration
add channel=24g country=poland datapath.bridge=bridge .local-forwarding=yes \
    .vlan-id=20 .vlan-mode=use-tag installation=indoor name=public \
    security=ap ssid=public
add channel=24g country=poland datapath.bridge=bridge .local-forwarding=yes \
    .vlan-id=30 .vlan-mode=use-tag installation=indoor name=iot security=iot \
    ssid=oz14iot
add channel=5g country=poland datapath.bridge=bridge .local-forwarding=yes \
    .vlan-id=20 .vlan-mode=use-tag installation=indoor name=public-5g \
    security=ap ssid="public 5G"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-LAN ranges=10.1.1.190-10.1.1.199
add name=pool-AP ranges=10.1.20.100-10.1.20.253
add name=pool-Public ranges=10.1.10.200-10.1.10.253
add name=pool-IOT ranges=10.1.30.100-10.1.30.253
add name=dhcp_pool5 ranges=10.1.11.10-10.1.11.19
/ip dhcp-server
add address-pool=pool-LAN interface=bridge name=dhcp-LAN
add address-pool=pool-Public interface=vlan10-Public name=dhcp-Public
add address-pool=pool-AP interface=vlan20-AP name=dhcp-AP
add address-pool=pool-IOT interface=vlan30-IOT name=dhcp-IOT
add address-pool=dhcp_pool5 interface=vlan11-Adam name=dhcp-Adam
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,rest-api"
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=a master-configuration=\
    public-5g
add action=create-dynamic-enabled hw-supported-modes=g master-configuration=\
    public slave-configurations=iot
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4-SG108PE
add bridge=bridge ingress-filtering=no interface=ether5-RB951
add bridge=bridge interface=ether2-SG1024DE
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4-SG108PE,ether5-RB951,ether2-SG1024DE \
    vlan-ids=10,20,30,11
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan20-AP list=LAN
add interface=vlan30-IOT list=LAN
add interface=vlan10-Public list=LAN
add interface=ether1-WAN list=WAN
add interface=wireguard1 list=LAN
add interface=vlan11-Adam list=LAN
add interface=wireguard2 list=LAN
/ip address
add address=10.1.1.254/24 interface=bridge network=10.1.1.0
add address=10.1.20.254/24 interface=vlan20-AP network=10.1.20.0
add address=10.1.10.254/24 interface=vlan10-Public network=10.1.10.0
add address=10.1.30.254/24 interface=vlan30-IOT network=10.1.30.0
add address=172.16.0.1/29 interface=wireguard1 network=172.16.0.0
add address=addrE/29 comment="ELIM (piwnica)" interface=ether1-WAN \
    network=ISP_NETWORK
add address=addrA/29 comment=ANCHORAGE interface=ether1-WAN network=\
    ISP_NETWORK
add address=addrB/29 comment=BUCKLAND interface=ether1-WAN network=\
    ISP_NETWORK
add address=addrC/29 comment=COLDBAY interface=ether1-WAN network=\
    ISP_NETWORK
add address=addrD/29 comment=DEERING interface=ether1-WAN network=\
    ISP_NETWORK
add address=10.1.11.254/24 interface=vlan11-Adam network=10.1.11.0
add address=172.16.11.1/29 interface=wireguard2 network=172.16.11.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1-WAN
/ip dhcp-server network
add address=10.1.1.0/24 comment=LAN dns-server=10.1.1.254 domain=oz gateway=\
    10.1.1.254 ntp-server=10.1.1.254
add address=10.1.10.0/24 comment="Public servers" dns-server=10.1.10.254 \
    domain=public gateway=10.1.10.254
add address=10.1.11.0/24 gateway=10.1.11.254
add address=10.1.20.0/24 comment=AP dns-server=10.1.20.254 domain=wifi \
    gateway=10.1.20.254
add address=10.1.30.0/24 comment=IOT dns-server=10.1.30.254 domain=iot \
    gateway=10.1.30.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=addrA list=INEA
add address=addrB list=INEA
add address=addrC list=INEA
add address=addrD list=INEA
add address=addrE list=INEA
add address=10.1.1.0/24 disabled=yes list=LANs
add address=10.1.10.0/24 disabled=yes list=LANs
add address=10.1.20.0/24 disabled=yes list=LANs
add address=10.1.30.0/24 disabled=yes list=LANs
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" \
    dst-address-list=INEA protocol=icmp
add action=accept chain=forward comment="Accept DST NAT" \
    connection-nat-state=dstnat connection-state="" disabled=yes \
    in-interface=ether1-WAN
add action=accept chain=forward comment="Accept SRC NAT" \
    connection-nat-state=srcnat connection-state="" disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=INVALID
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-WAN log=yes log-prefix=INVALID
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=INVALID
add action=accept chain=input comment="SSH HEXs" dst-address=addrE \
    dst-port=22222 protocol=tcp
add action=accept chain=input comment=WireGuard dst-address=addrE \
    dst-port=13231,13232 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix="NOT LAN"
/ip firewall nat
add action=src-nat chain=srcnat comment="Anchorage SRC (email)" log-prefix=\
    "ANCHORAGE SRC" out-interface=ether1-WAN src-address=10.1.10.234 \
    to-addresses=addrA
add action=src-nat chain=srcnat comment="Buckland SRC (eto)" log-prefix=\
    "BUCKLAND SRC" out-interface=ether1-WAN src-address=10.1.10.235 \
    to-addresses=addrB
add action=src-nat chain=srcnat comment="Coldbay SRC (Adam)" disabled=yes \
    out-interface=ether1-WAN src-address=10.1.11.0/24 to-addresses=\
    addrC
add action=src-nat chain=srcnat comment="Deering SRC (git)" log-prefix=\
    "DEERING SRC" out-interface=ether1-WAN src-address=10.1.10.237 \
    to-addresses=addrD
add action=src-nat chain=srcnat comment="LAN SRC" out-interface=ether1-WAN \
    src-address=10.1.1.0/24 to-addresses=addrA
add action=src-nat chain=srcnat comment="LAN SRC" out-interface=\
    ether1-WAN src-address=10.1.10.0/24 to-addresses=addrB
add action=src-nat chain=srcnat comment="LAN SRC" out-interface=ether1-WAN \
    src-address=10.1.20.0/24 to-addresses=addrE
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    out-interface=ether1-WAN
add action=dst-nat chain=dstnat comment="Anchorage E-mail" dst-address=\
    addrA dst-port=80,443,25,587,110,143,993,995 protocol=tcp \
    to-addresses=10.1.10.234
add action=dst-nat chain=dstnat comment="Anchorage SSH" dst-address=\
    addrA dst-port=22222 protocol=tcp to-addresses=10.1.10.234 \
    to-ports=22
add action=dst-nat chain=dstnat comment="Buckland HTTPS" dst-address=\
    addrB dst-port=80,443 log-prefix="BUCKLAND DST" protocol=tcp \
    to-addresses=10.1.10.235
add action=dst-nat chain=dstnat comment="Buckland SSH" dst-address=\
    addrB dst-port=22222 protocol=tcp to-addresses=10.1.10.235 \
    to-ports=22
add action=dst-nat chain=dstnat comment="Coldbay Adam" dst-address=\
    addrC dst-port=8444 protocol=tcp to-addresses=10.1.11.10
add action=dst-nat chain=dstnat comment="Coldbay Adam" dst-address=\
    addrC dst-port=22,80,443,1922,25565 protocol=tcp to-addresses=\
    10.1.11.11
add action=dst-nat chain=dstnat comment="Deering GIT, HTTPS" dst-address=\
    addrD dst-port=22,80 log-prefix="DEERING DST" protocol=tcp \
    to-addresses=10.1.10.237
add action=dst-nat chain=dstnat comment="Deering GIT, HTTPS" dst-address=\
    addrD dst-port=443 log-prefix="DEERING DST" protocol=tcp \
    to-addresses=10.1.10.237 to-ports=443
add action=dst-nat chain=dstnat comment=CCTV disabled=yes dst-port=8000 \
    in-interface=*9 protocol=tcp to-addresses=10.1.10.200 to-ports=8000
add action=dst-nat chain=dstnat comment="R720 PVE webui" disabled=yes \
    dst-port=38006 in-interface=*9 protocol=tcp to-addresses=10.1.1.11 \
    to-ports=8006
add action=dst-nat chain=dstnat comment="Transmission TCP" disabled=yes \
    dst-address=addrE dst-port=51413,59091 protocol=tcp \
    to-addresses=10.1.10.2
add action=dst-nat chain=dstnat comment="Transmission UDP" disabled=yes \
    dst-address=addrE dst-port=51413 protocol=udp to-addresses=\
    10.1.10.2
add action=dst-nat chain=dstnat comment="Elim TRAEFIK" dst-address=\
    addrE dst-port=80 in-interface=ether1-WAN protocol=tcp \
    to-addresses=10.1.10.3 to-ports=8088
add action=dst-nat chain=dstnat comment="Elim TRAEFIK" dst-address=\
    addrE dst-port=443 in-interface=ether1-WAN protocol=tcp \
    to-addresses=10.1.10.3 to-ports=8443
/ip firewall service-port
set ftp disabled=yes
/ip route
add disabled=yes distance=1 dst-address=10.3.10.0/24 gateway=172.16.0.3 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes dst-address=10.2.10.0/24 gateway=172.16.0.2
add disabled=yes distance=1 dst-address=10.2.30.0/24 gateway=172.16.0.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP_GW \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ssh port=22222
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add topics=caps,debug
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

export.rsc (11.8 KB)
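
Before blaming the router, it is worth checking mechanically what the posted srcnat chain actually does for a given source host, and whether any rule is shadowed by a broader one placed above it. The following is an added example, not something from this thread or from MikroTik: a small first-match simulator for the srcnat chain of a RouterOS `/export`. It undoes the export's backslash line wrapping, parses the `add` lines under `/ip firewall nat`, and evaluates them in order the way the router does (first enabled rule whose matchers all fit). Only the matchers that appear in the srcnat rules above are modelled (chain, disabled, out-interface, src-address, ipsec-policy); any other matcher on a srcnat rule raises instead of being silently ignored. `addrA`..`addrE` are the thread's placeholders, and `SAMPLE_EXPORT` is constructed to mirror the posted config (including the disabled Coldbay rule and the disabled masquerade), not copied from a live router. Run it against a real export by passing the file contents to `parse_nat_rules`.

```python
import ipaddress
import shlex

# Constructed sample mirroring the thread's export, with one wrapped value
# (to-addresses=\ continued on the next line) as RouterOS writes it.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=src-nat chain=srcnat comment="Anchorage SRC (email)" \
    out-interface=ether1-WAN src-address=10.1.10.234 to-addresses=addrA
add action=src-nat chain=srcnat comment="Coldbay SRC (Adam)" disabled=yes \
    out-interface=ether1-WAN src-address=10.1.11.0/24 to-addresses=\
    addrC
add action=src-nat chain=srcnat comment="LAN SRC" out-interface=ether1-WAN \
    src-address=10.1.10.0/24 to-addresses=addrE
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface=ether1-WAN
add action=dst-nat chain=dstnat comment="Anchorage SSH" dst-address=addrA \
    dst-port=22222 protocol=tcp to-addresses=10.1.10.234 to-ports=22
/ip firewall filter
add action=drop chain=input comment="not a nat rule"
"""

# Keys that are settings or actions, not packet matchers.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix",
                "to-addresses", "to-ports"}
MATCHERS = {"out-interface", "src-address", "ipsec-policy"}  # the ones modelled


def join_continuations(text):
    """A trailing backslash continues the rule on the next line; the next
    line's indentation is not part of the value (so 'to-addresses=\\' + 'addrC'
    becomes 'to-addresses=addrC')."""
    lines, buf = [], None
    for raw in text.splitlines():
        piece = raw.lstrip() if buf is not None else raw
        if piece.endswith("\\"):
            buf = (buf or "") + piece[:-1]
            continue
        lines.append(((buf or "") + piece).strip())
        buf = None
    return [l for l in lines if l]


def parse_nat_rules(text):
    """Rules under /ip firewall nat as dicts, in export (= evaluation) order."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules


def rule_matches(rule, src_ip, out_iface, chain):
    """Does a plain (non-IPsec) packet from src_ip leaving out_iface hit rule?"""
    if rule.get("chain") != chain or rule.get("disabled") == "yes":
        return False
    unknown = set(rule) - NON_MATCHERS - MATCHERS
    if unknown:  # refuse to guess about matchers this simulator does not model
        raise ValueError(f"{rule.get('comment')!r}: matcher not modelled {sorted(unknown)}")
    if rule.get("out-interface", out_iface) != out_iface:
        return False
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"], strict=False)
        if ipaddress.ip_address(src_ip) not in net:
            return False
    # ipsec-policy=out,none matches traffic with no IPsec policy, which is what
    # we simulate; out,ipsec would not match.
    return rule.get("ipsec-policy", "out,none") == "out,none"


def first_match(rules, src_ip, out_iface, chain="srcnat"):
    """(index, rule) of the first hit, or (None, None): source leaves untranslated."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, src_ip, out_iface, chain):
            return idx, rule
    return None, None


def explain(src_ip, out_iface, text=SAMPLE_EXPORT):
    idx, rule = first_match(parse_nat_rules(text), src_ip, out_iface)
    if rule is None:
        return f"{src_ip} via {out_iface}: no srcnat rule, leaves untranslated"
    target = rule.get("to-addresses", f"({rule['action']})")
    return f"{src_ip} via {out_iface}: rule #{idx} {rule.get('comment')!r} -> {target}"


def _covers(a, b):
    """True if enabled rule a (earlier) matches every packet that rule b matches."""
    if a.get("chain") != b.get("chain") or a.get("disabled") == "yes":
        return False
    if "out-interface" in a and a["out-interface"] != b.get("out-interface"):
        return False
    if "ipsec-policy" in a and a["ipsec-policy"] != b.get("ipsec-policy"):
        return False
    if "src-address" in a:
        if "src-address" not in b:
            return False
        na = ipaddress.ip_network(a["src-address"], strict=False)
        nb = ipaddress.ip_network(b["src-address"], strict=False)
        return nb.subnet_of(na)
    return True


def shadowed_rules(rules, chain="srcnat"):
    """Indices of enabled rules that can never match because an earlier rule
    in the chain already covers everything they would match: the classic way a
    specific to-addresses 'stops working' after a broader rule lands above it."""
    return [j for j, b in enumerate(rules)
            if b.get("chain") == chain and b.get("disabled") != "yes"
            and any(_covers(a, b) for a in rules[:j])]


if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_EXPORT)
    for ip in ("10.1.10.234", "10.1.10.50", "10.1.11.5"):
        print(explain(ip, "ether1-WAN"))
    print("shadowed rule indices:", shadowed_rules(rules))
```

Two things the sample already shows about the posted config: with the Coldbay rule disabled and no generic 10.1.11.0/24 rule (and masquerade disabled), a host in vlan11 leaves ether1-WAN with its private source address untouched; and the specific per-host rules are only safe because they sit above the 10.1.10.0/24 rule, which `shadowed_rules` flags the moment the order is reversed. Neither explains the "works, then stops" symptom, but both are cheap to rule out before escalating.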

Another update. Torch on WAN interface with protocol ICMP shows incoming pings on all addresses, replying only on addrA. The default firewall rule to accept ICMP on input is in place and enabled.

Anyone has any ideas? I’m completely baffled.

Right now I’m on clean install of 7.3

I can ping from MikroTik using all 5 addresses. But src-nat works only for the first one.
When I disable addrA, then src-nat starts working for addrB, and so on.

Please help!

You can remove proxy ARP from ether1-WAN, there’s no reason why you should need that with current config. Then accept-source-route=yes in IP setting is probably not something you need either. But neither of those should be breaking anything.

Srcnat must work, it’s the simplest thing. You can try to enable logging for those rules and I’m sure you’ll get hits for them. Or add some other logging rules, play with packets sniffer, … there must be something.

I’ve added logging to forward rule (the default one with accept established/related/untracked) and in logs it shows the whole (correct!) path of NAT end-to-end BUT despite having src-nat set as addrB, in logs it’s always addrA.

forward: in:bridge out:ether1, src-mac 48:2a:e3:9d:29:f1, proto TCP (ACK), 192.168.88.254:45821->116.202.225.122:80, NAT (192.168.88.254:45821->addrA:45821)->116.202.225.122:80, len 52

This is with masq off, and only this single src-nat entry.

Where does 192.168.88.254 come from? There was no such subnet anywhere in posted config.

Sigh, yes. I took the device again, reset it again to MT defaults and that was the IP of my laptop.