Suspicious MASQUERADE behavior?

I've noticed today something suspicious when performing masquerade on a regular MT ROS. On the WAN interface I see addresses from the LAN interface while torching. The rule is quite simple:

/ip firewall nat add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether3

But very often this second rule counts packets:

/ip firewall nat add action=masquerade chain=srcnat comment="" disabled=no src-address=x.x.x.x/29

Where x.x.x.x/29 is the LAN network. I also noticed that a filter rule on the adjacent router on the WAN side drops all these "NON NATED" packets, matched as connection state invalid packets. (Of course, there are no 192.168 networks on the WAN side.)

Then how could I see private addresses on the WAN side? Its MASQUERADE clearly is NOT translating those packets! Note that a connection state invalid drop rule on the router in question does not drop anything. I also noticed that this happens when the router needs to handle hundreds of connections, while with few connections this does not happen. The router in question is running ROS 3.13 on an x86 Intel motherboard.

Is there someone from MT that could explain this freak? Is there someone else that could confirm this? Please, help!

I'm going to upgrade to 3.27 to see if this freak is still happening. I really want to believe in this behavior.

Thanks
Ozelo

I see that the ROS does not MASQUERADE packets that are identified as "connection state invalid", so a sanity rule to drop them solves the problem of their propagation through the default gateway. But is that really normal, to forward invalid packets without MASQUERADE when there IS a rule matching everything out??? IMHO the first rule above SHOULD masquerade every and all packets. Isn't that true?

Thanks
Ozelo

No, it's not true. A NAT rule matches only the first packet of a new connection. Invalid packets do not belong to any connection and should be dropped in the firewall.

That explains everything, thank you!
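To make the explanation above concrete, here is an added toy model of what connection tracking and a srcnat masquerade rule do to a packet stream. It is not RouterOS code and not from the thread; it is a deliberately simplified simulation (no port rewriting on collision, no reply direction, no timeouts) that uses constructed addresses: 192.168.1.0/29 stands in for the LAN x.x.x.x/29 and 203.0.113.10 for the public address on ether3. The point it shows is that the srcnat chain is consulted once, for the packet that opens a connection, later packets are translated from the conntrack entry, and a packet with no tracked connection (connection-state=invalid) never reaches the NAT rule at all, so it leaves with its private source unless a filter rule drops it first.

```python
"""Toy model of conntrack + srcnat masquerade (added example, not RouterOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WAN_IP = "203.0.113.10"   # constructed public address on the WAN interface (ether3)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True only for the TCP SYN that opens a connection


# conntrack key: (src, sport, dst, dport) -> translated (src, sport)
ConnKey = Tuple[str, int, str, int]


@dataclass
class Router:
    # the "sanity rule" from the thread: filter forward connection-state=invalid action=drop
    drop_invalid: bool = False
    conntrack: Dict[ConnKey, Tuple[str, int]] = field(default_factory=dict)
    nat_rule_hits: int = 0                       # times the srcnat masquerade rule was evaluated
    dropped: List[Packet] = field(default_factory=list)

    @staticmethod
    def key(pkt: Packet) -> ConnKey:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def state(self, pkt: Packet) -> str:
        """Classify a packet the way conntrack would: established, new or invalid."""
        if self.key(pkt) in self.conntrack:
            return "established"
        return "new" if pkt.syn else "invalid"

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the WAN side, or None if dropped."""
        st = self.state(pkt)
        if st == "invalid":
            if self.drop_invalid:
                self.dropped.append(pkt)
                return None
            # No conntrack entry, so the srcnat chain is never consulted:
            # the packet leaves with its private source address untouched.
            return pkt
        if st == "new":
            # Only the first packet of a connection hits the masquerade rule;
            # the decision is stored in conntrack for the rest of the flow.
            self.nat_rule_hits += 1
            self.conntrack[self.key(pkt)] = (WAN_IP, pkt.sport)
        nsrc, nsport = self.conntrack[self.key(pkt)]
        return Packet(nsrc, nsport, pkt.dst, pkt.dport, pkt.syn)


def run(drop_invalid: bool) -> Tuple[Router, List[Optional[Packet]]]:
    """Push a 3-packet LAN flow plus one stray mid-stream packet through the router."""
    r = Router(drop_invalid=drop_invalid)
    flow = [
        Packet("192.168.1.2", 40000, "198.51.100.5", 80, syn=True),  # constructed: opens the connection
        Packet("192.168.1.2", 40000, "198.51.100.5", 80),
        Packet("192.168.1.2", 40000, "198.51.100.5", 80),
    ]
    # constructed: a non-SYN packet for which conntrack has no entry (e.g. table overflow under load)
    stray = Packet("192.168.1.3", 40001, "198.51.100.5", 80)
    out = [r.forward(p) for p in flow + [stray]]
    return r, out


if __name__ == "__main__":
    for flag in (False, True):
        router, egress = run(flag)
        print(f"drop_invalid={flag}: nat rule hit {router.nat_rule_hits} time(s)")
        for p in egress:
            print("  ", "DROPPED" if p is None else f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Running it shows the masquerade rule counter incrementing once for the whole flow, every packet of the flow leaving with the WAN address, and the stray packet leaving with its 192.168 source until `drop_invalid` is switched on, which is exactly the ordering the thread arrives at: drop invalid in the filter chain rather than expecting the NAT rule to catch it.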