Which NAT type does ROS use

Which NAT type does ROS use?
Symmetric?
Cone?
Can a user change the NAT type on ROS?

ROS uses whatever NAT type you configure

I’m afraid that is an answer to another question.
“cone”, “restricted cone” etc. are terms from an RFC which has attempted to classify NAT types by behaviour in order to allow predicting how future connections through that NAT will look, so that e.g. a SIP phone could indicate in SDP the public IP address of the NAT and the correct port on it when sending the SDP, i.e. already before the RTP flow has even started and thus before the pinhole in the NAT could be created. The concept is called STUN.

So all these “NAT types” deal with what Mikrotik calls src-nat. The differences between these NAT types consist in how many attributes of the flow are taken into account when creating a new pinhole and when letting traffic through the pinhole from the public side to the private one.

When a UDP packet is sent from port a on IP address A at the private side of the NAT to port b on IP address B on the remote end, the NAT allocates port c on its public interface to forward that packet.
The first difference between NATs is whether they try to keep c=a whenever possible or whether they prefer that c != a even if c=a would be possible.
Another difference is whether, if c cannot be equal to a, a random port is chosen or the last assigned one incremented by 1.
Yet another difference is whether, once port c is open, only packets coming to C:c from B:b are forwarded to A:a or whether packets from anywhere else are forwarded too.
Yet another difference is whether, for a connection from another internal IP address (D) but same port (a) to another external socket than B:b, the same port c=a is used or another one.

I’m afraid that from this perspective, you cannot configure how Mikrotik’s src-nat behaves. You can only configure whether a single public address or a pool of them will be used, plus you can choose network prefix NAT (network to network) or 1:1 mapping (where each address on the private side is systematically NATed to its own unique address on the public side, but the mapping is not prefix based and only some private addresses may have their own public address assigned). But for many:1 (private:public) mapping, you cannot influence the behaviour - the connection tracking ensures that only packets from B:b are ever let in, but that says nothing about how c is chosen.
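To make the four differences listed in the reply above concrete, here is a small Python model written for this thread (it is added example code, not RouterOS code and not anything from the original posts). `ToyNat` exposes the mapping and filtering choices as knobs, and `classify` runs the kind of probing a STUN server does from the public side to label the result. All hosts, ports and addresses are constructed sample values; the default `filtering="endpoint"` corresponds to what the reply says connection tracking enforces (only B:b is let back in).

```python
"""Toy model of the NAT behaviours listed in the reply above (added example).

Knobs:
  mapping   how public port c is chosen for a new flow A:a -> B:b
            "preserve"   try c == a, otherwise fall back to sequential
            "sequential" last assigned port + 1
            "random"     a random free port
  endpoint_independent
            True:  one c per internal socket A:a, whatever the destination
            False: a new c for every distinct destination B:b ("symmetric")
  filtering which public-side packets are let back through the pinhole C:c
            "any"       from anywhere (full cone)
            "address"   only from IP B, any port (restricted cone)
            "endpoint"  only from B:b (port-restricted cone; what the reply
                        says MikroTik's connection tracking enforces)
All hosts and ports below are constructed sample values.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Socket = Tuple[str, int]  # (ip, port)


@dataclass
class ToyNat:
    public_ip: str
    mapping: str = "preserve"
    filtering: str = "endpoint"
    endpoint_independent: bool = True
    next_port: int = 1024
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    table: Dict[object, int] = field(default_factory=dict)       # mapping key -> c
    owner: Dict[int, Socket] = field(default_factory=dict)       # c -> internal A:a
    holes: Dict[int, Set[Socket]] = field(default_factory=dict)  # c -> remotes B:b seen

    def _key(self, src: Socket, dst: Socket):
        return src if self.endpoint_independent else (src, dst)

    def _allocate(self, a: int) -> int:
        """Pick public port c for a flow whose private source port is a."""
        if self.mapping == "preserve" and a not in self.owner:
            return a
        if self.mapping == "random":
            free = [p for p in range(1024, 65536) if p not in self.owner]
            return self.rng.choice(free)
        # sequential, also the fallback when c == a is already taken
        while self.next_port in self.owner:
            self.next_port += 1
        c, self.next_port = self.next_port, self.next_port + 1
        return c

    def outbound(self, src: Socket, dst: Socket) -> Socket:
        """Private src sends to dst; returns the public socket C:c used."""
        key = self._key(src, dst)
        if key not in self.table:
            c = self._allocate(src[1])
            self.table[key] = c
            self.owner[c] = src
        c = self.table[key]
        self.holes.setdefault(c, set()).add(dst)  # open/refresh the pinhole
        return (self.public_ip, c)

    def inbound(self, remote: Socket, c: int) -> Optional[Socket]:
        """Packet from remote to C:c; returns internal A:a if forwarded, else None."""
        if c not in self.owner:
            return None  # no pinhole for that port: dropped
        seen = self.holes[c]
        if self.filtering == "any":
            return self.owner[c]
        if self.filtering == "address":
            return self.owner[c] if any(r[0] == remote[0] for r in seen) else None
        return self.owner[c] if remote in seen else None


def classify(nat: ToyNat) -> str:
    """STUN-style probing: what a public test server could conclude about nat."""
    A = ("10.0.0.5", 40000)      # private host behind the NAT
    B = ("203.0.113.10", 3478)   # first public server
    E = ("198.51.100.7", 3478)   # second public server
    F = ("192.0.2.9", 5000)      # a host A never talked to
    c1 = nat.outbound(A, B)[1]
    c2 = nat.outbound(A, E)[1]
    if c1 != c2:
        return "symmetric"
    if nat.inbound(F, c1):
        return "full cone"
    if nat.inbound((B[0], 9999), c1):
        return "restricted cone"
    return "port-restricted cone"
```

The model deliberately covers only the first three differences plus endpoint-(in)dependent mapping; the port-sharing case from the last bullet (a second internal host reusing c=a towards a different destination) is not modelled. Running `classify(ToyNat("192.0.2.1", endpoint_independent=False))` yields "symmetric", while the default knobs yield "port-restricted cone".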

Thanks for your answer!
My problem is that,
with upnp set up, the user’s PS4 can’t log in or log out within one minute when joining a “room”.
For the test, the firewall filter is empty.
But if I set dst-nat manually, it works well.

As you mention upnp, there is no need to think about NAT type - upnp allows the device on the LAN to tell the router which ports on the WAN address it wants to open and forward to itself, so the autonomous rules for allocating pinholes as described earlier are not used. So the correct question would be “why upnp does not work (as expected) between the PS4 and the Mikrotik”.

Can you provide the output of “export hide-sensitive” from your Mikrotik?

Please ignore the ppp settings.

/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default
disable-running-check=yes disabled=no full-duplex=yes mac-address=
00:D0:B7:72:5E:1C mtu=1500 name=LAN2 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default
disable-running-check=yes disabled=no full-duplex=yes mac-address=
00:D0:B7:6C:A2:AE mtu=1500 name=WAN speed=100Mbps
set 2 arp=enabled auto-negotiation=yes cable-settings=default
disable-running-check=yes disabled=no full-duplex=yes mac-address=
00:D0:B7:6C:A3:5D mtu=1500 name=ether2 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes cable-settings=default
disable-running-check=yes disabled=no full-duplex=yes mac-address=
00:0D:60:22:3F:B9 mtu=1500 name=LAN speed=100Mbps
/interface vlan
add arp=enabled disabled=yes interface=WAN mtu=1500 name=vlan2363
use-service-tag=no vlan-id=2363
/ip pool
add name=111 ranges=10.0.0.2-10.0.0.254
add name=pool2 ranges=172.10.0.2-172.10.254.254
/ip dhcp-server
add address-pool=111 always-broadcast=yes authoritative=after-2sec-delay
bootp-lease-time=forever bootp-support=dynamic disabled=no interface=LAN
lease-time=3d name=ceshi
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=serial0 parity=none
stop-bits=1
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=
default use-encryption=default use-mpls=default use-vj-compression=
default
add change-tcp-mss=default dns-server=202.106.46.151,202.106.196.115
local-address=172.10.0.1 name=ADSL only-one=yes rate-limit=5M/5M
remote-address=pool2 use-compression=default use-encryption=default
use-mpls=default use-vj-compression=default
set 2 change-tcp-mss=yes name=default-encryption only-one=default
use-compression=default use-encryption=yes use-mpls=default
use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20
red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-protocol=MD5
encryption-protocol=DES name=public read-access=yes security=none
write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100
disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0
syslog-facility=daemon syslog-severity=auto target=remote
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=
no
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=
default enabled=no keepalive-timeout=60 mac-address=FE:8C:44:F7:6B:8D
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pppoe-server server
add authentication=pap default-profile=ADSL disabled=no interface=LAN2
keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=0 mrru=
disabled one-session-per-host=no service-name=ceshi
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=
default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=
disabled port=443 verify-client-certificate=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=x.x.x.x/29 disabled=no interface=WAN network=x.x.x.z
add address=10.0.0.1/24 disabled=no interface=LAN network=10.0.0.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=10.0.0.0/24 dhcp-option="" dns-server=
202.106.46.151,202.106.196.115 gateway=10.0.0.1 ntp-server=""
wins-server=""
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB
max-udp-packet-size=4096 servers=""
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward connection-state=established disabled=no
in-interface=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment=
"Allow if Destination NAT Rule" connection-state=related disabled=no
in-interface=WAN new-connection-mark="Allow if Destination NAT Rule"
passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=10.0.0.0/24
to-addresses=y.y.y.y
add action=dst-nat chain=dstnat disabled=yes dst-address=y.y.y.y
dst-port=9305 in-interface=WAN protocol=udp to-addresses=10.0.0.253
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip neighbor discovery
set LAN2 disabled=no
set WAN disabled=no
set ether2 disabled=no
set LAN disabled=no
set vlan2363 disabled=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4
cache-on-disk=no enabled=no max-cache-size=none max-client-connections=
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0
parent-proxy-port=0 port=8080 serialize-connections=no src-address=
0.0.0.0
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
x.x.x.z scope=30 target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=38291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=
all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no
max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=yes
/ip upnp interfaces
add disabled=no interface=LAN type=internal
add disabled=no interface=vlan2363 type=external
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=no interim-update=0s use-radius=no
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=yt123
profile=ADSL routes="" service=pppoe
/queue interface
set LAN2 queue=ethernet-default
set WAN queue=ethernet-default
set ether2 queue=ethernet-default
set LAN queue=ethernet-default
/radius incoming
set accept=no port=3799
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators=""
trap-target="" trap-version=1
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=
"jan/01/1970 00:00:00" time-zone=+00:00
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
set [ find vcno=1 ] channel=0 disabled=no term=linux
set [ find vcno=2 ] channel=0 disabled=no term=linux
set [ find vcno=3 ] channel=0 disabled=no term=linux
set [ find vcno=4 ] channel=0 disabled=no term=linux
set [ find vcno=5 ] channel=0 disabled=no term=linux
set [ find vcno=6 ] channel=0 disabled=no term=linux
set [ find vcno=7 ] channel=0 disabled=no term=linux
set [ find vcno=8 ] channel=0 disabled=no term=linux
/system console screen
set blank-interval=10min line-count=25
/system hardware
set multi-cpu=yes
/system health
set state-after-reboot=enabled
/system identity
set name=MikroTik
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=broadcast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
set 10 cpu=auto
set 11 cpu=auto
set 12 cpu=auto
set 13 cpu=auto
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=
none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=
100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=no interface=all
/tool mac-server mac-winbox
set [ find default=yes ] disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol=
"" filter-mac-address="" filter-mac-protocol="" filter-port=""
filter-stream=yes interface=all memory-limit=100KiB memory-scroll=yes
only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0

I have no idea what you use vlan 2363 for, but there is a clear discrepancy between

/ip upnp interfaces
add disabled=no interface=LAN type=internal
add disabled=no interface=vlan2363 type=external

and

/ip firewall nat
...
add action=dst-nat chain=dstnat disabled=yes dst-address=y.y.y.y dst-port=9305 in-interface=WAN protocol=udp to-addresses=10.0.0.253

On top of that, your configuration shows no local IP address to be assigned in vlan 2363.

In the upnp configuration, internal interfaces are those to which the upnp clients (like your console) allowed to control the router are connected, and the external interface is the one on which the clients can create dst-nat rules.

So assuming that upnp clients can be connected to LAN, your upnp configuration should look as follows:

/ip upnp interfaces
add disabled=no interface=LAN type=internal
add disabled=no interface=WAN type=external

Off topic, I hope you have a firewall somewhere else, as

/ip firewall filter
add action=accept chain=forward connection-state=established disabled=no in-interface=WAN

effectively does nothing because the default policy of the Mikrotik firewall is accept. So packets which match the rule above are accepted by that rule, while all the other packets are accepted by default.

You have no rules in /ip firewall filter chain=input and no address ranges in /ip service. So unless there is some other firewall between your device and the internet which prevents access to your Mikrotik’s management ports (telnet, http, …) but permits access to other ports (as otherwise the upnp or dstnat rules would be useless and they clearly are not), all the management services of your Mikrotik are accessible from anywhere in the internet.

I am sorry that the “discrepancy” confused you.
It’s a testing “trial” for vlan 2363 because I have multiple WAN lines in the production environment.
I do use the WAN interface (vlan 1) to test upnp,
and set
/ip upnp interfaces
add disabled=no interface=LAN type=internal
add disabled=no interface=WAN type=external

Thanks a lot for the reminder about the firewall setting. It is only a configuration for testing.

I didn’t feel confused before but now I do :slight_smile: Has this change solved your initial issue or not? I.e. do you need the dst-nat rule to make the ps4 work even with this modified upnp setting?

Thanks a lot for the reminder about the firewall setting. It is only a configuration for testing.

Having no context, I didn’t know whether that is an issue or not. But even if it is a testing configuration, having unprotected devices exposed to internet is a bad idea as they may start spreading malware themselves if infected.

I didn’t feel confused before but now I do :slight_smile: Has this change solved your initial issue or not? I.e. do you need the dst-nat rule to make the ps4 work even with this modified upnp setting?

Because the upnp setting didn’t make the ps4 work, I configured the dst-nat setting manually, and then the ps4 did work.

Having no context, I didn’t know whether that is an issue or not. But even if it is a testing configuration, having unprotected devices exposed to internet is a bad idea as they may start spreading malware themselves if infected.

Thanks, I have changed the service ports and limited the source IP addresses to protect the device.