Community discussions

 
User avatar
lapsio
Member
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

DST-NAT in bridge breaks forwarding

Sat Jul 14, 2018 6:28 pm

I have following setup:

CRS326 --- CCR1009 --- RB2011 --- internet

CCR1009 is bridging one network that spans between CRS326 and RB2011 (which is wifi network). RB2011 is router in this network there's DNS server connected to it. CCR doesn't have an IP address in this network. It just performs bridging.

There's NAT for DNS servers so that no matter what DNS server user specifies, it's always redirected to DNS server connected to RB2011. I like to have possibly synchronized configs so I have 1:1 the same NAT rules on CCR and RB, regardless fact that CCR does not actively participate in this network routing.

When I'm performing NAT in this bridge on CCR it doesn't forward packets (on bridge level). I have bridge firewall enabled. Here's what exactly happens if NAT on CCR is enabled:

1. CCR gets packet from 192.168.4.6 to 8.8.8.8
2. CCR changes dst IP to 192.168.10.9
3. CCR doesn't forward packet any further. The same happens if I perform NAT to 192.168.4.6.

If I disable NAT on CCR bridge it does forward packets. My question is - why doing NAT breaks forwarding if router doesn't have addressing on bridge. I somewhat understand it because changing destination IP can potentially turn bridging into routing and considering router has no IP in this bridge it can't perform routing but does NAT always turn bridging into routing? Is there any way to fix it (other than disabling NAT) like for example specifying 192.168.0.0/24 address for bridge (so that it's not functional IP address just indication of network on bridge or something similar)?
MTCNA, MTCRE, MTCINE
 
mkx
Forum Guru
Forum Guru
Posts: 2929
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST-NAT in bridge breaks forwarding

Sat Jul 14, 2018 11:04 pm

My guess is slightly other phenomenon. When CCR is only bridging, it only cares about MAC addresses and it learns them by switching performing switching tasks (layer2 network). If it starts to NAT packets, it suddenly doesn't know where to send the just NATed packet. It is quite obvious it should do ARP request to learn MAC address of new destination ... and it should have default gateway configured as well in case NATed address is not local.

So yes, as NAT is layer3 operation, box doing it should be part of a layer3 network.
BR,
Metod
 
User avatar
lapsio
Member
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Re: DST-NAT in bridge breaks forwarding

Sat Jul 14, 2018 11:23 pm

So yes, as NAT is layer3 operation, box doing it should be part of a layer3 network.
I blacklisted in-interface-list with unaddressed bridges from NAT to prevent NATing on unaddressed bridges. But another question is - how about mangle and PBR? Does assigning routing mark also force routing? I wonder simply because my current infrastructure doesn't really allow me to test it (I use PBR only for management network). At the moment I also blacklisted those bridges from assigning routing mark in mangle but I wonder if it's necessary operation or assigning routing mark to bridged packet is nop.
MTCNA, MTCRE, MTCINE
 
mkx
Forum Guru
Forum Guru
Posts: 2929
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST-NAT in bridge breaks forwarding

Sat Jul 14, 2018 11:33 pm

I'd say that any operation that requires external (to the L3 switch or whatever you call it) L3 information can not be done on unaddressed device (or part of one). I guess assigning routing mark is OK, but routing based on routing mark is ... ah, well, routing is L3 operation after all. PBR has routing in it's name. I guess you could use mangle on L2, but it is more usable on L3 ...
BR,
Metod
 
nescafe2002
Long time Member
Long time Member
Posts: 622
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: DST-NAT in bridge breaks forwarding  [SOLVED]

Sun Jul 15, 2018 12:11 pm

Is there any way to fix it (other than disabling NAT) like for example specifying 192.168.0.0/24 address for bridge (so that it's not functional IP address just indication of network on bridge or something similar)?

Yes, you don't need an IP address but only a route that will direct ARP requests towards the correct interface.
/ip route
add dst-address=192.168.10.9 gateway=bridge1
 
User avatar
lapsio
Member
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Re: DST-NAT in bridge breaks forwarding

Sun Jul 15, 2018 6:26 pm

Yes, you don't need an IP address but only a route that will direct ARP requests towards the correct interface.
Unfortunately it doesn't work. Router already has address in 192.168.10.0/24 network as it's management one. It only doesn't have address in 192.168.4.0/24. NAT makes either 8.8.8.8 -> 192.168.10.9 or 8.8.8.8 -> 192.168.4.1 depending on src ip list. I added both networks in /ip route but it didn't solve the problem.
MTCNA, MTCRE, MTCINE

Who is online

Users browsing this forum: No registered users and 29 guests