tb704
just joined
Topic Author
Posts: 5
Joined: Thu Feb 25, 2021 1:42 am

Setting Up Nat (Properly)

Wed Mar 03, 2021 3:18 am

I am working on setting up a Zabbix server to monitor my hosts. My router is broken up into 5 subnets: trusted, untrusted, servers, game servers, and management. My NAT is set up in a one to many configuration (correct me if that's the wrong term) where each of those subnets gets natted to a public IP. Those public IPs are statically assigned meaning anyone on the trusted subnet ALWAYS uses one IP, untrusted uses another, servers use a third and so on.

My issue is coming from my Zabbix server not being able to communicate with one of the clients because the client sees the request coming from the server's public (natted) IP instead of the internal private IP. The client rejects any requests not coming from a specified IP. See the log entry from the Zabbix server:

5620:20210302:195056.898 failed to accept an incoming connection: connection from "xxx.xxx.xxx.251" rejected, allowed hosts: "10.0.0.10"

As shown above, my client is looking for packets to come from 10.0.0.10 but they are coming from the WAN IP. I could just change the allowed server IP, but more importantly, I don't want these packets touching the internet.

Take a look at my configuration and let me know what I'm doing wrong. I thought of using masquerade instead of "to addresses" in my NAT rules, but I'm not 100% sure if that will accomplish anything. I found a page that says "masquerade - replaces source port of an IP packet to one specified by to-ports parameter and replace source address of an IP packet to IP determined by routing facility." I kind of get this, but mostly don't. I don't think I want this because I need to make sure certain servers always use the same IP address due to DNS requirements.

In short, I only want my router to NAT packets that need to go to the internet. If a host needs to communicate with a host that is in its routing table, it shouldn't need NAT to do so. And typing that sentence made me think of something. Is there a way to make the route for 0.0.0.0/0 NOT the first rule? Maybe if it sees the connected route first? So I changed the distance on that route to 254; no change.

Lastly, check out this weirdness in traceroute. I can trace from a server on 10.0.0.0/24 (10.0.0.16) to the gateway of network 10.1.0.1/24 (10.1.0.1), but cannot trace a host on 10.1.0.0 (10.1.0.2).

 tracepath 10.1.0.2
 1?: [LOCALHOST]                                         pmtu 1500
 1:  gateway                                               0.278ms
 1:  gateway                                               0.254ms
 2:  no reply
 3:  no reply
 4:  no reply
^C
[root@web tymier]# tracepath 10.1.0.1
 1?: [LOCALHOST]                                         pmtu 1500
 1:  10.1.0.1                                              0.307ms reached
 1:  10.1.0.1                                              0.268ms reached
     Resume: pmtu 1500 hops 1 back 1

# mar/02/2021 20:15:27 by RouterOS 6.45.3
# software id = HT9Y-4QA6
#
# model = CCR1036-8G-2S+
# serial number = 5AAD02D2FDAA
/interface ethernet
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether8 ] comment=WAN
/interface vlan
add interface=ether5 name=GAMESERVERSv50 vlan-id=50
add interface=ether5 name=MGMTv60 vlan-id=60
add interface=ether5 name=SERVERSv40 vlan-id=40
add interface=ether5 name=TRUSTEDv20 vlan-id=20
add interface=ether5 name=UNTRUSTEDv30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=TRUSTED ranges=192.168.1.100-192.168.1.254
add name=UNTRUSTED ranges=192.168.2.100-192.168.2.254
add name=SERVERS ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=TRUSTED disabled=no interface=TRUSTEDv20 name=TRUSTED_DHCP
add address-pool=UNTRUSTED disabled=no interface=UNTRUSTEDv30 name=UNTRUSTED_DHCP
/ip address
add address=192.168.88.1/24 comment="DEFAULT CONFIG" interface=ether1 network=192.168.88.0
add address=xxx.xxx.xxx.250/29 interface=ether8 network=xxx.xxx.xxx.248
add address=xxx.xxx.xxx.251/29 interface=ether8 network=xxx.xxx.xxx.248
add address=xxx.xxx.xxx.252/29 interface=ether8 network=xxx.xxx.xxx.248
add address=xxx.xxx.xxx.253/29 interface=ether8 network=xxx.xxx.xxx.248
add address=xxx.xxx.xxx.254/29 interface=ether8 network=xxx.xxx.xxx.248
add address=192.168.1.1/24 interface=TRUSTEDv20 network=192.168.1.0
add address=192.168.2.1/24 interface=UNTRUSTEDv30 network=192.168.2.0
add address=10.0.0.1/24 interface=SERVERSv40 network=10.0.0.0
add address=10.1.0.1/24 interface=GAMESERVERSv50 network=10.1.0.0
add address=10.10.0.1/24 interface=MGMTv60 network=10.10.0.0
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.2,8.8.8.8,8.8.4.4 domain=servers.tyd-it.local gateway=10.0.0.1 netmask=24
add address=10.1.0.0/24 dns-server=10.0.0.2,8.8.8.8,8.8.4.4 domain=gamesvrs.tyd-it.local gateway=10.1.0.1 netmask=24
add address=192.168.1.0/24 dns-server=10.0.0.2,8.8.8.8,8.8.4.4 domain=trusted.tyd-it.local gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=10.0.0.2,8.8.8.8,8.8.4.4 domain=untrusted.tyd-it.local gateway=192.168.2.1 netmask=24
/ip firewall filter
add action=accept chain=input comment="Allow All from Mothaship" src-address=192.168.1.2
add action=drop chain=input comment="Drop Winbox access from WAN" dst-port=8291 in-interface=ether8 protocol=tcp
add action=drop chain=input comment="Drop SSH into WAN port." dst-port=22 in-interface=ether8 protocol=tcp
add action=drop chain=input comment="drop ICMP to WAN" in-interface=ether8 protocol=icmp
add action=drop chain=input comment="DROP ftp to WAN" dst-port=21 in-interface=ether8 protocol=tcp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=input comment="DROP TFTP from ETH8" dst-port=69 in-interface=ether8 protocol=udp
add action=drop chain=input comment="DROP packets to Winbox from ETH8" dst-port=8291 in-interface=ether8 protocol=tcp
add action=drop chain=input comment=" Block packets from ETH8 to Winbox API port" dst-port=8728 in-interface=ether8 protocol=tcp
add action=drop chain=input comment="Block MikroTik Bandwidth Test" dst-port=2000 protocol=tcp
add action=accept chain=output comment="drop ftp brute forcers" content="530 Login incorrect" dst-limit=1/1m,4,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=1d chain=output comment="drop ftp brute forcers" content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="drop ssh brute forcers" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="drop ssh brute forcers" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="drop ssh brute forcers" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="drop ssh brute forcers" connection-state=new dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward comment="dropping port scanners" disabled=yes src-address-list="port scanners"
add action=drop chain=input comment="Drop NEW packets to xxx.xxx.xxx.251" connection-state=new dst-address=xxx.xxx.xxx.251
/ip firewall nat
add action=dst-nat chain=dstnat comment="FWD SMTP to iRedMail" dst-address=xxx.xxx.xxx.251 dst-port=25 protocol=tcp to-addresses=10.0.0.4
add action=dst-nat chain=dstnat comment="FWD email submission to iRedMail" dst-address=xxx.xxx.xxx.251 dst-port=587 protocol=tcp to-addresses=10.0.0.4
add action=dst-nat chain=dstnat comment="FWD pop3 to iRedMail" dst-address=xxx.xxx.xxx.251 dst-port=110 protocol=tcp to-addresses=10.0.0.4
add action=dst-nat chain=dstnat comment="FWD pop3s to iRedMail" dst-address=xxx.xxx.xxx.251 dst-port=995 protocol=tcp to-addresses=10.0.0.4
add action=dst-nat chain=dstnat comment="FWD IMAP to iRedMail" dst-address=xxx.xxx.xxx.251 dst-port=143 protocol=tcp to-addresses=10.0.0.4
add action=dst-nat chain=dstnat comment="FWD IMAPs to iRedMail" dst-address=xxx.xxx.xxx.251 dst-port=993 protocol=tcp to-addresses=10.0.0.4
add action=dst-nat chain=dstnat comment="FWD RDP to ARMA3" dst-address=xxx.xxx.xxx.251 dst-port=9000 protocol=tcp to-addresses=10.1.0.2 to-ports=3389
add action=dst-nat chain=dstnat comment="FWD to ARMA3 https://community.bistudio.com/wiki/Arma_3:_Dedicated_Server" dst-address=xxx.xxx.xxx.251 dst-port=2302-2306 protocol=udp to-addresses=10.1.0.2
add action=dst-nat chain=dstnat comment="FWD RDP to GroundBranch" dst-address=xxx.xxx.xxx.251 dst-port=9001 protocol=tcp to-addresses=10.1.0.3 to-ports=3389
add action=dst-nat chain=dstnat comment="FWD TCP80 to WebSvr (10.0.0.16)" dst-address=xxx.xxx.xxx.251 dst-port=80 protocol=tcp to-addresses=10.0.0.16
add action=dst-nat chain=dstnat comment="FWD TCP443 to WebSvr (10.0.0.16)" dst-address=xxx.xxx.xxx.251 dst-port=443 protocol=tcp to-addresses=10.0.0.16
add action=dst-nat chain=dstnat comment="FWD HTTP to VPN SVR" dst-address=xxx.xxx.xxx.254 to-addresses=10.0.0.31
add action=src-nat chain=srcnat src-address=192.168.1.0/24 to-addresses=xxx.xxx.xxx.250
add action=src-nat chain=srcnat src-address=192.168.2.0/24 to-addresses=xxx.xxx.xxx.252
add action=src-nat chain=srcnat src-address=10.0.0.0/24 to-addresses=xxx.xxx.xxx.251
add action=src-nat chain=srcnat src-address=10.1.0.0/24 to-addresses=xxx.xxx.xxx.253
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=254 gateway=xxx.xxx.xxx.249
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock manual
set dst-delta=-01:00 dst-end="nov/07/2021 00:00:00" dst-start="mar/14/2021 00:00:00" time-zone=-05:00
/system ntp client
set enabled=yes primary-ntp=10.0.0.2
/system scheduler
add interval=12h name=backup on-event="system backup save name=today.backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=00:00:00
/tool sniffer
set filter-interface=ether8 filter-ip-protocol=icmp
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Setting Up Nat (Properly)

Wed Mar 03, 2021 9:56 am

The src-nat rules are "too greedy":
add action=src-nat chain=srcnat src-address=192.168.1.0/24 to-addresses=xxx.xxx.xxx.250
add action=src-nat chain=srcnat src-address=192.168.2.0/24 to-addresses=xxx.xxx.xxx.252
add action=src-nat chain=srcnat src-address=10.0.0.0/24 to-addresses=xxx.xxx.xxx.251
add action=src-nat chain=srcnat src-address=10.1.0.0/24 to-addresses=xxx.xxx.xxx.253
They are all similar, but it's the third one which bothers the Zabbix client. The rule instructs the router to perform SRC-NAT for every connection passing the router which has src-address set to 10.0.0.0/24 (and the rest of the rules for the other src-address ranges). And that includes connections with dst-address e.g. 10.1.0.0/24 ... which is obviously not what you want. So you should update all SRC-NAT rules to include some selector limiting their action to connections targeting WAN. According to the rest of your config, you should add out-interface=ether8 to all of them. E.g. by running the command
/ip firewall nat set [ find chain=srcnat ] out-interface=ether8
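The following is an added example, not RouterOS code or anything posted in the thread. It is a small Python model of how the srcnat chain above is evaluated: a longest-prefix route lookup decides the out-interface, then rules are tried top-down and the first match rewrites the source. It reproduces both the Zabbix failure (10.0.0.10 polling 10.1.0.2 arrives as the public .251 address and is rejected) and the fix (the same rules with out-interface=ether8 leave inter-VLAN traffic alone while internet-bound traffic still gets its fixed public IP). It also shows why changing the default route's distance to 254 had no effect: distance only ranks routes to the same prefix, and a connected /24 always wins over 0.0.0.0/0. Assumptions: the masked public /29 is stood in for by the documentation range 203.0.113.248/29, and the routing table is reconstructed from the posted /ip address and /ip route sections.

```python
"""Added example: model of RouterOS srcnat matching for the posted config.
Not MikroTik code. Public addresses are placeholders (203.0.113.x) because
the post masks them as xxx.xxx.xxx.N.
"""
import ipaddress
from typing import List, Optional, Tuple

# Routing table reconstructed from the post: (prefix, out-interface, distance).
# Connected /24s come from /ip address; the default route is the posted
# "distance=254 gateway=xxx.xxx.xxx.249" entry, which exits via WAN ether8.
ROUTES: List[Tuple[str, str, int]] = [
    ("192.168.1.0/24", "TRUSTEDv20", 0),
    ("192.168.2.0/24", "UNTRUSTEDv30", 0),
    ("10.0.0.0/24", "SERVERSv40", 0),
    ("10.1.0.0/24", "GAMESERVERSv50", 0),
    ("10.10.0.0/24", "MGMTv60", 0),
    ("0.0.0.0/0", "ether8", 254),
]


def lookup_out_interface(dst: str) -> str:
    """Longest-prefix match; distance only breaks ties between routes to the
    same prefix, so a connected /24 beats 0.0.0.0/0 whatever its distance."""
    addr = ipaddress.ip_address(dst)
    best_key, best_iface = None, None
    for prefix, iface, distance in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -distance)
            if best_key is None or key > best_key:
                best_key, best_iface = key, iface
    if best_iface is None:
        raise LookupError(f"no route to {dst}")
    return best_iface


class SrcNatRule:
    """One 'chain=srcnat action=src-nat' rule. out_interface=None models a
    rule without an out-interface selector: it matches on every egress."""

    def __init__(self, src_address: str, to_address: str,
                 out_interface: Optional[str] = None) -> None:
        self.src_net = ipaddress.ip_network(src_address)
        self.to_address = to_address
        self.out_interface = out_interface

    def matches(self, src: str, out_iface: str) -> bool:
        if ipaddress.ip_address(src) not in self.src_net:
            return False
        return self.out_interface is None or self.out_interface == out_iface


def apply_srcnat(rules: List[SrcNatRule], src: str, dst: str) -> str:
    """Source address the destination sees for a new connection. Rules are
    tried top-down, the first matching src-nat ends the chain, and with no
    match the packet leaves with its source unchanged."""
    out_iface = lookup_out_interface(dst)
    for rule in rules:
        if rule.matches(src, out_iface):
            return rule.to_address
    return src


def zabbix_accepts(seen_src: str, allowed_hosts: List[str]) -> bool:
    """The agent-side check behind the 'rejected, allowed hosts' log line."""
    return seen_src in allowed_hosts


# Placeholder public addresses (assumption; the post masks the real /29).
WAN = {n: f"203.0.113.{n}" for n in (250, 251, 252, 253)}

# The four rules exactly as posted: src-address only, no egress selector.
GREEDY_RULES = [
    SrcNatRule("192.168.1.0/24", WAN[250]),
    SrcNatRule("192.168.2.0/24", WAN[252]),
    SrcNatRule("10.0.0.0/24", WAN[251]),
    SrcNatRule("10.1.0.0/24", WAN[253]),
]

# The same rules after: /ip firewall nat set [ find chain=srcnat ] out-interface=ether8
FIXED_RULES = [
    SrcNatRule(r.src_net.with_prefixlen, r.to_address, out_interface="ether8")
    for r in GREEDY_RULES
]


def zabbix_case(rules: List[SrcNatRule]) -> Tuple[str, bool]:
    """Zabbix server 10.0.0.10 polling an agent on 10.1.0.2 whose allowed
    hosts list (from the posted log line) contains only 10.0.0.10."""
    seen = apply_srcnat(rules, "10.0.0.10", "10.1.0.2")
    return seen, zabbix_accepts(seen, ["10.0.0.10"])


if __name__ == "__main__":
    for name, rules in (("as posted", GREEDY_RULES), ("out-interface=ether8", FIXED_RULES)):
        seen, ok = zabbix_case(rules)
        wan_src = apply_srcnat(rules, "10.0.0.10", "8.8.8.8")
        print(f"{name:22s} agent sees {seen:16s} accepted={ok}; to 8.8.8.8 as {wan_src}")
```

Two practical notes. NAT rules are consulted only for the first packet of a connection, so a session already in the connection tracking table keeps its old translation until it expires; if a poll still shows the public address after the rule change, clear the tracked entry (RouterOS keeps them under /ip firewall connection). And the management VLAN 10.10.0.0/24 has no srcnat rule at all in the posted config, so the model leaves its traffic untranslated even toward ether8, which is what the router would do too.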
 
tb704
just joined
Topic Author
Posts: 5
Joined: Thu Feb 25, 2021 1:42 am

Re: Setting Up Nat (Properly)

Sun Mar 07, 2021 11:34 pm

That fixed it immediately. Thanks!
