 
alefello
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 1:39 am

1:1 NAT working as expected only when torch is enabled

Fri Sep 24, 2021 10:36 pm

Hello everyone
I've a PBX behind my mikrotik RB4011iGS+. My ISP gave me a private subnet for VOIP traffic and a public IP for my internet traffic. So I set up a 1:1 NAT between my PBX private address and my ISP VOIP subnet address for all the traffic except NTP (which is routed to internet subnet).
The problem is: I can register the PBX to my ISP VOIP server, I can receive and place calls, but the voice of the call comes only from external to internal and not from my phone to external (to be honest I hear an echo of my voice from my side). The strange thing is that when I enable the torch tool on the outgoing interface or on the PBX interface, traffic flows right both inward and outward and I don't hear the echo anymore from my phone. I really don't know what to think and what to do.
add address=172.29.0.1/24 comment="IP VOIP network" interface=ether2 network=172.29.0.0
/ip firewall filter
add action=accept chain=forward dst-address=172.29.0.1 in-interface-list=VOIP log=yes log-prefix=PBX out-interface-list=LAN
add action=accept chain=forward comment=PBX dst-address=192.168.1.246 in-interface-list=VOIP out-interface-list=LAN
add action=accept chain=forward in-interface-list=LAN log=yes log-prefix=PBX out-interface-list=VOIP src-address=192.168.1.246
add action=accept chain=forward comment=PBX in-interface-list=LAN out-interface-list=VOIP src-address=172.29.0.1
add action=accept chain=forward comment=PBX routing-mark=voip-out
/ip firewall mangle
add action=mark-routing chain=prerouting comment="PBX NTP" disabled=yes dst-address=193.204.114.232 new-routing-mark=main passthrough=yes src-address=192.168.1.246
add action=mark-routing chain=prerouting comment="PBX VOIP out mark" log=yes log-prefix="MARK PBX" new-routing-mark=voip-out passthrough=yes src-address=192.168.1.246
add action=mark-routing chain=output comment="PBX VOIP OUT" new-routing-mark=voip-out passthrough=yes src-address=192.168.1.246
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT 1:1 PBX" dst-address=172.29.0.1 in-interface-list=VOIP log=yes log-prefix=DST-NAT-PBX to-addresses=192.168.1.246
add action=src-nat chain=srcnat comment="PBX 1:1 NAT" log=yes log-prefix=SRC_NAT_PBX routing-mark=voip-out src-address=192.168.1.246 to-addresses=172.29.0.1
/ip route
add comment="gateway route out VOIP PBX" distance=1 gateway=172.29.0.254 routing-mark=voip-out
192.168.1.246: private IP of my PBX
172.29.0.1: assigned IP from my ISP for my PBX
Thank you
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: 1:1 NAT working as expected only when torch is enabled

Mon Sep 27, 2021 5:14 pm

Seems that disabling hw acceleration (Fastpath) fixes it... (Torch disables it, see https://wiki.mikrotik.com/wiki/Manual:Fast_Path)

I'd take a supout with and w/o Torch running and submit it to support.

Try disabling fastpath on your interfaces, does it fix the issue? (w/o running torch)
 
alefello
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 1:39 am

Re: 1:1 NAT working as expected only when torch is enabled

Tue Sep 28, 2021 12:19 am

Yesterday I made further improvements in my research (I didn't post them because the topic was still under review, sorry).

I made further investigation and found that if I make a routes rule like
add action=lookup-only-in-table comment=PBX_ROUTE_OUT src-address=192.168.1.246/32 table=voip-out
everything works fine. The problem is that I need to route SSL and NTP traffic to the other interface, and this was the reason I used mangle to mark the packets and the routes rules were these:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="PBX - VOIP OUT" log=yes log-prefix="MARK PBX VOIP" new-routing-mark=voip-out passthrough=yes src-address=192.168.1.246
add action=mark-routing chain=prerouting comment="PBX - accesso remoto" log=yes log-prefix="MARK PBX 443" new-routing-mark=main passthrough=yes protocol=tcp src-address=192.168.1.246 src-port=443
add action=mark-routing chain=prerouting comment="PBX - NTP" dst-address=193.204.114.232 log=yes log-prefix="MARK PBX NTP" new-routing-mark=main passthrough=yes src-address=192.168.1.246
add action=mark-routing chain=output comment="PBX - VOIP OUT" log=yes log-prefix="MARK PBX VOIP" new-routing-mark=voip-out passthrough=yes src-address=192.168.1.246
/ip route rule
add action=lookup-only-in-table comment="PBX - VOIP OUT" routing-mark=voip-out table=voip-out
but in this way, the packets are marked correctly (as shown in the attached logfile) but the routes based on routing mark don't work as expected and the packets are not forwarded correctly.
 
alefello
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 1:39 am

Re: 1:1 NAT working as expected only when torch is enabled

Tue Sep 28, 2021 12:31 am

Seems that disabling hw acceleration (Fastpath) fixes it... (Torch disables it, see https://wiki.mikrotik.com/wiki/Manual:Fast_Path)

I'd take a supout with and w/o Torch running and submit it to support.

Try disabling fastpath on your interfaces, does it fix the issue? (w/o running torch)
I don't find fastpath to disable on the physical interface. And my VOIP uplink interface is a physical interface (eth2) without VLAN or bridge. In the link you sent me it seems fastpath is available on other types of interfaces but not on physical interfaces.
 
alefello
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 1:39 am

Re: 1:1 NAT working as expected only when torch is enabled

Wed Sep 29, 2021 3:07 am

Ok, I tried to disable fasttrack and things started working as expected. With fasttrack disabled I was able to disable all the route rules too and everything kept working as expected.
Despite that, I think fasttrack is useful to increase firewall throughput, so I hope disabling it is not the only way to have the firewall working as expected.
 
mkx
Forum Guru
Posts: 11594
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1:1 NAT working as expected only when torch is enabled

Wed Sep 29, 2021 8:10 am

Depending on how exactly your firewall filter rules look like (the config snippet you posted doesn't seem to be complete) you might be able to fasttrack some traffic. But beware that fasttracked traffic doesn't get mangled.
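One way to keep fasttrack for ordinary LAN traffic while exempting the PBX (so the mangle routing-mark rules still see its packets) and IPsec traffic, as an added example that is not from any poster in this thread; it assumes the PBX address used above and a placeholder address-list name "no-fasttrack":

```routeros
# Added example, not the original poster's configuration.
# Goal: fasttrack everything except (a) connections involving the PBX,
# which must stay in the slow path so the prerouting mangle rules can
# set routing-mark=voip-out, and (b) IPsec-encapsulated traffic.
# Assumption: "no-fasttrack" is a placeholder list name chosen here.

/ip firewall address-list
add list=no-fasttrack address=192.168.1.246 comment="PBX: keep out of fasttrack so mangle can mark it"

/ip firewall filter
# IPsec traffic is accepted before the fasttrack rule, so it is never
# marked as a fasttracked connection (rule order matters: these must
# sit above the fasttrack-connection rule in the forward chain).
add chain=forward action=accept ipsec-policy=in,ipsec comment="IPsec in: bypass fasttrack"
add chain=forward action=accept ipsec-policy=out,ipsec comment="IPsec out: bypass fasttrack"

# Fasttrack only established/related connections where neither end is
# on the exempt list; the "!" negates the address-list match.
add chain=forward action=fasttrack-connection connection-state=established,related \
    src-address-list=!no-fasttrack dst-address-list=!no-fasttrack \
    comment="fasttrack everything except exempt hosts"

# The remaining established/related traffic (including the PBX) is
# accepted normally and keeps passing through mangle and the NAT rules.
add chain=forward action=accept connection-state=established,related \
    comment="accept the rest through the normal path"
```

Rules added with `add` are appended to the end of the chain, so on an existing configuration they need to be moved (or added with `place-before=`) above the current fasttrack rule, otherwise the PBX connection is fasttracked before the exemption is evaluated.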
 
alefello
just joined
Topic Author
Posts: 7
Joined: Fri Sep 24, 2021 1:39 am

Re: 1:1 NAT working as expected only when torch is enabled

Wed Sep 29, 2021 8:14 pm

Ok. I'll post the config.
A 100/100Mbps connection on a RB4011iGS+ with an IPSEC VPN onboard will be bottlenecked without fasttrack, or could I leave it disabled?
Is it ok if I keep the routes rule disabled? (I think it's a double if everything works)
 
mkx
Forum Guru
Posts: 11594
Joined: Thu Mar 03, 2016 10:23 pm

Re: 1:1 NAT working as expected only when torch is enabled

Thu Sep 30, 2021 12:45 pm

A 100/100Mbps connection on a RB4011iGS+ with an IPSEC VPN onboard will be bottlenecked without fasttrack, or could I leave it disabled?
IPsec itself puts a lot of burden on router (OK, some ciphers can be offloaded to hardware). And make sure traffic which is supposed to get into IPsec tunnel doesn't get fast-tracked. So if most of your firewalled traffic involves IPsec, then it's probably easiest just to disable fasttrack altogether.
 
pató
just joined
Posts: 5
Joined: Mon Mar 15, 2021 11:55 am

Re: 1:1 NAT working as expected only when torch is enabled

Tue Aug 29, 2023 12:16 pm

I had the same problem with a Mikrotik 4011.
RouterOS: 7.11
We had an electricity outage and after that we couldn't reach a few devices on the network which were in the same VLAN.
I disabled hardware offload on every port in the bridge settings, and since then everything works fine.
