I have srcNAT connection problems with wifi clients. The configuration below is being used on a CCR router with CAPsMAN enabled. Wifi clients connect and get an IP address from one single /16 subnet, which is srcNATed to 4 public IP addresses. For the public IP addresses OSPF is enabled, so ECMP should be used. Unfortunately, the public IP which is used for srcNAT is not respected. It seems OSPF ECMP changes this one randomly, which breaks TCP connections entirely. Hopefully it is clear what I mean?
Let's look at the configuration on the CCR:

- DHCP server
/ip dhcp-server network
add address=10.40.0.0/16 dns-server=10.40.0.241 domain=hob.com \
gateway=10.40.0.240 netmask=16

- OSPF interfaces + network
/routing ospf interface
add interface=vlan2081 network-type=broadcast
add interface=vlan1000 network-type=broadcast passive=yes
add interface=vlan2082 network-type=broadcast
add interface=vlan2083 network-type=broadcast
add interface=vlan2084 network-type=broadcast
/routing ospf network
add area=backbone network=195.0.1.5.20/32
add area=backbone network=195.12.108.0/30
add area=backbone network=195.12.108.4/30
add area=backbone network=195.12.108.8/30
add area=backbone network=195.12.108.12/30

- OSPF routes, i.e. /routing ospf route> print
0.0.0.0/0 ext-2 1
195.12.108.1 vlan2081
195.12.108.5 vlan2082
195.12.108.9 vlan2083
195.12.108.13 vlan2084
- srcnat:
/ip firewall nat
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src0 src-address=10.40.0.0/19 to-addresses=195.12.108.2
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src64 src-address=10.40.32.0/19 to-addresses=195.12.108.6
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src128 src-address=10.40.64.0/19 to-addresses=195.12.108.10
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src192 src-address=10.40.96.0/19 to-addresses=195.12.108.14
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src0 src-address=10.40.128.0/19 to-addresses=195.12.108.2
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src64 src-address=10.40.160.0/19 to-addresses=195.12.108.6
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src128 src-address=10.40.192.0/19 to-addresses=195.12.108.10
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src192 src-address=10.40.224.0/19 to-addresses=195.12.108.14
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src16 src-address=10.40.0.0/16 to-addresses=195.12.108.2
e.g.
- my client has 10.40.72.111
- So public NAT IP 195.12.108.10 should be used
- Browsing to showip.net it shows 195.12.108.2
So OSPF ECMP mixes with srcNAT. So it seems I have to get OSPF up and running with some kind of "routing-mark" policies. Those below don't work:
e.g.
/ip firewall mangle add chain=prerouting src-address=10.40.0.0/19 action=mark-routing new-routing-mark=r_src0
/ip firewall mangle add chain=prerouting src-address=10.40.32.0/19 action=mark-routing new-routing-mark=r_src32
/ip firewall mangle add chain=prerouting src-address=10.40.64.0/19 action=mark-routing new-routing-mark=r_src64
/ip firewall mangle add chain=prerouting src-address=10.40.96.0/19 action=mark-routing new-routing-mark=r_src96
/ip firewall mangle add chain=prerouting src-address=10.40.128.0/19 action=mark-routing new-routing-mark=r_src128
/ip firewall mangle add chain=prerouting src-address=10.40.160.0/19 action=mark-routing new-routing-mark=r_src160
/ip firewall mangle add chain=prerouting src-address=10.40.192.0/19 action=mark-routing new-routing-mark=r_src192
/ip firewall nat
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src0 routing-mark=r_src0 src-address=10.40.0.0/19 to-addresses=\
195.12.108.2
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src64 routing-mark=r_src32 src-address=10.40.32.0/19 to-addresses=\
195.12.108.6
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src128 routing-mark=r_src64 src-address=10.40.64.0/19 to-addresses=\
195.12.108.10
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src192 routing-mark=r_src96 src-address=10.40.96.0/19 to-addresses=\
195.12.108.14
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src0 routing-mark=r_src128 src-address=10.40.128.0/19 to-addresses=\
195.12.108.2
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src64 routing-mark=r_src160 src-address=10.40.160.0/19 to-addresses=\
195.12.108.6
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src128 routing-mark=r_src192 src-address=10.40.192.0/19 to-addresses=\
195.12.108.10
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src192 routing-mark=r_src224 src-address=10.40.224.0/19 to-addresses=\
195.12.108.14
/ip route
add distance=1 gateway=195.12.108.9 pref-src=195.12.108.10 routing-mark=\
r_src192
add distance=1 gateway=195.12.108.13 pref-src=195.12.108.14 routing-mark=\
r_src224
add distance=1 gateway=195.12.108.1 pref-src=195.12.108.2 routing-mark=r_src0
add distance=1 gateway=195.12.108.5 pref-src=195.12.108.6 routing-mark=\
r_src32
add distance=1 gateway=195.12.108.9 pref-src=195.12.108.10 routing-mark=\
r_src64
add distance=1 gateway=195.12.108.13 pref-src=195.12.108.14 routing-mark=\
r_src96
add distance=1 gateway=195.12.108.1 pref-src=195.12.108.2 routing-mark=\
r_src128
add distance=1 gateway=195.12.108.5 pref-src=195.12.108.6 routing-mark=\
r_src160
- my client has 10.40.72.111
- So public NAT IP 195.12.108.10 should be used
- Browsing to showip.net it shows 195.12.108.2 sometimes
I forgot to mention that I added a "catch it all" rule in "ip firewall nat" at the end, which is being used when that "error" occurs:
add action=src-nat chain=srcnat connection-limit=!100,32 log=yes log-prefix=\
src16 src-address=10.40.0.0/16 to-addresses=195.12.108.2
So I added logging to this rule with "src-catch-all" and hit "F5" to reload the homepage:
2019-03-15 11:59:06 Local7.Debug firewall,info src-catch-all: src192 srcnat: in:(unknown 0) out:vlan2084, src-mac 20:16:b9:10:a2:0a, proto TCP (SYN), 10.40.72.111:58906->13.23.19.91:443, len 52
2019-03-15 12:01:14 Local7.Debug firewall,info src192 srcnat: in:(unknown 0) out:vlan2084, src-mac 20:16:b9:10:a2:0a, proto TCP (SYN), 10.40.72.111:50906->13.23.19.91:443, len 52
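As an added consistency check (not the poster's own tooling and not RouterOS output), the Python script below transcribes the mangle marks, the marked srcnat rules plus the catch-all, and the marked routes from the post, then traces a client address through them the way the router evaluates them: which routing-mark it gets, which gateway the marked route selects, which srcnat rule fires first, and whether the NAT address sits on the same /30 link as that gateway (and equals the route's pref-src). It also lists srcnat rules whose routing-mark no mangle rule ever sets; the client in 10.40.224.0/19 is a constructed sample input.

```python
import ipaddress

# Mangle rules from the post: src-address -> new-routing-mark.
# The post has no mangle rule for 10.40.224.0/19.
MARKS = {
    "10.40.0.0/19": "r_src0", "10.40.32.0/19": "r_src32",
    "10.40.64.0/19": "r_src64", "10.40.96.0/19": "r_src96",
    "10.40.128.0/19": "r_src128", "10.40.160.0/19": "r_src160",
    "10.40.192.0/19": "r_src192",
}
# srcnat rules in router order: (routing-mark or None, src-address, to-addresses)
NAT = [
    ("r_src0", "10.40.0.0/19", "195.12.108.2"), ("r_src32", "10.40.32.0/19", "195.12.108.6"),
    ("r_src64", "10.40.64.0/19", "195.12.108.10"), ("r_src96", "10.40.96.0/19", "195.12.108.14"),
    ("r_src128", "10.40.128.0/19", "195.12.108.2"), ("r_src160", "10.40.160.0/19", "195.12.108.6"),
    ("r_src192", "10.40.192.0/19", "195.12.108.10"), ("r_src224", "10.40.224.0/19", "195.12.108.14"),
    (None, "10.40.0.0/16", "195.12.108.2"),  # the "catch it all" rule, no routing-mark match
]
# /ip route entries with a routing-mark: mark -> (gateway, pref-src)
ROUTES = {
    "r_src0": ("195.12.108.1", "195.12.108.2"), "r_src32": ("195.12.108.5", "195.12.108.6"),
    "r_src64": ("195.12.108.9", "195.12.108.10"), "r_src96": ("195.12.108.13", "195.12.108.14"),
    "r_src128": ("195.12.108.1", "195.12.108.2"), "r_src160": ("195.12.108.5", "195.12.108.6"),
    "r_src192": ("195.12.108.9", "195.12.108.10"), "r_src224": ("195.12.108.13", "195.12.108.14"),
}

def link(addr):
    """The /30 point-to-point link an address sits on (the OSPF networks above are /30s)."""
    return ipaddress.ip_network(f"{addr}/30", strict=False)

def trace(client):
    """Return (mark, gateway, nat_ip, ok). gateway None means no marked route matched,
    so the packet falls back to the OSPF ECMP default route and may leave on any link."""
    ip = ipaddress.ip_address(client)
    mark = next((m for net, m in MARKS.items() if ip in ipaddress.ip_network(net)), None)
    gw, pref = ROUTES.get(mark, (None, None))
    # First srcnat rule whose routing-mark condition (if any) and src-address both match
    nat_ip = next((to for rm, net, to in NAT
                   if (rm is None or rm == mark) and ip in ipaddress.ip_network(net)), None)
    ok = gw is not None and nat_ip == pref and link(gw) == link(nat_ip)
    return mark, gw, nat_ip, ok

def dead_marks():
    """src-address ranges of srcnat rules that require a routing-mark no mangle rule sets."""
    return [net for rm, net, _ in NAT if rm and rm not in MARKS.values()]

if __name__ == "__main__":
    for c in ("10.40.72.111", "10.40.230.5"):  # 10.40.230.5 is a constructed sample client
        print(c, trace(c))
    print("srcnat rules whose mark is never set:", dead_marks())
```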