strange phenomenon ospf and NAT

Posted: Fri Aug 16, 2013 8:48 pm
by zelon
I've been using this config for a few years, but it has already happened twice.
Between rb1 and rb2 is OSPF. Suddenly OSPF stopped and I found that I can ping rb1 from rb2 but not rb2 from rb1. MAC telnet was working correctly. I downloaded the config from rb1 and uploaded it to a new device and still no ping. Then I found that ping works when I deactivate all rules in NAT (all are touching other addresses and ports). When even one rule is active in NAT, there's no ping. It's strange, because everything else works on this device.

Posted: Fri Aug 16, 2013 8:56 pm
by dancho
Did you maybe update the firmware on the Ubiquiti devices? I had some problems with 5.5.6 and OSPF.

Posted: Fri Aug 16, 2013 11:45 pm
by zelon
No, nothing was touched for the past 2 months. The best part is that when I connected rb1--rb3-ubnt1--ubnt2-rb2, it was the same between rb1 and rb3. I was able to ping rb1 from rb3 but not rb3 from rb1. When I added any new NAT rule to rb3, OSPF was disconnecting. Maybe there's something in the packet flow that I don't know? What really changes when NAT is added? Maybe I have to prepare special NAT rules for routing between Ethernet ports?

That was working without any problems for a really long time. This morning I found that DHCP was down on this device, the CPU had 100% load but OSPF was running. I rebooted the device and then it happened. DHCP started but OSPF died.

Posted: Mon Aug 19, 2013 10:33 am
by mrz
OSPF will not work if source or destination address is changed by NAT in OSPF packets.

Posted: Mon Aug 19, 2013 1:32 pm
by zelon
Yes, I know. But this setup was working on different sets of devices. Once between a PC as core router and an rb1200 (I just realized that this problem occurred a few times) and now between 2 x rb750 and rb750 and rb2011. Can you please check such a setup, connect rb1 and rb2 with and on second device. Then add any NAT rule (in my case that was, for example, touching packets on a different class, dst nat, and marked srcnat). Now I'm unable to ping from the device where NAT was added. When I disable this rule, ping is running. The strange thing is that this setup was working for 3 or 4 months without issues and then such things started.

I've reproduced this issue on my desk with an rb750G and an rb600. I found that in NAT there was a 'no-mark' rule. I added mangle to mark packets, but the question is why this was working before for such a long time? This was probably working until reboot.

Posted: Wed Apr 12, 2017 1:51 am
I have fixed this by upgrading to 6.38.5 - had exactly what you had. NAT rules not linked to the OSPF link at all would cause it to not work. Also, it was not a particular rule. If you disable all but one, no matter which one, OSPF doesn't start. As soon as you disable the last of them, OSPF immediately stays up. It also stays up after re-enabling the rules. Only on restart, or if you toggle OSPF on the new router, does it stop functioning.

Posted: Thu Oct 26, 2017 7:45 am
by bloody
We have exactly the same phenomenon here with v6.40.4.
If NAT is enabled on a router with broadcast OSPF running, then OSPF won't come up.
After disabling the NAT rule and rebooting the router, OSPF comes up.
Once it's up, the NAT rule can be enabled again and OSPF stays up!

Any explanation or fix?

Heiko Rehm

Posted: Sat Apr 07, 2018 12:42 am
by MariusL
You should double-check your NAT-rules...

I use the «destined for not-private-subnet» (! -approach as matching criteria for my NAT-rule, this NATed my OSPF multicast traffic. The destination broadcast address is used to send Hello packets to all OSPF routers on a network segment, and is used to send OSPF routing information to designated routers on a network segment.

By narrowing down my NAT rule further and adding the criteria “dst-address-type=unicast”, my OSPF started working again. After way too many hours of headache experiencing the exact same thing as described by letabawireless and bloody...

- Marius
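The check Marius describes, as an added example that is not part of the thread and is not MikroTik code: a small Python audit that tests whether each srcnat rule in an `/ip firewall nat export` would match an OSPF Hello sent to the AllSPFRouters group 224.0.0.5. The rule lines and the source address are constructed samples, and only a subset of matchers is evaluated (the rest are skipped, so a rule is flagged rather than missed).

```python
import ipaddress
import shlex

# Constructed OSPF Hello as the srcnat chain would see it: protocol 89 sent
# to the AllSPFRouters multicast group. The source address is a made-up sample.
OSPF_HELLO = {
    "chain": "srcnat",
    "protocol": "ospf",
    "src-address": "10.255.0.1",
    "dst-address": "224.0.0.5",
    "dst-address-type": "multicast",
}

def matcher_hits(key, value, pkt):
    """Evaluate one key=value matcher, honouring RouterOS '!' negation."""
    negate = value.startswith("!")
    value = value.lstrip("!")
    if key in ("src-address", "dst-address"):
        # Assumption: only single addresses and CIDR prefixes are handled.
        hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(value, strict=False)
    else:
        hit = pkt[key] == value
    return hit != negate

def rule_catches_ospf(rule, pkt=OSPF_HELLO):
    """True if no matcher in the rule excludes the sample OSPF Hello.

    Matchers the sample packet has no field for (interfaces, address lists,
    marks) are skipped, so the result errs towards flagging the rule.
    """
    fields = dict(tok.split("=", 1) for tok in shlex.split(rule) if "=" in tok)
    if fields.get("disabled") == "yes":
        return False
    return all(matcher_hits(k, v, pkt) for k, v in fields.items() if k in pkt)

def audit(export_lines):
    """Return the NAT rules from an export that would translate OSPF Hellos."""
    return [r for r in export_lines if r.startswith("add ") and rule_catches_ospf(r)]

# Constructed sample rules in `/ip firewall nat export` style.
SAMPLE = [
    "add chain=srcnat action=masquerade dst-address=!10.0.0.0/8",
    "add chain=srcnat action=masquerade dst-address=!10.0.0.0/8 dst-address-type=unicast",
    "add chain=dstnat action=dst-nat protocol=tcp dst-port=8080 to-addresses=10.0.0.5",
    "add chain=srcnat action=masquerade out-interface=ether1 disabled=yes",
]

if __name__ == "__main__":
    for rule in audit(SAMPLE):
        print("NAT rule matches OSPF multicast:", rule)
```

Only the first sample rule is reported: the negated destination match also covers 224.0.0.5, while the same rule with `dst-address-type=unicast` no longer matches the Hello.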

Posted: Tue Apr 24, 2018 4:11 pm
by sri2007
Yep, you need to check your NAT rules. OSPF is not the only one that is affected by NAT; BGP is too.