Hi there,

I notice some odd behaviour when troubleshooting. It appears some internal IP are not being NAT'ed.
Scenario is basic src NAT masquerade from LAN to WAN.

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=eth01-WAN src-address=10.74.4.0/23 to-addresses=0.0.0.0

/ip address
add address=202.94.35.236/29 comment="WAN" interface=eth01-WAN network=202.94.35.232
add address=10.74.4.1/23 comment="LAN range." interface=eth02-LAN network=10.74.4.0

On the Mikrotik we can find a sample connection such as follows


And the Reply DST Address is the public IP as expected


However on the upstream router (Cisco) we can see flows arriving with both the private LAN IP and public visible IP

QBN-7APT-CO-GWC1#sh ip cache flow | i 189.47.84.9
Gi0/3.3 10.74.4.109 Gi0/2 189.47.84.9 06 F5E0 41DE 1
Gi0/3.3 10.74.4.109 Gi0/2 189.47.84.9 06 F76B 41DE 1
Gi0/3.3 202.94.35.236 Gi0/2 189.47.84.9 06 F9E1 41DE 2
Gi0/2 189.47.84.9 Gi0/3.3 202.94.35.236 06 41DE F9E1 2

Drop invalid packets in firewall.

Hi Mikrotik,
Thank you for your reply.
We have a few hundred units in the field so would prefer not to have to amend firewall rules on every one if possible.
Is this a known issue?
Is there a version of RouterOS you can recommend at present which is unaffected?
Kind regards,

It is not an issue. Packet which doe snot belong to any known connection and is not "new" (first packet of connection) will not be NATed and should be considered invalid.

Basically, what you're seeing is a result of how connection tracking works, how TCP works, and how those effect NAT processing.

When performing NAT, or otherwise having a firewall rule that requires connection tracking, the router keeps track of every connection that it sees. These connections will be one of four states: new, established, related, or invalid. You can use these states in firewall rules to perform very specific matching. NAT rules with a src-nat (or masquerade) action have an implicit match to new connection states only, that cannot be amended.

TCP connections consist of a specific sequence of packets -- the initial "new connection" packet will be a SYN, the first response from the remote server will be a SYN/ACK, and then your computer will send an ACK to complete the connection, and subsequent packets will flow. When the connection is done, one side will send an ACK/FIN, which is ACK'd by the remote side who then closes their connection the same way. If the router sees the ACK/FIN packet, it will clean up the connection and remove the NAT information from the connection tracking table. Once this happens, any more packets on the same connection will be "invalid" (unless a new connection is opened by starting with the SYN again).

So, the core of the problem is that a client inside the router is sending TCP packets on a connection that has already been closed with an ACK/FIN (or the router saw a RST come through -- which should reset that connection, and winds up causing the router to perform the same cleanup as if a FIN had been seen). After the ACK/FIN or RST, the client should be sending a SYN to start a new connection, which will cause the NAT rule to happen.

Otherwise, you need to discard the traffic in the router (preferably by sending a TCP reset to get the client to start over faster, instead of waiting for its internal timeout as you drop packets). The rule to do that would be:

Thank you for the clarification on the NAT order of operation in RouterOS. I am coming from a Cisco ASA/FW world so some of these concepts are rather different for me and it's been a bit of a challenge getting my head around it.
The upstream Cisco router will drop the packet anyway as the source IP is non routable and the interface is configured with RPF strict, but at a conceptual level it kind of breaks my head that the packets get let through to start with.
Thanks again.
Kind regards,

+1 for bringing this topic up because I have encountered the same behavior. However, I might only drop these "invalid" packets instead of sending TCP reset packets as a less drastic measure...