Community discussions

 
pshulgin
just joined
Topic Author
Posts: 1
Joined: Wed Jan 23, 2019 9:44 am

DNAT does not translated returned traffic

Wed Jan 23, 2019 10:00 am

Hi everyone !!!
I have issue with DNAT
i created rule
add action=dst-nat chain=dstnat dst-address=ххх.ххх.ххх.ххх dst-port=64000 in-interface=ether1 protocol=tcp to-addresses=10.60.7.20 to-ports=22
it works in one direction, when traffic comes from outside
i see incoming traffic on 10.60.7.20 and responses to outside then i see returned traffic on router but DNAT does not translated back srcip and srcport to public ip
on all route some routers uses PBR but i think it does not affected traffic


# jan/23/2019 14:57:09 by RouterOS 6.43.8
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface gre
add allow-fast-path=no ipsec-secret=xxxxx !keepalive local-address=xxx.xxx.xxx.xxx mtu=1400 name=xxxxxx remote-address=xxx.xxx.xxx.xxx
add allow-fast-path=no ipsec-secret=xxxxx !keepalive local-address=xxx.xxx.xxx.xxx mtu=1400 name=xxxxxx remote-address=xxx.xxx.xxx.xxx
add allow-fast-path=no ipsec-secret=xxxxx !keepalive local-address=xxx.xxx.xxx.xxx mtu=1400 name=xxxxxx remote-address=xxx.xxx.xxx.xxx
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 name=some_name nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=some_name pfs-group=modp2048
/snmp community

/ip address
add address=xxx.xxx.xxx.xxx/20 interface=ether1 network=xxx.xxx.xxx.xxx
add address=10.140.64.2/30 interface=To_MKRHUB network=10.140.64.0
add address=10.140.64.5/30 interface=To_FAC network=10.140.64.4
add address=10.140.80.5/30 interface=To_FAC network=10.140.80.4
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=161 in-interface-list=all protocol=udp
add action=accept chain=input src-address=95.182.74.14
add action=accept chain=input src-address=5.43.226.94
add action=accept chain=input src-address=10.140.64.0/24
add action=accept chain=forward src-address=192.168.10.0/24
add action=accept chain=forward
add action=accept chain=input
/ip firewall nat
add action=src-nat chain=srcnat comment="xxxxxxxxxxx" out-interface=ether1 src-address=10.60.7.0/24 to-addresses=xxx.xxx.xxx.xxx
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=64000 in-interface=ether1 protocol=tcp to-addresses=10.60.7.20 to-ports=22
/ip ipsec policy
set 0 disabled=yes
/ip route
add distance=1 gateway=xxxxxxxxxxx
add distance=1 dst-address=10.33.0.0/18 gateway=10.140.64.1
add distance=1 dst-address=10.60.2.0/24 gateway=10.140.64.1
add distance=1 dst-address=10.60.7.0/24 gateway=10.140.64.1
add distance=1 dst-address=10.140.80.0/23 gateway=xxxxxxxxxxx
add distance=1 dst-address=192.168.10.0/24 gateway=10.140.64.6
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes trap-generators="" trap-version=2
/system clock
set time-zone-name=Asia/Krasnoyarsk
/system identity
set name=xxxxxxxxxxx
 
anav
Forum Guru
Forum Guru
Posts: 2938
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNAT does not translated returned traffic

Wed Mar 20, 2019 5:49 pm

/ip firewall nat
add action=src-nat chain=srcnat comment="xxxxxxxxxxx" out-interface=ether1 src-address=10.60.7.0/24 to-addresses=xxx.xxx.xxx.xxx
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=64000 in-interface=ether1 protocol=tcp to-addresses=10.60.7.20 to-ports=22

The standard dst-nat rule looks like:
add action=dst-nat chain=dstnat dst-port=xx
in-interface-list=WAN protocol=tcp to-addresses=192.168.y.yy to-ports=yy

Note1: If one has known list of WANIP authorized for access (static) then its best to make the rule more secure by adding a source address list.
Note2: If the destination port and to-ports are the same (no port translation, the too ports are not required).

In your case I dont think you need both destination address and in-interface=ether1 (try just using one or the other first). I dont think putting in both is required but on the other hand I dont see that stopping traffic, but worth a try.

This leads me to believe the source nat rule needs closer inspection.
The standard format is...............
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" \
ipsec-policy=out,none out-interface=eth1

Therefore I believe you rule should be modified to the following (drop everything after ether1!!!.......
add action=src-nat chain=srcnat comment="xxxxxxxxxxx" out-interface=ether1
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Forum Guru
Posts: 4545
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNAT does not translated returned traffic

Wed Mar 20, 2019 8:23 pm

Dstnat and correct rewriting of responses is something that just works. There's nothing to go wrong, unless there's some asymmetric routing or something like that. I don't see anything wrong in this config.

@anav: You like MUM presentations, don't you? Check this one (notice the title and then from page 25):
https://mum.mikrotik.com/presentations/ ... 948376.pdf
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.

Who is online

Users browsing this forum: No registered users and 2 guests