Tonda
Member Candidate
Topic Author
Posts: 165
Joined: Thu Jun 30, 2005 12:59 pm

UDP connection and NAT

Wed Sep 16, 2015 4:00 pm

Hi,
we have found strange(?) behaviour of MikroTik handling UDP packets. We have a MikroTik with an L2TP VPN connected to a VPN server. There are more servers behind the VPN server, processing data. Behind the MikroTik there is a device which sends UDP packets through the VPN to a server. The server sends UDP packets back to the device with some kind of data confirmation. We have found that when the VPN disconnects, UDP packets from the device destined to the server are correctly masqueraded and sent through the WAN. This is normal behaviour. But as soon as the VPN connects again, UDP packets from the device start to flow to the server through the VPN again, but with the sender IP incorrectly set to the WAN IP of the MikroTik, because they are still masqueraded. So the MikroTik is able to recognize the situation when it is necessary to start masquerading, but is not able to stop masquerading when the VPN is up again and the packets start to go another way.
The solution to this problem is to delete the UDP connection in the list of connections in the Firewall window. We have also lowered the UDP timeout in Connection Tracking from 10 sec to 1 sec and it seems to be solved for now.

But I would like to know whether this is an error in RouterOS or normal behaviour?
Last edited by Tonda on Wed Sep 16, 2015 4:35 pm, edited 1 time in total.
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: UDP connection and NAT

Wed Sep 16, 2015 4:04 pm

I have found the same 'issue'. It doesn't just affect VPN connections, it also affects Multi-WAN setups. If a connection fails over to the secondary WAN link, then recovers to the primary, it will have the wrong IP.

As you've discovered, you have to clear the connections. The best way to automate this is with some kind of script.

This isn't a RouterOS error as such, but I believe other routers automate the connection clearing process, whereas RouterOS does not. It's a shame.
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: UDP connection and NAT

Wed Sep 16, 2015 6:37 pm

You can clear all the UDP connections in a script with the following:
/ip firewall connection
# remove every tracked UDP connection; the next packet of each flow is then
# treated as a new connection and re-evaluated against routing and NAT rules
:foreach i in=[find protocol="udp"] do={remove $i}
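A more targeted version of the script above, as an added example that is not JJCinAZ's post nor MikroTik's own code. Source NAT rules are evaluated only on the first packet of a connection and the verdict is stored in the connection-tracking entry, so an entry created while the VPN was down keeps its WAN masquerade after the route through the tunnel returns; that is the behaviour described in the opening post. Instead of dropping every UDP entry, this script removes only the UDP entries whose reply destination is still the WAN address, and it is hooked to the PPP profile's on-up event so it runs each time the L2TP client reconnects. The WAN interface name ether1-wan, the script name clear-stale-udp-nat, a single address on the WAN interface, and the L2TP client using the default PPP profile are all assumptions.

```routeros
# Added example, not from the thread. Assumptions: the WAN interface is
# "ether1-wan" and carries one address; the L2TP client uses the "default"
# PPP profile.
/system script add name=clear-stale-udp-nat source={
    # take the WAN address without its prefix length, e.g. "203.0.113.5"
    :local wanAddr [/ip address get [find interface="ether1-wan"] address]
    :local wanIp [:pick $wanAddr 0 [:find $wanAddr "/"]]
    # a masqueraded entry has reply-dst-address "<wan ip>:<port>"; only those
    # entries carry the stale NAT verdict, so every other UDP flow is left alone
    /ip firewall connection
    :foreach c in=[find protocol="udp" reply-dst-address~("^" . $wanIp . ":")] do={
        :log info ("clearing stale masqueraded UDP entry " . [get $c src-address] . " -> " . [get $c dst-address])
        remove $c
    }
}
# run the script whenever a PPP interface using this profile comes up
/ppp profile set default on-up="/system script run clear-stale-udp-nat"
```

After an entry is removed, the next packet of that flow is treated as a new connection: it is routed through the tunnel, skips the out-interface=WAN masquerade rule, and must be allowed by whatever forward rules accept connection-state=new. Filter chains that only permit established and related traffic will drop it, so check those rules before deploying this on a router that also firewalls the device. The dots in the WAN address are regex wildcards in the match above; for a production script, escape them or compare the address with a :pick of the reply-dst-address up to the colon.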
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: UDP connection and NAT

Thu Sep 17, 2015 7:51 am

Set up your masq rules separately, one for each out-interface? Then only NAT new connections? That way 'invalid' connections will die off on their own and start new ones?
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: UDP connection and NAT

Thu Sep 17, 2015 11:16 am

> Set up your masq rules separately, one for each out-interface? Then only NAT new connections? That way 'invalid' connections will die off on their own and start new ones?

But UDP connections don't 'die' as such?
