 
SpartanX
just joined
Topic Author
Posts: 22
Joined: Mon Jun 27, 2016 6:13 pm

Static NAT - why does this not work?

Sat Jul 02, 2016 1:56 am

I'm trying to set up RouterOS in ESXi to duplicate my current Cisco config, in preparation for my 80/20 fibre line and buying a Routerboard.

I have a routed /29 public subnet (xx.yy.zz.16/29) and want to use one of those addresses (the one applied to my bridged WAN connection, xx.yy.zz.20) for the whole 10.0.0.0/24 private LAN's NAT/PAT, and another address (xx.yy.zz.22) for static NAT for a specific machine on the LAN which has high traffic. 10.0.0.10 in the test setup.

The general NAT works perfectly. The Static NAT PC received no return traffic. I see the DNS request go out in the log, and that's all.
I have disabled the general NAT and the static still fails. I have also tried putting the xx.yy.zz.20 address into the static rule instead of .22, and then it works. But not when I put .22 back in.

It seems the failure is caused simply by putting the .22 address in there. There is nothing wrong with the address; I tried assigning it to another PC and putting that onto the bridge directly. That got out to the internet with no trouble.

What am I doing wrong?

These are the two rules:
0    chain=srcnat action=src-nat to-addresses=xx.yy.zz.22 src-address=10.0.0.10 out-interface=bridge1 log=yes log-prefix="" 
1 XI  chain=srcnat action=src-nat to-addresses=xx.yy.zz.20 src-address=10.0.0.0/24 out-interface=bridge1 log=no log-prefix=""


This is all I get in the log:
srcnat: in:(none) out:bridge1, src-mac 02:00:00:00:02:02, proto UDP, 10.0.0.10:34248->8.8.8.8:53, len 63
                                     
Some more of my config:
 [admin@MikroTik] /ip address> print
 #   ADDRESS            NETWORK         INTERFACE                                        
 0   ;;; added by setup
     192.168.1.77/24    192.168.1.0     ether2                                           
 1   xx.yy.zz.20/29    xx.yy.zz.16    bridge1                                          
 2   10.0.0.254/24      10.0.0.0        ether3  


[admin@MikroTik] /ip route> print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          xx.yy.zz.17              1
 1 ADC  10.0.0.0/24        10.0.0.254      ether3                    0
 2 ADC  xx.yy.zz.16/29     xx.yy.zz.20    bridge1                   0
 3 ADC  192.168.1.0/24     192.168.1.77    ether2                    0
In my working Cisco config, I have this:
ip nat inside source list NAT_ACL interface BVI1 overload
ip nat inside source static 192.168.1.2 xx.yy.zz.21
          // .21 is the real one in use on my network - .22 is free and used for testing
 
Revelation
Member
Posts: 338
Joined: Fri Dec 25, 2015 5:59 am

Re: Static NAT - why does this not work?

Sat Jul 02, 2016 3:13 am

Where is the .22 assigned on your Mikrotik? If it is not fully assigned have you created a pool for your NAT and using rules/marks to only allow that specific box to use .22? You could also try assigning .22 to a bridge and setting up a NAT on that interface. You would need to create NAT rules for both NATs. One allowing the specific box to use .22 and another for everything to use .20. 


Without seeing the rest of your config that is what I can think of off the top of my head. 
 
SpartanX
just joined
Topic Author
Posts: 22
Joined: Mon Jun 27, 2016 6:13 pm

Re: Static NAT - why does this not work?

Sat Jul 02, 2016 2:58 pm

Ahh... thanks for the clue!

No, .22 was not assigned to anything. On the Cisco, that's how it needs to be; it doesn't need assigning to anything to be used as the NAT-to address.

After assigning .22 to my WAN bridge (as well as .20) the two NAT rules work as expected. I wasn't sure the box would like having two addresses assigned to one bridge, but it hasn't complained so far.

I'm expecting that RouterOS will be able to do everything I currently have my Cisco router doing. It's just a learning curve figuring out the different hoops that need jumping through. I'm used to Cisco's way of doing things; never could quite get my head around Linux and iptables. I had better luck with OpenBSD and pf, which I used to use before I decided to learn Cisco.
 
docmarius
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Static NAT - why does this not work?

Sat Jul 02, 2016 7:29 pm

I think this should be stepped up to a feature request:

SRC-NAT addresses should not need to be assigned to an interface in order to be used in NAT rules.
While this holds true for masquerade, it is an arbitrarily imposed rule for generic src-nat.
Accepting broadcast/multicast addresses as src-nat parameter would also be nice.

This of course creates issues with connection tracking and ARP, so to anticipate: don't expect something like this until ROS 7 :-)
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
Sob
Forum Guru
Posts: 4794
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static NAT - why does this not work?

Sat Jul 02, 2016 9:44 pm

SRC-NAT addresses should not need to be assigned to an interface in order to be used in NAT rules.
There is no such requirement, you can use any address for src-nat rules and it works fine. Well, the translation part works, there may be some "issues with ARP" in some cases, but that's on different level and to be expected.

If you have a routed subnet, then it works. For example, there's ISP router with 1.1.1.1/30, client router with 1.1.1.2/30, and 2.2.2.0/24 routed to 1.1.1.2. On client router, you're free to use any 2.2.2.x for srcnat/dstnat and you don't need to assign those addresses to anything.

The problem occurs when you don't have a routed subnet (which I suspect is the case for OP). For example, ISP router has 1.1.1.1/24, your router 1.1.1.2/24 and the rest of /24 is yours too. Then you can still use those addresses for srcnat without assigning them to router and they will get translated correctly. But ISP's router expects that any of those addresses will answer to ARP requests. But they won't, if they are not assigned. You can still use an unassigned address in this case, but you need to use proxy ARP and some fake route, e.g.:
/ip route
add distance=1 dst-address=1.1.1.100/32  gateway=some_non_wan_interface
/ip arp
add address=1.1.1.100 interface=wan published=yes
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
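The two situations in the post above (a routed subnet versus a shared, non-routed one) can be modelled in a few lines. The following is an added example, not code from the forum thread or from MikroTik: it plays the upstream router's forwarding decision for a reply addressed to the src-nat address and shows why an unassigned address works in the routed case, fails in the shared case, and works again once the address is assigned, given a published ARP entry, or covered by proxy ARP plus a route via another interface. The 1.1.1.x/2.2.2.x values are the post's own example addresses; the class and function names, and the proxy-ARP rule (answer for anything reachable via another interface), are assumptions of this example.

```python
"""Model of how the upstream router delivers return traffic to a src-nat address.

Added example for the thread, not RouterOS code. Addresses 1.1.1.x / 2.2.2.x are
the post's example values; everything else is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class UpstreamRouter:
    """ISP-side router (in the OP's setup, the modem) that forwards replies back."""
    connected: IPv4Network                                  # customer-facing subnet
    static_routes: dict[IPv4Network, IPv4Address] = field(default_factory=dict)


@dataclass
class ClientRouter:
    """The RouterOS box doing src-nat on its WAN interface."""
    wan_address: IPv4Address
    assigned: set[IPv4Address] = field(default_factory=set)       # /ip address on WAN
    published_arp: set[IPv4Address] = field(default_factory=set)  # /ip arp ... published=yes
    proxy_arp: bool = False                                       # WAN arp=proxy-arp
    other_routes: set[IPv4Network] = field(default_factory=set)   # routes via non-WAN ifaces


def answers_arp(client: ClientRouter, target: IPv4Address) -> bool:
    """Would the client router reply to an ARP request for `target` on the WAN segment?"""
    if target in client.assigned or target in client.published_arp:
        return True
    # Assumed proxy-ARP behaviour: answer for any address reachable via another
    # interface; the "fake route" from the post is what supplies that reachability.
    return client.proxy_arp and any(target in net for net in client.other_routes)


def return_path(upstream: UpstreamRouter, client: ClientRouter, nat_addr: IPv4Address) -> str:
    """Classify how the upstream router delivers a packet destined to nat_addr.

    'routed'                -> forwarded to the client's WAN address via a static route
    'on-link'               -> same subnet and somebody answered ARP for the address
    'arp-unanswered'        -> same subnet, nobody answers ARP: the OP's symptom
    'next-hop-unreachable'  -> a route exists but its gateway does not answer ARP
    'no-route'              -> the upstream has no idea where the address lives
    """
    if nat_addr in upstream.connected:
        return "on-link" if answers_arp(client, nat_addr) else "arp-unanswered"
    # Longest-prefix match over the static routes.
    for net in sorted(upstream.static_routes, key=lambda n: n.prefixlen, reverse=True):
        if nat_addr in net:
            gw = upstream.static_routes[net]
            if gw in upstream.connected and answers_arp(client, gw):
                return "routed"
            return "next-hop-unreachable"
    return "no-route"


def run_scenarios() -> dict[str, str]:
    """Replay the post's two cases plus the three ways of fixing the shared-subnet one."""
    results: dict[str, str] = {}

    # Routed subnet: ISP 1.1.1.1/30, client 1.1.1.2/30, 2.2.2.0/24 routed to 1.1.1.2.
    isp = UpstreamRouter(ip_network("1.1.1.0/30"),
                         {ip_network("2.2.2.0/24"): ip_address("1.1.1.2")})
    client = ClientRouter(ip_address("1.1.1.2"), assigned={ip_address("1.1.1.2")})
    results["routed, unassigned 2.2.2.50"] = return_path(isp, client, ip_address("2.2.2.50"))

    # Shared /24: ISP 1.1.1.1/24, client 1.1.1.2/24, NAT address 1.1.1.100 assigned nowhere.
    isp = UpstreamRouter(ip_network("1.1.1.0/24"))
    client = ClientRouter(ip_address("1.1.1.2"), assigned={ip_address("1.1.1.2")})
    results["shared, unassigned"] = return_path(isp, client, ip_address("1.1.1.100"))

    # Fix 1: assign the NAT address as a second address on the WAN interface.
    client.assigned.add(ip_address("1.1.1.100"))
    results["shared, assigned"] = return_path(isp, client, ip_address("1.1.1.100"))

    # Fix 2: published ARP entry, as in the post.
    client = ClientRouter(ip_address("1.1.1.2"), assigned={ip_address("1.1.1.2")},
                          published_arp={ip_address("1.1.1.100")})
    results["shared, published arp"] = return_path(isp, client, ip_address("1.1.1.100"))

    # Fix 3: proxy ARP on WAN plus a /32 route via some other interface.
    client = ClientRouter(ip_address("1.1.1.2"), assigned={ip_address("1.1.1.2")},
                          proxy_arp=True, other_routes={ip_network("1.1.1.100/32")})
    results["shared, proxy arp + route"] = return_path(isp, client, ip_address("1.1.1.100"))
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:30} -> {outcome}")
```

The "arp-unanswered" outcome is exactly what the original log shows: the translated DNS request leaves, but the upstream never finds a MAC for the reply's destination, so nothing comes back.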
 
SpartanX
just joined
Topic Author
Posts: 22
Joined: Mon Jun 27, 2016 6:13 pm

Re: Static NAT - why does this not work?

Sun Jul 03, 2016 1:37 am

The problem occurs when you don't have routed subnet (which I suspect is the case for OP).
You might be right about that... I always assumed (in my ignorance) that it was a routed subnet from my ISP going on about 'only five usable addresses, network address, broadcast address' etc. when I persuaded them to assign it to me. However, I only have the x.y.z.16/29; the first of which (.17) gets assigned to my modem/router during PPPoA.

...It's not a routed subnet, is it?

Added to that, by coincidence earlier today I was reading up on Proxy ARP, and discovered that it is turned on by default in Cisco routers. As someone commented, "it can hide a shed-load of misconfiguration".

I just disabled Proxy ARP on the Cisco. The PC I'm on right now is the one that has the static NAT and it still worked for a while, until I rebooted the Cisco. Then nothing worked. Unfortunately I can't call that test conclusive because Murphy's Law struck and either the switch's or the Cisco's interface started flapping at the very same moment! Took me three reboots and ten minutes to get back on the Cisco and I just restored the original config.

I'm not impressed. The same thing happened yesterday, and I rebooted everything and it seemed OK. One of them is failing... I hope it's the Cisco since it's destined to be replaced by an RB850Gx2 when it arrives.
 
Sob
Forum Guru
Posts: 4794
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static NAT - why does this not work?

Sun Jul 03, 2016 2:04 am

If your modem/router has this /29 on its internal interface, it is a routed subnet. If your RouterOS device was the border device (modem would use some transparent bridge mode and wouldn't do anything with IP addresses), it would be the easy case which I described as a routed subnet. But if we're talking about RouterOS being another device in /29, it's the other case and your modem/router plays the role of ISP's router from my description.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
SpartanX
just joined
Topic Author
Posts: 22
Joined: Mon Jun 27, 2016 6:13 pm

Re: Static NAT - why does this not work?

Sun Jul 03, 2016 6:30 am

Right, thanks for that, now it's starting to make more sense. A cup of Earl Grey (to clear out the Kraken rum) and a quick brain reboot helped.

Yeah, my modem/router is in transparent mode, but doing the PPPoA itself and with the .17 public address (assigned to the dialer interface automatically) also assigned manually to the LAN interface. The next router (Cisco/RouterOS) has .18 on its connection to the modem (actually on a bridge) and uses .17 as its default route.

So as far as the modem is concerned, it's just connected to clients and expects ARP responses from anything on the LAN side. Which it won't get if the IP address isn't configured on an interface. Cisco's magic on-by-default Proxy ARP meant I never needed to think about why it didn't work - because it 'just did'. A quick check of the ARP table on my modem shows the same MAC address for the unassigned NAT-to IP address as for its .18.

---

Thanks to everyone who's been kind enough to answer my questions here, I'm rearranging my network when my kit arrives. ZeroByte pointed me towards an alternative to using a bridge for getting my public subnet to the servers. I couldn't see how that would work at first but... Proxy ARP makes that work too! That means I can put my modem in pure bridge mode and have the router do the PPPoE, duplicating the dialer address on the port to the server instead of bridging, which can't be done with the dialer interface.

That also means I will be using the simple, routed subnet version for my static NAT IP address. I'll also save a public IP address - might come in handy.

I've just built that up in ESXi with one RouterOS as a PPPoE server (pretending to be my ISP, with a PC behind it to ping at) and another RouterOS as my router, with my general NAT, static NAT with a non-assigned IP address, and my public address subnet. Seems to work great so far. 8)
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Static NAT - why does this not work?

Sun Jul 03, 2016 7:12 am

The reason it kept working when you disabled proxy arp is because the upstream router still had your router's MAC address in its arp cache.

Furthermore, some routers will automatically add the src MAC of received IP packets to their arp cache in order to cut down on arping even more. (Cisco does this)

It sounds like your GW router doesn't do this, so you're required to either use proxy arp or explicitly define secondary IP addresses on your WAN interface.

Proxy arp is great when you know it's there, how it behaves, and how to leverage it properly. There are scenarios (not yours) where you need to implement dynamic routing instead of relying on proxy arp. In general though, it's safe to leave it active on interfaces, which is why it defaults to ON in Cisco.

Glad I could help you gain some knowledge about it.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
