
 
payam124
Trainer
Topic Author
Posts: 18
Joined: Thu Jan 07, 2016 11:44 pm

troubleshoot a bug-like situation in NAT

Wed Oct 05, 2016 2:43 pm

Hi,
I'm experiencing a difficulty which I think could be related to a bug, but I still have no idea how to pinpoint it. Any comment is appreciated. The issue is as below.
I have an L2TP tunnel on my router to another network. There is an IP PBX in the second network. My iPhone, using Acrobits Groundwire, connects to the IP PBX, i.e. my router does the NAT and routes the traffic to the L2TP tunnel.
Sometimes I find my Groundwire cannot register with the IP PBX (SIP).
Usually restarting the router solves the problem.
Recently I realized that if I delete the existing NAT connection from the connection table, it gets resolved!
I realized that when the issue is there, the state of the connection is Cs (confirmed, srcnat),
but after deleting, it turns into "SACs" (seen reply, assured, confirmed, srcnat).

Any comment on how to troubleshoot it?
I'm still not able to reproduce it, but it happens frequently.
 
pe1chl
Forum Guru
Posts: 5917
Joined: Mon Jun 08, 2015 12:09 pm

Re: troubleshoot a bug-like situation in NAT

Wed Oct 05, 2016 3:35 pm

Change your network structure so that there is no NAT between your phone and the PBX
(i.e. set up the addresses so that you can route them over the VPN without using NAT).
 
payam124
Trainer
Topic Author
Posts: 18
Joined: Thu Jan 07, 2016 11:44 pm

Re: troubleshoot a bug-like situation in NAT

Sat Oct 08, 2016 4:48 am

> Change your network structure so that there is no NAT between your phone and the PBX.
> (i.e. setup the addresses so that you can route them over the VPN without using NAT)

I can't. The other side of the network is out of my control. I have only one L2TP connection with a single IP on it.
Also, by doing that, I'm deleting the problem. I'd like to know whether it is a bug and how to tackle it.
 
pe1chl
Forum Guru
Posts: 5917
Joined: Mon Jun 08, 2015 12:09 pm

Re: troubleshoot a bug-like situation in NAT

Sat Oct 08, 2016 11:15 am

The combination of SIP and NAT is troublesome.
In many cases you can improve it by disabling the SIP helper in the router, which apparently does more evil than good.

/ip firewall service-port
set sip disabled=yes
 
payam124
Trainer
Topic Author
Posts: 18
Joined: Thu Jan 07, 2016 11:44 pm

Re: troubleshoot a bug-like situation in NAT

Sun Nov 06, 2016 11:04 pm

Eventually I found the root of the issue.
It was related to the connection tracking UDP timeout.
How?
When a host tries to establish a connection, RouterOS creates a connection/session in the tracking table.
From that point forward, while the connection is there, NAT happens using that connection.
So, the scenario was like this:
My L2TP gets disconnected.
My host tries to connect to a private network on the other side of the L2TP, but there is no tunnel, so it goes to the WAN interface and gets NATed using the WAN interface (i.e. not L2TP).
The host keeps sending a register request every 8 seconds, but the connection tracking timeout for one-way UDP connections is 10 seconds (http://wiki.mikrotik.com/wiki/Manual:IP ... n_tracking),
so that connection/session in the tracking table stays there! Even when the tunnel comes up, packets still get NATed using the WAN interface IP instead of L2TP.
So I decreased the UDP connection timeout to 7 seconds and the issue was solved.

I wish there had been something like /proc/net/ip_conntrack which showed which external IP was used for the NAT; then it would have been easier to troubleshoot.
In /proc/net/ip_conntrack, the system shows the translated IP for each connection.

Update: it was there. In show columns, "reply src. address" and "reply dst. address".
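
The timing described in the post above, as an added example that is not part of the original thread: a toy Python model of one tracking entry, showing why an 8-second retry never lets a 10-second entry expire while a 7-second timeout does. The function names, the "WAN"/"L2TP" labels and the tunnel recovery time are assumptions made for illustration.

```python
"""Toy model of one unreplied UDP flow in a connection tracking table.

Constructed example. Assumptions: no reply is ever seen on the stale flow
(the PBX is unreachable via WAN), and an entry whose timer has run out is
gone by the time the next packet arrives.
"""

def simulate(udp_timeout, send_interval, tunnel_up_at, duration):
    """Return [(time, nat_source)] for every packet the host sends.

    The NAT decision is taken only when a new entry is created; every later
    packet reuses the entry and restarts its timer.
    """
    entry = None  # (nat_source, expires_at) while an entry exists
    log = []
    for now in range(0, duration + 1, send_interval):
        if entry is not None and now >= entry[1]:
            entry = None  # nothing refreshed it in time: entry removed
        if entry is None:
            # First packet of a new flow: routing and srcnat are evaluated.
            nat = "L2TP" if now >= tunnel_up_at else "WAN"
        else:
            nat = entry[0]  # existing entry: same translation is reused
        entry = (nat, now + udp_timeout)
        log.append((now, nat))
    return log

def first_recovery(log):
    """Time of the first packet translated via L2TP, or None if never."""
    return next((t for t, nat in log if nat == "L2TP"), None)

if __name__ == "__main__":
    # REGISTER every 8 s; tunnel returns at t=20 s (constructed value).
    for timeout in (10, 7):
        log = simulate(timeout, 8, tunnel_up_at=20, duration=120)
        print(f"udp timeout {timeout}s -> recovers at {first_recovery(log)}")
```
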
 
pe1chl
Forum Guru
Posts: 5917
Joined: Mon Jun 08, 2015 12:09 pm

Re: troubleshoot a bug-like situation in NAT

Mon Nov 07, 2016 11:09 am

It is always better to make your NAT rules specific, so in this case they would not trigger when the traffic is going out a different interface than you expect. You can add network ranges, including a NOT condition, to your NAT rules to solve this problem.
 
HExSM
newbie
Posts: 41
Joined: Wed Oct 25, 2017 6:02 pm

Re: troubleshoot a bug-like situation in NAT

Mon Nov 13, 2017 5:34 pm

I have an almost identical problem. I run an Asterisk based PBX (mobydick/pascom) behind the router. The PPPoE connection is interrupted every 24 hours. All existing connections are removed. If the PBX then makes a new request to the SIP provider, then I also have the status Cs instead of SACs.
I use masquerade for NAT and have already tried a combination of source nat and destination nat. Unfortunately, this did not improve. I can also only reconnect to the SIP provider if I interrupt the PBX connection for several minutes. Does anyone have an idea?
Many thanks in advance :)
