matiaszon
Member
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Not showing the origin IP

Sun Mar 19, 2017 12:42 am

So I have a server in my LAN behind mikrotik router. If the peers connected to the router are from LAN (I have two LAN ranges 10.10.10.0/24 and 192.168.83.0/24 configured), then on this server I can see their real IPs. If the connection comes from the Internet (WAN) side, I can see only the IP of the router (10.10.10.1) at each connection. What may be wrong?
docmarius
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Not showing the origin IP

Sun Mar 19, 2017 12:58 am

Nothing is wrong. You probably have SNAT/Masquerade enabled on the LAN interface.
Last edited by docmarius on Sun Mar 19, 2017 1:07 am, edited 1 time in total.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
matiaszon
Member
Topic Author
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Not showing the origin IP

Sun Mar 19, 2017 1:06 am

Well, I have masquerade on ether1, which is used as the WAN port. But I can't say what I changed so that I cannot see real IPs any more...
docmarius
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Not showing the origin IP

Sun Mar 19, 2017 1:08 am

Could you post your firewall configuration?
matiaszon
Member
Topic Author
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Not showing the origin IP

Sun Mar 19, 2017 1:17 am

Here it is...
/ip firewall filter
add action=accept chain=forward comment="LAN Traffic" connection-state="" \
    dst-address=192.168.83.0/24 src-address=10.10.10.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    10.10.10.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=drop chain=input comment="DNS drop" dst-port=53 in-interface=\
    ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskarada WAN"
add action=dst-nat chain=dstnat comment="futro" dst-port=2502 fragment=\
    no in-interface=ether1 protocol=tcp to-addresses=10.10.10.5 to-ports=2502
The port forwarded to the server is 2502.
Last edited by matiaszon on Sun Mar 19, 2017 4:22 pm, edited 1 time in total.
matiaszon
Member
Topic Author
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Not showing the origin IP

Sun Mar 19, 2017 1:26 am

OK, so I know what I did.

Look at the last post of THIS TOPIC.
I had deleted ether1 as the out interface in masquerade. When I added it again, IPs started to appear correctly...
matiaszon
Member
Topic Author
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Not showing the origin IP

Sun Mar 19, 2017 3:48 am

I know I am writing to myself, but after I added out interface ether1 some of the peers can't connect and get a "connection time out" message. Once I delete ether1, all of them connect immediately. What the...?!
docmarius
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Not showing the origin IP

Sun Mar 19, 2017 10:49 am

All outgoing traffic, including traffic that has passed dst-nat, will obey the srcnat chain.
So the issue is this rule:
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskarada WAN"
This will do srcnat on ALL interfaces. You need to do this only on WAN:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 comment="Maskarada WAN"
On the other hand,
add action=drop chain=input comment="DNS drop" dst-port=53 in-interface=\
    ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
are useless since you already drop all input on eth1 by
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
Remember, firewall rules are evaluated in order.
BTW, Oscam supports IPv6 8)
matiaszon
Member
Topic Author
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Not showing the origin IP

Sun Mar 19, 2017 4:06 pm

As you may have noticed, I am a greenhorn regarding MikroTik. Thanks for posting. I started to do some cleaning. :) That DNS rule was made before... I will delete it.
As for IPv6, I believe the ISP has to provide that too? Anyway, I don't know anything about IPv6 :P

I added the out interface for masquerade, but then some peers couldn't connect at all... I couldn't figure out what the problem was, so after 3 hrs I rebooted MikroTik and debian and it started to work... :shock:

Thanks
docmarius
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Not showing the origin IP

Sun Mar 19, 2017 6:08 pm

That has a simple explanation. There are lingering connection-tracking entries which are not deleted when you change your firewall rules, especially when changing dst-nat stuff.
Rebooting clears those connections...
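To make docmarius's two points concrete (the srcnat chain applying to DNATed traffic, and stale connection-tracking entries surviving a rule change), here is a small NAT/conntrack simulator added for this thread; it is not RouterOS code and not from any poster. It assumes ether1 is WAN, ether2 is LAN, the router's LAN address is 10.10.10.1, its WAN address is the constructed 203.0.113.10, and the forwarded server is 10.10.10.5:2502 as in the posted config.

```python
from dataclasses import dataclass
# Constructed topology mirroring the thread: ether1 is WAN, ether2 is LAN,
# the router's LAN address is 10.10.10.1, its (assumed) WAN address is
# 203.0.113.10 and the forwarded server is 10.10.10.5:2502.
ROUTER_LAN_IP, ROUTER_WAN_IP = "10.10.10.1", "203.0.113.10"
SERVER_IP, SERVER_PORT = "10.10.10.5", 2502
LAN_PREFIXES = ("10.10.10.", "192.168.83.")

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    out_iface: str = ""

def route(dst):
    """Egress interface: the two LAN ranges leave via ether2, everything else via ether1."""
    return "ether2" if dst.startswith(LAN_PREFIXES) else "ether1"

class Router:
    def __init__(self, masq_out_iface):
        # None models 'add action=masquerade chain=srcnat' with no out-interface,
        # "ether1" models the corrected rule with out-interface=ether1.
        self.masq_out_iface = masq_out_iface
        self.conntrack = {}  # (src, dst, dport) -> (nat_src, nat_dst), decided on first packet

    def forward(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if key not in self.conntrack:
            # dstnat chain: the 2502 port forward rewrites the destination for WAN traffic
            dst = SERVER_IP if pkt.in_iface == "ether1" and pkt.dport == SERVER_PORT else pkt.dst
            out = route(dst)
            src = pkt.src
            # srcnat chain runs on ALL outgoing traffic, DNATed or not; the rule only
            # skips the packet when its out-interface filter does not match
            if self.masq_out_iface in (None, out):
                src = ROUTER_LAN_IP if out == "ether2" else ROUTER_WAN_IP
            self.conntrack[key] = (src, dst)
        nat_src, nat_dst = self.conntrack[key]  # tracked flows reuse the stored NAT
        return Packet(nat_src, nat_dst, pkt.dport, pkt.in_iface, route(nat_dst))

    def flush(self):
        """What the reboot in the thread effectively did: drop all tracked connections."""
        self.conntrack.clear()

def server_sees(router, client_ip):
    """Source address the forwarded server logs for a WAN client hitting port 2502."""
    return router.forward(Packet(client_ip, ROUTER_WAN_IP, SERVER_PORT, "ether1")).src
```

With the broad rule the server sees 10.10.10.1 for every WAN client; with out-interface=ether1 it sees the real client, but a flow tracked under the old rule keeps its old mapping until the conntrack table is cleared.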