Edoras
newbie
Topic Author
Posts: 32
Joined: Wed Apr 05, 2006 12:03 am
Location: Prague, Czech rep.

NAT 1:1 - how to ignore connection tracking

Mon Jul 30, 2018 1:44 am

Hello,

I want to make 1:1 NAT from a local to a public IP. But I have two internet gateways, and it can happen that a packet goes to the internet through IGW1 and the reply comes back through IGW2.
I made the same IP FIREWALL NAT rules on both IGWs:

ip firewall nat add chain=srcnat action=netmap to-addresses=185.160.20.177 src-address=10.140.4.2
ip firewall nat add chain=dstnat action=netmap to-addresses=10.140.4.2 dst-address=185.160.20.177

When the packet returns from the internet via the same IGW where srcnat was done (the packet went to the internet via that same IGW), everything works OK:
in:wan out:lan, proto ICMP (type 0, code 0), 178.217.148.41->10.140.4.2, NAT 178.217.148.41->(185.160.20.177->10.140.4.2), len 56
But when the packet returns from the internet via the second IGW, where srcnat was not done (the packet goes to the internet via IGW1 but the answer comes back to IGW2), NAT is not working:
in:wan out:wan, proto ICMP (type 0, code 0), 178.217.148.41->185.160.20.177, len 56
I suppose the problem is that there is no established connection in the connection tracking table. But I want to do 1:1 NAT and ignore the connection tracking table ... no matter whether the connection is established or not.
 
mohannad
Frequent Visitor
Posts: 56
Joined: Wed May 02, 2012 2:39 am
Location: Lebanon

Re: NAT 1:1 - how to ignore connection tracking

Mon Jul 30, 2018 3:56 pm

dst nat, not src nat
chain=dstnat action=netmap to-addresses=182.1.1.80 to-ports=8080 protocol=tcp src-address=172.16.16.0/24 in-interface=!ether1-Real dst-port=80 log=no log-prefix="" 

Your Future Dreams Start With Us
IT For Better Life
 
sindy
Forum Guru
Posts: 4214
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT 1:1 - how to ignore connection tracking

Mon Jul 30, 2018 5:49 pm

Any nat function is part of connection tracking, the netmap is no exception. So if you exclude the packets from connection tracking by matching them by an action=notrack rule in /ip firewall raw, the packets don't even pass through the /ip firewall nat table so the netmap will not happen. At least at 6.43rc42 where I've just double-checked it.

On top of that, only the initial packet of each connection passes through the nat table, all the following packets of the same connection are srcnated and/or dstnated using the context of that connection.

But the connection tracking does not remember the interface, only the addresses, so if the packet comes back via another interface but has source and destination addresses and ports (or icmp id in case of icmp) which match an already tracked connection (which need not be "established" yet, it is enough that the initial request went through), that connection should be identified and matched even though the response packet came in through a different interface than the request one. So something else must be rotten. The connection below has been src-nated by a netmap rule:

Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 SAC s protocol=tcp src-address=10.23.6.188:58742 dst-address=10.215.3.124:22 reply-src-address=10.215.3.124:22
reply-dst-address=10.20.6.188:58742 tcp-state=established timeout=23h59m58s connection-mark="day" orig-packets=23
orig-bytes=2 716 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=19 repl-bytes=4 953
repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=13.2kbps repl-rate=24.3kbps
The one below has seen only its initial packet so far but it is already prepared to accept an answer:

Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 C s protocol=tcp src-address=10.23.6.188:60370 dst-address=10.215.3.126:22 reply-src-address=10.215.3.126:22
reply-dst-address=10.20.6.188:60370 tcp-state=syn-sent timeout=3s orig-packets=1 orig-bytes=60
orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0
repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
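To make the three points above concrete (nat is part of connection tracking, only the first packet of a connection consults the nat rules, and the tracked entry is matched by addresses and ICMP id rather than by interface), here is a small Python model of a stateful 1:1 netmap. It is an added example, not RouterOS code or anything from this thread; the Router and Conn classes, the "verdict" strings and the ICMP id 7 are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample values: the 1:1 pair and the remote host quoted in the thread.
LOCAL, PUBLIC, REMOTE = "10.140.4.2", "185.160.20.177", "178.217.148.41"

@dataclass
class Conn:
    orig: tuple       # (src, dst, id) of the initial packet, as received
    reply: tuple      # (src, dst, id) a reply must carry to match this entry
    nat_orig: tuple   # (src, dst) emitted in the original direction
    nat_reply: tuple  # (src, dst) emitted in the reply direction
    seen_reply: bool = False   # the 'S' flag in /ip firewall connection print

class Router:
    """Toy stateful NAT: entries are keyed by addresses and id only, never by interface."""
    def __init__(self):
        self.table = {}         # (src, dst, id) -> (Conn, direction)
        self.nat_rule_hits = 0  # how often the nat rules had to be consulted

    def forward(self, src, dst, ident, in_iface, notrack=False):
        """Return (src, dst, verdict) after NAT; in_iface is deliberately never looked at."""
        if notrack:             # action=notrack in /ip firewall raw: nat table never consulted
            return src, dst, "untracked"
        key = (src, dst, ident)
        hit = self.table.get(key)
        if hit is None:         # only the first packet of a connection reaches the nat rules
            self.nat_rule_hits += 1
            if src == LOCAL:    # srcnat netmap LOCAL -> PUBLIC
                conn = Conn(key, (dst, PUBLIC, ident), (PUBLIC, dst), (dst, LOCAL))
            elif dst == PUBLIC: # dstnat netmap PUBLIC -> LOCAL
                conn = Conn(key, (LOCAL, src, ident), (src, LOCAL), (PUBLIC, src))
            else:               # no rule matched: tracked but left untranslated
                conn = Conn(key, (dst, src, ident), (src, dst), (dst, src))
            self.table[conn.orig] = (conn, "orig")
            self.table[conn.reply] = (conn, "reply")
            return (*conn.nat_orig, "new")
        conn, direction = hit
        if direction == "reply":
            conn.seen_reply = True
            return (*conn.nat_reply, "reply")
        return (*conn.nat_orig, "tracked")

def asymmetric_demo():
    """Echo request leaves via wan1; the reply arrives via wan2 and is still mapped back."""
    r = Router()
    out = r.forward(LOCAL, REMOTE, 7, "lan")     # request: srcnat applied, entry created
    back = r.forward(REMOTE, PUBLIC, 7, "wan2")  # reply on the other WAN: entry matched
    again = r.forward(LOCAL, REMOTE, 7, "lan")   # second request: no rule lookup needed
    return out, back, again, r.nat_rule_hits
```

The same model also shows the notrack case: a packet passed with notrack=True leaves the router untranslated and never creates an entry, which is why a raw-table notrack rule cannot be used to "ignore" connection tracking while keeping the netmap.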
 
Edoras
newbie
Topic Author
Posts: 32
Joined: Wed Apr 05, 2006 12:03 am
Location: Prague, Czech rep.

Re: NAT 1:1 - how to ignore connection tracking

Fri Aug 03, 2018 4:30 pm

OK, thanks for explanation.

Is there any way to solve the problem? Or is it insoluble?
 
sindy
Forum Guru
Posts: 4214
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT 1:1 - how to ignore connection tracking

Fri Aug 03, 2018 6:11 pm

If I don't know what the problem is, I can hardly solve it :-)

First of all, I'd recommend posting the complete configuration following the guidelines in my automatic signature, to exclude any doubts.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
