Community discussions

 
User avatar
lapsio
Member
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Loopback NAT is performed only once

Mon Jul 30, 2018 10:13 pm

I have two routers - CCR1009 and RB2011. I'd like to make CCR1009 core router and RB2011 edge router. However as CCR1009 doesn't have wifi I'd like to also repurpose RB2011 as AP, but still route networks on CCR1009. So in order to do so I bridged wifi interface with one of VLANs, withrout assigning any address to it and used second VLAN as gateway for CCR1009.

In the end traffic from wifi goes like this:
wlan0 -> RB2011(br-primary) -> vlan400 -> CCR1009 -> VLAN1000 -> RB2011 -> world

Unfortunately it doesn't work because RB2011 doesn't perform masquerade on outgoing traffic. As configuration of actual routers is really complex and it wouldn't make much sense to post here, I re-created issue in virtualized CHR lab:

First case (that doesn't work) goes like this:
2.png
susecap624.png
And ping result is follwing:
susecap625.png
As you can see from logs masquerade is not performed properly. Second case (that works) goes like this:
1.png
susecap626.png
Config is the same. As you can see, now as machine is connected directly to second router so that packets are going through router1 only once, masquerade is performed properly (src IP change visible in log). When I enabled more detailed logging in actual setup I noticed that all chains except srcnat and dstnat are entered on every packet, but srcnat and dstnat are entered only once, at the beginning of connection, when packets go through br-primary. Of course it's too early to perform masquerade now so in the end masquerade doesn't work. Here's log from actual RB2011:
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-NAT-DST dstnat: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, 
len 84 
20:04:12 firewall,info rb: OOOOO-NAT-SRC srcnat: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, 
len 84 
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-gw-ccr(sfp1-vlan-ccr) out:(none), src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, 
len 84 
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-gw-ccr(sfp1-vlan-ccr) out:(none), src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, 
len 84
As you can see OOOOO-NAT-SRC and OOOOO-NAT-DST are entered only once (log was created by adding action=passthrough, log=yes as first entry of /ip firewall nat). It's also worth to mention that adding masquerade on router2 (CCR1009) on gateway vlan breaks connection tracking in RB and packets are properly masqueraded, but this solution is far from perfect from my point of view.

I'm also aware that it can be done with metarouter but unfortunately for some reason metarouter doesn't work on my particular RB2011 (cpu usage instantly skyrockets to 100% and stays here, while VM hangs in "booting" stage. But it's issue for another thread.

I know that I could just get third router but it feels silly to put 3 routers one on top of another just because one has to be edge, one AP and one core. RB2011 makes perfect edge router due to 10/100 interfaces.

PLS HALP.
You do not have the required permissions to view the files attached to this post.
MTCNA, MTCRE, MTCINE
 
Sob
Forum Guru
Forum Guru
Posts: 4628
Joined: Mon Apr 20, 2009 9:11 pm

Re: Loopback NAT is performed only once

Fri Aug 17, 2018 5:18 pm

It must be bridge's use-ip-firewall=yes. I don't think I've ever seriously used it, so I wasn't sure if it's:

a) Just the same filtering mechanism, but independent from routing, i.e. router would see connection on bridge as one, then as another when it comes back from the other router.
b) It's connected and router sees both as same connection.

As you proved, it's b) and then the result makes sense. Try to find a way how to do what you want without use-ip-firewall=yes, bridge filtering might be good enough, but it depends on what exactly you need.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
User avatar
lapsio
Member
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Re: Loopback NAT is performed only once

Fri Aug 17, 2018 5:56 pm

I just bought one more router dedicated as edge router... It was crappy idea anyways because RB2011 was really overloaded with tons of functionality it couldn't handle all at once. It's old and really obsolete router. I hope MikroTik makes refresh of RB2011 soon. With more recent CPU and perhaps two gigabit switches instead of 1000+100. Tough that 10/100 switch was pretty useful for not demanding hardware like printers, logs servers etc...

Also like you suggested this issue doesn't occur when use-ip-firewall is not used but I actively use it. It also doesn't occur when hardware offloaded bridging is used (because it implies that use-ip-firewall is not used on particular bridge)
MTCNA, MTCRE, MTCINE

Who is online

Users browsing this forum: No registered users and 84 guests