Loopback NAT is performed only once

lapsio · Mon Jul 30, 2018 10:13 pm

I have two routers - CCR1009 and RB2011. I'd like to make CCR1009 core router and RB2011 edge router. However as CCR1009 doesn't have wifi I'd like to also repurpose RB2011 as AP, but still route networks on CCR1009. So in order to do so I bridged wifi interface with one of VLANs, withrout assigning any address to it and used second VLAN as gateway for CCR1009.

In the end traffic from wifi goes like this:
wlan0 -> RB2011(br-primary) -> vlan400 -> CCR1009 -> VLAN1000 -> RB2011 -> world

Unfortunately it doesn't work because RB2011 doesn't perform masquerade on outgoing traffic. As configuration of actual routers is really complex and it wouldn't make much sense to post here, I re-created issue in virtualized CHR lab:

First case (that doesn't work) goes like this:

2.png

susecap624.png

And ping result is follwing:

susecap625.png

As you can see from logs masquerade is not performed properly. Second case (that works) goes like this:

1.png

susecap626.png

Config is the same. As you can see, now as machine is connected directly to second router so that packets are going through router1 only once, masquerade is performed properly (src IP change visible in log). When I enabled more detailed logging in actual setup I noticed that all chains except srcnat and dstnat are entered on every packet, but srcnat and dstnat are entered only once, at the beginning of connection, when packets go through br-primary. Of course it's too early to perform masquerade now so in the end masquerade doesn't work. Here's log from actual RB2011:

20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-NAT-DST dstnat: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, 
len 84 
20:04:12 firewall,info rb: OOOOO-NAT-SRC srcnat: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, 
len 84 
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-gw-ccr(sfp1-vlan-ccr) out:(none), src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, 
len 84 
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-gw-ccr(sfp1-vlan-ccr) out:(none), src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-gw-ccr(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(sfp1-vlan-ccr) out:br-gw-twg, src-mac 6c:3b:6b:e0:83:c6, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-PRE prerouting: in:br-primary(ether3-primary) out:(none), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-MAN-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOOO-FW-FWD forward: in:br-primary(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 
192.168.4.6->8.8.8.8, len 84 
20:04:12 firewall,info rb: OOOOO-POST postrouting: in:(none)(ether3-primary) out:br-primary(vlan4-ccr), src-mac 00:90:f5:e5:26:14, proto ICMP (type 8, code 0), 192.168.4.6->8.8.8.8, 
len 84

As you can see OOOOO-NAT-SRC and OOOOO-NAT-DST are entered only once (log was created by adding action=passthrough, log=yes as first entry of /ip firewall nat). It's also worth to mention that adding masquerade on router2 (CCR1009) on gateway vlan breaks connection tracking in RB and packets are properly masqueraded, but this solution is far from perfect from my point of view.

I'm also aware that it can be done with metarouter but unfortunately for some reason metarouter doesn't work on my particular RB2011 (cpu usage instantly skyrockets to 100% and stays here, while VM hangs in "booting" stage. But it's issue for another thread.

I know that I could just get third router but it feels silly to put 3 routers one on top of another just because one has to be edge, one AP and one core. RB2011 makes perfect edge router due to 10/100 interfaces.

PLS HALP.

Sob · Fri Aug 17, 2018 5:18 pm

It must be bridge's use-ip-firewall=yes. I don't think I've ever seriously used it, so I wasn't sure if it's:

a) Just the same filtering mechanism, but independent from routing, i.e. router would see connection on bridge as one, then as another when it comes back from the other router.
b) It's connected and router sees both as same connection.

As you proved, it's b) and then the result makes sense. Try to find a way how to do what you want without use-ip-firewall=yes, bridge filtering might be good enough, but it depends on what exactly you need.

lapsio · Fri Aug 17, 2018 5:56 pm

I just bought one more router dedicated as edge router... It was crappy idea anyways because RB2011 was really overloaded with tons of functionality it couldn't handle all at once. It's old and really obsolete router. I hope MikroTik makes refresh of RB2011 soon. With more recent CPU and perhaps two gigabit switches instead of 1000+100. Tough that 10/100 switch was pretty useful for not demanding hardware like printers, logs servers etc...

Also like you suggested this issue doesn't occur when use-ip-firewall is not used but I actively use it. It also doesn't occur when hardware offloaded bridging is used (because it implies that use-ip-firewall is not used on particular bridge)

Loopback NAT is performed only once

Loopback NAT is performed only once

Re: Loopback NAT is performed only once

Re: Loopback NAT is performed only once

Who is online