doush
Long time Member
Topic Author
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

RAW Table

Mon Dec 10, 2018 4:53 pm

Hello;
We are struggling with the following.

We have a simple srcnat rule for 10.0.0.0/8 and we want the connection tracking table to be used only by the 10.0.0.0/8 subnet block.
We don't want the rest of our public IPs to go through the CT table.
So:
chain=prerouting action=notrack log=no log-prefix="" src-address=!10.0.0.0/8

Above simply stops 10.0.0.0/8 srcNAT and doesn't work.

Is there any way to accomplish what we require?
Any help will be appreciated.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RAW Table

Mon Dec 10, 2018 5:18 pm

Hey

You have two parts of communication: inbound (to 10.) and outbound (from 10.).

For outbound, improve your rule by specifying on which interface the traffic will arrive.
For inbound, you can isolate NAT traffic by the srcnat address, and then don't track traffic not directed to that IP on the incoming interface.

chain=prerouting action=notrack log=no log-prefix="" src-address=!10.0.0.0/8 in-interface=LAN
chain=prerouting action=notrack log=no dst-address=!<external nat ip> in-interface=WAN

Packets arriving for other networks will be addressed as such.

Edit: corrected wrt isolation
 
doush
Long time Member
Topic Author
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: RAW Table

Tue Dec 11, 2018 2:54 pm

Thanks for your reply.
It still doesn't work. All srcNAT stops when I implement the RAW table rules below.
Any ideas?
RAW Table:
/ip firewall raw
add action=notrack chain=prerouting disabled=yes src-address=!10.0.0.0/8
add action=notrack chain=prerouting disabled=yes src-address=!172.16.0.0/16
add action=notrack chain=prerouting disabled=yes dst-address=!WANIP
NAT rules:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=sfp-sfpplus1 src-address=10.0.0.0/8 to-addresses=WANIP 
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RAW Table [SOLVED]

Tue Dec 11, 2018 3:35 pm

Try this

/ip firewall raw
add action=accept chain=prerouting src-address=10.0.0.0/8
add action=accept chain=prerouting src-address=172.16.0.0/16
add action=accept chain=prerouting dst-address=WANIP
add action=notrack chain=prerouting
 
doush
Long time Member
Topic Author
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: RAW Table

Tue Dec 11, 2018 3:40 pm

Wow. I was writing it here but you beat me to it :)
I have done exactly that and it worked.

It seems that the ! (not) operator is somehow not working in the RAW table.

Am I correct?
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RAW Table

Tue Dec 11, 2018 3:44 pm

It's working fine, you just forgot the in-interface part ;-).

Good to hear it's working.
Cheers
 
doush
Long time Member
Topic Author
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: RAW Table

Tue Dec 11, 2018 3:51 pm

Yes, it seems that the interface part was missing. Thanks for your help.

All I am trying to do is reduce the CT table load, so maybe this garbage CCR1072 does not reboot by itself via the watchdog timer every day.
Hopeless attempt, but maybe we can get it to have an uptime of more than a single day.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RAW Table

Tue Dec 11, 2018 3:53 pm

It's all in configuration ;-)
 
doush
Long time Member
Topic Author
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: RAW Table

Tue Dec 11, 2018 3:55 pm

I don't think it is related to configuration.

viewtopic.php?f=3&t=122525
 
sid5632
Long time Member
Posts: 553
Joined: Fri Feb 17, 2017 6:05 pm

Re: RAW Table

Tue Dec 11, 2018 3:56 pm

> It seems that the ! (not) operator is not working somehow in RAW table.
> Am I correct?

No you aren't.
You just don't seem to understand how boolean logic works.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: RAW Table

Tue Dec 11, 2018 4:27 pm

> You just don't seem to understand how boolean logic works.

Please elaborate.
 
sid5632
Long time Member
Posts: 553
Joined: Fri Feb 17, 2017 6:05 pm

Re: RAW Table

Tue Dec 11, 2018 6:34 pm

Elaborate what?
It's fairly obvious that setting notrack on everything that is NOT 10.0.0.0/8, followed by setting notrack on everything that is NOT 172.16.0.0/16, effectively sets notrack on EVERYTHING.

(And then obviously the NAT doesn't work, as it requires connection tracking.)
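To make sid5632's point concrete, here is a small simulation (added here, not code from any post in the thread) of first-match evaluation in a raw prerouting chain with src-address/dst-address matching only; in-interface is left out, and 203.0.113.10 is a constructed stand-in for the thread's WANIP placeholder. It runs doush's three negated notrack rules and sebastia's accept-then-notrack set over the same packets.

```python
# Added example, not from any post in the thread: first-match simulation of a
# RouterOS /ip firewall raw prerouting chain (src/dst matching only).
import ipaddress

WANIP = "203.0.113.10"  # constructed stand-in for the thread's "WANIP"

def parse_addr(spec):
    """'!10.0.0.0/8' -> (network, True); '10.0.0.0/8' -> (network, False)."""
    negated = spec.startswith("!")
    return ipaddress.ip_network(spec.lstrip("!"), strict=False), negated

def matches(rule, pkt):
    """Every src/dst matcher the rule carries must agree with the packet."""
    for key in ("src", "dst"):
        if rule.get(key) is None:
            continue  # no matcher on this field
        net, negated = parse_addr(rule[key])
        in_net = ipaddress.ip_address(pkt[key]) in net
        if in_net == negated:  # in the net but negated, or outside and not negated
            return False
    return True

def is_tracked(rules, pkt):
    """True if conntrack (and so src-nat) still sees the packet: accept ends raw with tracking intact, notrack bypasses it."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"] == "accept"
    return True  # nothing matched: tracked by default

# doush's negated notrack rules (as posted, without disabled=yes)
NEGATED_RULES = [
    {"action": "notrack", "src": "!10.0.0.0/8"},
    {"action": "notrack", "src": "!172.16.0.0/16"},
    {"action": "notrack", "dst": "!" + WANIP},
]

# sebastia's accept-then-notrack ruleset
ACCEPT_FIRST_RULES = [
    {"action": "accept", "src": "10.0.0.0/8"},
    {"action": "accept", "src": "172.16.0.0/16"},
    {"action": "accept", "dst": WANIP},
    {"action": "notrack"},
]

def compare(src, dst):
    """(tracked under negated rules, tracked under accept-first rules)."""
    pkt = {"src": src, "dst": dst}
    return is_tracked(NEGATED_RULES, pkt), is_tracked(ACCEPT_FIRST_RULES, pkt)
```

For a 10.0.0.0/8 source the negated set never matches rule one but does match rule two (the source is not in 172.16.0.0/16), so the packet is marked notrack and src-nat cannot act on it; the accept-first set stops at rule one with tracking intact.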
 
doush
Long time Member
Topic Author
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: RAW Table

Wed Dec 12, 2018 1:56 pm

Nope, it doesn't.
 
Mark13
just joined
Posts: 2
Joined: Wed Dec 12, 2018 9:40 pm

Re: RAW Table

Wed Dec 12, 2018 10:07 pm

> Wow. I was writing it here but you beat me to it :)
> I have done exactly that and it worked.

Hello doush, can you share the correct rules to help other newbies like me :)

Does it help you reduce conn track, if you have tested it?

Are the rules below correct, or do we need to add in-interface also?

And as far as I understand, 10.0.0.0/8 is the range for your local network and 172.16.0.0/16 for the customer pool. What is WANIP in dst-address? Is it your router's WAN IP or the public IP range you are using for NAT?
/ip firewall raw
add action=accept chain=prerouting src-address=10.0.0.0/8
add action=accept chain=prerouting src-address=172.16.0.0/16
add action=accept chain=prerouting dst-address=WANIP
add action=notrack chain=prerouting
 
doush
Long time Member
Topic Author
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: RAW Table

Thu Dec 13, 2018 9:13 pm

Hello;
Both 10.0.0.0/8 and 172.16.0.0/16 are my local networks.
WANIP (PublicIP) is what we srcnat these local networks to.

The rules you have posted are correct.

It reduced the CT load (fewer entries) but CPU load is approximately the same as before. I haven't noticed any significant drop in CPU usage.

Regarding the CCR1072 watchdog reboots, we are yet to confirm whether the RAW table rules will help or not. Uptime is 2 days now (it never went more than a week before) so still waiting.
 
Mark13
just joined
Posts: 2
Joined: Wed Dec 12, 2018 9:40 pm

Re: RAW Table

Fri Dec 14, 2018 7:08 pm

> Hello;
> Both 10.0.0.0/8 and 172.16.0.0/16 are my local networks.
> WANIP (PublicIP) is what we srcnat these local networks to.
>
> The rules you have posted are correct.
>
> It reduced the CT load (fewer entries) but CPU load is approximately the same as before. I haven't noticed any significant drop in CPU usage.
>
> Regarding the CCR1072 watchdog reboots, we are yet to confirm whether the RAW table rules will help or not. Uptime is 2 days now (it never went more than a week before) so still waiting.

Thank you doush,
I see here that all users in the forum complain about the 1072, but unfortunately there is no solution from the MikroTik side.
