leibtek
just joined
Topic Author
Posts: 8
Joined: Sun Jul 07, 2019 10:12 pm

DST NAT Rules Work for some connections.

Sun Jul 07, 2019 10:43 pm

I'm having a problem, I've tried plenty of troubleshooting, and I'm stumped. Any help would greatly be appreciated.

I have a simple setup where 2 machines are behind my Mikrotik Router, with a single static WAN on ether1.

There are 2 sets of 3 different software hosts, with each machine having one set. Each of the 3 hosting software packages listens on a different port.

Machine1: all traffic is properly routed and established to all hosting software.

Machine2: basically the same rules as Machine1 (only with unique external listening ports), I would see some connections connect fine, yet others fail continuously. However, doing a telnet from a non-connecting source to any of these ports would successfully establish a connection. I was also able to establish an RDP connection from a non-connecting source to Machine2 without a problem. Only the hosting software fails to establish a connection to its designated listening ports.

I don't know what to do, I even temporarily removed Machine1 and used the same external and internal ports on Machine2 (only the internal IP stayed the same), but still the same behavior.

Please let me know what you would need me to provide here, in order to shed some light on what's going on.

Machine1: WIN 2008 R2
Machine2: WIN 2016 Standard
Mikrotik Router: CCR1016-12G, 6.43.8

Thank you very much!
 
anav
Forum Guru
Posts: 2835
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DST NAT Rules Work for some connections.

Mon Jul 08, 2019 3:29 am

Let's try to narrow this down first to the facts of one WAN, 3 services duplicated but with different external incoming ports.
After we figure out the config errors we can talk about RDP or anything else.

Best to post your config so we can see the setup.
/export hide-sensitive file=yourconfigjul07

In NAT a service (port) can only be used once. The way around this is to use different external listening ports and then doing port translation.
I'm assuming that is what you have done. However, normally that is for providing different external ports to the same server, but I don't see why it cannot be used for two servers of the same ilk with different LAN IPs.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
leibtek
just joined
Topic Author
Posts: 8
Joined: Sun Jul 07, 2019 10:12 pm

Re: DST NAT Rules Work for some connections.

Mon Jul 08, 2019 6:44 am

Thank you anav!

Yes, I am aware of that and have set up the rules accordingly. It's the erratic behavior that's throwing me off here. There can be a possibility that there's something up with the host computer running WIN 2016 w/ Broadcom controllers (with Hyper-V VMs). At this point, I'm still pointing a finger at the firewall.

Now regarding the config, since I'm a noob here, is it safe to post the config with all IPs, ports, etc. disclosed?

Best,
Leibtek
 
mkx
Forum Guru
Posts: 2468
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST NAT Rules Work for some connections.

Mon Jul 08, 2019 8:35 am

You want to obfuscate your public IP address to make you safe. Ports should be OK if nobody knows your public IP address, though. Leave the private IP addresses as they are as well; nobody but you can access them anyway ... unless they get to your router first (for that they'd have to know your public IP address).
BR,
Metod
 
leibtek
just joined
Topic Author
Posts: 8
Joined: Sun Jul 07, 2019 10:12 pm

Re: DST NAT Rules Work for some connections.

Mon Jul 08, 2019 5:02 pm

Thanks.

Here you go. (attached)

Thanks,
Leibtek
yourconfigjul07.rsc
 
leibtek
just joined
Topic Author
Posts: 8
Joined: Sun Jul 07, 2019 10:12 pm

Re: DST NAT Rules Work for some connections.

Mon Jul 08, 2019 8:10 pm

Hi guys,

I was able to get my hands on an old Cisco router, which I temporarily swapped in for the Mikrotik, and got the same results. So I figured I'd let you know that I don't think the firewall is at fault.

Thanks!
Leibtek
 
sindy
Forum Guru
Posts: 3495
Joined: Mon Dec 04, 2017 9:19 pm

Re: DST NAT Rules Work for some connections.

Mon Jul 08, 2019 11:07 pm

What you write sounds to me like some kind of MTU issue. "Telnet works" means that a TCP session could be successfully established. As soon as you connect the real client using the real application protocol over TCP, the server or the client (or both) start sending packets maxing out the reported MTU, and if something is broken between the endpoints, these packets do not get through. It may depend on the path chosen in the internet between the client and your Mikrotik/Cisco, so some connections to the same service on the same server may work while others do not. Packet sniffing at both client and server helps you confirm or deny this suspicion.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
leibtek
just joined
Topic Author
Posts: 8
Joined: Sun Jul 07, 2019 10:12 pm

Re: DST NAT Rules Work for some connections.

Mon Jul 08, 2019 11:46 pm

Thanks sindy,

You definitely identified the characteristics of my issue correctly. However, that same client, should it try to connect to the other server behind my Mikrotik, would succeed. I would assume the path chosen would still be the same?

I did some Wireshark logging at both ends, and I think it's showing that many packets are being returned, but some are getting through. That may explain why RDP or HTTP would work from the same client -> server, while the application does not, as it cannot digest that much packet loss.

Assuming you're right, where would I go from here to try and correct the MTU issue?

Thanks,
Leibtek
 
sindy
Forum Guru
Posts: 3495
Joined: Mon Dec 04, 2017 9:19 pm

Re: DST NAT Rules Work for some connections.

Tue Jul 09, 2019 12:03 am

You haven't specified what kind of service is running at which server. If the same service (e.g. https) is running at both and clients have problems connecting to only one of them, the MTU issue would have to exist between that server and the Mikrotik. But as it is an intermittent issue (some connections work while others don't), it would still have to involve different paths (with different MTU) through the internet, and thus the MTU issue between the server and the Mikrotik would have to consist of blocking ICMP, thus preventing path MTU discovery from working.

If you can sniff at both client and server simultaneously, check whether, in the failed case, there are packets which never make it through the path (in either direction).
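An added example (not the thread's exported config and not MikroTik's own documentation) that ties together anav's point about port-translated dst-nat rules for two LAN servers and sindy's diagnosis that ICMP blocking between the server and the router would break path MTU discovery. ether1 as the WAN interface comes from the thread; the LAN subnet 192.168.10.0/24, the server addresses 192.168.10.11 and 192.168.10.12, the public ports 10443/20443 and the internal port 443 are all assumptions made for illustration. The weak ICMP-dropping form is shown commented out beside the corrected rules.

```routeros
# Added example, not the thread's exported config. Assumptions: WAN is ether1 (as in the
# thread), LAN is 192.168.10.0/24, Machine1 = 192.168.10.11, Machine2 = 192.168.10.12.
# Both servers listen on the same internal port (443 here), so each one gets its own
# unique public port and the rule translates it with to-ports.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=10443 \
    action=dst-nat to-addresses=192.168.10.11 to-ports=443 comment="Machine1 service A"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=20443 \
    action=dst-nat to-addresses=192.168.10.12 to-ports=443 comment="Machine2 service A"
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to internet"

# WEAK FORM (kept commented out): a blanket ICMP drop on input and forward.
# ICMP "fragmentation needed" (type 3, code 4) from the internet never reaches the
# server, so full-size TCP segments vanish while small ones (the handshake, telnet,
# a tiny HTTP exchange) get through - the symptom pattern described in the thread.
# /ip firewall filter
# add chain=input protocol=icmp action=drop
# add chain=forward protocol=icmp action=drop

# CORRECTED FORM: accept established/related first, let ICMP through (at minimum
# 3:4 towards the servers), admit from the WAN only what a dst-nat rule translated,
# and drop everything else that arrives on ether1.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmp action=accept comment="router itself must see PMTUD messages"
add chain=input in-interface=ether1 action=drop comment="no unsolicited WAN traffic to the router"
add chain=forward connection-state=established,related action=accept
add chain=forward protocol=icmp icmp-options=3:4 action=accept \
    comment="fragmentation-needed must reach the LAN servers"
add chain=forward in-interface=ether1 connection-nat-state=dstnat action=accept \
    comment="only connections a dst-nat rule translated"
add chain=forward in-interface=ether1 action=drop

# Belt and braces: clamp the TCP MSS on SYNs so the endpoints size their segments to
# the path even where some hop upstream still eats ICMP.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss \
    new-mss=clamp-to-pmtu passthrough=yes
```

After a failed application connection, /ip firewall filter print stats shows whether the ICMP 3:4 rule and the dst-nat accept rule are being hit at all; a dst-nat counter that climbs while the capture on the server shows the large segments missing points at a loss upstream of the router rather than at the NAT rules themselves.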
 
leibtek
just joined
Topic Author
Posts: 8
Joined: Sun Jul 07, 2019 10:12 pm

Re: DST NAT Rules Work for some connections.

Tue Jul 09, 2019 6:56 am

Thanks again, and sorry for my belated response, I had to gain access to the client.

From the packet capture, there does seem to be some loss here.

I'm sure that you'll know better if you have a quick look, so I attached herein only the summary of the packets from both sides in csv comma delimited format. Please let me know what you think.

Best regards,
Leibtek
Server_Side.csv
Client_Side.csv
 
leibtek
just joined
Topic Author
Posts: 8
Joined: Sun Jul 07, 2019 10:12 pm

Re: DST NAT Rules Work for some connections.

Wed Jul 10, 2019 6:33 am

Hi Guys,

I'm back with more troubleshooting, and the Mikrotik does seem to play a role here.

I hooked back up the Cisco router and put the troublesome server on its DMZ (because I wasn't sure how to do a DMZ rule on the Mikrotik), and the connections from the applications were being established. However, I didn't see any additional ports connecting besides those that I have the dst-nat rules for. Can we definitely say now that the Mikrotik is at fault here?

Perhaps there's double NATting going on here? Anyone familiar with WIN 2016 who knows if there's more NATting going on?

Maybe someone can guide me to isolate this issue by creating a liberal rule for this source IP only, and go from there.

Just a side note: after hooking back up the Mikrotik, I created an "input -> SourceIP - ether1, action accept" rule at priority 2, and I saw traffic pass through that rule, but it didn't help me. However, I have since deleted that rule, and now traffic to my dst-nat rule ports is being dropped from this SourceIP. I see it in the logs as "No Destination". I'm hoping that a router restart will fix this, but I cannot do it now while there is other activity going on; I'll have to wait until the morning. Any suggestions, is this normal?

Thanks,
Leibtek
 
mkx
Forum Guru
Posts: 2468
Joined: Thu Mar 03, 2016 10:23 pm

Re: DST NAT Rules Work for some connections.

Wed Jul 10, 2019 6:59 am

Some wild guessing: if you make the RB the default gateway for your server, Windows will detect this as a new network and you might need to adjust Windows firewall settings to make those services available to the world (again).
BR,
Metod
 
leibtek
just joined
Topic Author
Posts: 8
Joined: Sun Jul 07, 2019 10:12 pm

Re: DST NAT Rules Work for some connections.

Wed Jul 10, 2019 7:06 am

I have the Windows Firewall turned off for now.

So I don't think that's in the way now.

Thanks,
Leibtek
