jschenard
just joined
Topic Author
Posts: 4
Joined: Fri Nov 13, 2020 1:33 am

Unable to ping IP from WAN while using Src-nat and dst-NAT ( ok with masquerade)

Mon Jan 11, 2021 12:32 am

Good evening everyone, I hope everybody had a good weekend.
I am running into a small issue and would ask for some precious help.

I have a /29 of IP addresses, so 5 dedicated IP addresses. By default the MikroTik is using masquerade for the dynamic IP. With masquerade, I can ping my WAN. If I configure the NAT myself based on local IP, the WAN is not reachable. Firewall rules seem fine and I don't see anything that could prevent pinging.

I will paste the firewall config here. Thanks in advance for your help.
#
Flags: X - disabled, I - invalid, D - dynamic 
    D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

      ;;; defconf: accept ICMP after RAW
      chain=input action=accept protocol=icmp 

      ;;; defconf: accept established,related,untracked
      chain=input action=accept 
      connection-state=established,related,untracked 

      ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

   X  ;;; defconf: accept all that matches IPSec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

      ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related 

      ;;; defconf: accept established,related, untracked
      chain=forward action=accept 
      connection-state=established,related,untracked 

      ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

      ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface-list=WAN 

      ;;; defconf: drop bad forward IPs
      chain=forward action=drop src-address-list=no_forward_ipv4 

      ;;; defconf: drop bad forward IPs
      chain=forward action=drop dst-address-list=no_forward_ipv4 

RAW dump:

#
Flags: X - disabled, I - invalid, D - dynamic 
    D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

   X  ;;; defconf: enable for transparent firewall
      chain=prerouting action=accept 

      ;;; defconf: accept DHCP discover
      chain=prerouting action=accept in-interface-list=LAN src-port=68 
      dst-port=67 protocol=udp src-address=0.0.0.0 
      dst-address=255.255.255.255 

      ;;; defconf: drop bogon IP's
      chain=prerouting action=drop src-address-list=bad_ipv4 

      ;;; defconf: drop bogon IP's
      chain=prerouting action=drop dst-address-list=bad_ipv4 

      ;;; defconf: drop bogon IP's
      chain=prerouting action=drop src-address-list=bad_src_ipv4 

      ;;; defconf: drop bogon IP's
      chain=prerouting action=drop dst-address-list=bad_dst_ipv4 

      ;;; defconf: drop non global from WAN
      chain=prerouting action=drop in-interface-list=WAN 
      src-address-list=not_global_ipv4 

      ;;; defconf: drop forward to local lan from WAN
      chain=prerouting action=drop in-interface-list=WAN 
      dst-address=192.168.88.0/24 

      ;;; defconf: drop local if not from default IP range
      chain=prerouting action=drop in-interface-list=LAN 
      src-address=!192.168.88.0/24 

      ;;; defconf: drop bad UDP
      chain=prerouting action=drop port=0 protocol=udp 

      ;;; defconf: jump to ICMP chain
      chain=prerouting action=jump jump-target=icmp4 protocol=icmp 

      ;;; defconf: jump to TCP chain
      chain=prerouting action=jump jump-target=bad_tcp protocol=tcp 

      ;;; defconf: accept everything else from LAN
      chain=prerouting action=accept in-interface-list=LAN 

      ;;; defconf: accept everything else from WAN
      chain=prerouting action=accept in-interface-list=WAN 

      ;;; defconf: drop the rest
      chain=prerouting action=drop 

      ;;; defconf: TCP flag filter
      chain=bad_tcp action=drop tcp-flags=!fin,!syn,!rst,!ack protocol=tcp 

      ;;; defconf
      chain=bad_tcp action=drop tcp-flags=fin,syn protocol=tcp 

      ;;; defconf
      chain=bad_tcp action=drop tcp-flags=fin,rst protocol=tcp 

      ;;; defconf
      chain=bad_tcp action=drop tcp-flags=fin,!ack protocol=tcp 

      ;;; defconf
      chain=bad_tcp action=drop tcp-flags=fin,urg protocol=tcp 

      ;;; defconf
      chain=bad_tcp action=drop tcp-flags=syn,rst protocol=tcp 

      ;;; defconf
      chain=bad_tcp action=drop tcp-flags=rst,urg protocol=tcp 

      ;;; defconf: TCP port 0 drop
      chain=bad_tcp action=drop port=0 protocol=tcp 

   X  ;;; defconf: echo reply
      chain=icmp4 action=accept icmp-options=0:0 limit=5,10:packet log=no 
      log-prefix="" protocol=icmp 

   X  ;;; defconf: net unreachable
      chain=icmp4 action=accept icmp-options=3:0 log=no log-prefix="" 
      protocol=icmp 

   X  ;;; defconf: host unreachable
      chain=icmp4 action=accept icmp-options=3:1 log=no log-prefix="" 
      protocol=icmp 

   X  ;;; defconf: protocol unreachable
      chain=icmp4 action=accept icmp-options=3:2 log=no log-prefix="" 
      protocol=icmp 

   X  ;;; defconf: port unreachable
      chain=icmp4 action=accept icmp-options=3:3 log=no log-prefix="" 
      protocol=icmp 

   X  ;;; defconf: fragmentation needed
      chain=icmp4 action=accept icmp-options=3:4 log=no log-prefix="" 
      protocol=icmp 

   X  ;;; defconf: echo
      chain=icmp4 action=accept icmp-options=8:0 limit=5,10:packet log=no 
      log-prefix="" protocol=icmp 

   X  ;;; defconf: time exceeded 
      chain=icmp4 action=accept icmp-options=11:0-255 log=no log-prefix="" 
      protocol=icmp 

   X  ;;; defconf: drop other icmp
      chain=icmp4 action=drop log=no log-prefix="" protocol=icmp 

NAT rules:

Flags: X - disabled, I - invalid, D - dynamic 
 0 X  ;;; defconf: accept all that matches IPSec policy
      chain=srcnat action=accept ipsec-policy=in,ipsec 

 1    chain=dstnat action=dst-nat to-addresses=192.168.88.0/24 
      dst-address=23.91.82.50 in-interface-list=WAN 

 2    chain=srcnat action=src-nat to-addresses=23.91.82.50 
      src-address=192.168.88.0/24 out-interface-list=WAN 

 3 X  ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no 
      log-prefix=""
 
sindy
Forum Guru
Posts: 6655
Joined: Mon Dec 04, 2017 9:19 pm

Re: Unable to ping IP from WAN while using Src-nat and dst-NAT ( ok with masquerade)

Mon Jan 11, 2021 9:46 am

With masquerade, I can ping my wan.
From where you can/cannot ping it? From a device connected to LAN or from the internet?

Is the public address you are pinging attached to the WAN on the Mikrotik, or you only use it as to-addresses in the action=src-nat rule?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
jschenard
just joined
Topic Author
Posts: 4
Joined: Fri Nov 13, 2020 1:33 am

Re: Unable to ping IP from WAN while using Src-nat and dst-NAT ( ok with masquerade)

Mon Jan 11, 2021 10:54 am

With masquerade, I can ping my wan.
From where you can/cannot ping it? From a device connected to LAN or from the internet?

Is the public address you are pinging attached to the WAN on the Mikrotik, or you only use it as to-addresses in the action=src-nat rule?
Good day, thank you for your response.

From where you can/cannot ping it? From a device connected to LAN or from the internet?

I cannot ping from the internet.

Is the public address you are pinging attached to the WAN on the Mikrotik, or you only use it as to-addresses in the action=src-nat rule?

Both. On the WAN port I have assigned all my public IPs, and then I use to-addresses for the specific IP of the device.
 
sindy
Forum Guru
Posts: 6655
Joined: Mon Dec 04, 2017 9:19 pm

Re: Unable to ping IP from WAN while using Src-nat and dst-NAT ( ok with masquerade)

Mon Jan 11, 2021 11:25 am

The thing is that the rules in chain srcnat are only used for the initial packet of a new connection; the decision taken for this packet is then inherited by all subsequent packets of the same connection. So given that your action=masquerade rule acts only on packets which leave through an interface which is a member of interface list WAN, if you ping the router's own public address from anywhere, this rule does not act at all as there is no out-interface for the initial packet (the first request one), and the response packets inherit the reverse of the NAT behaviour chosen for the initial packet.

Your rules in the icmp4 chain of /ip firewall raw explicitly permit echo requests (icmp type 8) through (and although currently all rules in this chain are enabled, including the final "drop the rest" one, another rule permits everything except TCP which came in via any interface on LAN or WAN interface lists). So if all the public IPs are individually assigned to the WAN, the router should respond on all of them no matter from where you ping (LAN or internet) and no matter what NAT rules are configured.

So follow the suggestion in my automatic signature just below.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
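Added diagnostic (not from sindy's reply or the original poster): a RouterOS command sequence to check each point of the explanation above on the router itself. It assumes ether1 is the interface in list WAN; the public address 23.91.82.50 is the one from the NAT rules posted in the thread.

```routeros
# Added diagnostic commands (not from the thread); ether1 is an assumed WAN interface name.

# 1. Is the pinged public address really attached to an interface that is a member of list WAN?
/interface list member print where list=WAN
/ip address print where address~"23.91.82."

# 2. Which raw rules do the echo requests hit? Ping from the internet and watch the
#    counters. The icmp4 chain rules carry the X (disabled) flag in the dump posted,
#    so the jump returns and the request should be counted on
#    "accept everything else from WAN" in prerouting.
/ip firewall raw print stats where chain=prerouting
/ip firewall raw print stats where chain=icmp4

# 3. In the filter, a request addressed to the router must reach "accept ICMP after RAW"
#    in chain input before "drop all not coming from LAN"; a request that was dst-natted
#    goes through chain forward instead and never reaches chain input.
/ip firewall filter print stats where chain=input
/ip firewall filter print stats where chain=forward

# 4. A ping to the router's own address is a locally terminated connection: there is no
#    out-interface, so neither the masquerade nor the src-nat rule matches it.
#    Compare dst-address with reply-src-address in the tracked entry: if they differ,
#    the request was translated and forwarded; if they match, the router itself is the endpoint.
/ip firewall connection print detail where protocol=icmp dst-address~"23.91.82.50"

# 5. Confirm on the wire whether the request arrives on the WAN and whether a reply leaves.
/tool sniffer quick interface=ether1 ip-protocol=icmp
```

The counters in steps 2 and 3 only move while the ping is running, so clear or note them first (/ip firewall filter reset-counters-all) and read them again after a few requests.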
