sbotnick
just joined
Topic Author
Posts: 20
Joined: Fri Apr 21, 2017 10:54 pm

NAT problem with host's internal traffic using route marking.

Thu Apr 22, 2021 2:14 am

Hello,

I have two routers on the same subnet, each one has its own path to the Internet.
The configs are pretty basic, public IP on WAN interfaces, private IP subnet on the LAN side and default config's masquerade for Internet access.
The goal is to redirect Internet traffic from hosts that have gw2 192.168.49.2 as their default route to go out via the gw1 router.
The below config works, except for dst-nat port forwarding from the Internet:

LAN addresses:
gw1 192.168.49.1
gw2 192.168.49.2

/ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=to_gw1 passthrough=yes
src-address=192.168.49.0/26 dst-address-type=!local connection-mark=no-mark
in-interface=bridge

/ip route
dst-address=0.0.0.0/0 gateway=192.168.49.1 gateway-status=192.168.49.1 reachable via bridge
check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_gw1

It appears that the marking and routing are good; when testing on a LAN host with default gw set to gw2, I get responses from things outside of gw1 through gw1 as expected.

I have a port NAT'd to the above LAN host on gw1 and when attempting to access it from the Internet via gw1, I see the Internet-sourced syn packets come in to the host via gw1 and the host responds with a syn-ack. The syn-ack packets appear to make it to gw1 but do not appear to make it through gw1.

Note that when the host is configured to use gw1, the dst-nat for it on gw1 works correctly.

Any ideas why gw1 doesn't appear to be dealing with the return traffic for the NAT'd traffic?
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT problem with host's internal traffic using route marking.

Thu Apr 22, 2021 2:27 am

What confuses me is what is the purpose of two routers?
Simply connect both WANIPs to the same router.........................
 
sbotnick
just joined
Topic Author
Posts: 20
Joined: Fri Apr 21, 2017 10:54 pm

Re: NAT problem with host's internal traffic using route marking.

Thu Apr 22, 2021 4:07 am

What confuses me is what is the purpose of two routers?
Simply connect both WANIPs to the same router.........................
1) Site requires low power equipment
2) One low power router does not have enough LAN ports for the site
3) Two routers allow some level of redundancy for our operations; if one fails, part of our system will work.
4) Site is unmanned, difficult and expensive to access; partial operation is better than no operation.

Changing physical architecture is not an option. Fixing broken logic is an option.
 
sbotnick
just joined
Topic Author
Posts: 20
Joined: Fri Apr 21, 2017 10:54 pm

Re: NAT problem with host's internal traffic using route marking.

Sat Apr 24, 2021 3:29 am

I've located the problem: The router that is marking is neither forwarding TCP packets nor sending redirects back to the hosts when they try to send traffic through it. When contacted via the other router, hosts are responding with SYN,ACKs but the marking router is identifying them as invalid in the forward chain and dropping them rather than redirecting or forwarding to the other router.

When pinging the Internet from a host, the marking router is sending hosts ICMP redirects so the host is re-sending ICMP to the other router as it should.
UDP to the Internet is being forwarded from hosts by the marking router to the other router and is working correctly as expected and desired.
So, the route marking and route using the marking is otherwise working.

This should have been easy. Any ideas on why it is choking on the TCP rather than forwarding?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT problem with host's internal traffic using route marking.

Sat Apr 24, 2021 9:30 pm

You haven't posted the configurations, but you mention default firewall rules. The default firewall rule "drop invalid" in chain forward of filter prevents those SYN,ACK packets from reaching the out-interface (LAN in this case) and thus triggering the sending of ICMP redirect, as the connection tracking module flags them as invalid because it hasn't seen the SYN packet of the connections they belong to.

So you need to shadow that "drop invalid" rule by a selective "accept" one:
/ip firewall filter add chain=forward protocol=tcp in-interface=bridge out-interface=bridge action=accept place-before=[find where connection-state~"invalid" chain=forward action=drop]
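An added illustration of sindy's explanation (this is model code written for this page, not RouterOS code and not anything posted in the thread): a toy connection tracker and a first-match forward chain, run over a constructed packet sequence. The addresses (host 192.168.49.50, Internet client 203.0.113.10), the interface names and the two-rule reduction of the default forward chain are assumptions; the real default chain has more rules (fasttrack, untracked, the WAN dst-nat check). The point it shows is that the marking router only ever sees the host's SYN,ACK, never the SYN that arrived through the other router, so conntrack reports "invalid" and the default "drop invalid" rule eats it; an accept rule for bridge-to-bridge traffic placed before that drop lets it pass.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "S" = SYN, "SA" = SYN,ACK, "A" = ACK
    in_iface: str
    out_iface: str


@dataclass(frozen=True)
class Rule:
    """One filter rule; None means 'any' for that matcher."""
    action: str                        # "accept" or "drop"
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    conn_state: Optional[str] = None   # "new", "established" or "invalid"


class ConnTracker:
    """Much simplified TCP connection tracker keyed by 5-tuple (constructed model)."""

    def __init__(self) -> None:
        self.flows: Dict[frozenset, str] = {}

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # Same key for both directions of a flow.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def classify(self, p: Packet) -> str:
        k = self._key(p)
        st = self.flows.get(k)
        if st is None:
            if p.flags == "S":
                self.flows[k] = "syn_seen"
                return "new"
            return "invalid"      # mid-stream packet of a flow this router never saw
        if st == "syn_seen":
            if p.flags == "S":
                return "new"      # retransmitted SYN
            if p.flags == "SA":
                self.flows[k] = "established"
                return "established"
            return "invalid"
        return "established"


def forward(rules: List[Rule], tracker: ConnTracker, p: Packet) -> Tuple[str, str]:
    """Classify the packet, then walk chain=forward top to bottom (first match wins)."""
    state = tracker.classify(p)
    for r in rules:
        if r.in_iface is not None and r.in_iface != p.in_iface:
            continue
        if r.out_iface is not None and r.out_iface != p.out_iface:
            continue
        if r.conn_state is not None and r.conn_state != state:
            continue
        return state, r.action
    return state, "accept"        # no rule matched: chain default is accept


# Reduced form of the default forward chain: accept established, drop invalid.
DEFAULT_FORWARD = [
    Rule("accept", conn_state="established"),
    Rule("drop", conn_state="invalid"),
]
# Same chain with the selective accept placed before "drop invalid".
SHADOWED_FORWARD = [
    Rule("accept", conn_state="established"),
    Rule("accept", in_iface="bridge", out_iface="bridge"),
    Rule("drop", conn_state="invalid"),
]

# Constructed addresses: a LAN host whose default gateway is the marking router,
# and an Internet client that reaches it through the other router's dst-nat.
HOST, CLIENT = "192.168.49.50", "203.0.113.10"


def marking_router_case(rules: List[Rule]) -> Tuple[str, str]:
    """The marking router's view: the SYN came in via the other router, so it sees
    only the host's SYN,ACK, entering on the bridge and leaving on the bridge."""
    syn_ack = Packet(HOST, 80, CLIENT, 40000, "SA", "bridge", "bridge")
    return forward(rules, ConnTracker(), syn_ack)


def symmetric_case(rules: List[Rule]) -> Tuple[str, str]:
    """Control: one router sees both directions, so the SYN,ACK is established."""
    t = ConnTracker()
    forward(rules, t, Packet(CLIENT, 40000, HOST, 80, "S", "ether1", "bridge"))
    return forward(rules, t, Packet(HOST, 80, CLIENT, 40000, "SA", "bridge", "ether1"))


if __name__ == "__main__":
    print("asymmetric, default chain :", marking_router_case(DEFAULT_FORWARD))
    print("asymmetric, shadowed chain:", marking_router_case(SHADOWED_FORWARD))
    print("symmetric, default chain  :", symmetric_case(DEFAULT_FORWARD))
```

The ordering matters exactly as sindy's place-before expresses it: the bridge-to-bridge accept has to sit above "drop invalid", since the first matching rule decides the verdict. Note that the accept is deliberately narrow (same in- and out-interface, TCP only), so it does not weaken the invalid-drop for traffic crossing the WAN.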
 
sbotnick
just joined
Topic Author
Posts: 20
Joined: Fri Apr 21, 2017 10:54 pm

Re: NAT problem with host's internal traffic using route marking.

Fri Apr 30, 2021 5:48 am

Thanks for the input, sindy. I upgraded from 6.48.1 to 6.48.2 today and the problem changed character. Unfortunately, I hadn't applied the suggested filter before the upgrade, but did after the upgrade and it doesn't appear to be catching any traffic. Following the upgrade, ICMP is working with no redirect messages and TCP is sort of working. Handshakes complete, connections are established and I see some packets flowing in both directions but the sessions eventually die. I enabled logging on all the firewall drop rules and they are not catching any of the traffic of interest. Not sure where to look next.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT problem with host's internal traffic using route marking.

Fri Apr 30, 2021 8:15 pm

I'd have to see the actual configurations to suggest something more.
