Community discussions

MikroTik App
  4. RouterOS
  5. General

Unexpected NAT behaviour when a port flaps

Post Reply
 
gosoft
just joined
Topic Author
Posts: 1
Joined: Mon May 24, 2021 11:36 am

Unexpected NAT behaviour when a port flaps

Mon May 24, 2021 12:42 pm

Hi,
I have notices a bit unusual behavior with NAT, running RouterBOARD 962UiGS-5HacT2HnT with RouterOS 6.48.2 in simple home office setup: WAN, and bridge interface to some LAN port and wifi.

I do have NAT:
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=8.9.10.11 dst-port=22 in-interface=ether1 protocol=tcp to-addresses=192.168.88.100
And what I have seen, that when is SSH session established from an IP in the internet 1.2.3.4, as example, to public IP 8.9.10.11, and I do flap (disable and then enable) interface to server 192.168.88.100, then source IP 1.2.3.4 is unable to establish SSH to that server anymore. I have run packet sniffer. On ether1 port are visible packets source 1.2.3.4 destination 8.9.10.11:22 RX only.
On bridge interface are visible packets source 1.2.3.4 destination 192.168.88.100:22 TX and in opposite direction source 192.168.88.100:22 destination 1.2.3.4 RX. Such returning packets are not visible on ether1 (wan port).

After port flap to server, from any other public IP service SSH is still accessible, except from 1.2.3.4. I have tied to clear connection table, waiting few days, only finding how to fix this issue is reboot of device. ARP record is there, ping to server from router works, access to SSH from other IP works, access to server via IPSec tunnel works as well, only source in the internet 1.2.3.4 could not reach SSH service any more.

Have you encounter similar issue? Or do I have incorrect NAT configuration?
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Unexpected NAT behaviour when a port flaps

Mon May 24, 2021 1:29 pm

If you have destination address then you dont need in-interface, try removing that first.

also, you may be running into hairpin nat or loopback which is when a user on the same subnet as the server attempts to reach the server via the public wanip.
In your case simply add a source nat rule prior to the exisiting rule
add chain=srcnat action=masquerade dst-address=192.168.88.0/24 src-address=192.168.88.0/24
Top
 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Unexpected NAT behaviour when a port flaps

Tue May 25, 2021 9:01 am

On ether1 port are visible packets source 1.2.3.4 destination 8.9.10.11:22 RX only.
On bridge interface are visible packets source 1.2.3.4 destination 192.168.88.100:22 TX and in opposite direction source 192.168.88.100:22 destination 1.2.3.4 RX. Such returning packets are not visible on ether1 (wan port).
On ether1, you should see them with source 8.9.10.11, but I believe you just took that for obvious and didn't write that explicitly.

What does /ip firewall connection print detail where dst-address~"8.9.10.11:22" show before and after the flap?
Top
Post Reply

Who is online

Users browsing this forum: CryptoCurrencyDyday, K0NCTANT1N, triss and 65 guests
  4. RouterOS
  5. General