icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

NAT Issue with src-nat <> srcnat?

Mon Jul 26, 2021 4:21 pm

Hi,

I have noticed for some time now that cloud core routers CCR1009-7G & 8G are experiencing inoperable conditions with src-nat (action) <> srcnat (chain). The NAT table has >500 entries and issues begin when adding new src-nat <> srcnat addresses.

e.g.
/ip firewall nat
add action=src-nat chain=srcnat comment=srv1.domain.com log-prefix=srv1.domain.com \
    out-interface=ether7 src-address=10.122.10.122 to-addresses=\
    200.200.9.9

When creating a new srcnat rule and the ID# is >100, then the src-nat <> srcnat no longer functions. If I copy a src-nat <> srcnat with a lower ID# (<100), then the src-nat <> srcnat functions as expected.

Is this a limitation or some odd caching issue?
Currently strict ordering is not applied. Do I need to apply and adhere to strict ordering?

~b10
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT Issue with src-nat <> srcnat?

Mon Jul 26, 2021 5:49 pm

Without seeing the full config it is hard to say.
Also, what do you mean by strict ordering?
In general all rules are matched in the order they are put on the router and thus order is important.
If you mean RP filter, it should be set to loose.

Why such a complicated source NAT rule?
Typically one doesn't need to delineate sources, as source NAT is NOT a routing mechanism.
One typically identifies on which (outbound) interfaces NAT should be applied.

Dynamic interfaces are typically set as src-nat / masquerade.
Static interfaces are typically set as src-nat / srcnat.
 
icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: NAT Issue with src-nat <> srcnat?

Mon Jul 26, 2021 5:58 pm

Hello,
 /ip settings
 rp-filter: no

I'm asking if strict ordering is required with larger NAT rule sets?
Yes, rules are matched in order, but please read my post with the issue at hand.
These are all NAT 1:1 static, yes.
I'm not sure where the complicated rule is that you mention?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT Issue with src-nat <> srcnat?

Mon Jul 26, 2021 6:27 pm

About /ip settings: set the rp-filter to loose.
It does not influence NAT, but do not use strict if you use routing tables or complex routing.

I have never had so many NAT rules on one device,
and I think that if I sum the NAT rules of all my network devices (excluding NAT on CPE),
I do not reach more than 100 rules.

Are all your rules like this?
add action=src-nat chain=srcnat comment=srv1 log-prefix=srv1 out-interface=ether7 src-address=10.122.10.121 to-addresses=200.200.9.1
add action=src-nat chain=srcnat comment=srv1 log-prefix=srv1 out-interface=ether7 src-address=10.122.10.122 to-addresses=200.200.9.2
add action=src-nat chain=srcnat comment=srv1 log-prefix=srv1 out-interface=ether7 src-address=10.122.10.123 to-addresses=200.200.9.3
add action=src-nat chain=srcnat comment=srv1 log-prefix=srv1 out-interface=ether7 src-address=10.122.10.124 to-addresses=200.200.9.4

Is it not better to do some netmap with only two rules? For example:
add action=netmap chain=srcnat src-address=10.122.10.0/24 to-addresses=200.200.9.0/24 out-interface=ether7
add action=netmap chain=dstnat dst-address=200.200.9.0/24 to-addresses=10.122.10.0/24 in-interface=ether7

or using an interval / multiple intervals:
add action=netmap chain=srcnat src-address=10.122.10.10-10.122.10.19 to-addresses=200.200.9.10-200.200.9.19 out-interface=ether7
add action=netmap chain=dstnat dst-address=200.200.9.10-200.200.9.19 to-addresses=10.122.10.10-10.122.10.19 in-interface=ether7

add action=netmap chain=srcnat src-address=10.122.10.44-10.122.10.244 to-addresses=200.200.9.44-200.200.9.244 out-interface=ether7
add action=netmap chain=dstnat dst-address=200.200.9.44-200.200.9.244 to-addresses=10.122.10.44-10.122.10.244 in-interface=ether7
 
icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: NAT Issue with src-nat <> srcnat?

Mon Jul 26, 2021 6:54 pm

Hi,

Yes, all NAT 1:1 rules are as you mention in your example. Total rules (including netmap <> dstnat) >500.
Yes, there are many, but they are required for WHM NAT 1:1, otherwise everything breaks. Have many clients on static MX and hosting services within WHM and other internal MX hosts.
These NAT rules then become unstable, especially after making firmware updates or rebooting; NAT gets a bit broken and I have to re-assign some src-nat <> srcnat rules.

WHM Basic Static Template, e.g.:
add action=src-nat chain=srcnat comment=srv1.domain.com log-prefix=srv1.domain.com out-interface=ether5 src-address=10.122.10.122 to-addresses=200.200.9.9
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=20 protocol=tcp to-addresses=10.122.10.122 to-ports=20
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=21 protocol=tcp to-addresses=10.122.10.122 to-ports=21
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=25 protocol=tcp to-addresses=10.122.10.122 to-ports=25
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=80 protocol=tcp to-addresses=10.122.10.122 to-ports=80
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=110 protocol=tcp to-addresses=10.122.10.122 to-ports=110
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=143 protocol=tcp to-addresses=10.122.10.122 to-ports=143
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=443 protocol=tcp to-addresses=10.122.10.122 to-ports=443
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=465 protocol=tcp to-addresses=10.122.10.122 to-ports=465
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=587 protocol=tcp to-addresses=10.122.10.122 to-ports=587
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=993 protocol=tcp to-addresses=10.122.10.122 to-ports=993
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=995 protocol=tcp to-addresses=10.122.10.122 to-ports=995
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=2080 protocol=tcp to-addresses=10.122.10.122 to-ports=2080
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=2083 protocol=tcp to-addresses=10.122.10.122 to-ports=2083
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=2087 protocol=tcp to-addresses=10.122.10.122 to-ports=2087
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=2096 protocol=tcp to-addresses=10.122.10.122 to-ports=2096

Last edited by icttech on Mon Jul 26, 2021 7:02 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT Issue with src-nat <> srcnat?

Mon Jul 26, 2021 7:00 pm

You can reduce, for example, all of that to:
add action=src-nat chain=srcnat comment=srv1.domain.com log-prefix=srv1.domain.com out-interface=ether5 src-address=10.122.10.122 to-addresses=200.200.9.9
add action=dst-nat chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=20,21,25,80,110,143,443,465,587,993,995,2080,2083,2087,2096 protocol=tcp to-addresses=10.122.10.122

If to-ports is the same as dst-port, do not set it.
Last edited by rextended on Tue Jul 27, 2021 6:34 pm, edited 4 times in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT Issue with src-nat <> srcnat?

Mon Jul 26, 2021 7:01 pm

Of course, WHM NAT; if only that was in the title or first post. ;-)
Zing, above my head. Curious though what scenario requires this amount of NATting. Is this a WISP or something larger??
 
icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: NAT Issue with src-nat <> srcnat?

Mon Jul 26, 2021 7:07 pm

Hi @rextended

Thanks, I will give that a go and start cleaning up. Will report back later.

regards,
 
icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: NAT Issue with src-nat <> srcnat?

Mon Jul 26, 2021 7:56 pm

Still an issue. If I delete a simple rule for a WHM host with a port 80, 443 rule and then apply the outlined suggestion, srcnat <> src-nat NAT 1:1 does not work (ends up with the router IP), observing the ID# set higher than the last dstnat rule for WHM.

I then copied rule ID#2, which created the new rule as ID#3 with the suggested config for srcnat <> src-nat, and WHM now complains "Not Routable" (this also appeared on that WHM host with many static hosts after that change to ID #3).

If I copy a srcnat rule with ID #58, then NAT 1:1 does work. It appears that with rp-filter=no (also tried loose), rules in NAT are still being forced by order somewhere.
 
icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: NAT Issue with src-nat <> srcnat?

Tue Jul 27, 2021 5:39 pm

Hi,

It appears that srcnat <> src-nat for hairpin NAT 1:1 has some sort of condition on order.

Can anyone elaborate?
Is this a bug?

If by design, then how can this condition be controlled?
Unfortunately, if I use @rextended's suggestion to streamline the NAT table, it breaks hairpin NAT 1:1 rules to hosts/devices and services.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT Issue with src-nat <> srcnat?

Tue Jul 27, 2021 6:36 pm

The rules obviously are ordered; for each chain the order matters.

Did you try this? Have you noticed that the 2nd rule is not a netmap but a dst-nat?
add action=src-nat chain=srcnat comment=srv1.domain.com log-prefix=srv1.domain.com out-interface=ether5 src-address=10.122.10.122 to-addresses=200.200.9.9
add action=dst-nat chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=20,21,25,80,110,143,443,465,587,993,995,2080,2083,2087,2096 protocol=tcp to-addresses=10.122.10.122
Last edited by rextended on Tue Jul 27, 2021 6:37 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT Issue with src-nat <> srcnat?

Tue Jul 27, 2021 6:37 pm

Hairpin NAT is for the unique case of servers and users and is only needed when one hosts a server on the same subnet as the users who want/need to access the server AND.....
the admin is forcing them to use the public IP address to reach the server, versus the cleaner LAN IP!!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT Issue with src-nat <> srcnat?

Tue Jul 27, 2021 6:40 pm

Really, I did not check in this case what those rules do...

Simply, I simplify in a simple way what is simply simplifiable...

Netmap is only for creating a static 1:1 mapping of one set of IP addresses to another one.
For example, it can be used to distribute public IP addresses to hosts on private networks.
It is the first time I see netmap used for "open ports"; probably all the 100 netmap rules are wrong...
and that is why it does not work as expected (only) for @icttech.
 
icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: NAT Issue with src-nat <> srcnat?

Tue Jul 27, 2021 7:07 pm

Yes, used action=dst-nat chain=dstnat and that order ID does not matter. It seems as soon as the order ID for srcnat reaches a higher ID than the lowest dstnat ID, then it breaks.
Does this mean every time I need to add a single NAT 1:1 rule, I have to wipe the NAT table and then add all srcnat first, then dstnat (>500)?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT Issue with src-nat <> srcnat?  [SOLVED]

Tue Jul 27, 2021 7:17 pm

I quote myself....
The rules obviously are ordered; for each chain the order matters.

dstnat and srcnat are two different chains of the NAT,
like dstnat and srcnat on bridge,
like prerouting and output on raw,
like input, forward and output on filter,
like prerouting, input, forward, output, postrouting on mangle.

They are on the same tab, but the order matters only within the same chain and is independent from other chains.
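The two points made in this thread, that rule order only matters within one chain (so a srcnat rule numbered after dstnat rules is not "behind" them) and that a run of per-port dstnat rules for one host collapses into a single dst-nat rule with a port list, can be checked offline against an export. The script below is an added example written for this thread, not RouterOS code or anything from the posters; it parses `add ...` lines from a constructed sample export in the WHM template style shown above (host names, addresses and ports are made up), groups them per chain, merges the per-port rules as rextended suggested, and verifies that every 1:1 srcnat mapping has a dstnat rule back to the same host. The continuation-line handling, the merge rule and the pairing check are my assumptions about how such an export should be read, not a router feature.

```python
"""Parse RouterOS '/ip firewall nat' export lines, show per-chain ordering,
and consolidate per-port dstnat rules into one dst-nat rule with a port list.
Added example for this thread; it is not RouterOS code and never touches a router."""
import re
from collections import defaultdict

# Constructed sample export in the WHM 1:1 template style posted above: two hosts,
# each with one srcnat rule and a few per-port dstnat netmap rules. The second
# srcnat rule sits *after* the first host's dstnat rules, the placement the
# original poster thought was breaking NAT.
SAMPLE_EXPORT = """\
add action=src-nat chain=srcnat comment=srv1.domain.com out-interface=ether5 src-address=10.122.10.122 to-addresses=200.200.9.9
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=25 protocol=tcp to-addresses=10.122.10.122 to-ports=25
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=80 protocol=tcp to-addresses=10.122.10.122 to-ports=80
add action=netmap chain=dstnat comment="srv1.domain.com" dst-address=200.200.9.9 dst-port=443 protocol=tcp to-addresses=10.122.10.122 to-ports=443
add action=src-nat chain=srcnat comment=srv2.domain.com out-interface=ether5 src-address=10.122.10.123 to-addresses=200.200.9.10
add action=netmap chain=dstnat comment="srv2.domain.com" dst-address=200.200.9.10 dst-port=80 protocol=tcp to-addresses=10.122.10.123 to-ports=80
"""

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_rules(text):
    """Return a list of dicts, one per 'add ...' line, in table order.
    Export continuation lines (trailing backslash) are joined first."""
    text = re.sub(r"\\\n\s*", "", text)
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return rules


def by_chain(rules):
    """Group rules per chain, keeping each rule's position in the whole table.
    Only the relative order *inside* one chain is what the router evaluates;
    a srcnat rule numbered after dstnat rules is not shadowed by them."""
    chains = defaultdict(list)
    for pos, rule in enumerate(rules):
        chains[rule.get("chain", "?")].append((pos, rule))
    return chains


def consolidate_dstnat(rules):
    """Merge dstnat rules that differ only in dst-port into one dst-nat rule
    with a comma-separated port list, dropping to-ports when it equals
    dst-port. Assumes (as in a 1:1 template) that no other dstnat rule between
    the merged ones matches the same dst-address, so pulling the ports up to
    the first rule does not change which rule wins."""
    merged, index = [], {}
    for r in rules:
        if (r.get("chain") != "dstnat" or r.get("action") not in ("netmap", "dst-nat")
                or "dst-port" not in r
                or r.get("to-ports", r["dst-port"]) != r["dst-port"]):
            merged.append(dict(r))           # not a plain port forward: keep as is
            continue
        key = tuple(r.get(k) for k in ("dst-address", "protocol", "to-addresses", "in-interface"))
        if key in index:
            index[key]["dst-port"] += "," + r["dst-port"]
        else:
            new = {k: v for k, v in r.items() if k != "to-ports"}
            new["action"] = "dst-nat"
            index[key] = new
            merged.append(new)
    return merged


def check_pairs(rules):
    """For 1:1 NAT every public address used by a srcnat rule should be mapped
    back to the same internal host by a dstnat rule, and vice versa."""
    src = {r["to-addresses"]: r["src-address"] for r in rules
           if r.get("chain") == "srcnat" and "src-address" in r and "to-addresses" in r}
    dst = {r["dst-address"]: r["to-addresses"] for r in rules
           if r.get("chain") == "dstnat" and "dst-address" in r and "to-addresses" in r}
    problems = []
    for pub, host in src.items():
        if dst.get(pub) != host:
            problems.append(f"srcnat {host} -> {pub} has no dstnat rule back to {host}")
    for pub, host in dst.items():
        if src.get(pub) != host:
            problems.append(f"dstnat {pub} -> {host} has no srcnat rule for {host}")
    return problems


def render(rule):
    """Turn a rule dict back into an 'add ...' line."""
    return "add " + " ".join(f'{k}="{v}"' if " " in v else f"{k}={v}" for k, v in rule.items())


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_EXPORT)
    for chain, entries in by_chain(rules).items():
        print(chain, "positions:", [pos for pos, _ in entries])
    for rule in consolidate_dstnat(rules):
        print(render(rule))
    print("pairing problems:", check_pairs(rules) or "none")
```

Run it against a real `/ip firewall nat export` pasted into `SAMPLE_EXPORT`: the per-chain position lists make it visible that srcnat and dstnat are walked separately, and the consolidated output is what you would paste back, after reviewing it, in place of the per-port netmap rules.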
 
icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: NAT Issue with src-nat <> srcnat?

Tue Jul 27, 2021 7:30 pm

Hello again,
OK, so I have to wipe and recreate all NAT rules chain by chain to make any additions.
Thank you.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT Issue with src-nat <> srcnat?

Tue Jul 27, 2021 7:33 pm

The rules on WinBox are drag & droppable
and on the CLI are movable...

After a print,
move 125 destination=20
moves rule number 125 just before rule 20.
 
icttech
newbie
Topic Author
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: NAT Issue with src-nat <> srcnat?

Tue Jul 27, 2021 7:42 pm

CLI move really helps, but I have some CCR8Gs and CCR7Gs where drag & drop of NAT rules does not work, all on v6.48.3.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NAT Issue with src-nat <> srcnat?

Wed Jul 28, 2021 10:11 am

Try to contact support@mikrotik.com for the bug tracker, thanks.
