dst-nat not working quite as I'd expect it

posix · Mon Jun 21, 2010 12:28 am

I have a NAT-ed network.
I'm trying to forward all or some outgoing web traffic (port 80) for users in a specific address list to an internal web server where I can display some custom messages. It sort of works but not as I'd expect it.
Here is the rule

chain=dstnat action=dst-nat to-addresses=10.99.1.99 to-ports=80
protocol=tcp src-address=10.0.0.0/8 src-address-list=Small_user
dst-port=80 random=3

What it should do is every 100/3 = 33rd connection redirect to internal web server. It does that just fine. But the problem is that it redirects ALL users, not just the ones in Small_user list (firewall/Address lists).
What I have in Address lists is 20-30 Normal_user entries and everyone else defined as 10.0.0.0/8 being Small_user.
What's wrong with this setup? I only want the unregistered addresses to land on the internal web server.

Thanks for your help in advance!

Pele

Pada · Mon Jun 21, 2010 12:42 am

Do you already run a Transparent Proxy?

The problem with the 10.0.0.0/8 would be that would include the router's own IP address too (10.0.0.1), which is probably why it redirects all the users.

martini · Mon Jun 21, 2010 12:54 am

leave only src-address-list match in firewall dst-nat rule

posix · Mon Jun 21, 2010 10:17 am

sorry that was a mistake, I was experimenting with src-address and in-interface so that bit was left over. it behaves exactly the same with and without src-address=10.0.0.0/8

posix · Tue Jun 22, 2010 1:06 am

bump

does anyone have this working? it pretty much the same as that smtp-forward example in the wiki. but it doesn't work!

fewi · Tue Jun 22, 2010 1:29 am

Please post the output of "/ip firewall nat export" and "/ip firewall address-list export".

posix · Tue Jun 22, 2010 1:54 am

Here you go
Please note the rule in question is the first dst-nat rule and it's currently DISABLED
NAT:
#######################################################
# jun/22/2010 00:46:32 by RouterOS 5.0beta3
# software id =
#
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp random=\
3 src-address=10.0.0.0/8 src-address-list=Small_user to-addresses=\
10.99.1.99 to-ports=80
add action=masquerade chain=srcnat disabled=no out-interface=eoip-one \
src-address=10.0.0.0/8
add action=masquerade chain=srcnat disabled=no out-interface=eoip-two \
src-address=10.0.0.0/8
add action=dst-nat chain=dstnat disabled=no dst-address=111.111.111.111 \
dst-port=80 protocol=tcp to-addresses=10.1.1.1 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-address=111.111.111.111 \
dst-port=3389 protocol=tcp to-addresses=10.1.1.1 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=222.222.222.222 \
dst-port=3389 protocol=tcp to-addresses=10.1.1.1 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=222.222.222.222 \
dst-port=3388 protocol=tcp to-addresses=10.1.1.34 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=111.111.111.111 \
dst-port=18630 protocol=tcp to-addresses=10.1.1.1 to-ports=18630
add action=dst-nat chain=dstnat disabled=no dst-address=111.111.111.111 \
dst-port=53 protocol=udp to-addresses=10.1.1.1 to-ports=53
add action=dst-nat chain=dstnat disabled=no dst-address=111.111.111.111 \
dst-port=25 protocol=tcp to-addresses=10.1.1.1 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=111.111.111.111 \
dst-port=143 protocol=tcp to-addresses=10.1.1.1 to-ports=143
add action=accept chain=srcnat disabled=yes dst-port=25 protocol=tcp \
src-address=10.1.1.1
add action=dst-nat chain=dstnat disabled=no dst-address=111.111.111.111 \
dst-port=443 protocol=tcp to-addresses=10.1.1.250 to-ports=443
#######################################################

Address List
#######################################################
# jun/22/2010 00:46:41 by RouterOS 5.0beta3
# software id =
#
/ip firewall address-list
add address=10.0.0.0/8 disabled=no list=Small_user
add address=10.1.1.71 disabled=no list=Business_user
add address=10.1.1.72 disabled=no list=Business_user
add address=10.1.1.73 disabled=no list=Business_user
add address=10.1.1.74 disabled=no list=Business_user
add address=10.1.1.75 disabled=no list=Business_user
add address=10.1.1.117 comment=" " disabled=no list=Normal_user
add address=10.1.1.199 disabled=yes list=Normal_user
add address=10.1.1.173 comment=" " disabled=no list=Normal_user
add address=10.1.1.221 comment=" " disabled=no list=Normal_user
add address=10.1.1.157 comment=" " disabled=no list=Normal_user
add address=10.1.1.114 comment=" " disabled=no list=Normal_user
add address=10.1.1.164 comment=" " disabled=no list=Normal_user
add address=10.1.11.100 comment=" " disabled=no list=Normal_user
add address=10.1.12.251 comment=" " disabled=no list=Normal_user
add address=10.1.18.121 comment=" " disabled=no list=Normal_user
add address=10.1.19.137 comment=" " disabled=no list=Business_user
add address=10.1.16.241 comment=" " disabled=no list=Normal_user
add address=10.1.21.233 comment=" " disabled=no list=Normal_user
add address=10.1.21.253 comment=" " disabled=no list=Normal_user
add address=10.0.21.100 disabled=yes list=Normal_user
add address=10.1.1.1 disabled=no list=Servers
add address=10.1.1.2 disabled=yes list=Servers
add address=10.1.1.250 disabled=no list=Servers
add address=10.1.16.254 comment=" " disabled=no list=Normal_user
add address=10.1.22.100 comment=" " disabled=no list=Normal_user
add address=10.1.30.254 comment=" " disabled=no list=Normal_user
add address=10.0.18.100 comment=" " disabled=no list=Normal_user
add address=10.1.1.161 comment=" " disabled=no list=Business_user
add address=10.1.1.78 disabled=no list=Normal_user
add address=10.1.1.190 disabled=no list=Normal_user
add address=10.1.1.188 comment=" " disabled=no list=Normal_user
add address=10.1.12.252 comment=" " disabled=no list=Normal_user
add address=10.1.11.101 comment=" " disabled=no list=Normal_user
add address=10.1.1.34 disabled=yes list=Servers
add address=10.1.1.196 comment=" " disabled=no list=Normal_user
add address=10.1.1.232 comment=" " disabled=no list=Normal_user
add address=10.0.18.19 disabled=yes list=Servers
add address=10.1.1.30 disabled=yes list=Servers
#######################################################

fewi · Tue Jun 22, 2010 1:59 am

/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp random=\
3 src-address=10.0.0.0/8 src-address-list=Small_user to-addresses=\
10.99.1.99 to-ports=80

/ip firewall address-list
add address=10.0.0.0/8 disabled=no list=Small_user

I don't see what the problem is. The router is doing exactly what you're telling it to, which is to redirect people whose source address matches 10/8 with a chance of 3%. You're specifically telling it to do that twice, once via a match on src-address and then again with a match on a source address list that contains only 10/8.

If you only want a few people to see the redirect you'll have to specify a source address list that doesn't encompass the entire 10/8 space, but rather has many entries for /32s. I don't understand what you mean by 'unregistered' user in your original post. Are you referring to anyone not on ANY ONE of the other address lists (Normal_user, Business_user, Servers)? You could make that work with a custom chain you bail out of:

/ip firewall nat
add action=jump chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=10.0.0.0/8 jump-target=randomRedirect comment="everyone on 10/8 gets investigated on whether they should be redirected"
add action=return chain=randomRedirect src-address-list=Business_user comment="abort if they are on the Business_user list"
add action=return chain=randomRedirect src-address-list=Normal_user comment="abort if they are on the Normal_user list"
add action=return chain=randomRedirect src-address-list=Servers comment="abort if they are on the Servers list"
add action=dst-nat chain=randomRedirect random=3 to-address=10.99.1.99 to-ports=80 comment="everyone still left is unregistered and has a 3% chance of seeing a redirect"

That first rule (the one in the dstnat chain) should again go to the top of everything.

If that still doesn't help you, please describe in detail what you are trying to achieve.

posix · Tue Jun 22, 2010 2:16 am

I think you hit the nail on the head with your custom chain.
Basically I want to redirect everyone who is NOT in the Business, Normal or Server list. So that means Small_users. But I guess my dst-nat rule was just too simple.
Funny but my queue tree works fine with the exact same address list. Business, Normal, Server and Small users get their respective queues with their own bandwidths and priorities. That works just fine. But the dst-nat doesn't... hmmm?

I'll implement your custom chain but just by looking at it I suspect it will work just the way I want it. Thank you!

fewi · Tue Jun 22, 2010 2:21 am

That should work then, yes.

Order matters. In simple queues there's only one action (rate limit) so if you have more specific entries that match at the top of the list anyone that falls through to the bottom is caught by a very generic entry (such as an address list containing just 10/8) those entries will be caught by that list. Additionally, there's just one list - the list of queues.

You can't apply that to a situation where there's many lists (many chains) and many actions, and particularly not if you put the extremely broad filter (10/8) right at the top instead of putting it at the bottom.

posix · Tue Jun 22, 2010 3:29 am

And indeed, I've implemented it and it's working. Working just fine!
Thanks a lot!

dst-nat not working quite as I'd expect it

dst-nat not working quite as I'd expect it

Re: dst-nat not working quite as I'd expect it

Re: dst-nat not working quite as I'd expect it

Re: dst-nat not working quite as I'd expect it

Re: dst-nat not working quite as I'd expect it

Re: dst-nat not working quite as I'd expect it

Re: dst-nat not working quite as I'd expect it

Re: dst-nat not working quite as I'd expect it

Re: dst-nat not working quite as I'd expect it

Re: dst-nat not working quite as I'd expect it

Re: dst-nat not working quite as I'd expect it

Who is online