neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Trouble figuring out port forwarding and NAT

Thu Apr 19, 2012 8:26 pm

Here's the scenario;

ISP has given us a block of IP addresses which we will call 13.14.15.16/29. ISP gateway is at .17. RB1100AH at .18, on a port we renamed "wan1". Usable IP addresses after that are 13.14.15.19, 13.14.15.20, 13.14.15.21, 13.14.15.22

Internal network is 10.0.16.0/21. RB1100AH is at 10.0.16.1 on a port we renamed "lan1".

We have an Asterisk PBX at 10.0.19.50 and several phones connecting to it (internally and externally, but internal connections are the most important). Ports 5060 and 10000-20000 need to be forwarded to the box from 13.14.15.19 to 10.0.19.50 and proper NAT happening. The Asterisk box is NAT aware and basically working since a 1:1 map from 13.14.15.19<>10.0.19.50 on a Cisco 2801 worked absolutely perfectly. However that hardware died horribly, and we replaced it with something we thought would be more flexible (the RB1000AH).

Every device on the internal network (10.0.16.0/21) needs to be src-natted out to the rest of the world. Masquerading won't work here. We will give them a single static IP in the block for the general "boxes want to talk to the rest of the world" scenario, and let's say this is going to be 13.14.15.22.

Some special cases should be forwarded to ports at the other addresses: we have several SSH connections that need to stay publicly accessible on port 22 for various reasons, and a couple of web interfaces for our staff worldwide.

I'm pretty good with iptables and am a Linux kernel developer and maintainer. But this is really perplexing me. And I have some questions, some RouterOS specific (we're running 15.14 or 6.0beta1), some packet flow specific.

* what's the best way to use these IP addresses at the router? My initial instinct is to give the router the .18 public address and use the prerouting chain with redirect to get packets into the right places. There's absolutely no need for the router to listen on these addresses, right? And as far as I am concerned no actual routing table needs to be set up since the src-nat/dst-nat will handle it once it's gotten past the prerouting chain rewrite.

* is there a fairly reasonable way of disabling/not listening the RouterOS services (winbox, web proxy, dns etc.) on the PUBLIC interface? For instance it only needs to work from inside the LAN, but it exposes open ports on the public interface too. Rather than manually firewall these ports by resetting when they're accessed, I'd rather they didn't listen on WAN addresses at all. I did add "available from" fields but it doesn't seem to have any effect in this regard (I can still see it from outside, even if I can't connect externally, just it gives everyone on the internet a quick way of finding out that it's a RouterOS product since the winbox port is there).

* isn't RouterOS firewall backed by iptables in the Linux kernel? In this case why do we have separate "Filter" and "NAT" rules when iptables rules in general can be combined? Is it just that the NAT part of the firewall is explicitly set to the pre/postrouting chains for simpler rule setup or is there a more nefarious purpose?

So the big question is, what would be the correct way to set up filter and nat entries for;

* SNAT (NOT masquerade, bound to an IP address and NOT an interface) for all devices in the network worth SNATing out to a single address (which is basically everything, but since all the phone hardware is on the 10.0.19.x part of the network and only 10.0.19.50 needs to be forwarded from the public address, maybe excluding that subnet)

* Either a netmap 1:1 for the PBX to resolve all the weird NAT issues with SIP/RTP or comprehensive port forwarding without using the (broken) SIP ALG (although I have experience that says the ip_conntrack_sip/ip_nat_sip modules work fine!) such that the PBX's external IP is 13.14.15.19 any way you look at it

* port forwarding to any other box, on any other IP address (including the router's address) without anything but the router's address assigned to the wan1 port. The intent would be to have some kind of paucity of IP addresses in use, ostensibly for later expansion, since it doesn't make sense to use 4 perfectly valid IP addresses outside of the router address to forward SSH, when you can't access the router SSH from the outside anyway, to make say 10.0.17.30:22 accessible from the outside as 13.14.15.18:22 replacing the router SSH with an internal box's SSH

Our current setup, which I am not going to post here unless absolutely necessary, is basically a netmap 1:1 to the PBX but the PBX external IP (whatsmyip.com result) ends up on the SNAT for the rest of the network, and it refuses to register on the external SIP provider because of it. Adding a specific SNAT rule for the PBX fixes its IP address as viewed by the rest of the world, but I would have thought a netmap wouldn't need that (it's specifically rewriting the headers for those two directions anyway). The separation of "firewall" and "nat" rules is getting in the way of me writing some iptables rules and then converting them to RouterOS entries.

Any advice anyone can give would be much appreciated.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Trouble figuring out port forwarding and NAT

Thu Apr 19, 2012 10:55 pm

Everything that you are looking to do is fairly easy and straightforward. Here are the basic steps that will get you started and most of the way there.

Assign the IPs you want the RouterBoard to listen on, forward, or NAT out of.
/ip address
# interface names are case-sensitive; the WAN port in this thread is named "wan1"
add address=13.14.15.18/29 interface=wan1
add address=13.14.15.19/29 interface=wan1
add address=13.14.15.20/29 interface=wan1
add address=13.14.15.21/29 interface=wan1
add address=13.14.15.22/29 interface=wan1
Then you want one-to-one NAT with the PBX:
/ip firewall nat
# dst-nat rewrites the destination of inbound packets, src-nat the source of the PBX's outbound packets
add action=dst-nat chain=dstnat dst-address=13.14.15.18 to-addresses=10.0.19.50
add action=src-nat chain=srcnat src-address=10.0.19.50 to-addresses=13.14.15.18
You also want to NAT everything else out of .22. Also set up your SSH forwarding and others in the dstnat chain like above.
/ip firewall nat
add action=src-nat chain=srcnat src-address=10.0.16.0/21 to-addresses=13.14.15.22
add action=dst-nat chain=dstnat dst-address=13.14.15.19 protocol=tcp dst-port=22 to-addresses=10.0.17.30
add action=dst-nat chain=dstnat dst-address=13.14.15.19 protocol=tcp dst-port=80 to-addresses=10.0.19.48
.....
There can sometimes be problems with forwarding active service ports over NAT to another device, though it usually works fine. If it becomes a problem, disable the service on the router, or change the port it listens on. To prevent access to services that you have running on the router from the outside world, set up a firewall and block them. One of the most effective ways of doing so is this:
/ip firewall filter
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Accept everything from known IP Addresses" disabled=no src-address-list=known
add action=accept chain=input comment="Accept Pings" disabled=no limit=50/5s,2 protocol=icmp
add action=accept chain=input comment="Accept Winbox" disabled=no dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop everything else" disabled=no
Only services you explicitly allow between the "drop invalid connections" and "drop everything else" rules will be allowed. You can narrow down rules by specifying in-interfaces as well so it becomes more restrictive. Keep in mind firewall rules are all processed in the order that they appear within the same chain. So if one rule is not doing what you expect or you don't see its counter incrementing, that means a more general rule further up the chain is likely catching it.
 
neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Re: Trouble figuring out port forwarding and NAT

Fri Apr 20, 2012 3:13 am

So this is pretty much what we had in there from the day we got the router, this is exactly what I expected it would be with the following weirdo problem; counters never move (not a single packet is matched) for the src-nat rule for the PBX.
add action=src-nat chain=srcnat src-address=10.0.19.50 to-address=13.14.15.18
Which means incoming calls don't work. The SIP registration goes out fine, the SIP server in "the cloud" says we're registered fine, but if I drill down the reply dst address in the packet is set to 13.14.15.22 which is absolutely not what I would expect here, since the src-nat rule for the PBX is in front of it. Any access from the PBX to the internet (typing "what's my ip address" into Google's search box is a good test) says .22 and not .19. This is basically the source of our problem with the PBX (among other things we'd prefer not to have a 1:1 mapping, and just port forwarding, but that seems to be basically not workable).

Just to reiterate, the first thing we did was disable the SIP ALG, and pretty much the exact same 1:1 mapping worked fine on Cisco IOS before (something like ip nat pool wan-19 13.14.15.19 prefix-length 29, ip nat source 13.14.15.19 10.0.19.50 extendable route-map - I would have to take the CF card out of it and get the config back since I can't boot the router anymore..) and before it started to die last week, we did have incoming and outgoing calls working with this setup.. just not with the RB1100AH.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Trouble figuring out port forwarding and NAT

Fri Apr 20, 2012 6:25 pm

Please post your firewall rules with "/ip firewall export". If the rules aren't firing and incrementing there are a few potential causes.

The first most likely one is that there is a rule further up the chain that is already matching them, so they never reach the more specific rule for the PBX. Remember, firewall rules are processed in order, so their placement in the chain is very important. Once a packet matches one rule, it is not processed by other rules within that chain.

The second potential is that your firewall rule is too narrow so it is missing what you want, not likely based off of what you said.

The last option is that there is a filter rule that is explicitly blocking/dropping those packets. Depending on your expected behavior and where your rules are this could be the problem.
http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram
 
neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Re: Trouble figuring out port forwarding and NAT

Fri Apr 20, 2012 7:31 pm

That's the problem; I get where the rules would go if I even had any, but these are so very basic I can't understand why they'd fail. If I add anything on top they invariably work to some degree or not at all, and the reason is just lost somewhere. This is what's running and as you can see it's basically only the NAT portions as above (I didn't even bother with securing it yet).
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=13.14.15.19 to-addresses=10.0.19.50
add action=src-nat chain=srcnat disabled=no src-address=13.14.15.19 to-addresses=10.0.19.50
add action=dst-nat chain=dstnat disabled=no dst-address=13.14.15.20 dst-port=22 protocol=tcp to-addresses=10.0.17.30
add action=src-nat chain=srcnat disabled=no src-address=10.0.16.0/21 to-addresses=13.14.15.22
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=yes
All I can think is perhaps the top two rules are backwards (src before dst nat is more correct? it doesn't seem to make any difference to the counters).

Maybe I should also use src-address-list for the final src-nat for .22 and specifically exclude 10.0.19.x?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Trouble figuring out port forwarding and NAT

Fri Apr 20, 2012 8:03 pm

SRC and DST nat are different chains and processed at different times, so they don't affect each other with order. Your src-nat rule is messed up for the PBX. You want to src-nat the private IP address of the PBX out of a public IP, this means your src-address needs to be the private IP address of the PBX, and the to-address needs to be the public IP you want to send it out of.
 
neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Re: Trouble figuring out port forwarding and NAT

Fri Apr 20, 2012 9:38 pm

add action=dst-nat chain=dstnat disabled=no dst-address=13.14.15.19 to-addresses=10.0.19.50
add action=src-nat chain=srcnat disabled=no src-address=10.0.19.50 to-addresses=13.14.15.19
add action=dst-nat chain=dstnat disabled=no dst-address=13.14.15.20 dst-port=22 protocol=tcp to-addresses=10.0.17.30
add action=src-nat chain=srcnat disabled=no src-address=10.0.16.0/21 to-addresses=13.14.15.22
Notwithstanding that, fixed as above, it still doesn't work.. src-nat is counting packets (exactly TWO go out every time I restart the PBX, one to register with the incoming SIP provider, one for the outgoing SIP provider :) but for some reason nothing ever appears when our incoming SIP provider tries to call us.

I'm going to kick around in our Asterisk settings and see what's going on there, and confirm everything with our engineer who set up the PBX.. thanks for your help so far, but we're not done yet I fear :/
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Trouble figuring out port forwarding and NAT

Fri Apr 20, 2012 9:54 pm

What IP addresses do you have assigned to the WAN interface of the router? Any IP address that you want to NAT out of or forward for needs to be assigned to the router. If you don't have the address assigned it won't know to listen on that address.
 
neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Re: Trouble figuring out port forwarding and NAT

Sat Apr 21, 2012 10:37 pm

All of them (.18-.22) although my gut says don't assign anything but .18 (for the router), use iptables prerouting chain to make them available before the nat chains run (which is post-prerouting and pre-forward/input chains).
 
neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Re: Trouble figuring out port forwarding and NAT

Sun Apr 22, 2012 12:39 am

What I'm having real trouble with right now is how do I do the same filter rules (accept certain connection states, accept valid ports, drop everything else) for one of the other IPs? Nothing I do, no chain, no nothing, seems to affect anything but the .18 address and the chain=input rules break if you specify a dst-address.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Trouble figuring out port forwarding and NAT

Sun Apr 22, 2012 4:08 pm

You don't need to touch anything in mangle at all for an IP address to work. Mangle is used for policy based routing functions, and QoS mainly. Only if you had multiple routing tables setup like in a failover or load balancing situation would you need it. And the only reason why you would need it then is to mark packets coming in on one connection so the router remembers to send packets back on another connection.

If it's not responding to anything other than .18, what you can do is run torch on your WAN interface to see if the traffic is even getting there. That is a tool built into RouterOS. The only thing that is basically left at this point is your ISP. You can try restarting your modem from them to see if that helps and clears the ARP table, if not then you will need to call them. Some ISPs have problems giving out multiple IP addresses to the same MAC address.
 
neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Re: Trouble figuring out port forwarding and NAT

Sun Apr 22, 2012 5:55 pm

Just as a curiosity what would be the correct ruleset to only allow ports 5060 and 10000-20000 udp through to .19 or 10.0.19.50 from outside, and drop everything else if it's not from the internal network? I'm checking my work just to be sure.

If I give any of the current rules a dst-address of anything (and I am running Torch and using those addresses that come in) it simply doesn't work.

So you think the router at the ISP (which ironically is an RB1100AH too) may not be doing something? I'm not sure how that would be, since all traffic gets in and out successfully. I mean, I can see the PBX from the outside, every port I want to not be visible (ssh etc.).
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Trouble figuring out port forwarding and NAT

Mon Apr 23, 2012 1:11 am

You just basically narrow down the NAT rules to only include the services/ports that you want. "protocol=udp port=5060,10000-20000" if I remember correctly.

The basic question to answer at this point is, "is the traffic even getting to your 1100AH from the outside world on those other IPs?" The simplest way to answer that is to just have all the IPs assigned to the router with the appropriate default gateway in your "/ip route" with no firewall rules at all, and ping each of the addresses from some outside source. If you get replies then you know the addresses are being routed properly and you can use them however you wish. If not, then there is something else going on. You can try pinging out of various addresses as well just to see if that works properly or not. Since you never see the rule increment at all from what you have told me, that means the traffic is never getting there to the router for it to process the packets, your rule is too narrow (not possible in this case with the rules given), or there is a typo in your rule (not very likely either based off of the information given).

If you see the traffic coming in via torch, and leaving (tx and rx) for a connection, but you never get a reply at your other end, then that means something upstream is blocking the return packets from getting where they need to be.
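The narrowed-down NAT rules Feklar describes here, together with the address assignments, one-to-one NAT and input filter from his first reply, pulled into one ruleset for the scenario in the opening post. This is an added example, not configuration posted in the thread; every address and interface name is taken from the thread, and the only assumption is that the ISP gateway 13.14.15.17 is the default route. It goes one step further than the thread by forwarding only the SIP and RTP ports instead of a blanket 1:1, so the remaining ports of .19 stay closed.

```routeros
# Added example, not from the thread: the OP's scenario written out as one
# RouterOS ruleset, using the names from the thread (wan1, lan1,
# 13.14.15.16/29 with the ISP gateway at .17, PBX at 10.0.19.50 behind
# 13.14.15.19, shared outbound address .22, SSH box 10.0.17.30 behind .20).
# Assumption: 13.14.15.17 is the default gateway.

# 1. Assign every public address the router must answer ARP for: the ones it
#    dst-nats to inside hosts and the ones it src-nats out of. An address
#    that is not assigned never reaches the NAT chains at all.
/ip address
add address=13.14.15.18/29 interface=wan1 comment="router itself"
add address=13.14.15.19/29 interface=wan1 comment="PBX public address"
add address=13.14.15.20/29 interface=wan1 comment="SSH to 10.0.17.30"
add address=13.14.15.22/29 interface=wan1 comment="shared outbound address"
/ip route
add dst-address=0.0.0.0/0 gateway=13.14.15.17

# 2. Keep the SIP helper off so SDP bodies are not rewritten behind the
#    PBX's back; the PBX is NAT-aware and handles that itself.
/ip firewall service-port
set sip disabled=yes

# 3. NAT. srcnat is walked top to bottom and the first match wins, so the
#    PBX rule must sit above the /21 catch-all or the PBX leaves as .22.
/ip firewall nat
add chain=srcnat out-interface=wan1 src-address=10.0.19.50 \
    action=src-nat to-addresses=13.14.15.19 comment="PBX out as .19"
add chain=srcnat out-interface=wan1 src-address=10.0.16.0/21 \
    action=src-nat to-addresses=13.14.15.22 comment="everything else as .22"
# dstnat: forward only SIP signalling and the RTP range, not a blanket 1:1.
add chain=dstnat in-interface=wan1 dst-address=13.14.15.19 protocol=udp \
    dst-port=5060,10000-20000 action=dst-nat to-addresses=10.0.19.50 \
    comment="SIP and RTP to the PBX"
add chain=dstnat in-interface=wan1 dst-address=13.14.15.20 protocol=tcp \
    dst-port=22 action=dst-nat to-addresses=10.0.17.30 comment="SSH to .30"

# 4. forward chain. dstnat has already run when forward is evaluated, so
#    these rules match the private 10.0.19.50, not the public 13.14.15.19.
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=lan1 action=accept comment="LAN may go out"
add chain=forward in-interface=wan1 protocol=udp dst-address=10.0.19.50 \
    dst-port=5060,10000-20000 action=accept comment="forwarded SIP/RTP only"
add chain=forward in-interface=wan1 protocol=tcp dst-address=10.0.17.30 \
    dst-port=22 action=accept comment="forwarded SSH only"
add chain=forward in-interface=wan1 action=drop comment="no other inbound"

# 5. input chain: the router's own services. Packets to .19 on ports that
#    were not dst-natted end up here, so this final drop is what closes
#    them; management is only reachable from the LAN side.
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=lan1 action=accept comment="manage from LAN"
add chain=input in-interface=wan1 protocol=icmp action=accept
add chain=input in-interface=wan1 action=drop comment="everything else"

# 6. Services listen on every assigned address, so the input drop above is
#    what actually hides them; additionally switch off the unused ones and
#    limit the rest to the LAN range.
/ip service
set winbox address=10.0.16.0/21
set ssh address=10.0.16.0/21
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
```

Paste it into a blank router in this order; the srcnat rule order is the one thing that, if reversed, reproduces the "PBX registers from .22" symptom from earlier in the thread.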
 
neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Re: Trouble figuring out port forwarding and NAT

Tue Apr 24, 2012 6:30 am

There's no problem with routing. It's something to do with the rules and the way they're interacting. I guess what we have right now is (I tried 5060,10000-20000 and also 5060 and 10000-20000 on separate rules btw)
filters:
     chain=forward action=accept protocol=udp src-address=10.0.19.50
     chain=forward action=accept protocol=udp dst-address=10.0.19.50 dst-port=5060
     chain=forward action=accept protocol=udp dst-address=10.0.19.50 dst-port=10000-20000
and in nat, the above. I can't imagine why it's not working. We've run everything from 5.8 (minimum on the RB1100AH) thru 5.15 (just released) to 6.0 betas and nothing works right. I can see packets going through on each rule with the counters (5060 is accessed, which means the external box talks to ours) and the PBX hasn't been touched since the Cisco incident, but something isn't getting through. I'm about to wireshark the whole thing and see what is really going on, but I kind of think there might be some fundamental, screwy bug forwarding and NATing UDP ports...
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Trouble figuring out port forwarding and NAT

Tue Apr 24, 2012 4:56 pm

Like I said, you can use the torch tool to see what is going on with traffic. It may not be able to give you as much information as Wireshark, but you don't need that level of information. You don't need explicit accept rules unless you have a catch-all drop rule, or if you are seeing if the filter is incrementing for that specific traffic.

What you need to see is the incoming connections, since you know what IP they are coming from and going to, you can narrow it down to only watch for those connections. First watch the WAN interface and see what traffic comes in from that IP. You will see if the router is receiving and transmitting. If it's receiving and not transmitting, then something is going on on the LAN of the router, and if it is receiving and transmitting then there is likely something upstream going on. Look at the LAN interface to the PBX and see if the router is sending and receiving traffic from that. If it is sending, but not receiving then the PBX is not doing something, if it is sending and receiving traffic, then there is something in the 1100 happening. Basically look at each stage of the connection with the torch tool and narrow down where the issue is happening.

We forward UDP all the time, while SIP is more sensitive to NAT, having one-to-one NAT setup usually solves any of those problems.
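Feklar's stage-by-stage torch procedure as concrete RouterOS commands, an added example rather than anything posted in the thread. The SIP provider's server address 198.51.100.5 is a constructed placeholder; wan1, lan1, 13.14.15.19 and 10.0.19.50 are from the thread.

```routeros
# Added example, not from the thread: the stage-by-stage check described
# above as RouterOS commands. 198.51.100.5 stands in for the SIP provider's
# server (constructed placeholder).

# Stage 1, wan1: does the provider's INVITE arrive at all, and does the
# router transmit anything back? Rx without Tx points at the LAN side or
# the rules; Rx and Tx both present points upstream.
/tool torch interface=wan1 src-address=198.51.100.5/32 \
    dst-address=13.14.15.19/32 ip-protocol=udp port=5060

# Stage 2, lan1: after dst-nat the same packet should leave towards the PBX
# and an answer should come back. Tx without Rx here means the PBX, not the
# router, is silent.
/tool torch interface=lan1 src-address=198.51.100.5/32 \
    dst-address=10.0.19.50/32 ip-protocol=udp port=5060

# Stage 3: which rules actually matched? Zero the counters, place one test
# call, then read them. A rule that stays at 0 is either shadowed by an
# earlier match in the same chain or never sees the traffic.
/ip firewall nat reset-counters-all
/ip firewall filter reset-counters-all
/ip firewall nat print stats
/ip firewall filter print stats where chain=forward

# Stage 4: what connection tracking recorded. An entry is only confirmed
# once the packet has made it through the forward chain, so a non-zero
# torch count with no entry here means a filter rule dropped it.
/ip firewall connection print where protocol=udp \
    dst-address~"13.14.15.19:5060"

# Stage 5: packet-level view on the router itself when counters are not
# enough, without taking a Wireshark capture off the box.
/tool sniffer quick interface=wan1 ip-address=198.51.100.5 port=5060
```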
 
neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Re: Trouble figuring out port forwarding and NAT

Thu Apr 26, 2012 5:26 pm

It got fixed; nobody knows how, but magically it started working one morning with 1:1 and then it magically worked forwarding the ports only for SIP/RTP on the box. Nothing's changed on any part of the system, although we did fix something after the fact to fix caller-id and now it works really well.

I'm still kind of at a loss as to why I need to define addresses on the router interface for all these ports to be NATed to the right boxes though. Surely DSTNAT and SRCNAT run in pre/postrouting and therefore long before any interface address is taken into consideration?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Trouble figuring out port forwarding and NAT

Thu Apr 26, 2012 5:48 pm

I'm glad it's working, though the problems that randomly fix themselves are the most annoying ones to deal with.

The answer to your question has to do with ARP and the traffic getting to the input interface before it can even get to pre/postrouting. When your upstream provider routes one of the IP addresses to you, if it doesn't have an ARP entry in its table for that IP address, it will send out a broadcast on the subnet and ask who owns that IP. If the router doesn't have that IP assigned to it, it will not reply to that saying it owns it and will therefore never get the traffic to dst-nat to the appropriate location. Similarly if it doesn't have the appropriate IP address assigned to it when doing a src-nat how can it use an address it doesn't own, and when the return traffic gets back, how can it accept traffic for an address it doesn't own?
http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram
 
neko
just joined
Topic Author
Posts: 13
Joined: Thu Apr 19, 2012 7:22 pm

Re: Trouble figuring out port forwarding and NAT

Sun May 13, 2012 2:50 am

Very good point, although I just had an idea about static ARP entries I should go bug the ISP about :)

Well I'm not going to mess with it, anyway.
