mag
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

NAT/masquerading question

Mon Mar 20, 2006 10:52 am

i can't see what is causing the following problem:

{LAN} -- (MT-router, ROS 2.9.17) -- {WAN}

using simple masquerading
chain=srcnat out-interface=to-wan src-address=10.10.1.0/24 action=masquerade
router has 10.10.1.1. now i do
ping www.heise.de src-address=10.10.1.1
193.99.144.85 ping timeout
193.99.144.85 ping timeout
3 packets transmitted, 0 packets received, 100% packet loss
and i'm sure this has been working before...

for clients on the LAN everything is working.
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Mon Mar 20, 2006 10:59 am

How should this work?

You are instructing your router to go out with its internal (!) ip address onto the internet - no way that http://www.heise.de (or someone else) will know how to route the answer packets to 10.10.1.1...

Just leave out the src-address in your ping command, and your router will use its public ip address as source and Everything Will Be Good (tm) ;)

Best regards,
Christian Meis
 
normis
MikroTik Support
Posts: 24433
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Mar 20, 2006 11:05 am

cmit is right. also i don't think you need src-address in your srcnat rule. what if you have other networks later?
 
mag
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Mon Mar 20, 2006 11:27 am

> How should this work?

Hm, i thought this should match the masquerading rule? Like for any other client on the internal side of NAT.

concerning the packet-flow diagram, i guessed it should go through
local -> output -> postrouting (src-nat/masquerading) -> ... -> out-interface
am i wrong?

@normis: in this particular case there are other subnets inside not allowed for internet. otherwise the rule should of course be (and i tried this too)

chain=srcnat out-interface=to-wan action=masquerade
(btw. it's not for fun, this morning we had a support issue where the VPN was working, but no internet access possible. after reboot everything was ok, but i'm still searching for the reason)

thanks (i'll go mad on this... ;-)
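To make the packet-flow argument in this post concrete, here is a small Python model of how a srcnat/masquerade rule is evaluated in the postrouting chain. It is an added illustration, not code from the thread or from MikroTik: the chain order follows the diagram quoted above (locally originated traffic: output -> postrouting; transit traffic: prerouting -> forward -> postrouting), the interface addresses are constructed (203.0.113.7 as the WAN address is documentation space), and `Packet`, `NatRule`, `run` and the case names are all names introduced here. It compares the two rules from the thread (with and without `src-address=10.10.1.0/24`) and flags any packet that would leave the WAN side still carrying an RFC 1918 source, which is the failure mode cmit describes (replies can never be routed back) and which an egress filter on the WAN interface should catch. Note that the thread itself reports ROS 2.9.17 not masquerading the router's own ping with an explicit src-address; the model shows what the diagram predicts, not what was observed.

```python
"""Toy model of srcnat/masquerade evaluation for transit vs router-originated packets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed interface addresses (assumption: the WAN side holds 203.0.113.7).
IFACE_ADDR = {"to-wan": "203.0.113.7", "to-lan": "10.10.1.1"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str
    in_iface: Optional[str] = None  # None means generated by the router itself


@dataclass
class NatRule:
    chain: str
    action: str
    out_interface: Optional[str] = None
    src_address: Optional[str] = None
    hits: int = 0  # plays the role of the packet counter on a NAT rule

    def matches(self, pkt: Packet) -> bool:
        if self.out_interface is not None and pkt.out_iface != self.out_interface:
            return False
        if self.src_address is not None:
            net = ipaddress.ip_network(self.src_address, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        return True


def chain_path(pkt: Packet) -> List[str]:
    """Chains a packet passes before leaving out_iface, per the packet-flow diagram."""
    if pkt.in_iface is None:
        return ["output", "postrouting"]            # locally originated
    return ["prerouting", "forward", "postrouting"]  # transit traffic from the LAN


def apply_srcnat(pkt: Packet, rules: List[NatRule]) -> Optional[NatRule]:
    """Evaluate srcnat rules top-down in postrouting; first match wins."""
    if "postrouting" not in chain_path(pkt):
        return None
    for rule in rules:
        if rule.chain == "srcnat" and rule.matches(pkt):
            rule.hits += 1
            if rule.action == "masquerade":
                pkt.src = IFACE_ADDR[pkt.out_iface]  # rewrite to the egress address
            return rule
    return None


def leaks_private_source(pkt: Packet) -> bool:
    """True if the packet would leave the WAN still carrying an RFC 1918 source."""
    addr = ipaddress.ip_address(pkt.src)
    return pkt.out_iface == "to-wan" and any(addr in n for n in RFC1918)


def rule_with_src() -> List[NatRule]:
    # chain=srcnat out-interface=to-wan src-address=10.10.1.0/24 action=masquerade
    return [NatRule("srcnat", "masquerade", out_interface="to-wan", src_address="10.10.1.0/24")]


def rule_without_src() -> List[NatRule]:
    # chain=srcnat out-interface=to-wan action=masquerade
    return [NatRule("srcnat", "masquerade", out_interface="to-wan")]


def run(rules: List[NatRule]) -> dict:
    """Return {case: (source after NAT, rule matched?, private source leaked?)}."""
    cases = {
        "lan_client": Packet("10.10.1.50", "193.99.144.85", "to-wan", "to-lan"),
        "router_src_lan": Packet("10.10.1.1", "193.99.144.85", "to-wan"),    # ping src-address=10.10.1.1
        "router_default": Packet("203.0.113.7", "193.99.144.85", "to-wan"),  # ping without src-address
        "other_subnet": Packet("10.10.2.20", "193.99.144.85", "to-wan", "to-lan"),
    }
    result = {}
    for name, pkt in cases.items():
        rule = apply_srcnat(pkt, rules)
        result[name] = (pkt.src, rule is not None, leaks_private_source(pkt))
    return result


if __name__ == "__main__":
    for label, rules in (("with src-address", rule_with_src()),
                         ("out-interface only", rule_without_src())):
        print(label, run(rules))
```

Under the rule with `src-address`, the other_subnet case leaves the WAN un-NATed with a 10.10.2.20 source (normis's "what if you have other networks later" point, and in mag's setup the intended way to keep those subnets off the internet); with the out-interface-only rule every case is rewritten. In either variant the counter on the matching rule is the first thing to look at when checking whether a given packet was masqueraded.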
 
pekr
Member Candidate
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Mon Mar 20, 2006 5:21 pm

> How should this work?
> Hm, i thought this should match the masquerading rule? Like for any other client on the internal side of NAT.

I thought that too ... maybe normally, if you would use ping without the source address parameter, it would be masqueraded, maybe that parameter is overriding it?

-pekr-
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Mon Mar 20, 2006 5:25 pm

Yep, the packet flow suggests that, correct.
It doesn't work that way, though :(

In that regard I should probably take back my "How should it?" from my first post - it was just that I took that for granted for a long time for myself...

Anyone from MikroTik wants to shed some light?

Best regards,
Christian Meis
 
mag
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Mon Mar 20, 2006 6:30 pm

> I thought that too ... maybe normally, if you would use ping without the source address parameter, it would be masqueraded, maybe that parameter is overriding it?

if the ping is sent without src-addr-parameter it goes right out of the WAN interface, originating from the public IP-address the WAN-interface actually has, tried this too.

> Anyone from MikroTik wants to shed some light?

yes, this would be very kind.
 
mag
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Tue Mar 21, 2006 10:40 am

ok, never mind why this is not working...

but, how can one test NAT working from the router itself then?
 
pekr
Member Candidate
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Tue Mar 21, 2006 3:27 pm

dunno - but what about some firewall rule on outgoing interface? The thing is however, that NAT is being applied after the routing, so not sure what chain you would have to check, as it will be "forward".

Or what about logging wan interface traffic? Looking for particular source address packets .... otherwise you would have to put your machine onto a hub with another PC and use tools such as Ethereal. (maybe some internal facility in winbox can be used, sending the traffic to such an "ethereal server".)

But don't take me seriously, I am just routing newbie, if even :-)

-pekr-
 
mag
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Thu Mar 23, 2006 9:26 am

> dunno - but what about some firewall rule on outgoing interface? The thing is however, that NAT is being applied after the routing, so not sure what chain you would have to check, as it will be "forward".

from the packet flow diagram src-NAT/Masquerading is applied after that.

> Or what about logging wan interface traffic? Looking for particular source address packets .... otherwise you would have to put your machine onto a hub with another PC and use tools such as Ethereal.

the situation would not be a problem, if i could be on-site or have a remote-controlled client inside.
