paulchops
newbie
Topic Author
Posts: 42
Joined: Sat Feb 02, 2008 6:33 pm

basic NAT function fail after upgrade to latest ROS 6.9

Tue Feb 04, 2014 10:33 pm

We updated a 433 and a 493 (both non-AH versions). Both of them are doing NAT (src-nat) and both having the same problem. Everything looks 100%, the router can talk through the Internet and the customers (NATd) can talk to the router, but cannot talk through it. Both of these routers were on 4.1.7, and I updated each one to 5.2.6 and ran Routerboard Upgrade, then went to 6.9

I tried many many things… even called Butch on it. Ended up blowing it out and installed from scratch. Started that process fine, and as I was pasting in some script for the IP addresses it stopped… did another system reset no-default and this time, just adding public and private IP addresses, gateway, and NAT (all done manually) it didn’t work at all.

Swapped to a 493AH, configured from scratch (some of it done through script) and works fine.

Came back to the office to find a 433 that we updated last night has the same problem. Tried downgrading this one on a hunch and still not working.

I even had Butch Evans offer an opinion and came up empty.

??


Paul
 
plisken
Forum Guru
Posts: 2438
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: basic NAT function fail after upgrade to latest ROS 6.9

Thu Feb 06, 2014 6:51 am

Have you rebooted the router?
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: basic NAT function fail after upgrade to latest ROS 6.9

Thu Feb 06, 2014 10:18 am

I'm not saying Butch missed anything, but you should post at a minimum:
/ip address
/ip route
/ip firewall nat
/ip dns

And "/ip firewall filter" if anything in there.

Start with the RB433 since you mentioned that first and I have one here.
 
florianmulatz
just joined
Posts: 15
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: basic NAT function fail after upgrade to latest ROS 6.9

Thu Feb 06, 2014 10:24 am

Hey Guys,

Similar Problem on my side. Upgrade to 6.9 Masquerading stopped working.

Have some SRC-NAT Rules before the last masquerading rules - any time I activate the masquerading rule - src-nat stops working.
Masquerading disabled - all ok

BR
The signature of this post is posted on the back for technical reasons.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: basic NAT function fail after upgrade to latest ROS 6.9

Thu Feb 06, 2014 10:28 am

> Similar Problem on my side. Upgrade to 6.9 Masquerading stopped working.
>
> Have some SRC-NAT Rules before the last masquerading rules - any time I activate the masquerading rule - src-nat stops working.
> Masquerading disabled - all ok

Which router are you using? OP reports only non-AH router affected. Maybe a pattern emerging?

What "/ip firewall nat" rules are you using?
 
florianmulatz
just joined
Posts: 15
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: basic NAT function fail after upgrade to latest ROS 6.9

Thu Feb 06, 2014 10:55 am

I'm using an x86-Version (placed on an esxi)
/ip firewall nat
add action=src-nat chain=srcnat dst-address-type="" src-address=192.168.2.99 to-addresses=193.33.11x.xxx
add action=src-nat chain=srcnat dst-address-list=!no-nat dst-address-type=! src-address=192.168.2.0/24 to-addresses=193.33.11x.xxx
add action=dst-nat chain=dstnat dst-address=193.33.11x.xxx dst-port=25 in-interface=OUTSIDE protocol=tcp to-addresses=192.168.2.99 to-ports=25
add action=dst-nat chain=dstnat dst-address=193.33.11x.xxx dst-port=22 in-interface=OUTSIDE protocol=tcp to-addresses=192.168.2.99 to-ports=22
add action=dst-nat chain=dstnat dst-address=193.33.11x.xxx dst-port=3389 in-interface=OUTSIDE protocol=tcp to-addresses=192.168.2.92 to-ports=3389
add action=dst-nat chain=dstnat dst-address=193.33.11x.xxx dst-port=8080 in-interface=OUTSIDE protocol=tcp to-addresses=192.168.2.92 to-ports=8080
add action=dst-nat chain=dstnat dst-address=193.33.11x.xxx dst-port=443 in-interface=OUTSIDE protocol=tcp to-addresses=192.168.2.92 to-ports=443
add action=dst-nat chain=dstnat dst-address=193.33.11x.xxx dst-port=3389 in-interface=OUTSIDE protocol=tcp to-addresses=192.168.100.201 to-ports=3389
add action=masquerade chain=srcnat disabled=yes src-address=192.168.2.0/24
When I enable the last rule (masquerade), src-nat from the first and second rule is dead.

BR
The signature of this post is posted on the back for technical reasons.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: basic NAT function fail after upgrade to latest ROS 6.9

Thu Feb 06, 2014 11:44 am

Since you have your public ip(s) obfuscated, do you have more than one ip assigned to interface OUTSIDE?

BTW, I'm posting this on a RB433 ROS v6.9 localnet with this rule:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
So the masquerade rule generally works with v6.9.
 
florianmulatz
just joined
Posts: 15
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: basic NAT function fail after upgrade to latest ROS 6.9

Thu Feb 06, 2014 3:17 pm

Hey,

Yes, in sum I have assigned 3 public IPs to the outside interface.
Normally the masquerading is working right - but when I have to ensure that the packet is sent out on the same IP it comes in (for example my mailrelay) then I have to use SRC-NAT.
The signature of this post is posted on the back for technical reasons.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: basic NAT function fail after upgrade to latest ROS 6.9

Thu Feb 06, 2014 3:22 pm

The mail relay connections will "go back out" the ip it came in on. That is covered by the dst-nat. At least it is on my systems.

Change the masquerade to a src-nat and specify which ip you want to use as the default.
 
florianmulatz
just joined
Posts: 15
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: basic NAT function fail after upgrade to latest ROS 6.9

Fri Feb 07, 2014 7:20 am

Hey Surfertim,

No, that's one of the problems ... it does NOT! When I do no SRC-NAT for my mailrelay it replies with the INSIDE-IP from the router?
Little bit confusing, hm?

BR
The signature of this post is posted on the back for technical reasons.
 
macgaiver
Forum Guru
Posts: 1730
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: basic NAT function fail after upgrade to latest ROS 6.9

Fri Feb 07, 2014 8:57 am

I have a lot of NAT configuration without any problems on 6.9, so from my perspective it looks like configuration.
We need more configuration to help you - what are the tasks of the setup and what are the /ip address, /ip route, /ip firewall masquerade config and connection tracking status.

P.S. Alternative - just write to support@mikrotik.com
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: basic NAT function fail after upgrade to latest ROS 6.9

Fri Feb 07, 2014 12:18 pm

Post "/ip firewall nat print". I need to see the order of the rules and every parameter in those rules.
 
florianmulatz
just joined
Posts: 15
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: basic NAT function fail after upgrade to latest ROS 6.9

Fri Feb 07, 2014 1:33 pm

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=src-nat to-addresses=193.33.123.123 src-address=192.168.2.99 dst-address-type="" 
 1   chain=srcnat action=src-nat to-addresses=193.33.123.124 src-address=10.255.255.4 dst-address-type="" 
 2   chain=srcnat action=src-nat to-addresses=193.33.123.124 src-address=192.168.2.0/24 dst-address-list=!local-addr 
 3   chain=dstnat action=dst-nat to-addresses=192.168.2.99 to-ports=25 protocol=tcp dst-address=193.33.123.123 in-interface=OUTSIDE dst-port=25 
 4   chain=dstnat action=dst-nat to-addresses=192.168.2.99 to-ports=22 protocol=tcp dst-address=193.33.123.123 in-interface=OUTSIDE dst-port=22 
 5   chain=dstnat action=dst-nat to-addresses=192.168.2.92 to-ports=3389 protocol=tcp dst-address=193.33.123.124 in-interface=OUTSIDE dst-port=3389 
 6   chain=dstnat action=dst-nat to-addresses=192.168.2.92 to-ports=8080 protocol=tcp dst-address=193.33.123.124 in-interface=OUTSIDE dst-port=8080 
 7   chain=dstnat action=dst-nat to-addresses=192.168.2.92 to-ports=443 protocol=tcp dst-address=193.33.123.125 in-interface=OUTSIDE dst-port=443 
 8   chain=dstnat action=dst-nat to-addresses=192.168.100.201 to-ports=3389 protocol=tcp dst-address=193.33.123.125 in-interface=OUTSIDE dst-port=3389 
 9 X chain=srcnat action=masquerade src-address=192.168.2.0/24 
The Router is my core-router in the datacenter for my personal mailserver-system.
This is my complete NAT-Configuration. (Only the public ip's have been obfuscated - don't want to post the real one's)
The signature of this post is posted on the back for technical reasons.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: basic NAT function fail after upgrade to latest ROS 6.9

Fri Feb 07, 2014 1:49 pm

I use an out-interface parameter on srcnat rules, and no dst-address-type. I don't know what the dst-address-type does to your rule.

If I have localnet ips that use specific public ips,
/ip firewall nat
add chain=srcnat action=src-nat src-address=192.168.2.99 to-addresses=193.33.123.123 out-interface=OUTSIDE
I do not use a masquerade on the OUTSIDE interface srcnat chain if more than one ip is assigned to that interface. I use a src-nat to one specific ip.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=193.33.123.123 out-interface=OUTSIDE
And when I do use a masquerade, I specify an out-interface instead of a src-address as above.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=OUTSIDE
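
An added example (not code from any poster in this thread): a small Python check over a `/ip firewall nat` export that flags the srcnat patterns discussed above, namely rules without an out-interface, a `dst-address-type` with no value, and masquerade on a router with several public addresses. It assumes one rule per `add` line; `parse_rules`, `audit` and `public_ip_count` are names made up for this example, and the sample export is constructed from the rules posted in the thread.

```python
import shlex

# Constructed sample, modelled on the export posted earlier in the thread
# (the public addresses are the obfuscated ones used there).
SAMPLE_EXPORT = '''/ip firewall nat
add action=src-nat chain=srcnat dst-address-type="" src-address=192.168.2.99 to-addresses=193.33.123.123
add action=src-nat chain=srcnat out-interface=OUTSIDE src-address=192.168.2.0/24 to-addresses=193.33.123.124
add action=dst-nat chain=dstnat dst-address=193.33.123.123 dst-port=25 in-interface=OUTSIDE protocol=tcp to-addresses=192.168.2.99 to-ports=25
add action=masquerade chain=srcnat disabled=yes src-address=192.168.2.0/24
'''

def parse_rules(export):
    """Yield (index, params) for each 'add' line of a NAT export."""
    index = 0
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        params = {}
        # shlex keeps quoted values such as out-interface="WAN Bridge" together
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            params[key] = value
        yield index, params
        index += 1

def audit(export, public_ip_count=1):
    """Return (rule_index, message) findings for srcnat rules (disabled ones too)."""
    findings = []
    for index, p in parse_rules(export):
        if p.get("chain") != "srcnat":
            continue
        if "out-interface" not in p:
            findings.append((index, "srcnat rule has no out-interface"))
        if p.get("dst-address-type") in ("", "!"):
            findings.append((index, "dst-address-type has no value"))
        if p.get("action") == "masquerade" and public_ip_count > 1:
            findings.append((index, "masquerade with several public IPs; "
                                    "src-nat to one address instead"))
    return findings

if __name__ == "__main__":
    for index, message in audit(SAMPLE_EXPORT, public_ip_count=3):
        print(f"rule {index}: {message}")
```

Rule indexes count `add` lines in export order, which matches the numbering of `/ip firewall nat print` only when the export contains every rule.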
 
florianmulatz
just joined
Posts: 15
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: basic NAT function fail after upgrade to latest ROS 6.9

Fri Feb 07, 2014 1:59 pm

Hey Surfertim,

Seems that _that_ was really the trick. Specified the OUTSIDE interface for the masquerading as Out.Interface - all is working like before.
But the same rule (without the specified out-interface) worked before with 6.7 (I've skipped 6.8)

BR
Last edited by florianmulatz on Mon Feb 10, 2014 11:36 am, edited 1 time in total.
The signature of this post is posted on the back for technical reasons.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: basic NAT function fail after upgrade to latest ROS 6.9

Fri Feb 07, 2014 2:02 pm

I have found that some older ROS versions allow "mistakes" in firewall filter and nat rules that newer versions don't. I found over the years that it is best to use correct rules and stick to them.
 
karina
Member
Posts: 446
Joined: Sat Feb 06, 2010 2:18 am
Location: Spain

Re: basic NAT function fail after upgrade to latest ROS 6.9

Fri Feb 07, 2014 2:49 pm

> I have found that some older ROS versions allow "mistakes" in firewall filter and nat rules that newer versions don't. I found over the years that it is best to use correct rules and stick to them.

I believe this is the prime cause of upgrade issues. Not just firewall but all kinds of things like VPNs, VLANs etc. When I look through the posts complaining on the "v6.9 released" thread I suspect a high percentage are down to this fact. I have now upgraded an entire network with all types of devices including CCRs and no issues to report that were not down to mistakes in configs that previous versions forgave.

For example I have an EoIP interface and when I upgraded to v6.9 it stopped working. Turns out I had forgotten to specify the local address at one end. Ver 5.25 didn't care about the mistake, however 6.9 required the config to be correct.
 
florianmulatz
just joined
Posts: 15
Joined: Mon Sep 16, 2013 5:02 pm
Location: Klagenfurt am Woerthersee / Austria

Re: basic NAT function fail after upgrade to latest ROS 6.9

Mon Feb 10, 2014 11:36 am

Thanks for helping @ all!
The signature of this post is posted on the back for technical reasons.
 
paulchops
newbie
Topic Author
Posts: 42
Joined: Sat Feb 02, 2008 6:33 pm

Re: basic NAT function fail after upgrade to latest ROS 6.9

Sun Feb 16, 2014 6:46 pm

To follow up on our situation - I was the original poster. I had upset customers - this was an MDU - 6 customers affected, I had to upgrade to a 493AH (from the 493) and solve the problem. I had tried to re-setup the 493 router from scratch - adding bits and pieces at a time, and it would sometimes work for a while and stop, but at any consistent spot at building the config. All on a router that had run on 4.1.7 since it came out without any problems. I had upgraded to 5.26 then to 6.9, then all the problems came. Like I said, after jerking around with it for 2 hours, I had to swap it out.

On the OTHER customer - who is still having issues (433 - non AH) - same thing... though this customer is a very simple setup. One NAT rule. I upgraded this customer from 4.17 (had been working great) to 5.26 to 6.9. Same problem: NAT just stopped "flowing". I wiped config, reloaded and it worked for 2 days. It stopped again, and I repeated - wiped, reloaded - was fine for an hour - did one more time - worked 3 days and stopped flowing.

I downgraded to 5.26 and the customer still has issues - but intermittently... same as above... uggggh... It was rebooted on Friday at 4pm. Not working at all. I told customer to wait until Monday (coming up) as I would swap out the unit.

I just checked on it (Sunday) and it's flowing data... what the heck?

/ip firewall nat
add action=src-nat chain=srcnat disabled=no out-interface="WAN Bridge" src-address=10.10.200.0/24 to-addresses=198.172.215.244

How much more simple can you get? And, no, changing the rule to masquerade didn't help.
