beamer
newbie
Topic Author
Posts: 35
Joined: Mon Aug 20, 2012 12:40 am

Using connection-mark in NAT rule doesn't work?

Wed Mar 19, 2014 8:37 pm

Hello

I have an issue with using a connection-mark in a NAT rule. (Background: We have a webcam behind a static IP and I want to limit access, it should be reachable only if the right subdomain - let's say webcam.domain.tld, revealed by the HTTP Host:-header - was used.)

I have the following basic NAT rule (works):
chain=dstnat action=dst-nat to-addresses=192.168.200.11 to-ports=80 protocol=tcp in-interface=pppoe-out1 dst-port=80

I have the following mangle rule (works):
chain=prerouting action=mark-connection new-connection-mark=webcam passthrough=yes protocol=tcp dst-address=<public_ip> layer7-protocol=webcam dst-port=80 connection-mark=no-mark

I have the following L7 protocol rule (works):
# NAME REGEXP
0 webcam Host: webcam.domain.tld

I can see requests made via the webcam.domain.tld URL to get marked as webcam (in WinBox).

Now, when I change the NAT rule to have the requirement "connection-mark=webcam", it does NOT work anymore. No connection gets marked (and NATed) anymore. :(

It seems things are not happening in the order pre-routing, NAT?! Otherwise I would expect the mangle rule to still work?

EDIT: CCR, ROS 6.7
 
rextended
Forum Guru
Posts: 3859
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Using connection-mark in NAT rule doesn't work?

Wed Mar 19, 2014 10:52 pm

Simply set the layer7 protocol on the NAT rule without any type of mangle; they are useless
/ip firewall layer7-protocol
add name=webcam.domain.tld regexp=webcam.domain.tld
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=80 layer7-protocol=webcam.domain.tld protocol=tcp to-addresses=192.168.200.11 to-ports=80
I have not checked the layer7, write your own, but remember:

webcam.domain.tld is equal to:
webcam(any single character)domain(any single character)tld
(it really does not matter)

If you find my help useful, please add Karma.
I'm Italian, not English. Sorry for my imperfect grammar.
 
beamer
newbie
Topic Author
Posts: 35
Joined: Mon Aug 20, 2012 12:40 am

Re: Using connection-mark in NAT rule doesn't work?

Thu Mar 20, 2014 12:21 am

Simply set layer 7 protocol on nat without any type of mangle, are useless
Actually, this was my first approach. But since it did not work, I tried the step with the mangle rule in between, because there I could see that the connection actually gets marked (hence the rule worked). Or is there a more elegant method to troubleshoot an L7 regex?
webcam(any single character)domain(any single character)tld
Well, good point. I changed it to webcam\.domain\.tld now. (double backslashes when in terminal)

But something is really buggy with this L7 function; try the following:
/ip firewall layer7-protocol
add name=any regexp=.
Now add this to a working NAT rule, and it DOES NOT work anymore.
 
rextended
Forum Guru
Posts: 3859
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Using connection-mark in NAT rule doesn't work?

Thu Mar 20, 2014 12:31 am

... I have not checked the layer7, write your own ...
I hope you have written your own layer7 rule,

webcam\.domain\.tld = exactly the content "webcam.domain.tld" on layer7

try this:

.*webcam\.domain\.tld.* = any layer 7 content containing webcam.domain.tld
I'm Italian, not English. Sorry for my imperfect grammar.
 
beamer
newbie
Topic Author
Posts: 35
Joined: Mon Aug 20, 2012 12:40 am

Re: Using connection-mark in NAT rule doesn't work?

Thu Mar 20, 2014 12:42 am

I hope you have written your own layer7 rule
The L7 rule itself is working, I can verify this by checking the connections - as long as I do not use the rule in NAT. If I connect using www.domain.tld it's not marked, when I connect to webcam.domain.tld it gets marked. Perfect.

The problem (bug?) is in the NAT rule. It doesn't matter if I add connection-mark or directly l7-protocol there, the NAT stops working.
 
rextended
Forum Guru
Posts: 3859
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Using connection-mark in NAT rule doesn't work?

Thu Mar 20, 2014 12:50 am

You try this?
/ip firewall nat
add action=dst-nat chain=dstnat content=webcam.domain.tld dst-address=1.1.1.1 dst-port=80 protocol=tcp to-addresses=192.168.200.11 to-ports=80

Sorry, but I cannot experiment myself because actually I'm not at the office.

Remember: the layer7 checks only the first 2k bit or the first 4 packets (whichever happens first)
I'm Italian, not English. Sorry for my imperfect grammar.
 
beamer
newbie
Topic Author
Posts: 35
Joined: Mon Aug 20, 2012 12:40 am

Re: Using connection-mark in NAT rule doesn't work?

Thu Mar 20, 2014 1:13 am

You try this?
/ip firewall nat
add action=dst-nat chain=dstnat content=webcam.domain.tld
Doesn't work either. :-(

This feature seems to be a giant clusterf*ck... :evil:
 
rextended
Forum Guru
Posts: 3859
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Using connection-mark in NAT rule doesn't work?

Thu Mar 20, 2014 1:44 am

You try this?
/ip firewall nat
add action=dst-nat chain=dstnat content=webcam.domain.tld
Doesn't work either. :-(

This feature seems to be a giant clusterf*ck... :evil:
Thanks for the Karma,
but it is not ended here; when I have time I will retry.
I'm Italian, not English. Sorry for my imperfect grammar.
 
pongko
just joined
Posts: 7
Joined: Wed Apr 30, 2014 2:56 am

Re: Using connection-mark in NAT rule doesn't work?

Wed Apr 30, 2014 4:03 pm

Since you tell the router to NAT only packets marked with "webcam-mark", and at the first packet (SYN) there is no packet that carries the "webcam-mark" mark to be NATed, no connection can be established, and then there is no connection to be marked ... IMHO
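The ordering problem pongko describes can be made concrete with a small model of the packet path. The script below is an added illustration, not RouterOS code and not anything from this thread's participants: the hypothetical Router class models only the behaviour the thread relies on (the dstnat chain is evaluated for the first packet of a connection and its verdict is kept in conntrack; the layer7 matcher and the connection mark can only appear after payload with the Host header has been seen; the router itself answers nothing on port 80, so an untranslated SYN never leads to a handshake). Addresses, the client packets and the Host header are constructed sample data; 1.1.1.1 and 192.168.200.11 are the placeholder public address and the webcam address used in the thread.

```python
# Simplified model of the path discussed in this thread:
#   conntrack -> mangle prerouting (layer7 match, mark-connection) -> dstnat
# Added illustration, not RouterOS code. The Router class is a hypothetical
# model of the behaviour the thread describes, not the real implementation.
import re
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "1.1.1.1"          # placeholder public address, as in the thread
WEBCAM_IP = "192.168.200.11"   # internal webcam address from the thread


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # "SYN", "ACK" or "PSH" (simplified TCP flags)
    payload: bytes = b""


@dataclass
class Conn:
    """One conntrack entry: the mark and the NAT verdict live here."""
    mark: Optional[str] = None
    nat_to: Optional[str] = None
    collected: bytes = b""   # payload the layer7 matcher has seen so far


class Router:
    def __init__(self, l7_regexp: str, nat_needs_mark: bool):
        self.l7 = re.compile(l7_regexp.encode())
        self.nat_needs_mark = nat_needs_mark
        self.conntrack: dict = {}

    def mangle_prerouting(self, pkt: Packet, conn: Conn) -> None:
        # mark-connection new-connection-mark=webcam layer7-protocol=webcam
        # connection-mark=no-mark. The matcher accumulates payload from the
        # first packets of the connection; a bare SYN has nothing to match.
        if conn.mark is None and pkt.dst == PUBLIC_IP and pkt.dport == 80:
            conn.collected += pkt.payload
            if self.l7.search(conn.collected):
                conn.mark = "webcam"

    def dstnat(self, pkt: Packet, conn: Conn, is_new: bool) -> None:
        # The dstnat chain is consulted only for the first packet of a
        # connection; the verdict is stored in conntrack and reused.
        if not is_new:
            return
        if pkt.dst == PUBLIC_IP and pkt.dport == 80:
            if self.nat_needs_mark and conn.mark != "webcam":
                return       # connection-mark=webcam is never true on the SYN
            conn.nat_to = WEBCAM_IP

    def process(self, pkt: Packet) -> str:
        """Returns the address the packet is forwarded to."""
        key = (pkt.src, pkt.dst, pkt.dport)
        is_new = key not in self.conntrack
        conn = self.conntrack.setdefault(key, Conn())
        self.mangle_prerouting(pkt, conn)
        self.dstnat(pkt, conn, is_new)
        return conn.nat_to or pkt.dst


def http_flow(host: str):
    """Constructed client packets: handshake, then the request carrying Host."""
    req = f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    return [Packet("203.0.113.5", PUBLIC_IP, 80, "SYN"),
            Packet("203.0.113.5", PUBLIC_IP, 80, "ACK"),
            Packet("203.0.113.5", PUBLIC_IP, 80, "PSH", req)]


def run(nat_needs_mark: bool, host: str = "webcam.domain.tld"):
    """Returns (forward target of each packet, final connection mark)."""
    router = Router(r"Host: webcam\.domain\.tld", nat_needs_mark)
    forwarded = []
    for pkt in http_flow(host):
        forwarded.append(router.process(pkt))
        if forwarded[-1] != WEBCAM_IP:
            # SYN reached the router itself, which serves nothing on port 80:
            # the handshake fails and the client never sends the request.
            break
    conn = next(iter(router.conntrack.values()))
    return forwarded, conn.mark


def l7_regexp_matches(regexp: str, data: str) -> bool:
    """An unescaped dot matches any character, the point raised above."""
    return re.search(regexp, data) is not None


if __name__ == "__main__":
    print("NAT without mark:", run(nat_needs_mark=False))   # translated, marked
    print("NAT needs mark:  ", run(nat_needs_mark=True))    # never translated
```

With the plain dst-nat rule, all three packets are translated and the mangle rule marks the connection once the request arrives, which is what the topic author observed in WinBox; with connection-mark=webcam on the NAT rule, the SYN is not translated, the handshake never completes, and no mark is ever set. The last helper shows why the unescaped regexp also matches strings such as webcamXdomainYtld.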
