Hello all,
We have a hotspot and recently customers are complaining about connection problems.
The board is an RB433AH running RouterOS v4.14. The system structure is as follows:
Internet ----- WAN-Router 192.168.1.1/24 ---- 192.168.1.200/24 Mikrotik 10.10.1.254/23 ---- About 30 Clients (10.10.0.0/23 network)
Examining the system to debug the problem, I found that some private network packets (10.10.X.X) are bypassing the NAT masquerade rule without their src. address being changed, causing connectivity problems. In fact, sniffing packets on the 192.168.1.1/24 network, some 10.10.X.X src. addresses are found:
58 1.079 ether1 188.125.69.43:993 (imaps) 192.168.1.200:56352 tcp 572
66 1.139 ether1 192.168.1.200:56352 188.125.69.43:993 (imaps) tcp 66
67 1.141 ether1 192.168.1.200:56352 188.125.69.43:993 (imaps) tcp 66
68 1.143 ether1 192.168.1.200:56352 188.125.69.43:993 (imaps) tcp 54
69 1.153 ether1 192.168.1.200:56352 188.125.69.43:993 (imaps) tcp 368
70 1.173 ether1 192.168.1.200:56351 65.52.193.252:80 (http) tcp 54
71 1.207 ether1 62.37.163.71:10962 192.168.1.200:8291 (winbox) tcp 128
72 1.209 ether1 108.162.232.202:80 (http) 192.168.1.200:56354 tcp 66
>>> 76 1.23 ether1 10.10.1.38:56294 84.39.153.33:80 (http) tcp 54
77 1.231 ether1 192.168.1.200:56355 84.39.153.33:80 (http) tcp 66
78 1.233 ether1 192.168.1.200:58348 80.58.61.250:53 (dns) udp 81
79 1.272 ether1 188.125.69.43:993 (imaps) 192.168.1.200:56352 tcp 101
80 1.285 ether1 80.58.61.250:53 (dns) 192.168.1.200:58348 udp 113
89 1.323 ether1 192.168.1.200:56355 84.39.153.33:80 (http) tcp 1052
90 1.326 ether1 131.253.40.10:443 (https) 192.168.1.200:56255 tcp 192
114 1.703 ether1 188.125.69.43:993 (imaps) 192.168.1.200:56352 tcp 60
>>> 115 1.71 ether1 10.10.1.38:56294 84.39.153.33:80 (http) tcp 54
116 1.779 ether1 192.168.1.200:56348 212.58.244.71:80 (http) tcp 133
I removed some packets for clarity. The 10.10.X.X address is not always the same. Packet bypassing occurs about once per second. Packet content is:
e046 9a28 8943 000c 42c9 5747 0800 4500 .F.(.C..B.WG..E.
0028 2a5d 4000 7f06 5b3d 0a0a 011d d5c7 .(*]@...[=......
9547 c412 01bb 7a9e ff43 6548 3222 5014 .G....z..CeH2"P.
0000 6280 0000 ..b...
NAT configuration is:
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no out-interface=ether1 src-address=\
10.10.0.0/23
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=192.168.1.200 dst-port=8100 protocol=tcp to-addresses=\
10.10.0.100 to-ports=80
Any ideas?
Thank you
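Decoding the hex dump quoted in the post, as an added example (not the poster's or MikroTik's code), shows what the leaked packet actually is. The dump is copied from the post; the parser assumes a plain Ethernet II / IPv4 / TCP frame with no VLAN tag.

```python
import struct

# Hex dump of the leaked packet as posted (ASCII column dropped).
LEAKED_PACKET_HEX = """
e046 9a28 8943 000c 42c9 5747 0800 4500
0028 2a5d 4000 7f06 5b3d 0a0a 011d d5c7
9547 c412 01bb 7a9e ff43 6548 3222 5014
0000 6280 0000
"""

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header as captured;
    a header whose checksum field is correct yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_packet(hexdump: str) -> dict:
    """Decode Ethernet II + IPv4 + TCP headers from a sniffer hex dump."""
    raw = bytes.fromhex("".join(hexdump.split()))
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, total_len, _, frag, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x1FF  # low 9 bits carry the TCP flag bits
    return {
        "eth_src": eth_src.hex(":"),
        "eth_dst": eth_dst.hex(":"),
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "dont_fragment": bool(frag & 0x4000),
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "sport": sport,
        "dport": dport,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window,
        "payload_len": total_len - ihl - ((off_flags >> 12) * 4),
    }


if __name__ == "__main__":
    for key, value in decode_packet(LEAKED_PACKET_HEX).items():
        print(f"{key:16} {value}")
```

The decoded frame is a bare RST/ACK from 10.10.1.29:50194 to 213.199.149.71:443 with a zero window, no payload and a valid IP checksum. A reset for a connection the router no longer tracks is normally classified as invalid by connection tracking, and srcnat is only applied to packets that belong to a tracked connection, which fits the unchanged source address seen on ether1.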