alferrar
just joined
Topic Author
Posts: 13
Joined: Thu Mar 27, 2014 2:50 pm

Problem: NAT masquerade is bypassing some packets

Thu Mar 27, 2014 4:44 pm

Hello all,

We have a hotspot and recently customers are complaining about connection problems.
The board used is a RB433AH, RouterOS v4.14. The system structure is as follows:

Internet ----- WAN-Router 192.168.1.1/24 ---- 192.168.1.200/24 Mikrotik 10.10.1.254/23 ---- About 30 Clients (10.10.0.0/23 network)

Examining the system in order to debug the problem, I found that some private-network packets (10.10.X.X) are bypassing the NAT masquerade rule without their src. address being changed, causing connectivity problems. In fact, sniffing packets on the 192.168.1.1/24 network, some 10.10.X.X src. addresses are found:

58 1.079 ether1 188.125.69.43:993 (imaps) 192.168.1.200:56352 tcp 572
66 1.139 ether1 192.168.1.200:56352 188.125.69.43:993 (imaps) tcp 66
67 1.141 ether1 192.168.1.200:56352 188.125.69.43:993 (imaps) tcp 66
68 1.143 ether1 192.168.1.200:56352 188.125.69.43:993 (imaps) tcp 54
69 1.153 ether1 192.168.1.200:56352 188.125.69.43:993 (imaps) tcp 368
70 1.173 ether1 192.168.1.200:56351 65.52.193.252:80 (http) tcp 54
71 1.207 ether1 62.37.163.71:10962 192.168.1.200:8291 (winbox) tcp 128
72 1.209 ether1 108.162.232.202:80 (http) 192.168.1.200:56354 tcp 66
>>> 76 1.23 ether1 10.10.1.38:56294 84.39.153.33:80 (http) tcp 54
77 1.231 ether1 192.168.1.200:56355 84.39.153.33:80 (http) tcp 66
78 1.233 ether1 192.168.1.200:58348 80.58.61.250:53 (dns) udp 81
79 1.272 ether1 188.125.69.43:993 (imaps) 192.168.1.200:56352 tcp 101
80 1.285 ether1 80.58.61.250:53 (dns) 192.168.1.200:58348 udp 113
89 1.323 ether1 192.168.1.200:56355 84.39.153.33:80 (http) tcp 1052
90 1.326 ether1 131.253.40.10:443 (https) 192.168.1.200:56255 tcp 192
114 1.703 ether1 188.125.69.43:993 (imaps) 192.168.1.200:56352 tcp 60
>>> 115 1.71 ether1 10.10.1.38:56294 84.39.153.33:80 (http) tcp 54
116 1.779 ether1 192.168.1.200:56348 212.58.244.71:80 (http) tcp 133

I removed some packets for clarity. 10.10.X.X is not always the same IP. Packet bypassing occurs about once per second. Packet content is:

e046 9a28 8943 000c 42c9 5747 0800 4500 .F.(.C..B.WG..E.
0028 2a5d 4000 7f06 5b3d 0a0a 011d d5c7 .(*]@...[=......
9547 c412 01bb 7a9e ff43 6548 3222 5014 .G....z..CeH2"P.
0000 6280 0000 ..b...

NAT configuration is:

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no out-interface=ether1 src-address=\
10.10.0.0/23
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=192.168.1.200 dst-port=8100 protocol=tcp to-addresses=\
10.10.0.100 to-ports=80

Any ideas?
Thank you
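The 54-byte hex dump in the post can be decoded to see exactly which segment escaped the masquerade rule. The following is an added example (not code from the original thread): it parses the dump copied from the post, decodes the Ethernet/IP/TCP headers, and reports the packet as a NAT leak when its source still lies in the masqueraded range 10.10.0.0/23 taken from the NAT rule above. The ASCII gutter on each dump line is ignored.

```python
import ipaddress
import re
import struct

# Masqueraded hotspot range, taken from the NAT rule in the post (src-address=10.10.0.0/23).
HOTSPOT_NET = ipaddress.ip_network("10.10.0.0/23")

# Hex dump copied verbatim from the post; the parser ignores the ASCII gutter on each line.
DUMP = """\
e046 9a28 8943 000c 42c9 5747 0800 4500 .F.(.C..B.WG..E.
0028 2a5d 4000 7f06 5b3d 0a0a 011d d5c7 .(*]@...[=......
9547 c412 01bb 7a9e ff43 6548 3222 5014 .G....z..CeH2"P.
0000 6280 0000 ..b...
"""

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def dump_to_bytes(dump):
    # Keep the leading 4-hex-digit groups of each line; stop at the first ASCII-gutter token.
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split():
            if not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def decode_frame(raw):
    # Ethernet II + IPv4 + TCP; honours IHL but does not interpret IP/TCP options.
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[(ver_ihl & 0x0F) * 4:total_len]
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {
        "src": str(ipaddress.ip_address(src)), "sport": sport,
        "dst": str(ipaddress.ip_address(dst)), "dport": dport, "ttl": ttl,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
    }

def is_nat_leak(pkt, inside_net=HOTSPOT_NET):
    # A frame captured on the WAN side whose source is still an inside address escaped masquerade.
    return ipaddress.ip_address(pkt["src"]) in inside_net
```

Running `decode_frame(dump_to_bytes(DUMP))` shows the source, destination, ports and the TCP flag set of the escaped segment, so the capture can be checked against the FIN explanation given later in the thread.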
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Problem: NAT masquerade is bypassing some packets

Sat Mar 29, 2014 1:03 am

4.14 has some problems; install 4.16, the most stable of all 4.x versions,
but consider going up to 5.26.

DO NOT WORRY!

It's normal.

If you want a detailed explanation:

The router does not process on outbound a TCP packet if it contains "FIN" or "FIN + ACK" or "ACK in reply to FIN".
These packets are used to close the TCP connection.
It is useless to change the source IP,
because there is no reply from the other side after closing the connection (it is not really true, but for simplicity never mind for now).

It's a way not to waste CPU time on useless things.

If someone likes the explanation, please add Karma.
I'm Italian, not English. Sorry for my imperfect grammar.
 
alferrar
just joined
Topic Author
Posts: 13
Joined: Thu Mar 27, 2014 2:50 pm

Re: Problem: NAT masquerade is bypassing some packets

Sat Mar 29, 2014 5:05 pm

First of all, I must thank you for your clear response; it sounds very logical and explains the cause of this behaviour perfectly. You are a RouterOS guru :D

In normal situations this packet bypassing will not affect network operation, but this is not my case:
The WAN port of my MikroTik is connected to a Netgear Prosafe SRX5308 router that is load balancing 4 ADSL lines. These frames are confusing this router, causing FIN frames to be sent to the wrong WAN interface and even not respecting the protocol binding function.
Is it possible to avoid this packet bypassing? Is there some workaround for the problem?

Regarding the RouterOS version, we use version 4 because the version 5 User Manager web interface is missing an important feature: when generating batch users for the hotspot, vouchers are not automatically printed, so you have to go to the user window, manually select the new users and print them. This is very difficult when there are lots of users. I can't understand why MikroTik changed this... I didn't try v6. Same behaviour?

You didn't mention v6 in your upgrade advice. Is it not stable enough?

Thank you again.
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Problem: NAT masquerade is bypassing some packets

Sat Mar 29, 2014 5:17 pm

First the easy ones:
2) I have the same issue with 5.x, but it is really better, and I stopped printing the vouchers because I switched to a "card printer" with scratch... :) I export the CSV file and the printer program does the rest! (MagiCard Enduro). But from this season I go with SMS authentication (provided by a 3rd party), but I am trying to study a solution myself.

3) I do not suggest 6.x to you because I do not know if you are experienced or not... If you miss upgrading the firmware to 3.10 before going from 5.26 to 6.7 (I suggest THIS version), your hardware is stuck...

One moment, I am going to write a reply on 1)
I'm Italian, not English. Sorry for my imperfect grammar.
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Problem: NAT masquerade is bypassing some packets

Sat Mar 29, 2014 5:27 pm

1) Very hard, I am searching for a solution at this moment.
If I find the solution, I will write it in this post.
I'm Italian, not English. Sorry for my imperfect grammar.
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Problem: NAT masquerade is bypassing some packets

Sat Mar 29, 2014 7:17 pm

Actually, the only way is to put another RB in between
and change the src of packets
when TCP flags are "FIN" and src IP is in 10.10.0.0/23
to 192.168.1.200

:cry:

NAT works when connections are established, not when they are closed... :(
I'm Italian, not English. Sorry for my imperfect grammar.
 
reinerotto
Member
Posts: 439
Joined: Thu Dec 04, 2008 2:35 am

Re: Problem: NAT masquerade is bypassing some packets

Sun Mar 30, 2014 9:13 am

I consider this a bug, so I filed a link to this thread in the list of known bugs.
(Confirms an old principle: Optimize: Don't do it!)
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Problem: NAT masquerade is bypassing some packets

Sun Mar 30, 2014 12:14 pm

Is the Netgear Prosafe SRX5308 SIMPLY able to change the src on incoming packets from 10.10.0.0/23 to 192.168.1.200?
If any packet coming from 10.10.0.0/23 is an unprocessed packet for NAT, regardless of TCP flag...

Good idea?
I'm Italian, not English. Sorry for my imperfect grammar.
 
alferrar
just joined
Topic Author
Posts: 13
Joined: Thu Mar 27, 2014 2:50 pm

Re: Problem: NAT masquerade is bypassing some packets

Mon Apr 07, 2014 8:11 pm

I'm sorry for the delay in my response. Thank you all for your comments.
I managed to solve the problem by changing the network structure:
I disabled MikroTik NAT and used regular routing instead. Then I placed a static route in the NETGEAR routing table so the 10.10.0.0/23 network is accessible through the 192.168.1.200 gateway. Now everything seems to be working fine.

Rextended:
I don't think NETGEAR allows this. It's a very simple router. Thank you anyway. On the other hand, I'm very interested in knowing more about the way you print vouchers. Maybe I should evaluate this MagiCard Enduro. About the firmware upgrade, do you mean that upgrading from 4.x to 6.x can result in bricking the MikroTik? Oh my god!!

Reinerotto:
I totally agree with you. This must be considered a bug, since this behaviour can cause malfunctions in other routers that try to do connection tracking (saturating the number of active connections, for example).
