dominicbatty
Frequent Visitor
Topic Author
Posts: 91
Joined: Wed Jul 07, 2010 12:26 pm

NAT Session Question

Wed Jul 09, 2014 11:08 am

Hi, I have an odd NAT session problem I was wondering if someone might be able to give me a little guidance on. I link to my VOIP provider by making a connection from an internal address through the firewall which is NAT'd to my external IP and a session created to my VOIP provider.

Let's say, for example reasons, internal address 192.168.1.1, source NAT to 217.1.1.1, VOIP provider is 111.111.111.111

If my link to the VOIP provider goes down this fails over to another external link I have ...

Let's say, for example reasons, internal address 192.168.1.1, source NAT to 218.1.1.1, VOIP provider is 111.111.111.111

When the original link comes back it switches the traffic back the original route ...

Let's say, for example reasons, internal address 192.168.1.1, source NAT to 217.1.1.1, VOIP provider is 111.111.111.111

However, the problem I have is that there is still a stale session in the /ip firewall connections window that is performing NAT using the 218.1.1.1 address, and it does not seem to drop away. I wait for it to time out, but when the timeout expires it then, instead of counting down, starts counting up, and the rule never seems to disappear. Hence I am forever tied to source address 218.1.1.1 and I cannot get the traffic to NAT back, based on the rules I have specified, to source address 217.1.1.1. If I manually delete the connection from the /ip firewall connection window, my traffic immediately defaults back to the 217.1.1.1 rules I have in place.

I'm wondering if this is working as expected, but if this is the case, why doesn't the NAT rule time out and remove itself? It just appears to stay there and start counting up instead of counting down; I also notice a lot of other connections are counting up instead of down as well. I am running v6.15.

Thanks, Dominic.
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: NAT Session Question

Wed Jul 09, 2014 1:41 pm

Create one script: on route fail, delete NATted connections...
I'm Italian, not English. Sorry for my imperfect grammar.
 
dominicbatty
Frequent Visitor
Topic Author
Posts: 91
Joined: Wed Jul 07, 2010 12:26 pm

Re: NAT Session Question

Thu Jul 10, 2014 11:15 am

Yeah, thanks for this. It appears that running

/ip firewall connection tracking set enabled="no"
:delay 1
/ip firewall connection tracking set enabled="auto"

resets the list for me.

Thanks for your assistance.

Regards, Dominic.
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: NAT Session Question

Thu Jul 10, 2014 11:22 am

Your approach is right, but this method is really bad; it can disrupt other connections too (sorry for the English, but I don't want to use Google Translate...)
I'm Italian, not English. Sorry for my imperfect grammar.
 
dominicbatty
Frequent Visitor
Topic Author
Posts: 91
Joined: Wed Jul 07, 2010 12:26 pm

Re: NAT Session Question

Thu Jul 10, 2014 11:35 am

I know but the problem is as follows ...

Interface 1 - normal traffic
Interface 2 - VOIP traffic

Interface 2 goes down, I can therefore detect all connections that had a source IP address associated with interface 2 and delete them so this would be ok.

Interface 2 comes back up, and I now have an established NAT connection in the firewall via interface 1, but because the routing has come back up for interface 2 there is a mismatch. So what I basically end up with is traffic going back up interface 2 but the NAT connection doing NAT to interface 1. This connection never times out, so I cannot get the traffic to NAT back to interface 2.

I also cannot detect which traffic should be back on interface 2 without cycling every mangle rule and route and working out whether or not the NAT connections that are in place should or should not be going up interface 2 and then delete them which would re-establish them onto interface 2.

What I basically end up with is a stale NAT session that thinks it is correct but is performing NAT from IP1 (interface 1) to my destination but the traffic on which that interface is leaving does not use IP1 but instead uses IP2.

For me this will work ok as our lines are pretty stable and on the rare occasion where they switch a small traffic blip should not cause us too many problems. Certainly less problems than not doing it which leaves our VOIP phone system down.
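The per-connection cleanup rextended suggests, applied to the two-interface failover Dominic describes, as an added RouterOS script example that is not from the thread: it removes only the tracked connections to the VOIP provider whose NATted source address no longer matches the route that is currently active, instead of toggling connection tracking for the whole router. It assumes the primary VOIP route carries the comment "voip-primary", that the script is run from a scheduler or a route-change hook, and it reuses the thread's placeholder addresses.

```routeros
# Added example, not code from the thread. Assumptions: the primary VOIP
# route has comment "voip-primary"; 217.1.1.1 is the primary public IP,
# 218.1.1.1 the backup, 111.111.111.111 the VOIP provider (all placeholder
# addresses taken from the thread). Run from /system scheduler every few
# seconds, or from whatever hook fires when the route changes state.
:local primaryIp "217.1.1.1"
:local backupIp "218.1.1.1"
# regex on dst-address; connection entries carry "addr:port", dots escaped
:local providerRe "^111\\.111\\.111\\.111:"

# Which public address should VOIP traffic be NATted to right now?
:local wantIp $backupIp
:if ([:len [/ip route find where comment="voip-primary" and active=yes]] > 0) do={
    :set wantIp $primaryIp
}

# Walk only the tracked connections towards the provider. reply-dst-address
# is the NATted source as the provider sees it; if it is not the address the
# active route expects, the entry is stale. Removing it makes the next packet
# go back through the NAT rules, so other connections are left untouched.
:foreach c in=[/ip firewall connection find where dst-address~$providerRe] do={
    :local natIp [/ip firewall connection get $c reply-dst-address]
    # strip the ":port" suffix before comparing
    :set natIp [:pick $natIp 0 [:find $natIp ":"]]
    :if ($natIp != $wantIp) do={
        :log info ("stale NAT entry " . [/ip firewall connection get $c src-address] . \
            " natted as " . $natIp . ", expected " . $wantIp . "; removing")
        /ip firewall connection remove $c
    }
}
```

Logging each removal gives you an audit trail for the brief VOIP blip the post mentions, and the `dst-address` filter keeps the script from touching the "normal traffic" connections on interface 1.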
