NAT Session Question

Posted: Wed Jul 09, 2014 11:08 am
by dominicbatty
Hi, I have an odd NAT session problem I was wondering if someone might be able to give me a little guidance on. I link to my VOIP provider by making a connection from an internal address through the firewall which is NAT'd to my external IP and a session created to my VOIP provider.

Let's say, for example reasons, internal address 192.168.1.1, source NAT to 217.1.1.1, VOIP provider is 111.111.111.111

If my link to the VOIP provider goes down this fails over to another external link I have ...

Let's say, for example reasons, internal address 192.168.1.1, source NAT to 218.1.1.1, VOIP provider is 111.111.111.111

When the original link comes back it switches the traffic back the original route ...

Let's say, for example reasons, internal address 192.168.1.1, source NAT to 217.1.1.1, VOIP provider is 111.111.111.111

However, the problem I have is that there is still a stale session in the /ip firewall connections window that is performing NAT using the 218.1.1.1 address that does not seem to drop away. I wait for it to time out, but when the timeout expires the timeout then, instead of counting down, starts counting up and the rule never seems to disappear, hence I am then forever tied to source address 218.1.1.1 and I cannot get the traffic to NAT back based on the rules I have specified and use source address 217.1.1.1. If I manually delete the connection from the /ip firewall connection window my traffic immediately defaults back to the 217.1.1.1 rules I have in place.

I'm wondering if this is working as expected, but if this is the case why doesn't the NAT rule time out and remove itself? It just appears to stay there and start counting up instead of counting down. I also notice a lot of other connections are counting up instead of down as well. I am running v6.15.

Thanks, Dominic.

Re: NAT Session Question

Posted: Wed Jul 09, 2014 1:41 pm
by rextended
create one script, on route fail, delete natted connections...

Re: NAT Session Question

Posted: Thu Jul 10, 2014 11:15 am
by dominicbatty
Yeah, thanks for this. It appears that running

# turn connection tracking off and back on; this flushes every tracked connection
/ip firewall connection tracking set enabled="no"
:delay 1
/ip firewall connection tracking set enabled="auto"

resets the list for me.

Thanks for your assistance.

Regards, Dominic.

Re: NAT Session Question

Posted: Thu Jul 10, 2014 11:22 am
by rextended
Your approach is right, but this method is really bad; it can disrupt other connections too (sorry for the English, but I do not want to use Google translation...)

Re: NAT Session Question

Posted: Thu Jul 10, 2014 11:35 am
by dominicbatty
I know but the problem is as follows ...

Interface 1 - normal traffic
Interface 2 - VOIP traffic

Interface 2 goes down, I can therefore detect all connections that had a source IP address associated with interface 2 and delete them so this would be ok.

Interface 2 comes back up; I now have an established NAT connection in the firewall via interface 1, but because the routing has come back up for interface 2 there is a mismatch. So what I basically end up with is traffic going back up interface 2 but the NAT connection doing NAT to interface 1. This connection never times out, so I cannot get the traffic to NAT back to interface 2.

I also cannot detect which traffic should be back on interface 2 without cycling every mangle rule and route and working out whether or not the NAT connections that are in place should or should not be going up interface 2 and then delete them which would re-establish them onto interface 2.

What I basically end up with is a stale NAT session that thinks it is correct but is performing NAT from IP1 (interface 1) to my destination but the traffic on which that interface is leaving does not use IP1 but instead uses IP2.

For me this will work ok, as our lines are pretty stable, and on the rare occasion where they switch a small traffic blip should not cause us too many problems. Certainly fewer problems than not doing it, which leaves our VOIP phone system down.
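As an added example (not code from the thread or from MikroTik), here is the targeted version of rextended's suggestion applied to the case described above: instead of toggling connection tracking off and flushing everything, it removes only the tracked connections to the VoIP provider whose NATted source (reply-dst-address) is the address of the wrong link, so they are re-created on the route that is now active. It assumes the addresses from the thread, that it is run from a /tool netwatch up/down script or a route-watching script, and v6 property names (src-address, dst-address, reply-dst-address).

```routeros
# Added example, not from the original posts.
# Remove stale srcnat sessions to the VoIP provider that still use the
# other link's public address. Run with staleNatIp = 218.1.1.1 when
# interface 2 comes back up, and with staleNatIp = 217.1.1.1 when it goes down.
:local voipHost "111.111.111.111"
:local staleNatIp "218.1.1.1"
:local removed 0

:foreach c in=[/ip firewall connection find] do={
    :local dst [/ip firewall connection get $c dst-address]
    :local replyDst [/ip firewall connection get $c reply-dst-address]

    # entries are "ip:port" for TCP/UDP but bare "ip" for e.g. ICMP,
    # so only strip the ":port" suffix when a colon is actually present
    :local dstIp $dst
    :local colon [:find $dst ":"]
    :if ([:typeof $colon] != "nil") do={ :set dstIp [:pick $dst 0 $colon] }

    :local replyIp $replyDst
    :set colon [:find $replyDst ":"]
    :if ([:typeof $colon] != "nil") do={ :set replyIp [:pick $replyDst 0 $colon] }

    # match only VoIP-provider sessions NATted through the stale public IP;
    # everything else (normal traffic on interface 1) is left untouched
    :if ($dstIp = $voipHost && $replyIp = $staleNatIp) do={
        /ip firewall connection remove $c
        :set removed ($removed + 1)
    }
}

:log info ("cleared " . $removed . " stale NAT sessions to " . $voipHost . " via " . $staleNatIp)
```

Because only sessions to the VoIP host are removed, other users' connections are not dropped the way the connection-tracking toggle drops them; the phones simply re-register over the now-correct interface.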