just joined
Topic Author
Posts: 8
Joined: Sat May 02, 2009 7:13 pm
Location: East Texas

NATed addresses showing up in a torch

Tue Aug 23, 2011 12:16 am

I have several wireless towers with Mikrotik routers broadcasting and Mikrotik clients connecting. This is an example of what I'm seeing and I'm hoping someone has seen this and can point me in the right direction.

Example IP in my AP:

Example IP in the Mikrotik client radio:

Masquerade DHCP server in the client radio handing out addresses like

The torch in my AP Mikrotik sees the address of a client's PC, masqueraded in the client radio.

Why would the tower see the address that's in the client radio? :shock:

Posts: 232
Joined: Fri Jan 30, 2009 11:41 am
Location: Reading, UK

Re: NATed addresses showing up in a torch

Tue Aug 23, 2011 12:27 am

Probably it's because of the "invalid" packets, for example TCP packets sent after the connection is finished (FIN). You should block "invalid" packets at the beginning of the firewall filter (on each router that has connection-tracking enabled), as in the example from ... protection:
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
    action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
    comment="allow already established connections"
add chain=forward connection-state=related action=accept \
    comment="allow related connections"
Just drop packets with connection-state=invalid on the client radios. If the 10.10. addresses disappear from the torch on the AP completely, there is a little "+" button near my karma waiting ;-)

I had the same problem: my MT router kept sending packets with private addresses, although there was NAT on the outgoing interface, so everything "should" be NATted. I couldn't imagine why that was possible, so I finished sniffing everything and then analyzing it in Wireshark... And the packets were mainly "doubled" TCP-FIN packets, probably treated by MikroTik as "invalid". If a packet is invalid, it doesn't belong to any connection, and so cannot be NATted (as NAT works on connections in the connection tracker). The rule always suggested by MikroTik (first rule of /ip firewall filter, chain=forward, connection-state=invalid, action=drop) solved the case :).

I think that your problem is the same. Torch shows only outgoing and single packets from the addresses, not carrying much data.
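
Added example, not part of the original posts and not RouterOS code: a simplified Python model of the mechanism described in the reply above, showing why a duplicated FIN leaves the client radio with its private source address and what the drop-invalid rule changes. All addresses, ports and the `ClientRadio` class are constructed for illustration, and only the client-to-AP direction is modelled.

```python
import ipaddress

# Constructed sample addresses, not values from the thread.
LAN = ipaddress.ip_network("10.10.1.0/24")  # behind the client radio
WAN_IP = "192.0.2.10"                       # client radio's address facing the AP

class ClientRadio:
    """Simplified model of connection tracking plus masquerade (not RouterOS code)."""

    def __init__(self, drop_invalid):
        self.drop_invalid = drop_invalid
        self.conntrack = set()  # tracked (src, sport, dst, dport) tuples

    def forward(self, pkt):
        """Return the packet as it leaves toward the AP, or None if dropped."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.conntrack:
            if pkt["flags"] != "S":
                # No matching connection and not a SYN: connection-state=invalid.
                # NAT works per connection, so the packet keeps its source address.
                return None if self.drop_invalid else dict(pkt)
            self.conntrack.add(key)
        if "F" in pkt["flags"]:
            # Simplification: the entry is removed on the first FIN
            # (a real tracker keeps it until a timeout expires).
            self.conntrack.discard(key)
        return dict(pkt, src=WAN_IP)  # masqueraded

def flow(flags_seq):
    return [{"src": "10.10.1.50", "sport": 40000, "dst": "198.51.100.7",
             "dport": 80, "flags": f} for f in flags_seq]

# Constructed flow: handshake, data, FIN, then a duplicated FIN.
SAMPLE = flow(["S", "A", "FA", "FA"])

def torch_view(drop_invalid, packets=SAMPLE):
    """(src, flags) pairs the AP would see arriving from the client radio."""
    radio = ClientRadio(drop_invalid)
    sent = [radio.forward(p) for p in packets]
    return [(p["src"], p["flags"]) for p in sent if p is not None]

def leaked(view):
    """Sources from the NATed LAN that appear on the AP side."""
    return sorted({s for s, _ in view if ipaddress.ip_address(s) in LAN})

if __name__ == "__main__":
    for drop in (False, True):
        view = torch_view(drop)
        print(f"drop_invalid={drop}: {view} leaked={leaked(view)}")
```

Without the drop rule, the only private-source packet the AP sees is the single duplicated FIN, which matches the "single packets, not carrying much data" pattern in torch.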
