MicroNoob
just joined
Topic Author
Posts: 8
Joined: Wed Jan 26, 2022 11:18 pm

Traceroute not showing the inbound IP

Wed Jan 26, 2022 11:34 pm

When I perform a traceroute to the LAN...my traceroute doesn't show the inbound interface IP of the MikroTik as expected. This is only happening on one of my MikroTik routers and I could use some help figuring out why this is occurring. Examples:

Normal behavior:

traceroute to 10.147.101.129 (10.147.101.129), 30 hops max, 60 byte packets
1 (10.52.5.2) 0.465 ms 0.601 ms 0.723 ms
2 (172.16.1.245) 0.139 ms 0.126 ms 0.109 ms
Output truncated
12 (10.47.254.50) 8.294 ms 8.262 ms 8.113 ms
13 (10.47.254.58) 10.657 ms 8.266 ms 10.442 ms
14 (10.47.254.62) 11.747 ms 10.023 ms 11.139 ms
15 10.47.254.70 (10.47.254.70) 15.579 ms 14.921 ms 18.790 ms <-------------MikroTik Router inbound interface
16 10.147.101.129 (10.147.101.129) 30.357 ms 30.321 ms 29.854 ms <-----------------------MikroTik Router LAN host IP

Strange behavior I'm trying to fix:

traceroute to 10.148.5.11 (10.148.5.11), 30 hops max, 60 byte packets
1 (10.52.5.2) 9.805 ms 9.786 ms 10.943 ms
2 (172.16.1.245) 0.111 ms 0.110 ms 0.115 ms
Output truncated
12 (10.47.254.50) 8.369 ms 8.437 ms 8.266 ms
13 (10.47.254.58) 9.362 ms 8.309 ms 8.276 ms
14 10.148.5.11 (10.148.5.11) 29.023 ms * 31.884 ms <---------------------MikroTik Router is not showing me the inbound interface like it did above, instead it shows the LAN IP twice.
15 10.148.5.11 (10.148.5.11) 31.851 ms 30.289 ms 35.024 ms <-------------------------MikroTik Router LAN host IP

Much thanks for any help...first time caller!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Traceroute not showing the inbound IP

Fri Jan 28, 2022 6:20 pm

There can be a different address if the route to <source of ping> has pref-src set to some other router's address. But it can't be the address of an external device. NAT shouldn't touch it either. Try to add this and check what it logs:
/ip firewall mangle
add chain=output dst-address=<source of ping> protocol=icmp action=log
 
MicroNoob
just joined
Topic Author
Posts: 8
Joined: Wed Jan 26, 2022 11:18 pm

Re: Traceroute not showing the inbound IP

Sat Jan 29, 2022 12:13 am

Here's the mangle log output. As shown below, I changed the rule in the middle and started pinging/tracerouting from a different source to compare.

15:45:31 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->172.16.210.34, NAT (192.168.1.17->10.148.5.17)->172.16.210.34, len 120
15:45:32 firewall,info dstnat: in:ether1 out:(unknown 0), src-mac 78:ba:f9:fc:36:c0, proto ICMP (type 8, code 0), 172.16.210.34->10.148.5.17, len 92
15:46:04 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 0, code 0), 10.148.5.1->172.16.210.34, len 92
15:46:04 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 0, code 0), 10.148.5.1->172.16.210.34, len 92
15:46:04 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 0, code 0), 10.148.5.1->172.16.210.34, len 92
15:47:17 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->172.16.210.34, NAT (192.168.1.11->10.148.5.11)->172.16.210.34, len 84
15:47:19 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->172.16.210.34, NAT (192.168.1.11->10.148.5.11)->172.16.210.34, len 84
15:47:22 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->172.16.210.34, NAT (192.168.1.11->10.148.5.11)->172.16.210.34, len 84
15:49:08 system,info mangle rule changed by admin
15:49:10 system,info mangle rule changed by admin
15:49:32 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.11->10.148.5.11)->10.52.5.69, len 88
15:49:32 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.11->10.148.5.11)->10.52.5.69, len 88
15:49:32 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.11->10.148.5.11)->10.52.5.69, len 88
15:51:14 system,error,critical login failure for user admin from 172.16.210.34 via web
15:51:17 system,info,account user admin logged in from 172.16.210.34 via web
15:52:42 system,info,account user admin logged out from 172.16.210.34 via web
15:55:03 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.11->10.148.5.11)->10.52.5.69, len 88
15:55:03 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.11->10.148.5.11)->10.52.5.69, len 88
15:55:03 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.11->10.148.5.11)->10.52.5.69, len 88
15:57:21 firewall,info dstnat: in:ether1 out:(unknown 0), src-mac 78:ba:f9:fc:36:c0, proto ICMP (type 8, code 0), 10.52.5.69->10.148.5.17, len 84
15:58:43 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.13->10.148.5.13)->10.52.5.69, len 88
15:58:43 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.13->10.148.5.13)->10.52.5.69, len 88
15:58:43 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.13->10.148.5.13)->10.52.5.69, len 88
Last edited by MicroNoob on Wed Feb 02, 2022 4:40 pm, edited 1 time in total.
 
MicroNoob
just joined
Topic Author
Posts: 8
Joined: Wed Jan 26, 2022 11:18 pm

Re: Traceroute not showing the inbound IP

Sat Jan 29, 2022 12:22 am

Something I found that is notable...when I ping 10.148.5.11...the MikroTik doesn't show anything in the mangle logs at all. But the ping is successful. If I traceroute from the same source, however, the logs show up again.

$ ping 10.148.5.1 <-------------------------------------------showing a successful ping from source 10.52.5.69, but nothing shows in the MikroTik logs when I do this.
PING 10.148.5.1 (10.148.5.1) 56(84) bytes of data.
64 bytes from 10.148.5.1: icmp_seq=1 ttl=51 time=22.1 ms
64 bytes from 10.148.5.1: icmp_seq=2 ttl=51 time=27.5 ms
64 bytes from 10.148.5.1: icmp_seq=3 ttl=51 time=27.9 ms
64 bytes from 10.148.5.1: icmp_seq=4 ttl=51 time=20.3 ms


But when I traceroute from the same source...the MikroTik shows this:

16:07:44 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.11->10.148.5.11)->10.52.5.69, len 88
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Traceroute not showing the inbound IP

Sat Jan 29, 2022 12:39 am

Some legend would be nice. You may know those addresses, what is where, etc, but nobody else does.

10.148.5.11 = target of traceroute
10.52.5.69 = source of traceroute
10.47.32.250 = the address you want to see in traceroute (?)
192.168.1.11 = ?
 
MicroNoob
just joined
Topic Author
Posts: 8
Joined: Wed Jan 26, 2022 11:18 pm

Re: Traceroute not showing the inbound IP

Wed Feb 02, 2022 4:49 pm

Sorry, here ya go...thanks for helping!

10.148.5.11 = target of traceroute, dstnat NAT'd global IP
192.168.1.11 = target of traceroute, dstnat NAT'd local IP

172.16.210.34 = original source of traceroute

10.52.5.69 = source of traceroute after changing sources shown in middle of my log output here> (15:49:08 system,info mangle rule changed by admin)

10.47.32.250 = the address I want/expected to see once traceroute reaches my router (ie, inbound interface IP)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Traceroute not showing the inbound IP

Wed Feb 02, 2022 5:39 pm

I think I'm a bit lost. So 10.148.5.11 is another device behind router, but you're doing dstnat for this address on router and changing destination to 192.168.1.11, which is where exactly? Can you export and post config? My imagination seems to fail me.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Traceroute not showing the inbound IP

Wed Feb 02, 2022 5:57 pm

Yeah, that's it:
/ip address
add interface=ether1 address=10.47.32.250/24
add interface=ether2 address=10.148.5.1/24
add interface=ether2 address=192.168.1.1/24
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.148.5.11 to-addresses=192.168.1.11
And I get the same as you do:
output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->x.x.x.x, NAT (192.168.1.11->10.148.5.11)->x.x.x.x, len 84
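
An added example, not part of the original posts: a parser for the firewall log lines shown in this thread that lists, for each address a traceroute displays as a hop, the router address that generated the ICMP time-exceeded (type 11) message. It assumes the log is collected off the router (for example by remote syslog) and that the address after "NAT (x->" is the source seen on the wire, as the traceroute output in the first post suggests; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the log lines posted earlier in this thread.
SAMPLE_LOG = """\
15:45:31 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->172.16.210.34, NAT (192.168.1.17->10.148.5.17)->172.16.210.34, len 120
15:45:32 firewall,info dstnat: in:ether1 out:(unknown 0), src-mac 78:ba:f9:fc:36:c0, proto ICMP (type 8, code 0), 172.16.210.34->10.148.5.17, len 92
15:46:04 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 0, code 0), 10.148.5.1->172.16.210.34, len 92
15:47:17 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->172.16.210.34, NAT (192.168.1.11->10.148.5.11)->172.16.210.34, len 84
15:49:08 system,info mangle rule changed by admin
15:49:32 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.11->10.148.5.11)->10.52.5.69, len 88
15:58:43 firewall,info output: in:(unknown 0) out:ether1, proto ICMP (type 11, code 0), 10.47.32.250->10.52.5.69, NAT (192.168.1.13->10.148.5.13)->10.52.5.69, len 88
"""

# One firewall log line: chain, interfaces, optional src-mac, ICMP type/code,
# the pre-NAT src->dst pair, an optional NAT annotation, and the length.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<chain>\S+): "
    r"in:(?P<in_if>.+?) out:(?P<out_if>.+?), "
    r"(?:src-mac \S+, )?"
    r"proto ICMP \(type (?P<type>\d+), code (?P<code>\d+)\), "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)"
    r"(?:, NAT \((?P<nat_from>[\d.]+)->(?P<nat_to>[\d.]+)\)->(?P<nat_dst>[\d.]+))?"
    r", len (?P<len>\d+)$"
)

ICMP_TIME_EXCEEDED = 11


def parse_line(line):
    """Return the fields of one ICMP firewall log line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["type"] = int(entry["type"])
    entry["code"] = int(entry["code"])
    return entry


def masked_hops(log_text):
    """Map each hop address a traceroute displays to the router behind it.

    Only time-exceeded messages from the output chain that carry a NAT
    annotation are counted: 'src' is the router's own address, 'nat_to'
    is the address the prober sees instead (assumption stated above).
    """
    hops = defaultdict(lambda: {"router": set(), "probers": set(), "count": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["chain"] != "output":
            continue
        if entry["type"] != ICMP_TIME_EXCEEDED or entry["nat_to"] is None:
            continue
        hop = hops[entry["nat_to"]]
        hop["router"].add(entry["src"])
        hop["probers"].add(entry["dst"])
        hop["count"] += 1
    return dict(hops)


if __name__ == "__main__":
    for shown, info in sorted(masked_hops(SAMPLE_LOG).items()):
        routers = ", ".join(sorted(info["router"]))
        probers = ", ".join(sorted(info["probers"]))
        print(f"hop shown as {shown}: sent by {routers} "
              f"({info['count']} message(s), probed from {probers})")
```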
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Traceroute not showing the inbound IP

Wed Feb 02, 2022 6:45 pm

Actually, nothing special is required, it seems that dstnat for icmp does this with any address. I don't normally use it, so I missed this behaviour. But to be honest, it seems weird, and I'm not sure why it happens.
 
MicroNoob
just joined
Topic Author
Posts: 8
Joined: Wed Jan 26, 2022 11:18 pm

Re: Traceroute not showing the inbound IP

Thu Feb 03, 2022 12:56 am

Ok, thanks...this is the first router I've seen behave this way out of my large environment...we nat on every router in order to standardize on the 192.168 addresses. I'll pay more attention to see if any others behave this way. I don't like this behavior, because normally I can just trace to a host address...and grab the hop before it to be able to log into the associated router. With this 'issue' occurring, I don't get the router's WAN IP in the trace, so it takes me longer.

Yes, the 192.168.1.11 address is natting to 10.148.5.11.
 
MicroNoob
just joined
Topic Author
Posts: 8
Joined: Wed Jan 26, 2022 11:18 pm

Re: Traceroute not showing the inbound IP

Thu Feb 03, 2022 1:03 am

Here is my nat config:

chain=dstnat action=dst-nat to-addresses=192.168.1.11 dst-address=10.148.5.11

And just in case you can find anything else wrong with this inherited config...please let me know if any of this config could be better:

# feb/02/2022 16:47:01 by RouterOS 6.42.11
# software id = 0AY3-S3JY
#
# model = 2011UiAS
# serial number = 7DD60A83BDE1
/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none
add fast-forward=no name=bridge40 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1520 speed=1Gbps
set [ find default-name=ether2 ] l2mtu=1520 speed=1Gbps
set [ find default-name=ether3 ] l2mtu=1520 speed=1Gbps
set [ find default-name=ether4 ] l2mtu=1520 speed=1Gbps
set [ find default-name=ether5 ] l2mtu=1520 speed=1Gbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full l2mtu=\
1520
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full l2mtu=\
1520
set [ find default-name=ether8 ] l2mtu=1520
set [ find default-name=ether9 ] l2mtu=1520
set [ find default-name=ether10 ] l2mtu=1520
set [ find default-name=sfp1 ] disabled=yes mac-address=74:4D:28:02:F1:39
/interface vlan
add interface=bridge1 mtu=1516 name=vlan1 vlan-id=1
add interface=bridge40 mtu=1516 name=vlan40 vlan-id=40
/interface ethernet switch port
set 1 default-vlan-id=0 vlan-mode=fallback
set 2 default-vlan-id=0 vlan-mode=fallback
set 3 default-vlan-id=0 vlan-mode=fallback
set 4 default-vlan-id=0 vlan-mode=fallback
set 5 default-vlan-id=0 vlan-mode=fallback
set 6 vlan-mode=fallback
set 7 vlan-mode=fallback
set 8 vlan-mode=fallback
set 9 vlan-mode=fallback
set 10 vlan-mode=fallback
set 11 default-vlan-id=0 vlan-mode=fallback
set 12 vlan-mode=fallback
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool40 ranges=192.168.1.128-192.168.1.254
add name=dhcp1 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp1 authoritative=after-2sec-delay disabled=no \
interface=bridge1 lease-time=1d name=dhcp1
add add-arp=yes address-pool=dhcp_pool40 authoritative=after-2sec-delay disabled=no \
interface=bridge40 lease-time=1d name=dhcp40
/routing ospf area
set [ find default=yes ] disabled=yes
add area-id=0.0.0.20 default-cost=1 inject-summary-lsas=no name=area20 type=stub
/routing ospf instance
set [ find default=yes ] router-id=10.47.32.250
/snmp community
set [ find default=yes ] name=nunya write-access=yes
add addresses=172.x.x.x/32,172.x.x.x/32 name=nunya security=authorized
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether2 learn=no
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge40 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge40 interface=ether8
add bridge=bridge40 interface=ether9
add bridge=bridge40 interface=ether10 learn=no
add bridge=bridge1 broadcast-flood=no interface=vlan1 learn=no unknown-multicast-flood=\
no unknown-unicast-flood=no
add bridge=bridge40 broadcast-flood=no interface=vlan40 learn=no \
unknown-multicast-flood=no unknown-unicast-flood=no
add bridge=bridge1 disabled=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether2,ether3,ether4,ether5 switch=\
switch1 vlan-id=40
add independent-learning=no ports=switch1-cpu,ether2,ether3,ether4,ether5 switch=\
switch1 vlan-id=1
add ports=switch2-cpu,ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=40
add ports=switch2-cpu,ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=1
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=192.168.1.1/24 interface=bridge40 network=192.168.1.0
add address=10.47.32.250/23 interface=ether1 network=10.47.32.0
add address=10.147.29.193/27 interface=bridge1 network=10.147.29.192
add address=10.148.5.1/25 interface=bridge1 network=10.148.5.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=172.1.1.1,10.51.1.1 domain=nunya.com \
gateway=192.168.1.1
add address=192.168.88.0/24 dns-server=172.1.1.1,10.51.1.1 domain=nunya.com \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall mangle
add action=log chain=output dst-address=10.52.5.69 protocol=icmp
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.148.5.9 to-addresses=192.168.1.9
add action=dst-nat chain=dstnat dst-address=10.148.5.10 to-addresses=192.168.1.10
add action=dst-nat chain=dstnat dst-address=10.148.5.11 to-addresses=192.168.1.11
add action=dst-nat chain=dstnat dst-address=10.148.5.12 to-addresses=192.168.1.12
add action=dst-nat chain=dstnat dst-address=10.148.5.13 to-addresses=192.168.1.13
add action=dst-nat chain=dstnat dst-address=10.148.5.14 to-addresses=192.168.1.14
add action=dst-nat chain=dstnat dst-address=10.148.5.15 to-addresses=192.168.1.15
add action=dst-nat chain=dstnat dst-address=10.148.5.16 to-addresses=192.168.1.16
add action=dst-nat chain=dstnat dst-address=10.148.5.17 log=yes to-addresses=\
192.168.1.17
add action=dst-nat chain=dstnat dst-address=10.148.5.18 to-addresses=192.168.1.18
add action=dst-nat chain=dstnat dst-address=10.148.5.19 to-addresses=192.168.1.19
add action=dst-nat chain=dstnat dst-address=10.148.5.20 to-addresses=192.168.1.20
add action=dst-nat chain=dstnat dst-address=10.148.5.21 to-addresses=192.168.1.21
add action=dst-nat chain=dstnat dst-address=10.148.5.22 to-addresses=192.168.1.22
add action=dst-nat chain=dstnat dst-address=10.148.5.23 to-addresses=192.168.1.23
add action=dst-nat chain=dstnat dst-address=10.148.5.24 to-addresses=192.168.1.24
add action=dst-nat chain=dstnat dst-address=10.148.5.25 to-addresses=192.168.1.25
add action=dst-nat chain=dstnat dst-address=10.148.5.26 to-addresses=192.168.1.26
add action=dst-nat chain=dstnat dst-address=10.148.5.27 to-addresses=192.168.1.27
add action=dst-nat chain=dstnat dst-address=10.148.5.28 to-addresses=192.168.1.28
add action=dst-nat chain=dstnat dst-address=10.148.5.29 to-addresses=192.168.1.29
add action=dst-nat chain=dstnat dst-address=10.148.5.30 to-addresses=192.168.1.30
add action=dst-nat chain=dstnat dst-address=10.148.5.31 to-addresses=192.168.1.31
add action=dst-nat chain=dstnat dst-address=10.148.5.32 to-addresses=192.168.1.32
add action=dst-nat chain=dstnat dst-address=10.148.5.33 to-addresses=192.168.1.33
add action=dst-nat chain=dstnat dst-address=10.148.5.34 to-addresses=192.168.1.34
add action=dst-nat chain=dstnat dst-address=10.148.5.35 to-addresses=192.168.1.35
add action=dst-nat chain=dstnat dst-address=10.148.5.36 to-addresses=192.168.1.36
add action=dst-nat chain=dstnat dst-address=10.148.5.37 to-addresses=192.168.1.37
add action=dst-nat chain=dstnat dst-address=10.148.5.38 to-addresses=192.168.1.38
add action=dst-nat chain=dstnat dst-address=10.148.5.39 to-addresses=192.168.1.39
add action=dst-nat chain=dstnat dst-address=10.148.5.40 to-addresses=192.168.1.40
add action=dst-nat chain=dstnat dst-address=10.148.5.41 to-addresses=192.168.1.41
add action=dst-nat chain=dstnat dst-address=10.148.5.42 to-addresses=192.168.1.42
add action=dst-nat chain=dstnat dst-address=10.148.5.43 to-addresses=192.168.1.43
add action=dst-nat chain=dstnat dst-address=10.148.5.44 to-addresses=192.168.1.44
add action=dst-nat chain=dstnat dst-address=10.148.5.45 to-addresses=192.168.1.45
add action=dst-nat chain=dstnat dst-address=10.148.5.46 to-addresses=192.168.1.46
add action=dst-nat chain=dstnat dst-address=10.148.5.47 to-addresses=192.168.1.47
add action=dst-nat chain=dstnat dst-address=10.148.5.48 to-addresses=192.168.1.48
add action=dst-nat chain=dstnat dst-address=10.148.5.49 to-addresses=192.168.1.49
add action=dst-nat chain=dstnat dst-address=10.148.5.50 to-addresses=192.168.1.50
add action=dst-nat chain=dstnat dst-address=10.148.5.51 to-addresses=192.168.1.51
add action=dst-nat chain=dstnat dst-address=10.148.5.52 to-addresses=192.168.1.52
add action=dst-nat chain=dstnat dst-address=10.148.5.53 to-addresses=192.168.1.53
add action=dst-nat chain=dstnat dst-address=10.148.5.54 to-addresses=192.168.1.54
add action=dst-nat chain=dstnat dst-address=10.148.5.55 to-addresses=192.168.1.55
add action=dst-nat chain=dstnat dst-address=10.148.5.56 to-addresses=192.168.1.56
add action=dst-nat chain=dstnat dst-address=10.148.5.57 to-addresses=192.168.1.57
add action=dst-nat chain=dstnat dst-address=10.148.5.58 to-addresses=192.168.1.58
add action=dst-nat chain=dstnat dst-address=10.148.5.59 to-addresses=192.168.1.59
add action=dst-nat chain=dstnat dst-address=10.148.5.60 to-addresses=192.168.1.60
add action=dst-nat chain=dstnat dst-address=10.148.5.61 to-addresses=192.168.1.61
add action=dst-nat chain=dstnat dst-address=10.148.5.62 to-addresses=192.168.1.62
add action=dst-nat chain=dstnat dst-address=10.148.5.63 to-addresses=192.168.1.63
add action=dst-nat chain=dstnat dst-address=10.148.5.64 to-addresses=192.168.1.64
add action=dst-nat chain=dstnat dst-address=10.148.5.65 to-addresses=192.168.1.65
add action=dst-nat chain=dstnat dst-address=10.148.5.66 to-addresses=192.168.1.66
add action=dst-nat chain=dstnat dst-address=10.148.5.67 to-addresses=192.168.1.67
add action=dst-nat chain=dstnat dst-address=10.148.5.68 to-addresses=192.168.1.68
add action=dst-nat chain=dstnat dst-address=10.148.5.69 to-addresses=192.168.1.69
add action=dst-nat chain=dstnat dst-address=10.148.5.70 to-addresses=192.168.1.70
add action=dst-nat chain=dstnat dst-address=10.148.5.71 to-addresses=192.168.1.71
add action=dst-nat chain=dstnat dst-address=10.148.5.72 to-addresses=192.168.1.72
add action=dst-nat chain=dstnat dst-address=10.148.5.73 to-addresses=192.168.1.73
add action=dst-nat chain=dstnat dst-address=10.148.5.74 to-addresses=192.168.1.74
add action=dst-nat chain=dstnat dst-address=10.148.5.75 to-addresses=192.168.1.75
add action=dst-nat chain=dstnat dst-address=10.148.5.76 to-addresses=192.168.1.76
add action=dst-nat chain=dstnat dst-address=10.148.5.77 to-addresses=192.168.1.77
add action=dst-nat chain=dstnat dst-address=10.148.5.78 to-addresses=192.168.1.78
add action=dst-nat chain=dstnat dst-address=10.148.5.79 to-addresses=192.168.1.79
add action=dst-nat chain=dstnat dst-address=10.148.5.80 to-addresses=192.168.1.80
add action=dst-nat chain=dstnat dst-address=10.148.5.81 to-addresses=192.168.1.81
add action=dst-nat chain=dstnat dst-address=10.148.5.82 to-addresses=192.168.1.82
add action=dst-nat chain=dstnat dst-address=10.148.5.83 to-addresses=192.168.1.83
add action=dst-nat chain=dstnat dst-address=10.148.5.84 to-addresses=192.168.1.84
add action=dst-nat chain=dstnat dst-address=10.148.5.85 to-addresses=192.168.1.85
add action=dst-nat chain=dstnat dst-address=10.148.5.86 to-addresses=192.168.1.86
add action=dst-nat chain=dstnat dst-address=10.148.5.87 to-addresses=192.168.1.87
add action=dst-nat chain=dstnat dst-address=10.148.5.88 to-addresses=192.168.1.88
add action=dst-nat chain=dstnat dst-address=10.148.5.89 to-addresses=192.168.1.89
add action=dst-nat chain=dstnat dst-address=10.148.5.90 to-addresses=192.168.1.90
add action=dst-nat chain=dstnat dst-address=10.148.5.91 to-addresses=192.168.1.91
add action=dst-nat chain=dstnat dst-address=10.148.5.92 to-addresses=192.168.1.92
add action=dst-nat chain=dstnat dst-address=10.148.5.93 to-addresses=192.168.1.93
add action=dst-nat chain=dstnat dst-address=10.148.5.94 to-addresses=192.168.1.94
add action=dst-nat chain=dstnat dst-address=10.148.5.95 to-addresses=192.168.1.95
add action=dst-nat chain=dstnat dst-address=10.148.5.96 to-addresses=192.168.1.96
add action=dst-nat chain=dstnat dst-address=10.148.5.97 to-addresses=192.168.1.97
add action=dst-nat chain=dstnat dst-address=10.148.5.98 to-addresses=192.168.1.98
add action=dst-nat chain=dstnat dst-address=10.148.5.99 to-addresses=192.168.1.99
add action=dst-nat chain=dstnat dst-address=10.148.5.100 to-addresses=192.168.1.100
add action=dst-nat chain=dstnat dst-address=10.148.5.101 to-addresses=192.168.1.101
add action=dst-nat chain=dstnat dst-address=10.148.5.102 to-addresses=192.168.1.102
add action=dst-nat chain=dstnat dst-address=10.148.5.103 to-addresses=192.168.1.103
add action=dst-nat chain=dstnat dst-address=10.148.5.104 to-addresses=192.168.1.104
add action=dst-nat chain=dstnat dst-address=10.148.5.105 to-addresses=192.168.1.105
add action=dst-nat chain=dstnat dst-address=10.148.5.106 to-addresses=192.168.1.106
add action=dst-nat chain=dstnat dst-address=10.148.5.107 to-addresses=192.168.1.107
add action=dst-nat chain=dstnat dst-address=10.148.5.108 to-addresses=192.168.1.108
add action=dst-nat chain=dstnat dst-address=10.148.5.109 to-addresses=192.168.1.109
add action=dst-nat chain=dstnat dst-address=10.148.5.110 to-addresses=192.168.1.110
add action=dst-nat chain=dstnat dst-address=10.148.5.111 to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-address=10.148.5.112 to-addresses=192.168.1.112
add action=dst-nat chain=dstnat dst-address=10.148.5.113 to-addresses=192.168.1.113
add action=dst-nat chain=dstnat dst-address=10.148.5.114 to-addresses=192.168.1.114
add action=dst-nat chain=dstnat dst-address=10.148.5.115 to-addresses=192.168.1.115
add action=dst-nat chain=dstnat dst-address=10.148.5.116 to-addresses=192.168.1.116
add action=dst-nat chain=dstnat dst-address=10.148.5.117 to-addresses=192.168.1.117
add action=dst-nat chain=dstnat dst-address=10.148.5.118 to-addresses=192.168.1.118
add action=dst-nat chain=dstnat dst-address=10.148.5.119 to-addresses=192.168.1.119
add action=dst-nat chain=dstnat dst-address=10.148.5.120 to-addresses=192.168.1.120
add action=dst-nat chain=dstnat dst-address=10.148.5.121 to-addresses=192.168.1.121
add action=dst-nat chain=dstnat dst-address=10.148.5.122 to-addresses=192.168.1.122
add action=dst-nat chain=dstnat dst-address=10.148.5.123 to-addresses=192.168.1.123
add action=dst-nat chain=dstnat dst-address=10.148.5.124 to-addresses=192.168.1.124
add action=dst-nat chain=dstnat dst-address=10.148.5.125 to-addresses=192.168.1.125
add action=dst-nat chain=dstnat dst-address=10.148.5.126 to-addresses=192.168.1.126
add action=masquerade chain=srcnat dst-address=!0.0.0.0 src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address=!0.0.0.0 src-address=192.168.88.0/24
/ip proxy
set parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=10.47.32.1
/ip service
set www-ssl disabled=no
/lcd
set time-interval=daily
/routing ospf interface
add interface=ether1 network-type=broadcast priority=0
add interface=bridge1 network-type=broadcast passive=yes
/routing ospf network
add area=area20 network=10.147.29.192/27
add area=area20 network=10.47.32.0/23
add area=area20 network=10.148.5.0/25
/snmp
set enabled=yes location="nunya"
/system clock
set time-zone-name=America/Chicago
/system identity
set name=nunya-router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Traceroute not showing the inbound IP

Thu Feb 03, 2022 9:05 am

Do you mean that you have same dstnat on other routers, but this doesn't happen on them? If so, do you see any difference between configs? So far no matter what I try, if I dstnat icmp, it happens. But I don't see why it should...

As for other things in config, you could probably replace that long list of dstnat rules with fewer netmap rules. Either make them from smaller subnets, or add exceptions like this:
/ip firewall nat
add chain=dstnat dst-address=10.148.5.0/29 action=accept
add chain=dstnat dst-address=10.148.5.8/32 action=accept
add chain=dstnat dst-address=10.148.5.127/32 action=accept
add chain=dstnat dst-address=10.148.5.0/25 action=netmap to-addresses=192.168.1.0/25
On the other hand, separate dstnat rules give you per-address counters, it's easier to do separate logging, ...
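
An added check, not part of the original posts: it compares the per-address dst-nat rules from the export above (10.148.5.9 through 10.148.5.126) with a single netmap rule preceded by accept exceptions. It assumes first-match rule order and that accept in the dstnat chain leaves the packet untranslated; the exception covering 10.148.5.8 is a parameter, which shows that it has to be a /32, because a /31 would also exempt 10.148.5.9. Function names are hypothetical.

```python
import ipaddress


def per_address_rules(first=9, last=126):
    """The export's one-rule-per-host list: 10.148.5.N -> 192.168.1.N."""
    return {
        ipaddress.ip_address(f"10.148.5.{n}"): ipaddress.ip_address(f"192.168.1.{n}")
        for n in range(first, last + 1)
    }


def netmap(addr, src_net, dst_net):
    """netmap keeps the host part and swaps the network prefix (1:1 mapping)."""
    offset = int(addr) - int(src_net.network_address)
    return dst_net.network_address + offset


def translate(addr, rules):
    """Evaluate (dst-address, action, to-addresses) rules, first match wins.

    Returns the translated address, or None when the packet is left as is.
    """
    addr = ipaddress.ip_address(addr)
    for match, action, target in rules:
        if addr not in match:
            continue
        if action == "accept":   # stop NAT processing, no translation
            return None
        if action == "netmap":
            return netmap(addr, match, target)
        if action == "dst-nat":
            return target
    return None


def build_rules(exception_for_8):
    """Accept exceptions followed by one netmap rule for the whole /25."""
    net = ipaddress.ip_network
    return [
        (net("10.148.5.0/29"), "accept", None),     # .0 - .7, includes the router's .1
        (net(exception_for_8), "accept", None),     # .8, plus .9 if given as a /31
        (net("10.148.5.127/32"), "accept", None),   # broadcast address of the /25
        (net("10.148.5.0/25"), "netmap", net("192.168.1.0/25")),
    ]


def differences(rules):
    """Addresses in 10.148.5.0/25 whose translation differs from the export."""
    expected = per_address_rules()
    diffs = {}
    for addr in ipaddress.ip_network("10.148.5.0/25"):
        want = expected.get(addr)
        got = translate(addr, rules)
        if want != got:
            diffs[str(addr)] = (
                str(want) if want is not None else None,
                str(got) if got is not None else None,
            )
    return diffs


if __name__ == "__main__":
    for exception in ("10.148.5.8/31", "10.148.5.8/32"):
        diffs = differences(build_rules(exception))
        print(exception, "->", diffs if diffs else "same translations as the export")
```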
 
MicroNoob
just joined
Topic Author
Posts: 8
Joined: Wed Jan 26, 2022 11:18 pm

Re: Traceroute not showing the inbound IP

Thu Feb 03, 2022 7:11 pm

Sob wrote: "Do you mean that you have same dstnat on other routers, but this doesn't happen on them? If so, do you see any difference between configs? So far no matter what I try, if I dstnat icmp, it happens. But I don't see why it should..."

Well I thought that wasn't happening on other MikroTiks...but I just looked at 5 others and they behave the exact same way...so my original premise must be wrong and I'm an idiot. But I did learn some valuable MikroTik knowledge so thanks for that! But using a Cisco router, I get my desired traceroute behavior...so now I wonder why the difference between Cisco and MikroTik.

One unrelated question...how should I read the below srcnat config in regards to the 'dst-address=!0.0.0.0' part? I read it as 'don't allow any destination networks' since it's the default route with an exclamation mark. I would think removing the exclamation mark would be the correct configuration. But I must be wrong since it works.

chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=!0.0.0.0
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Traceroute not showing the inbound IP

Thu Feb 03, 2022 7:30 pm

If it makes you feel better, it surprised me too, and I still didn't find an explanation why it happens.

dst-address=!0.0.0.0 matches when destination address is not 0.0.0.0, but I'm not sure what's the point, where would such address come from anyway?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Traceroute not showing the inbound IP

Thu Feb 03, 2022 8:00 pm

Quick test says that Linux with iptables does the same thing. Which is not surprising, because RouterOS is based on it, but it shows that the behaviour comes from there, it's not just RouterOS doing it. But why...
 
Monava
just joined
Posts: 1
Joined: Sun Jan 16, 2022 11:44 pm

Re: Traceroute not showing the inbound IP

Thu Feb 03, 2022 8:11 pm

TRACERT can be used to find out where packets stop on the network. In the following example, the default gateway has detected that there is not a valid path to host on 22.110.0.1. It is likely that either the router has a configuration problem or the 22.110.0.0 network does not exist, reflecting the wrong IP address.
 
MicroNoob
just joined
Topic Author
Posts: 8
Joined: Wed Jan 26, 2022 11:18 pm

Re: Traceroute not showing the inbound IP

Fri Feb 11, 2022 11:59 pm

Thanks again for all the help...good to know it's just a Linux thing most likely.

Sob wrote: "If it makes you feel better, it surprised me too, and I still didn't find an explanation why it happens.

dst-address=!0.0.0.0 matches when destination address is not 0.0.0.0, but I'm not sure what's the point, where would such address come from anyway?"

Ok, that was my 2nd guess...so probably just a misconfiguration...the desired behavior is just to translate all outbound traffic from that subnet.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Traceroute not showing the inbound IP

Sat Feb 12, 2022 2:54 pm

I'd still like to know why it happens. It probably makes sense when there's simple NAT 1:1, aka "DMZ", where you have exactly one address and it's dstnatted to some internal address. If that address was used as source, traceroute might not like it, because if it's the target, it may not expect response from it about expired TTL. I'm not sure, just guessing. But if there is another address that can be used as source, I don't see any possible problem with that, and I think NAT shouldn't touch it.
