OlofL
Member Candidate
Topic Author
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

NAT only NAT'ing 99% of packets.

Mon May 30, 2022 5:06 pm

Issue: not all packets are NAT'ed on the MikroTik router. It seems like 99.9% of packets are NAT'ed.
But the upstream firewall is seeing lots of martian source packets (rp_filter strict).

I have this setup with Mikrotik router.
/system/routerboard/print
       routerboard: yes
             model: CCR1036-8G-2S+
     serial-number: 4466022F4CCF
     firmware-type: tilegx
  factory-firmware: 3.10
  current-firmware: 7.2.3
  upgrade-firmware: 7.2.3
This is config on mikrotik
/interface vlan
add interface=sfp-sfpplus1 name=v128 vlan-id=128

/interface list
add name=WAN
add name=CUST
add name=GUEST
/interface list member
add interface=sfp-sfpplus2 list=CUST
add interface=ether6 list=GUEST
add interface=v128 list=WAN


/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface-list=CUST out-interface-list=WAN
add action=accept chain=forward in-interface-list=GUEST out-interface-list=WAN
add action=drop chain=forward log=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip address
add address=192.168.213.1/24 interface=ether6 network=192.168.213.0
add address=172.16.31.1/24 interface=sfp-sfpplus2 network=172.16.31.0
add address=xxx.xxx.xxx.xxx/25 interface=v128 network=xxx.xxx.xxx.xxx

On our firewall, we are seeing lots of martian source packets.
From the non-MikroTik firewall:
May 30 15:36:06 firewall-1 kernel: [12077613.285312] IPv4: martian source xxx.xxx.xxx.xxx from 192.168.212.158, on dev eth1.128
This means that the MikroTik did NOT properly NAT all packets. I would say 99.9% of all packets are properly NAT'ed, but many are not.
I have many mikrotiks with this setup - but they are all failing at the same rates - and they have identical nat rules with interface-lists and VLAN.


Picture for easier explanation:
J57w86a - Imgur.png
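The upstream firewall's kernel log is the only evidence in the post, so a way to count the leaks per source and interface is useful before guessing at percentages. Below is an added Python example (not from the original post, nor MikroTik code): it parses "martian source" lines of the format quoted above and separates RFC 1918 sources, which on the WAN VLAN can only be un-NATed LAN traffic, from other martians. The log lines are constructed for the example, and 203.0.113.1 stands in for the redacted xxx.xxx.xxx.xxx destination.

```python
"""Count 'martian source' kernel log lines by upstream device and source.
Added example for this thread; the sample log below is constructed."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

MARTIAN_RE = re.compile(
    r"IPv4: martian source (?P<dst>\d+\.\d+\.\d+\.\d+) from (?P<src>\d+\.\d+\.\d+\.\d+),"
    r" on dev (?P<dev>\S+)"
)

# RFC 1918 only; ipaddress.is_private also flags documentation ranges, which
# would hide spoofed "public" sources behind the same counter.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: two leaks from the GUEST client in the post, one from the
# CUST subnet, one non-RFC1918 martian, and an unrelated kernel line.
SAMPLE_LOG = """\
May 30 15:36:06 firewall-1 kernel: [12077613.285312] IPv4: martian source 203.0.113.1 from 192.168.212.158, on dev eth1.128
May 30 15:36:09 firewall-1 kernel: [12077616.102211] IPv4: martian source 203.0.113.1 from 192.168.212.158, on dev eth1.128
May 30 15:36:11 firewall-1 kernel: [12077618.550000] IPv4: martian source 203.0.113.1 from 172.16.31.40, on dev eth1.128
May 30 15:36:12 firewall-1 kernel: [12077619.000000] IPv4: martian source 203.0.113.1 from 198.51.100.9, on dev eth1.128
May 30 15:36:13 firewall-1 kernel: [12077620.000000] IPv4: ll header: 00000000: ff ff ff ff ff ff
"""


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


def parse_martian(line: str):
    """Return {'dst','src','dev','lan_source'} for a martian line, else None."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["lan_source"] = is_rfc1918(rec["src"])
    return rec


def summarize(log: str):
    """(leaks, other): leaks counts RFC 1918 sources per (dev, src), i.e. packets
    that left the NAT router with a private source; other holds the rest."""
    leaks, other = Counter(), Counter()
    for line in log.splitlines():
        rec = parse_martian(line)
        if rec is None:
            continue
        bucket = leaks if rec["lan_source"] else other
        bucket[(rec["dev"], rec["src"])] += 1
    return leaks, other


if __name__ == "__main__":
    leaks, other = summarize(SAMPLE_LOG)
    for (dev, src), n in leaks.most_common():
        print(f"{dev}: {n} un-NATed packet(s) from {src}")
    for (dev, src), n in other.most_common():
        print(f"{dev}: {n} other martian(s) from {src}")
```

Feed it the real log with something like `journalctl -k | python3 martians.py` adapted to read stdin; the per-source counts tell you which downstream subnet (GUEST 192.168.x or CUST 172.16.31.x here) is leaking, and the ratio to the router's forwarded packet counters gives an actual figure instead of a guess.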
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: NAT only NAT'ing 99% of packets.

Mon May 30, 2022 5:56 pm

Try adding a firewall rule add action=drop chain=forward connection-state=invalid after the accept established/related.
 
OlofL
Member Candidate
Topic Author
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: NAT only NAT'ing 99% of packets.

Mon May 30, 2022 6:04 pm

Try adding a firewall rule add action=drop chain=forward connection-state=invalid after the accept established/related.
I can try. But explain please why you think this will help?
Even if packet is "invalid" and accepted by outgoing firewall rule - it should still be NAT'ed - right?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT only NAT'ing 99% of packets.

Mon May 30, 2022 6:33 pm

NAT relies on connection tracking classification. If the connection tracking machinery can't classify a packet, leaving the packet with connection state invalid, NAT can't do its job properly either.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: NAT only NAT'ing 99% of packets.  [SOLVED]

Mon May 30, 2022 6:35 pm

When the MikroTik connection tracking sees the end of a TCP conversation (FIN -> ACK+FIN -> ACK) the tracking entry is removed. Any repeated or unsolicited invalid transmissions from a client, e.g. FIN+ACK, RST+ACK or RST will not create a new connection tracking entry so no NAT will be applied. This is not a bug, just normal Linux behaviour.
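To make the mechanism in the answer above concrete, here is an added Python model (not MikroTik or Linux code, and not part of the thread): a toy connection tracker that classifies packets as new, established or invalid, a router that applies the thread's forward filter and srcnat masquerade on top of it, and a run of one TCP session followed by a late RST from the client. The model removes a flow as soon as the FIN handshake completes; the real kernel keeps it for a TIME_WAIT/CLOSE timeout first, so the run shows the situation once that timeout has expired. All addresses are constructed (RFC 5737 ranges stand in for the redacted WAN prefix), and the port and flag handling is simplified to what the point needs.

```python
"""Toy model of TCP connection tracking plus srcnat masquerade.
Added example for this thread, not MikroTik or Linux code."""
from dataclasses import dataclass, field

LAN_CLIENT = "192.168.212.158"   # the martian source from the kernel log
WAN_IP = "203.0.113.10"          # assumed router WAN address (constructed)
SERVER = "198.51.100.7"          # assumed Internet peer (constructed)
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


@dataclass
class Entry:
    state: str = "SYN_SENT"
    fins_seen: int = 0
    keys: list = field(default_factory=list)   # original and reply 4-tuples
    nat: tuple = None                          # (ip, port) put in place of the LAN source


class Conntrack:
    """Flows keyed by 4-tuple in both directions; closed flows are dropped at once."""

    def __init__(self):
        self.table = {}

    def bind(self, e, key):
        e.keys.append(key)
        self.table[key] = e

    def classify(self, p):
        """(ctstate, entry): tracked -> 'established', bare SYN -> 'new',
        any other untracked packet -> 'invalid' and no entry is created."""
        e = self.table.get((p.src, p.sport, p.dst, p.dport))
        if e is not None:
            self._advance(p, e)
            return "established", e
        if SYN in p.flags and ACK not in p.flags:
            e = Entry()
            self.bind(e, (p.src, p.sport, p.dst, p.dport))
            return "new", e
        return "invalid", None

    def _advance(self, p, e):
        if SYN in p.flags and ACK in p.flags and e.state == "SYN_SENT":
            e.state = "ESTABLISHED"
        if FIN in p.flags:
            e.fins_seen += 1
            e.state = "FIN_WAIT"
        # FIN -> FIN+ACK -> ACK (or an RST on a tracked flow) ends the flow: this
        # packet is still tracked, the next one on the same tuple is not.
        if RST in p.flags or (e.fins_seen >= 2 and FIN not in p.flags and ACK in p.flags):
            e.state = "CLOSED"
            for k in e.keys:
                self.table.pop(k, None)


class Router:
    """The thread's forward filter and srcnat masquerade, optionally with the
    suggested 'drop connection-state=invalid' rule."""

    def __init__(self, drop_invalid):
        self.ct = Conntrack()
        self.drop_invalid = drop_invalid
        self.next_port = 40000

    def forward(self, p):
        """Return (action, source address the upstream firewall will see)."""
        state, e = self.ct.classify(p)
        from_lan = p.src.startswith("192.168.")
        if state == "invalid" and self.drop_invalid:
            return "drop", None
        if not from_lan:                   # WAN->LAN: only tracked replies pass
            return ("accept", p.src) if state == "established" else ("drop", None)
        if state == "invalid":             # accepted by the CUST/GUEST->WAN rule,
            return "accept", p.src         # but with no entry srcnat never rewrites it
        if state == "new":                 # the srcnat chain sees only the first packet
            e.nat = (WAN_IP, self.next_port)
            self.next_port += 1
            self.ct.bind(e, (p.dst, p.dport, WAN_IP, e.nat[1]))   # reply tuple
        return "accept", e.nat[0]          # later packets reuse the stored mapping


def session_with_stray_rst(drop_invalid):
    """One full TCP session, then a late client RST on the same tuple.
    Returns (label, action, source seen upstream) for every packet."""
    r = Router(drop_invalid)

    def client(*fl):
        return Packet(LAN_CLIENT, 51000, SERVER, 443, frozenset(fl))

    out = [("SYN", *r.forward(client(SYN)))]
    nat_port = r.next_port - 1             # port masquerade picked for this flow

    def server(*fl):
        return Packet(SERVER, 443, WAN_IP, nat_port, frozenset(fl))

    for label, pkt in [("SYN/ACK", server(SYN, ACK)), ("ACK", client(ACK)),
                       ("FIN", client(FIN, ACK)), ("FIN/ACK", server(FIN, ACK)),
                       ("final ACK", client(ACK)), ("stray RST", client(RST, ACK))]:
        out.append((label, *r.forward(pkt)))
    return out


if __name__ == "__main__":
    for drop in (False, True):
        print(f"drop invalid = {drop}")
        for label, action, src in session_with_stray_rst(drop):
            print(f"  {label:10} {action:6} src on WAN: {src}")
```

Without the extra rule the stray RST is accepted by the interface-list rule and leaves with 192.168.212.158 as its source, which is exactly the martian the upstream firewall logs; with `drop chain=forward connection-state=invalid` placed after the established/related accept, it never reaches the WAN.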
 
ingdaka
Trainer
Posts: 452
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: NAT only NAT'ing 99% of packets.

Mon May 30, 2022 7:56 pm

How did you measure that 99.9%?
 
OlofL
Member Candidate
Topic Author
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: NAT only NAT'ing 99% of packets.

Mon May 30, 2022 8:28 pm

How did you measure that 99.9%?
I didn't. Just a wild guestimate:)
It's probably closer to 99.999%
 
OlofL
Member Candidate
Topic Author
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: NAT only NAT'ing 99% of packets.

Mon May 30, 2022 8:30 pm

When the MikroTik connection tracking sees the end of a TCP conversation (FIN -> ACK+FIN -> ACK) the tracking entry is removed. Any repeated or unsolicited invalid transmissions from a client, e.g. FIN+ACK, RST+ACK or RST will not create a new connection tracking entry so no NAT will be applied. This is not a bug, just normal Linux behaviour.
Thanks 👍🙏
Does fast track change this behaviour in any way?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: NAT only NAT'ing 99% of packets.

Mon May 30, 2022 10:50 pm

No, fasttrack is a connection tracking attribute.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT only NAT'ing 99% of packets.

Tue May 31, 2022 8:19 am

No, fasttrack is a connection tracking attribute.

Indeed. And if a packet is fasttracked, it skips the vast majority of packet flow boxes and goes from the connection tracking box output directly to the output interface, see the fasttrack description. Which means that those surplus packets, with the connection already closed, will still be declared invalid by the connection tracking machinery. They won't be fasttracked, because it is not individual packets that are fasttracked; it is the connection (and consequently the packets belonging to it).
