jollo
just joined
Topic Author
Posts: 2
Joined: Fri Sep 23, 2022 11:45 am

How can local traffic jump through NAT?

Fri Sep 23, 2022 12:03 pm

I don't understand how local traffic from my LAN can jump through the NAT rule on the MikroTik and go to the DMZ.

/ip firewall nat add action=masquerade chain=srcnat out-interface=DMZ src-address=10.10.0.0/16 to-addresses=0.0.0.0

I don't have any other rules in filter, mangle or raw,
except /ip firewall filter add action=accept chain=forward

By the way, this wrong traffic flows only to dst port 443.

For example:

11:33:32.992004 IP 10.10.231.53.37698 > 87.250.250.207.443: Flags [R], seq 2920141894, win 0, length 0
11:33:33.547967 IP 10.10.154.87.46466 > 213.180.193.230.443: Flags [R], seq 611987300, win 0, length 0
11:33:33.548239 IP 10.10.154.87.46466 > 213.180.193.230.443: Flags [R], seq 611987300, win 0, length 0
11:33:33.885430 IP 10.10.145.16.51837 > 54.205.60.226.443: Flags [R], seq 1323507005, win 0, length 0
11:33:33.885763 IP 10.10.145.16.51837 > 54.205.60.226.443: Flags [R], seq 1323507005, win 0, length 0
11:33:33.890503 IP 10.10.145.16.51841 > 54.205.60.226.443: Flags [R], seq 3018220698, win 0, length 0
11:33:33.890863 IP 10.10.145.16.51841 > 54.205.60.226.443: Flags [R], seq 3018220698, win 0, length 0
11:33:34.433547 IP 10.10.111.135.36300 > 87.250.250.207.443: Flags [R], seq 3053875660, win 0, length 0
11:33:34.433764 IP 10.10.111.135.36300 > 87.250.250.207.443: Flags [R], seq 3053875660, win 0, length 0
11:33:34.434848 IP 10.10.111.135.36300 > 87.250.250.207.443: Flags [R], seq 3053875660, win 0, length 0
11:33:34.444327 IP 10.10.3.150.39194 > 213.180.193.230.443: Flags [R], seq 1263754677, win 0, length 0
11:33:34.444873 IP 10.10.3.150.39194 > 213.180.193.230.443: Flags [R], seq 1263754677, win 0, length 0
11:33:34.710503 IP 10.10.156.46.64118 > 17.57.12.243.443: Flags [R], seq 3260872821, win 0, length 0
11:33:35.230764 IP 10.10.146.13.38828 > 173.194.179.31.443: Flags [R], seq 874401182, win 0, length 0
11:33:35.230909 IP 10.10.146.13.38828 > 173.194.179.31.443: Flags [R], seq 874401182, win 0, length 0
11:33:35.230971 IP 10.10.146.13.38828 > 173.194.179.31.443: Flags [R], seq 874401182, win 0, length 0
11:33:35.241811 IP 10.10.146.13.38828 > 173.194.179.31.443: Flags [R], seq 874401182, win 0, length 0
11:33:35.242625 IP 10.10.146.13.38828 > 173.194.179.31.443: Flags [R], seq 874401182, win 0, length 0

RouterOS v6.48.6
CCR1036-8G-2S+
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How can local traffic jump through NAT?

Fri Sep 23, 2022 7:43 pm

You would see the same if doing the NAT on any other Linux box (maybe something has changed with nft, not sure). The src-nat (and also dst-nat) rule only handles the initial packet of each connection, which is the SYN one in the case of TCP. The [R] in the tcpdump output indicates that the packet has the Reset flag set, so it looks like there was a connection (which was src-NATed properly), then it ended, so the connection tracking module of the firewall removed it from its table, and then the client sent a reset packet for some reason; but since the connection was gone and the packet was not a SYN one, the packet got forwarded without getting src-nated.

So far it seems pretty normal, but what I don't like about it is that many of those packets are sent repeatedly, which normally only happens if some mid-session packets arrive where they are not expected (i.e. the recipient at 10.10.146.13 has no session open from port 38828 towards 173.194.179.31:443 but receives a packet from 173.194.179.31:443 to port 38828). No idea what your capture filter was, but it looks to me as if those packets from pu.bl.ic.ip:443 towards the private addresses, triggering the sending of the Reset ones, were spoofed and didn't actually come from the WAN side, i.e. as if it was some kind of attack on the servers running on those public addresses.

Or maybe you have multiple WANs so they did come from the outside but the Reset ones are routed via the other WAN?
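As an added illustration of the mechanism described in this reply (example code written for this page, not code from the thread, from MikroTik or from RouterOS): a small Python script that replays tcpdump lines through a simplified connection tracker. A bare SYN creates a table entry (the only point at which a srcnat rule is evaluated), later packets of that flow are "established", FIN or RST removes the entry, and anything that arrives for a flow with no entry is "untracked". Untracked RSTs with a source inside the 10.10.0.0/16 range from the OP's masquerade rule are exactly the packets that would leave the router un-NATed. The first four sample lines are constructed to show a normal connection; the remaining lines are copied from the capture above. Timeouts and TIME_WAIT handling of a real conntrack are deliberately omitted.

```python
"""Replay tcpdump lines through a toy connection tracker to show which
packets a srcnat rule never sees. Added example, not RouterOS code."""
import ipaddress
import re
from collections import Counter

# Matches the one-line tcpdump TCP format used in the thread's capture.
LINE_RE = re.compile(
    r"^(?P<ts>[\d:.]+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Taken from the OP's rule: src-address=10.10.0.0/16 on the masquerade.
LAN = ipaddress.ip_network("10.10.0.0/16")

# Constructed sample: the first four lines are made up to show a normal
# connection (SYN, SYN-ACK, data, FIN); the last three are from the capture.
SAMPLE = """\
11:33:30.000001 IP 10.10.231.53.37698 > 87.250.250.207.443: Flags [S], seq 1, win 64240, length 0
11:33:30.000002 IP 87.250.250.207.443 > 10.10.231.53.37698: Flags [S.], seq 100, ack 2, win 65535, length 0
11:33:30.000003 IP 10.10.231.53.37698 > 87.250.250.207.443: Flags [P.], seq 2:52, ack 101, win 64240, length 50
11:33:31.000004 IP 10.10.231.53.37698 > 87.250.250.207.443: Flags [F.], seq 52, ack 101, win 64240, length 0
11:33:32.992004 IP 10.10.231.53.37698 > 87.250.250.207.443: Flags [R], seq 2920141894, win 0, length 0
11:33:33.547967 IP 10.10.154.87.46466 > 213.180.193.230.443: Flags [R], seq 611987300, win 0, length 0
11:33:33.548239 IP 10.10.154.87.46466 > 213.180.193.230.443: Flags [R], seq 611987300, win 0, length 0
"""


def parse(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def flow_key(pkt):
    """Direction-independent 4-tuple so replies land on the same entry."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)


def track(capture):
    """Classify each packet as 'new', 'established' or 'untracked'.

    Simplified conntrack: a bare SYN opens an entry, FIN or RST on a
    tracked flow closes it immediately (no TIME_WAIT, no timeouts).
    """
    table = set()
    result = []
    for line in capture.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        key = flow_key(pkt)
        flags = pkt["flags"]
        if flags == "S":
            # Only here would the srcnat rule be consulted.
            table.add(key)
            state = "new"
        elif key in table:
            state = "established"
            if "F" in flags or "R" in flags:
                table.discard(key)
        else:
            state = "untracked"
        result.append((pkt, state))
    return result


def leaked_rsts(capture):
    """Count untracked RSTs with a LAN source, keyed by 4-tuple.

    These are forwarded without src-nat; repeats for one tuple are the
    'sent repeatedly' pattern the reply points out.
    """
    counts = Counter()
    for pkt, state in track(capture):
        if (state == "untracked" and "R" in pkt["flags"]
                and ipaddress.ip_address(pkt["src"]) in LAN):
            counts[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] += 1
    return counts


if __name__ == "__main__":
    for pkt, state in track(SAMPLE):
        print(f"{pkt['ts']} {pkt['src']}:{pkt['sport']} > "
              f"{pkt['dst']}:{pkt['dport']} [{pkt['flags']}] {state}")
    for tuple4, n in leaked_rsts(SAMPLE).items():
        print("un-NATed RST", tuple4, "x", n)
```

Run it on a real capture by replacing SAMPLE with the contents of a tcpdump file; any tuple that appears more than once in the leaked list is worth correlating with what arrived at that host just before. In RouterOS terms the "untracked" packets are the ones a forward-chain rule with connection-state=invalid and action=drop would stop before they reach the DMZ interface.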
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How can local traffic jump through NAT?

Fri Sep 23, 2022 10:40 pm

I would contemplate helping if there was a network diagram and a full config /export (minus serial number and any ISP public IP, gateway IP info).
 
emunt6
Frequent Visitor
Posts: 87
Joined: Fri Feb 02, 2018 7:00 pm

Re: How can local traffic jump through NAT?

Sat Sep 24, 2022 5:12 pm

/ip firewall filter add action=accept chain=forward
This rule allows traffic to go through between interfaces, unless you make some rule that blocks it.

You can fix that; the last rule needs to be DROP.
/ip firewall filter add action=accept chain=forward src-address=10.10.0.0/16
/ip firewall filter add action=accept chain=forward dst-address=10.10.0.0/16
/ip firewall filter add action=drop chain=forward
 
jollo
just joined
Topic Author
Posts: 2
Joined: Fri Sep 23, 2022 11:45 am

Re: How can local traffic jump through NAT?

Tue Sep 27, 2022 11:57 am

> Or maybe you have multiple WANs so they did come from the outside but the Reset ones are routed via the other WAN?

Thanks for the answers.

I have one network, one uplink.
