netmk
just joined
Topic Author
Posts: 6
Joined: Mon Aug 31, 2020 9:31 pm

NAT, Fasttrack and Out Interface

Thu Dec 01, 2022 11:54 pm

Hello friends

I would like help to understand how RouterOS treats packets in a CCR that has only NAT and Fasttrack.

Scenario: a CCR with 2 ports. The first port is connected to user with private IP 100.64.10.10. The second port is connected to the internet.
On the CCR there is a NAT (chain=srcnat src.address=100.64.10.10 action=srcnat to-address=X.Y.X.Y) and FastTrack is enabled.
Note that I didn't enter any "Out. Interface" in the NAT configuration.

When the 1st packet from USER arrives via SFP2, the packet goes through the NAT rule and is tagged, right?! So the next packet from USER and from the same connection no longer needs to pass the NAT rule, right?

Question 1: Will the packet coming from the internet (entering the SFP1 port) pass the NAT rule as well (I know the MATCH won't happen, because the src-address doesn't match)?
Or will a packet coming from the internet be identified as belonging to a connection that is already open and thus will not pass through the NAT rule?


Question 2: Would there be any processing gain when informing the output port (SFP1) in the NAT rule? After all, packets that are coming from the internet will definitely not pass the NAT rule.
Last edited by netmk on Fri Dec 02, 2022 3:41 pm, edited 2 times in total.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: NAT, Farttrack and Out Interface

Fri Dec 02, 2022 12:24 am

Connection tracking is responsible for identifying that the return packets belong to the connection that was previously established and NATed, so there is no need to evaluate the NAT rule again.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NAT, Farttrack and Out Interface

Fri Dec 02, 2022 12:36 am

Flatulence often follows trying to configure an MT router. Surely you know which out interface is involved?

 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: NAT, Farttrack and Out Interface

Fri Dec 02, 2022 12:39 am

:lol:
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NAT, Farttrack and Out Interface  [SOLVED]

Fri Dec 02, 2022 9:31 am

To elaborate on @chechito's hint - connection tracking inspects every single packet and finds it to fit into one of the following categories (connection tracking states):
  • new (doesn't match any known connection)
  • established (belongs to one of the known connections)
  • related (doesn't belong to any known connection but is related to one, such as an ICMP "fragmentation needed" that arrives in response to a TCP packet that is too large to fit to outgoing interface's MTU on a remote router)
  • invalid (a packet that matches the addresses and ports of a known connection but not its logical state, such as a SYN packet that arrives after a corresponding TCP session has already been negotiated)
Packets that are identified as new are the only ones to be sent to the dstnat and srcnat rule chains. But the connection tracking remembers the verdict of those chains for that connection, so all subsequent downstream packets of that connection (those sent from the initiator of the connection to the responder) are handled the same way as the initial one, and all the upstream packets are treated symmetrically, i.e. "un-src-nated" and "un-dst-nated" accordingly.

There is no benefit in adding an out-interface match to the action=src-nat rule as you have the src-address match there. Any of these is sufficient in your particular setup, so the other one just wastes CPU cycles. But as it does so only for the initial packet of each connection, it's probably impossible to notice the difference.
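As an added illustration of the behaviour sindy describes (not code from the thread or from RouterOS): a toy connection-tracking table that runs the srcnat chain only for packets in state "new", stores the verdict per connection, and reverses it for reply packets. It assumes 203.0.113.1 in place of the thread's X.Y.X.Y and a constructed TCP flow from 100.64.10.10.

```python
# Constructed model of conntrack + srcnat. Only "new" packets traverse the
# srcnat chain; established packets (both directions) reuse the stored verdict.
PUBLIC_IP = "203.0.113.1"   # placeholder for the thread's X.Y.X.Y
SRCNAT_RULES = [{"src-address": "100.64.10.10", "to-address": PUBLIC_IP}]

# A packet is a 5-tuple: (proto, src_ip, src_port, dst_ip, dst_port)
def reverse(p):
    proto, s, sp, d, dp = p
    return (proto, d, dp, s, sp)

class Conntrack:
    def __init__(self):
        self.table = {}      # original-direction tuple -> translated tuple
        self.rule_hits = 0   # how many times the srcnat chain was evaluated

    def state(self, pkt):
        if pkt in self.table:                          # initiator -> responder
            return "established"
        if reverse(pkt) in self.table.values():        # responder -> initiator
            return "established"
        return "new"

    def srcnat_chain(self, pkt):
        self.rule_hits += 1
        proto, s, sp, d, dp = pkt
        for rule in SRCNAT_RULES:
            if s == rule["src-address"]:               # matcher: src-address only
                return (proto, rule["to-address"], sp, d, dp)
        return pkt                                     # no rule matched

    def handle(self, pkt):
        st = self.state(pkt)
        if st == "new":                                # first packet: run the chain
            self.table[pkt] = self.srcnat_chain(pkt)
            return st, self.table[pkt]
        if pkt in self.table:                          # cached verdict, chain skipped
            return st, self.table[pkt]
        for orig, xlated in self.table.items():        # reply: "un-src-nat" it
            if reverse(xlated) == pkt:
                return st, reverse(orig)

def demo():
    ct = Conntrack()
    out = ("tcp", "100.64.10.10", 40001, "93.184.216.34", 443)
    first = ct.handle(out)      # new -> chain runs, source rewritten
    second = ct.handle(out)     # established -> same verdict, chain not run
    reply = ct.handle(("tcp", "93.184.216.34", 443, PUBLIC_IP, 40001))
    return first, second, reply, ct.rule_hits
```

Adding an out-interface matcher to the rule would only change `srcnat_chain`, which `rule_hits` shows runs once per connection regardless.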
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT, Farttrack and Out Interface

Fri Dec 02, 2022 10:58 am

The last paragraph in the last post by @sindy applies in the particular case illustrated in the OP. If the router had multiple interfaces with multiple networks attached, then specifying src-address as a criterion property of the src-nat rule may make sense (depending on the rest of the config).
 
netmk
just joined
Topic Author
Posts: 6
Joined: Mon Aug 31, 2020 9:31 pm

Re: NAT, Farttrack and Out Interface

Fri Dec 02, 2022 2:10 pm

Thanks, sindy, mkx and chechito,


Sindy, your answer was very detailed and constructive, thank you, it helped me to confirm my understanding.

Thank you all for taking the time to help a stranger.


"Teaching is learning"
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: NAT, Farttrack and Out Interface

Fri Dec 02, 2022 2:13 pm

Farttrack?

Better fix the title....


edit: fixed, thanks...
Last edited by rextended on Fri Dec 02, 2022 9:50 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NAT, Farttrack and Out Interface

Fri Dec 02, 2022 4:40 pm

Farttrack?

Better fix the title....
Sometimes a potentially shitty title attracts bees, just like honey. ;-)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: NAT, Fasttrack and Out Interface

Fri Dec 02, 2022 9:51 pm

(⊙_⊙;)
