Community discussions

MikroTik App
 
myke1124
just joined
Topic Author
Posts: 24
Joined: Fri Mar 28, 2014 2:15 am

NAT killing OSPF

Mon Jan 16, 2017 11:08 pm

/interface bridge add name=loopback
/interface bridge settings set use-ip-firewall=yes
/ip address
 add address=123.123.123.208/32 interface=loopback
 add address=10.100.100.117/29 interface=ether1-gateway
 add address=10.212.1.1/29 interface=ether2-south_tower
 add address=10.212.8.1/24 interface=ether3-north_AP
/ip route add gateway=10.100.100.113
Basic OSPF setup.
/routing ospf interface
 add network-type=broadcast passive=yes
 add authentication=md5 authentication-key=myOSPFkey interface=ether1-gateway network-type=broadcast priority=0
 add authentication=md5 authentication-key=myOSPFkey interface=ether2-south_tower network-type=broadcast priority=0
I got OSPF working. I then added a NAT rule to the configuration.
/ip firewall address-list
 add list=my_network address=10.0.0.0/8
 add list=my_network address=123.123.123.0/24
/ip firewall nat
 add action=src-nat chain=srcnat dst-address-list=!my_network src-address=10.0.0.0/8 to-addresses=123.123.123.208
After adding my nat statement my OSPF neighbor is lost. I have tried adding protocol=!ospf dst-address-type=unicast out-interface=ether1-gateway to my nat statement. I have also added 224.0.0.0/23 and 255.255.255.255 to the my_network address list. I have tried several router OS versions and different routerboard models.

My conclusion is the nat statement is matching the osfp traffic.
 
patrick7
Member
Member
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

Re: NAT killing OSPF

Mon Jan 16, 2017 11:40 pm

Are you sure it's only /23?
You could add the following rule before nat:
add chain=srcnat protocol=ospf action=accept
 
myke1124
just joined
Topic Author
Posts: 24
Joined: Fri Mar 28, 2014 2:15 am

Re: NAT killing OSPF

Thu Jan 30, 2020 2:02 am

Years later this bug is still present.

/routing ospf area
set [ find default=yes ] disabled=yes
add area-id=0.0.0.101 name=101
/routing ospf instance
set [ find default=yes ] name=101 redistribute-connected=as-type-2 router-id=\
10.101.4.5
/routing ospf interface
add network-type=broadcast passive=yes
add authentication=none interface=ether3 network-type=broadcast
/routing ospf network
add area=101 network=10.0.0.0/8

OSPF works with this config.

This brakes ospf:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp+1 \
src-address=169.254.1.1

169.254.1.1 is not active on the network anywhere. Interface spf+1 is not active on this device or have an address or route associated. This rule does not match any traffic. The nat rules shows 0 bytes and 0 packets. Disabling the nat rule fixes ospf.
I have also tried adding the sugested "add chain=srcnat protocol=ospf action=accept " rule as the only rule. It breaks OSPF too.

log print:
17:14:53 system,info nat rule changed by admin
17:15:26 route,ospf,info OSPFv2 neighbor 10.108.255.254: state change from 2-Way t
o Init
17:15:27 route,ospf,info OSPFv2 neighbor 10.132.2.1: state change from 2-Way to In
it
17:15:27 route,ospf,info OSPFv2 neighbor 10.116.1.1: state change from 2-Way to In
it
17:15:27 route,ospf,info OSPFv2 neighbor 10.101.4.3: state change from 2-Way to In
it
17:15:29 route,ospf,info OSPFv2 neighbor 10.108.40.1: state change from 2-Way to I
nit
17:15:30 route,ospf,info OSPFv2 neighbor 10.101.255.255: state change from 2-Way t
o Init
17:15:30 route,ospf,info OSPFv2 neighbor 10.100.0.15: state change from 2-Way to I
nit
17:15:30 route,ospf,info OSPFv2 neighbor 10.101.4.39: state change from 2-Way to I
nit
17:15:33 route,ospf,info OSPFv2 neighbor 10.140.32.1: state change from 2-Way to I
nit
17:15:33 route,ospf,info OSPFv2 neighbor 10.102.8.1: state change from 2-Way to In
it
17:15:34 route,ospf,info OSPFv2 neighbor 10.140.60.1: state change from 2-Way to I
nit
17:15:34 route,ospf,info OSPFv2 neighbor 10.101.4.25: state change from 2-Way to I
nit
 
MCN
just joined
Posts: 16
Joined: Thu Feb 21, 2019 8:57 pm

Re: NAT killing OSPF

Mon Mar 09, 2020 11:58 pm

What I did was to add to the NAT rule:
protocol=!ospf

So, an example src nat rule may look like:
add action=src-nat chain=srcnat comment="my new nat rule" protocol=!ospf src-address=192.168.88.0/24 to-address=192.168.1.11

This really threw me for a long while - If there is a better way to do this - please let me know, as I have very little mikrotik experience.
 
User avatar
sri2007
Member Candidate
Member Candidate
Posts: 205
Joined: Wed May 20, 2015 10:14 pm
Location: Lake Grove, NY

Re: NAT killing OSPF

Mon Mar 30, 2020 7:26 am

What I did was to add to the NAT rule:
protocol=!ospf

So, an example src nat rule may look like:
add action=src-nat chain=srcnat comment="my new nat rule" protocol=!ospf src-address=192.168.88.0/24 to-address=192.168.1.11

This really threw me for a long while - If there is a better way to do this - please let me know, as I have very little mikrotik experience.
That solution works too, another one available is to use this one:

/ip firewall raw add chain=prerouting protocol=ospf action=notrack
 
User avatar
Mantic
just joined
Posts: 12
Joined: Fri Jan 24, 2014 5:47 am

Re: NAT killing OSPF

Sat Mar 20, 2021 12:53 pm

Confirmed. Just happened to me. Enabling any NAT rule changed the outbound IP OSPF was using, even if the NAT rule had nothing to do with that IP. Disabling the IP, removing it from OSPF networks, etc: nothing worked. Adding a raw rule to no-track the ospf protocol was the only way I could get it running again.

edit: this is on a CCR1009-7G-1C-1S+ running 6.48.1
 
Mihawk95
just joined
Posts: 9
Joined: Mon Jan 14, 2019 10:46 am

Re: NAT killing OSPF

Wed Apr 06, 2022 4:46 pm

2022 Edit :)

The bug is till persistent in 6.49.5 and 7.1.5 -too. At our setup the firewall raw prerouting action does not work but adding a rule to output chain OSPF starts working ....
Really annoying because the bug was not showing up in our 6.47.1 setup but after upgrading the software the bug showed up...
 
User avatar
UplinkLLC
just joined
Posts: 15
Joined: Sun May 15, 2022 7:29 am
Location: USA

Re: NAT killing OSPF

Sun May 15, 2022 7:34 am

In case this helps someone else....

We are using OSPF and NAT on a router running Router OS v7.2.3. This was causing problems where NAT was changing the outbound OSPF IP Address to the IP address we were using to NAT customer traffic. We tried some of the suggestions in this post with varying degrees of success. Sometimes when we rebooted the router, all the OSPF neighbor states would be stuck at init. The fix for us was to disable connection tracking for OSPF using the Router OS code below.

/ip firewall raw
add action=notrack chain=prerouting protocol=ospf
add action=notrack chain=output protocol=ospf

With both of those RAW rules in place everything has been stable.
 
User avatar
CCIS
just joined
Posts: 11
Joined: Wed May 28, 2008 2:04 am
Location: B.C. Canada

Re: NAT killing OSPF

Mon May 23, 2022 5:54 am

/ip firewall raw
add action=notrack chain=prerouting protocol=ospf
add action=notrack chain=output protocol=ospf

With both of those RAW rules in place everything has been stable.
+1 This works for us as well, thanks!
 
samPC
just joined
Posts: 10
Joined: Wed Sep 18, 2019 5:08 pm

Re: NAT killing OSPF

Fri Sep 23, 2022 5:34 am

In case this helps someone else....

We are using OSPF and NAT on a router running Router OS v7.2.3. This was causing problems where NAT was changing the outbound OSPF IP Address to the IP address we were using to NAT customer traffic. We tried some of the suggestions in this post with varying degrees of success. Sometimes when we rebooted the router, all the OSPF neighbor states would be stuck at init. The fix for us was to disable connection tracking for OSPF using the Router OS code below.

/ip firewall raw
add action=notrack chain=prerouting protocol=ospf
add action=notrack chain=output protocol=ospf

With both of those RAW rules in place everything has been stable.
+1 works here too, finally after many hours of struggle I found this.
 
User avatar
Joni
Member Candidate
Member Candidate
Posts: 156
Joined: Fri Mar 20, 2015 2:46 pm
Contact:

Re: NAT killing OSPF

Sun Oct 08, 2023 2:29 pm

(2017 calling, posting keywords for search results, referencing finding in viewtopic.php?p=1029269#p1029269)

Between any RouterOS v7.11.2.
default-v2 { version: 2 router-id: x.x.x.13 } backbone { 0.0.0.0 } interface { p2p x.x.x.13%l2tp-x} neighbor { router-id: x.x.x.254 state: Full } received wrong LS Ack for router x.x.x.13 x.x.x.13 0x80000382 expected 0x80000383
(the so called +1 , 2 -> 3)

Masqurade / nat seems to cause this (internal interfaces), probably shouldn't, quite certainly a default type of logic bug as the IPs are correct.

Who is online

Users browsing this forum: No registered users and 20 guests