rules
just joined
Topic Author
Posts: 22
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Routing terms perspective ... which side is which?

Sun Feb 24, 2019 9:04 pm

Hi All

I'm going for the "most ridiculous question asked" award, but I'm learning the hard way so it will help tremendously if I can grasp this, so here goes ...

When looking at the routing/NAT/Mangle etc. configs, from which perspective do we look at things like src and dst (interface/address/port etc.)? From the main Router? From the "local" side of the main Router to the "remote" side of the Router? To give some perspective on my question, I'm playing with VPN connections (server & client) and trying to figure out the routing between them.

Thanks and good night,
R
 
mkx
Forum Guru
Posts: 3380
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routing terms perspective ... which side is which?

Sun Feb 24, 2019 9:39 pm

src and dst refer to the source and destination of each individual packet passing through the router. Or of a connection as a whole ...

E.g. NAT: src-nat is when you want to mangle the source address (and port). Usually that means a connection initiated by some device in the private LAN ... but it doesn't need to be.
Likewise dst-nat is when you want to mangle the destination address and port, which usually happens when a connection is initiated by some internet host and you want to forward it to a device in the private LAN.
BR,
Metod
 
Paternot
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Routing terms perspective ... which side is which?

Mon Feb 25, 2019 1:47 am

It is the side that started the connection.

Imagine two networks: 10.0.0.0/24 and 10.11.0.0/24
Computer at 10.0.0.2 wants to open a web site, at the address 10.11.0.5.
In THIS case, src address is 10.0.2.2, and dst address is 10.11.0.5

Now, imagine you have a web server, at address 10.0.0.2, and someone at 10.11.0.5 wants to open it.
In THIS case, src address would be 10.11.0.5 and dst address would be 10.0.0.2. See? They changed places! That's because the side opening the connection changed from one example to another.
 
vecernik87
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: Routing terms perspective ... which side is which?

Mon Feb 25, 2019 5:49 am

> It is the side that started the connection.

That's true only for conntrack.
(proof: on computer 1.1.1.1 I will write: "ping 2.2.2.2". If you capture such packets you will see an ICMP packet ECHO_REQUEST with SRC_IP 1.1.1.1 and DST_IP 2.2.2.2 and after that there will be a second ICMP packet, this time ECHO_REPLY with SRC_IP 2.2.2.2 and DST_IP 1.1.1.1 ... as you can see, despite the fact that 1.1.1.1 started the connection, there was a packet with the opposite src/dst because it was a reply within the same connection)

> That's because the side opening the connection changed

That's the most confusing sentence in the whole post, where you mix packets and connections.

To simplify:
For firewall, routing and most other settings, the packet perspective applies. SRC says where the particular packet originates, DST says where the particular packet goes. It does not matter who started the connection because a connection usually expects packets going both ways. You can obviously simplify your firewall with the rule "accept established/related" which will automatically accept any reply to a packet which was already recorded in conntrack.

That corresponds with the real fields in the IP header of each datagram:
[image: IP header field layout]
 
rules
just joined
Topic Author
Posts: 22
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Routing terms perspective ... which side is which?

Mon Feb 25, 2019 8:40 am

Ah ok, so my understanding was somewhat correct in that source and destination continually change due to it being a two-way communication. Would it then be correct to overly simplify things by saying that the source and destination referred to in the NAT/Mangle etc. settings are from the perspective of the point of origin (whichever side starts the conversation)?

I have a somewhat related question then: where exactly does the NAT reside? As in, if you had to split an active network into segments, VPN/WAN/Router/LAN, where does the NAT take action? I suppose the reason for this question is that with a VPN setup, for instance, you end up with multiple networks (IP ranges), and because you end up slicing the "Router" portion into smaller bits (physical connections, virtual connections, DHCP pools) it's tricky understanding where the rules take effect. Maybe I'm making this more complicated than it is, but I like understanding things inside and out :wink:

Thanks,
R
 
vecernik87
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: Routing terms perspective ... which side is which?

Mon Feb 25, 2019 10:44 am

> Would it then be correct to overly simplify things by saying that the source and destination referred to in the NAT/Mangle etc. settings are from the perspective of the point of origin (whichever side starts the conversation)?

I guess you could say that, but it is really overly simplified and thus a bit ambiguous.
In NAT, the decision whether and how to translate any addresses actually happens ONLY during the first packet of the connection. The decision is then saved into the conntrack entry and applied to any subsequent packet. Due to that, NAT rules won't ever see any reply or any subsequent packet. (therefore your statement is true)
In firewall filter, USUALLY only the first packet is taken into account for filtering, while the reply and any subsequent packets are USUALLY handled by "accept established/related", which will simply accept any packet which belongs to the same connection, no matter whether it goes from A to B or from B to A. (this applies for usual configurations and again, in such a case your statement is true. There may be situations where it does not apply)
In RAW, every packet is processed (unless the whole connection is fasttracked) and therefore I wouldn't dare to simplify it the same way as you did because it becomes imprecise. RAW focuses purely on separate packets and occurs before each packet gets assigned to its relevant connection (very simply said).
In Mangle, it depends on the user's needs and, very simply said, it may be considered as a mix of filter+raw - it is often used to process each packet separately but unlike RAW, it is aware of connections, so it really depends how people set it up.


In regard to your second question, you seem to be a curious soul! I like that :) I would definitely recommend you to go through the following article:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
If you really understand this in every detail, it can be used to explain practically every process, which happens in your router. There are also some examples on the bottom including VPN, tunnels and VLANs :) hopefully that helps
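To make the two points above concrete (the packet perspective from the earlier reply, and the "NAT decides only on the first packet, conntrack applies it afterwards" rule here), the following is an added Python model that is not part of the thread and not RouterOS code. It assumes constructed addresses (203.0.113.10 as the router's WAN address, 10.0.0.2 as a LAN web server, 198.51.100.7 as an internet client) and a single dst-nat rule; the RouterOS equivalents are only noted in comments.

```python
"""Toy model of a stateful router: conntrack + one dst-nat rule + a filter.

Added example, not from the forum thread. All addresses are constructed.
RouterOS equivalents of what is modelled here (for orientation only):
  /ip firewall nat add chain=dstnat dst-address=203.0.113.10 protocol=tcp \
      dst-port=80 action=dst-nat to-addresses=10.0.0.2
  /ip firewall filter add chain=forward connection-state=established,related \
      action=accept
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"   # router WAN address (constructed)
LAN_SERVER = "10.0.0.2"      # web server behind the router (constructed)
CLIENT = "198.51.100.7"      # host on the internet (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        # the 4-tuple exactly as it appears on the wire when the packet arrives
        return (self.src, self.sport, self.dst, self.dport)


class StatefulRouter:
    """NAT rules are evaluated only for the first packet of a connection.
    Every later packet, in either direction, is handled from the saved
    conntrack entry, so the rules never see replies."""

    def __init__(self, dstnat_rules):
        self.rules = dstnat_rules      # (match_dst_address, match_dst_port, to_address)
        self.lookup = {}               # wire 4-tuple -> (entry_id, direction)
        self.entries = {}              # entry_id -> {"orig": Packet, "transl": Packet}
        self.nat_rule_evaluations = 0  # counts how often the NAT chain was consulted

    def _dstnat(self, p):
        self.nat_rule_evaluations += 1
        for dst, dport, to in self.rules:
            if p.dst == dst and p.dport == dport:
                return replace(p, dst=to)
        return p

    def process(self, p):
        """Return (connection_state, packet as it leaves the router)."""
        hit = self.lookup.get(p.key())
        if hit is not None:
            eid, direction = hit
            e = self.entries[eid]
            if direction == "original":
                out = replace(p, dst=e["transl"].dst, dport=e["transl"].dport)
            else:
                # reply: src/dst are swapped relative to the first packet, and
                # the translation is undone so the client sees PUBLIC_IP as source
                out = replace(p, src=e["orig"].dst, sport=e["orig"].dport)
            return "established", out
        # first packet of the connection: the only time the NAT rules run
        out = self._dstnat(p)
        eid = len(self.entries)
        self.entries[eid] = {"orig": p, "transl": out}
        self.lookup[p.key()] = (eid, "original")
        self.lookup[(out.dst, out.dport, out.src, out.sport)] = (eid, "reply")
        return "new", out


def forward_filter(state, p):
    """Typical forward chain: accept established/related first, then judge
    only 'new' packets by their post-NAT destination."""
    if state == "established":
        return "accept"
    if p.dst == LAN_SERVER and p.dport == 80:
        return "accept"
    return "drop"


def simulate():
    """Three packets of one port-forwarded HTTP connection; returns the
    per-packet (state, verdict, src, dst) trace and the NAT evaluation count."""
    router = StatefulRouter([(PUBLIC_IP, 80, LAN_SERVER)])
    wire = [
        Packet(CLIENT, 40000, PUBLIC_IP, 80),    # SYN from the internet
        Packet(LAN_SERVER, 80, CLIENT, 40000),   # server's reply (src/dst swapped)
        Packet(CLIENT, 40000, PUBLIC_IP, 80),    # next packet from the client
    ]
    trace = []
    for p in wire:
        state, out = router.process(p)
        trace.append((state, forward_filter(state, out), out.src, out.dst))
    return trace, router.nat_rule_evaluations


if __name__ == "__main__":
    for row in simulate()[0]:
        print(row)
```

Running it shows the reply packet carrying 10.0.0.2 as its source on the wire, leaving the router as 203.0.113.10 without the NAT rule ever being evaluated again (the counter stays at 1), and being accepted purely because conntrack marks it established.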
 
rules
just joined
Topic Author
Posts: 22
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Routing terms perspective ... which side is which?

Mon Feb 25, 2019 11:07 am

Thanks a million Rainbow Dash ... I'll make sense of all this stuff yet :wink:
 
vecernik87
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: Routing terms perspective ... which side is which?

Mon Feb 25, 2019 11:45 am

You are welcome Twinkle Toes 8)
ps: I am not a filly. Notice the slight difference in the shape of the head
 
Paternot
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Routing terms perspective ... which side is which?

Mon Feb 25, 2019 3:16 pm

> It is the side that started the connection.
> That's true only for conntrack.

Which he is using: the question was about NAT and port forwarding. Since it was a basic question, and he IS using conntrack, it seemed better to talk about this possibility. The odds of someone using a stateless firewall in a home environment are quite low.

> That's because the side opening the connection changed
> That's the most confusing sentence in the whole post, where you mix packets and connections.

Why? They are two examples of two completely independent connections.
