Rfulton
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

DNS DST-NAT to adguard Intermittent Issue

Thu Jan 06, 2022 7:55 pm

Having an issue where my DNS redirection isn’t working correctly.

My client at 192.168.91.5 makes a DNS request to 1.1.1.1.

When it finally reaches 192.168.255.1 (CCR2004) it should be DST-NATed to the AdGuard server at 192.168.90.38.

The rules should be correct: when it comes in from anything !AdGuard and to !AdGuard it should DST-NAT to AdGuard.

From there it decides that if anything goes to AdGuard it should masquerade. I see the AdGuard entry from the request, which is attached.

The request for purple.com hits the AdGuard at 192.168.90.38 from 192.168.255.1.

From here it should send it back to the MikroTik at 192.168.255.1, and the MikroTik should send it back to the client at 192.168.91.5.

When I do a packet capture on the client, it only works “sometimes”:
    /ip firewall nat add action=dst-nat chain=dstnat dst-address=!192.168.90.38 dst-port=53 in-interface=UplinkToCisco-LAN protocol=udp src-address=!192.168.90.38 to-addresses=192.168.90.38 to-ports=53
    /ip firewall nat add action=dst-nat chain=dstnat dst-address=!192.168.90.38 dst-port=53 in-interface=UplinkToCisco-LAN protocol=tcp src-address=!192.168.90.38 to-addresses=192.168.90.38 to-ports=53
    /ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.90.38 dst-port=53 out-interface=UplinkToCisco-LAN protocol=udp src-address=!192.168.90.38 to-ports=53
    /ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.90.38 dst-port=53 out-interface=UplinkToCisco-LAN protocol=tcp src-address=!192.168.90.38 to-ports=53
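
The redirect described in this post, modelled as an added example (not code from the thread and not RouterOS's own code): it parses the posted UDP rule pair from export form, the same backslash-continued format as the full export further down the thread, runs a client's query through the dstnat and srcnat chains, and reports what AdGuard sees and whether the client accepts the answer, once with the masquerade rule present and once with only the dst-nat rule. Assumptions, all labelled in the code: only the matchers these rules use are modelled (interface matchers are parsed but not evaluated), masquerade keeps the source port, and, as the post's routes imply with both LANs behind the Cisco, a reply not addressed to the router reaches the client without passing through it.

```python
"""Model of the DNS redirect described above: dstnat sends port-53 queries to
AdGuard, srcnat masquerade makes AdGuard reply to the router, which reverses
both translations on the way back. Added example, not RouterOS's own code."""
import shlex
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

ROUTER_LAN_IP = "192.168.255.1"  # CCR2004 on UplinkToCisco-LAN (from the post)
ADGUARD = "192.168.90.38"        # AdGuard resolver (from the post)
# Constructed sample in export form: the UDP rule pair from the post above
# (the TCP pair is identical apart from protocol=tcp).
SAMPLE_EXPORT = """\
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!192.168.90.38 dst-port=53 in-interface=UplinkToCisco-LAN \\
    protocol=udp src-address=!192.168.90.38 to-addresses=192.168.90.38 to-ports=53
add action=masquerade chain=srcnat dst-address=192.168.90.38 dst-port=53 out-interface=UplinkToCisco-LAN \\
    protocol=udp src-address=!192.168.90.38 to-ports=53
"""

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                    # dst-nat, masquerade or accept
    proto: str
    dport: int
    src_not: Optional[str] = None  # src-address=!X
    dst_not: Optional[str] = None  # dst-address=!X
    dst_eq: Optional[str] = None   # dst-address=X
    to_address: Optional[str] = None

    def matches(self, p: Packet) -> bool:  # interface matchers are not evaluated (assumption)
        return (p.proto == self.proto and p.dport == self.dport
                and (self.src_not is None or p.src != self.src_not)
                and (self.dst_not is None or p.dst != self.dst_not)
                and (self.dst_eq is None or p.dst == self.dst_eq))

KNOWN_KEYS = {"action", "chain", "comment", "disabled", "dst-address", "dst-port",
              "in-interface", "out-interface", "protocol", "src-address", "to-addresses", "to-ports"}

def parse_export(text: str) -> List[Rule]:
    """Parse 'add ...' lines of a /ip firewall nat export (joining backslash continuations).
    Disabled rules and rules using matchers this model does not know are skipped, not guessed."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        if not line.strip().startswith("add "):
            continue
        kv = {k: v for k, _, v in (tok.partition("=") for tok in shlex.split(line.strip()[4:]))}
        src, dst = kv.get("src-address", ""), kv.get("dst-address", "")
        if (not set(kv) <= KNOWN_KEYS or kv.get("disabled") == "yes"
                or (src and not src.startswith("!"))):  # plain src match is not modelled
            continue
        rules.append(Rule(kv["chain"], kv["action"], kv["protocol"], int(kv["dst-port"]),
                          src_not=src[1:] or None,
                          dst_not=dst[1:] if dst.startswith("!") else None,
                          dst_eq=dst if dst and not dst.startswith("!") else None,
                          to_address=kv.get("to-addresses")))
    return rules

def run_chain(p: Packet, chain: str, rules: List[Rule]) -> Packet:
    """First matching rule in a chain wins, as in RouterOS."""
    for r in rules:
        if r.chain == chain and r.matches(p):
            if r.action == "dst-nat":
                return replace(p, dst=r.to_address)
            if r.action == "masquerade":  # source port kept: a simplification
                return replace(p, src=ROUTER_LAN_IP)
            return p                      # accept: stop, leave the packet alone
    return p

def server_reply(seen: Packet) -> Packet:
    """A resolver answers to whatever source address and port it saw."""
    return Packet(seen.dst, seen.dport, seen.src, seen.sport, seen.proto)

def deliver_reply(reply: Packet, orig: Packet, seen: Packet) -> Packet:
    """Only a reply addressed to the router hits its conntrack entry and gets both translations
    reversed; with both LANs behind the Cisco (the post's routes) any other reply arrives untouched."""
    if reply.dst == ROUTER_LAN_IP and (reply.src, reply.dst) == (seen.dst, seen.src):
        return Packet(orig.dst, orig.dport, orig.src, orig.sport, orig.proto)
    return reply

def client_accepts(query: Packet, reply: Packet) -> bool:
    """A stub resolver only accepts an answer from the 4-tuple it queried."""
    return ((reply.src, reply.sport, reply.dst, reply.dport)
            == (query.dst, query.dport, query.src, query.sport))

def simulate(query: Packet, rules: List[Rule]) -> Tuple[Packet, Packet, bool]:
    """dstnat before routing, srcnat after; returns (AdGuard's view, client's view, accepted?)."""
    seen = run_chain(run_chain(query, "dstnat", rules), "srcnat", rules)
    reply = deliver_reply(server_reply(seen), query, seen)
    return seen, reply, client_accepts(query, reply)
```

With both rules, `simulate(Packet("192.168.91.5", 51234, "1.1.1.1", 53), rules)` shows AdGuard seeing 192.168.255.1 as the source and the client receiving an answer from 1.1.1.1, which it accepts. With only the dst-nat rule, AdGuard answers the client directly from 192.168.90.38 and a stub resolver discards that answer because it never queried that address; that is what the masquerade rule is for: it forces the reply back through the router's conntrack entry. A query from AdGuard itself is left alone by both rules, so its upstream lookups are not looped back.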

 
Rfulton
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

Re: DNS DST-NAT to adguard Intermittent Issue

Thu Jan 06, 2022 8:14 pm

Forgot to attach image
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS DST-NAT to adguard Intermittent Issue

Thu Jan 06, 2022 8:38 pm

Posted rules don't have any condition that would make them sometimes work and sometimes not. So it's probably something else in your config.
 
Rfulton
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

Re: DNS DST-NAT to adguard Intermittent Issue

Thu Jan 06, 2022 8:39 pm

Could you please point out the rule that is having the issue?
# serial number = D4F10D99618F
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface-list=WAN protocol=tcp to-addresses=192.168.90.186 to-ports=32400
/ip firewall nat add action=dst-nat chain=dstnat comment="Rocketchat-NetwatchRule 2" dst-address=x.x.x.x dst-port=3000 in-interface=UplinkToCisco-LAN protocol=tcp to-addresses=192.168.106.18 to-ports=443
/ip firewall nat add action=masquerade chain=srcnat disabled=yes dst-address=192.168.106.18 dst-port=443 protocol=tcp to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat comment="Free Orion" disabled=yes dst-port=12346 in-interface-list=WAN protocol=tcp to-addresses=192.168.90.199 to-ports=12346
/ip firewall nat add action=dst-nat chain=dstnat comment=SFTP disabled=yes dst-port=69 in-interface-list=WAN limit=1,3:packet log=yes log-prefix="SFTP ATTEMPT" protocol=udp to-addresses=192.168.90.193 to-ports=69
/ip firewall nat add action=dst-nat chain=dstnat comment=Terraria disabled=yes dst-port=7777 in-interface-list=WAN limit=5/1m,3:packet log=yes log-prefix=TERRARIA protocol=tcp to-addresses=192.168.90.186 to-ports=7777
/ip firewall nat add action=accept chain=dstnat comment="Accept Guest" disabled=yes dst-port=53 in-interface=UplinkToCisco-LAN protocol=udp src-address=192.168.91.0/28
/ip firewall nat add action=accept chain=dstnat comment="Accept Guest" disabled=yes dst-port=53 in-interface=UplinkToCisco-LAN protocol=tcp src-address=192.168.91.0/28
/ip firewall nat add action=dst-nat chain=dstnat dst-address=!192.168.90.38 dst-port=53 in-interface=UplinkToCisco-LAN protocol=udp src-address=!192.168.90.38 to-addresses=192.168.90.38 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat dst-address=!192.168.90.38 dst-port=53 in-interface=UplinkToCisco-LAN protocol=tcp src-address=!192.168.90.38 to-addresses=192.168.90.38 to-ports=53
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.90.38 dst-port=53 out-interface=UplinkToCisco-LAN protocol=udp to-ports=53
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.90.38 dst-port=53 out-interface=UplinkToCisco-LAN protocol=tcp to-ports=53
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS DST-NAT to adguard Intermittent Issue

Thu Jan 06, 2022 8:52 pm

Correction: So it's probably something else in your whole config.

RouterOS is a complex system; there are so many ways to (mis)configure something that you never know what will influence what.
 
Rfulton
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

Re: DNS DST-NAT to adguard Intermittent Issue

Thu Jan 06, 2022 8:57 pm


# jan/06/2022 13:54:52 by RouterOS 7.1.1
# software id = BB3F-L5VJ
#
# model = CCR2004-1G-12S+2XS
# serial number = D4F10D99618F
/interface bridge
add name=VPN-Bridge
/interface ethernet
set [ find default-name=sfp-sfpplus12 ] name=SFP12-WAN
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
    name=UplinkToCisco-LAN

/interface list
add comment=defconf name=WAN
add name=Family
add comment=defconf include=Family name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Guest ranges=192.168.91.1-192.168.91.12
add name=Home ranges=192.168.90.10-192.168.90.200
add name=VPN ranges=192.168.94.10-192.168.94.50
add name=Work ranges=192.168.93.10-192.168.93.200
add name=WIFI ranges=192.168.92.10-192.168.92.200
/ip dhcp-server
add address-pool=Guest interface=UplinkToCisco-LAN lease-time=1d name=Guest \
    relay=192.168.91.14
add address-pool=Home interface=UplinkToCisco-LAN lease-time=1w name=Home \
    relay=192.168.90.254
add address-pool=WIFI interface=UplinkToCisco-LAN lease-time=1w name=Wifi \
    relay=192.168.92.254
add address-pool=Work interface=UplinkToCisco-LAN lease-time=1w name=Work \
    relay=192.168.93.254
/ipv6 dhcp-server option
add code=23 name=dns value=0x26006C48467F6E0202155DFFFE5A2403
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *FFFFFFFE bridge=VPN-Bridge dns-server=192.168.90.38 interface-list=LAN \
    local-address=192.168.94.254 remote-address=VPN use-ipv6=no
/queue type
add cake-nat=yes kind=cake name=Cake
add cake-bandwidth=1400.0Mbps cake-nat=yes kind=cake name=Cake_Home_D
add cake-bandwidth=40.0Mbps cake-nat=yes kind=cake name=Cake_Home_U
add cake-bandwidth=20.0Mbps kind=cake name=Cake_Chance_U
add cake-bandwidth=20.0Mbps kind=cake name=Cake_Dad_U
add kind=pfifo name=Default_U pfifo-limit=1300
/queue simple
add max-limit=0/40M name=Parent_VPN queue=default-small/Cake_Dad_U target=\
    DadNet,Chance,ChanceWG total-queue=Cake
add limit-at=0/5M max-limit=200M/20M name=Dad parent=Parent_VPN priority=7/7 \
    queue=Cake/Cake_Dad_U target=DadNet total-queue=Cake
add max-limit=200M/20M name=Chance parent=Parent_VPN queue=Cake/Cake_Dad_U \
    target=Chance,ChanceWG total-queue=Cake
/queue tree
add name=Global_In parent=UplinkToCisco-LAN queue=Cake_Home_D
add max-limit=40M name=Global_Out parent=SFP12-WAN queue=Cake_Home_U
add burst-time=9s limit-at=25M max-limit=900M name=Wifi_Download packet-mark=\
    Wifi parent=Global_In priority=3 queue=Cake
add limit-at=3M max-limit=40M name=Wifi_Upload packet-mark=Wifi parent=\
    Global_Out priority=3 queue=Cake_Home_U
add max-limit=900M name=Guest_Download packet-mark=Guest parent=Global_In \
    priority=7 queue=Cake
add max-limit=10M name=Guest_Upload packet-mark=Guest parent=Global_Out \
    priority=7 queue=Cake
add name=Home_Download packet-mark=Home parent=Global_In priority=2 queue=\
    Cake
add limit-at=5M max-limit=40M name=Home_Upload packet-mark=Home parent=\
    Global_Out priority=4 queue=Cake_Home_U
add max-limit=900M name=Catchall_Download packet-mark=no-mark parent=\
    Global_In priority=5 queue=Cake
add max-limit=30M name=Catchall_Upload packet-mark=no-mark parent=Global_Out \
    priority=3 queue=Cake
add max-limit=600M name=Tor_Download packet-mark=Tor parent=Global_In queue=\
    default
add max-limit=35M name=Tor_Upload packet-mark=Tor parent=Global_Out queue=\
    Default_U
/routing bgp template
set default disabled=yes output.network=bgp-networks
/routing id
add disabled=no id=1.1.1.1 name=OSPF select-dynamic-id=""
/routing ospf instance
add in-filter-chain=ospf-in name=Reid-Home router-id=OSPF
/routing ospf area
add instance=Reid-Home name=Backbone
add area-id=0.0.0.2 instance=Reid-Home name=ReidHome no-summaries type=stub
/routing pimsm instance
add afi=ipv4 disabled=no name=PIM vrf=main
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes identity="69f4a1a640:0:2a874989b43e2c35a2db768af\
    50bc4ef887efc2f6c015f992ac334711bf05755908e2a98fba5eb6a54c46d9cdb1e9921ae6\
    a6796c5c899096c7f559c466ecca9:ac3a900e2acfabe4beb94a52f23f6129702ac3d3b733\
    36f042a95e482d57e2abb9bc125bfd60fe7c9a490a696fdc1235ad3f5ac7aa5f0f1a959d27\
    4fc92cf5ed" name=zt1 port=9993
/zerotier interface
add disabled=yes instance=zt1 mac-address=A6:7A:74:A5:32:D3 name=zerotier1 \
    network=1d719394048013a7
/caps-man access-list
add allow-signal-out-of-range=10s comment=Roku disabled=yes mac-address=\
    8C:49:62:57:EA:58 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Roku " disabled=yes mac-address=\
    8C:49:62:50:3C:35 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Neighbor Phone" disabled=yes \
    mac-address=64:BC:0C:96:2E:A6 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Neighbor Iphone" disabled=yes \
    mac-address=0E:C3:7D:F6:7D:87 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Natalie Phone" disabled=yes \
    mac-address=38:6A:77:0C:2A:11 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Reid Phone" disabled=yes \
    mac-address=96:11:5D:52:62:07 ssid-regexp=""
add allow-signal-out-of-range=10s comment=Kindle disabled=yes mac-address=\
    00:BB:3A:E7:97:BD ssid-regexp=""
add allow-signal-out-of-range=10s comment="Reid Phone" disabled=yes \
    mac-address=38:6A:77:19:78:81 ssid-regexp=""
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=UplinkToCisco-LAN
add disabled=no forbid=yes interface=SFP12-WAN
/caps-man provisioning
add action=create-enabled comment=Audience disabled=yes radio-mac=\
    C4:AD:34:B7:41:56 slave-configurations=*1,*4
add action=create-enabled comment=Audience disabled=yes radio-mac=\
    C4:AD:34:B7:41:58 slave-configurations=*1,*4
add action=create-enabled comment=Audience disabled=yes radio-mac=\
    C4:AD:34:B7:41:57 slave-configurations=*1,*4
add action=create-enabled comment="AC lite 2.4 GHZ" disabled=yes radio-mac=\
    C4:AD:34:09:4C:BA slave-configurations=*1,*4
add action=create-enabled comment="AC lite 5GHZ" disabled=yes radio-mac=\
    C4:AD:34:09:4C:B9 slave-configurations=*1,*4
add action=create-enabled comment="AC\B3 2.4GHZ" disabled=yes radio-mac=\
    08:55:31:D0:11:0C slave-configurations=*1,*4
add action=create-enabled comment="AC\B3 5.0GHZ" disabled=yes radio-mac=\
    08:55:31:D0:11:0D slave-configurations=*1,*4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface l2tp-server server
set use-ipsec=required
/interface list member
add interface=SFP12-WAN list=WAN
add interface=Chance list=LAN
add interface=VPN-Bridge list=LAN
add interface=Chance list=Family
add interface=UplinkToCisco-LAN list=LAN
add interface=DadNet list=LAN
add interface=DadNetV6 list=LAN
add interface=DadNetV6 list=Family
add interface=DadNet list=Family
add interface=ChanceWG list=LAN
add interface=ChanceWG list=Family
/interface sstp-server server
set certificate="cert_export_SSTP Server.p12_0" default-profile=\
    default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0
add address=192.168.94.254/24 interface=VPN-Bridge network=192.168.94.0
add address=10.10.38.1/30 interface=Chance network=10.10.38.0
add address=192.168.255.1/29 interface=UplinkToCisco-LAN network=\
    192.168.255.0
add address=172.28.0.1/30 interface=DadNet network=172.28.0.0
add address=172.28.0.5/30 interface=ChanceWG network=172.28.0.4
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add default-route-distance=10 interface=SFP12-WAN use-peer-dns=no
/ip dhcp-server lease
add address=192.168.90.60 client-id=1:0:15:5d:1:fe:3 comment="Chance Farm" \
    mac-address=00:15:5D:01:FE:03 server=Home
add address=192.168.90.182 comment="Chance Linux" mac-address=\
    00:15:5D:01:FE:02 server=Home
add address=192.168.90.180 client-id=1:c8:63:f1:30:50:ee mac-address=\
    C8:63:F1:30:50:EE server=Home
add address=192.168.90.52 client-id=1:0:15:5d:1:fe:5 mac-address=\
    00:15:5D:01:FE:05 server=Home
add address=192.168.90.59 comment="Roku Premium" mac-address=\
    8C:49:62:57:EA:59 server=Home
add address=192.168.90.58 client-id=1:0:15:5d:5a:c7:1 mac-address=\
    00:15:5D:5A:C7:01 server=Home
add address=192.168.90.51 client-id=1:0:15:5d:5a:c7:0 mac-address=\
    00:15:5D:5A:C7:00 server=Home
add address=192.168.90.50 client-id=1:0:15:5d:5a:c7:2 mac-address=\
    00:15:5D:5A:C7:02 server=Home
add address=192.168.90.48 client-id=1:0:15:5d:5a:c7:3 mac-address=\
    00:15:5D:5A:C7:03 server=Home
add address=192.168.90.46 client-id=1:0:15:5d:5a:c7:4 mac-address=\
    00:15:5D:5A:C7:04 server=Home
add address=192.168.90.47 client-id=1:c0:48:e6:e8:b5:78 mac-address=\
    C0:48:E6:E8:B5:78 server=Home
add address=192.168.90.42 client-id=1:0:15:5d:5a:c7:6 comment=PIHOLE \
    mac-address=00:15:5D:5A:C7:06 server=Home
add address=192.168.90.41 comment=Onion mac-address=00:E7:5C:68:26:8F server=\
    Home
add address=192.168.90.193 client-id=1:0:15:5d:5a:24:0 mac-address=\
    00:15:5D:5A:24:00 server=Home
add address=192.168.90.40 client-id=1:0:15:5d:5a:c7:8 comment=FultonSnoop \
    mac-address=00:15:5D:5A:C7:08 server=Home
add address=192.168.92.11 mac-address=8C:49:62:57:EA:58 server=Wifi
add address=192.168.92.14 client-id=1:38:6a:77:c:2a:11 mac-address=\
    38:6A:77:0C:2A:11 server=Wifi
add address=192.168.93.200 client-id=1:78:2b:cb:49:f6:43 mac-address=\
    78:2B:CB:49:F6:43 server=Work
add address=192.168.92.18 client-id=1:38:6a:77:19:78:81 mac-address=\
    38:6A:77:19:78:81 server=Wifi
add address=192.168.92.19 mac-address=00:BB:3A:E7:97:BD server=Wifi
add address=192.168.90.199 client-id=1:fc:34:97:2e:ca:6c mac-address=\
    FC:34:97:2E:CA:6C server=Home
add address=192.168.90.186 client-id=1:f0:2f:74:65:ad:ea mac-address=\
    F0:2F:74:65:AD:EA server=Home
add address=192.168.92.13 comment=Switch mac-address=5C:0C:E6:F5:43:EC \
    server=Wifi
add address=192.168.90.39 comment=Nin-Switch mac-address=80:D2:E5:89:83:28 \
    server=Home
add address=192.168.90.38 client-id=\
    ff:ad:19:67:e5:0:2:0:0:ab:11:dc:b:62:90:85:14:bd:ee comment=Adguard \
    mac-address=00:15:5D:5A:24:03 server=Home
add address=192.168.90.37 client-id=1:d4:9d:c0:ed:d9:7d comment=\
    "Livingroom TV" mac-address=D4:9D:C0:ED:D9:7D server=Home
add address=192.168.90.36 client-id=1:0:e:c6:5f:19:dd mac-address=\
    00:0E:C6:5F:19:DD server=Home
add address=192.168.90.34 client-id=1:ec:71:db:82:17:da comment=\
    "Livingroom Camera" mac-address=EC:71:DB:82:17:DA server=Home
add address=192.168.90.33 comment=Roku mac-address=84:EA:ED:8F:ED:95 server=\
    Home
add address=192.168.92.10 comment="Roku Bedroom I think" mac-address=\
    8C:49:62:50:3C:35 server=Wifi
add address=192.168.90.32 client-id=1:0:15:5d:5a:24:4 mac-address=\
    00:15:5D:5A:24:04 server=Home
/ip dhcp-server network
add address=192.168.90.0/24 dns-server=192.168.90.38 domain=fultonit.net \
    gateway=192.168.90.254 netmask=24
add address=192.168.91.0/28 dns-server=1.1.1.1 gateway=192.168.91.14 netmask=\
    28
add address=192.168.92.0/24 dns-server=192.168.90.38 domain=fultonit.net \
    gateway=192.168.92.254 netmask=24
add address=192.168.93.0/24 dns-server=192.168.90.38 domain=fultonit.net \
    gateway=192.168.93.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.150.198 name=fultonserver.fultonit.ddns.net
add address=192.168.90.186 name=athens.fultonit.net
add address=2600:6c48:467f:6e02:7967:db8b:4ff1:b85 name=athens.fultonit.net \
    type=AAAA
add address=192.168.90.186 name=athens
add address=127.0.0.1 name=facebook.com
add address=192.168.90.193 name=fultonisland.fultonit.net
add address=192.168.90.193 name=fultonisland
add address=2600:6c48:467f:6e02:7967:db8b:4ff1:b85 name=athens type=AAAA
add address=2600:6c48:467f:6e02:7967:db8b:4ff1:b85 name=plex.fultonit.net \
    type=AAAA
add address=192.168.90.186 name=plex.fultonit.net
/ip firewall filter
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "Bullshit Devices that don't need to reach internet" out-interface-list=\
    WAN src-address-list=Internal
add action=tarpit chain=forward disabled=yes protocol=tcp src-address-list=\
    Malicious
add action=tarpit chain=input disabled=yes log-prefix=TARPIT protocol=tcp \
    src-address-list=Malicious
add action=drop chain=input comment="DNS from WAN" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="DNS from WAN" dst-port=53 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" limit=1,5:packet \
    protocol=icmp
add action=accept chain=input comment="Bootp Guest" dst-port=67 protocol=udp \
    src-address=192.168.91.14
add action=drop chain=input comment="Guest into Mikrotik" log=yes log-prefix=\
    "Guest Into Tik" src-address-list=Guest
add action=drop chain=forward comment="Block Guest from Family" \
    out-interface-list=Family src-address-list=Guest
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=SSTP dst-port=443 in-interface=\
    SFP12-WAN limit=1,2:packet protocol=tcp
add action=accept chain=input comment=ipsec limit=1,5:packet protocol=\
    ipsec-esp
add action=accept chain=input comment=l2tp/ipsec limit=1,3:packet log=yes \
    log-prefix="IPSEC ATTEMPT" port=500,1701,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="Drop Invalid"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=Drop
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    new-connection-mark=Tor_Conn passthrough=yes src-address=192.168.90.193
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.90.193 new-connection-mark=Tor_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Tor_Conn \
    new-packet-mark=Tor passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    new-connection-mark=Home_Conn passthrough=yes src-address=192.168.90.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.90.0/24 new-connection-mark=Home_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Home_Conn \
    new-packet-mark=Home passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    new-connection-mark=Wifi_Conn passthrough=yes src-address=192.168.92.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.92.0/24 new-connection-mark=Wifi_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Wifi_Conn \
    new-packet-mark=Wifi passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    new-connection-mark=Guest_Conn passthrough=yes src-address=\
    192.168.91.0/28
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.91.0/28 new-connection-mark=Guest_Conn passthrough=\
    yes
add action=mark-packet chain=prerouting connection-mark=Guest_Conn \
    new-packet-mark=Guest passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.90.186 to-ports=\
    32400
add action=dst-nat chain=dstnat comment="Rocketchat-NetwatchRule 2" \
    dst-address=192.30.153.190 dst-port=3000 in-interface=UplinkToCisco-LAN \
    protocol=tcp to-addresses=192.168.106.18 to-ports=443
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.106.18 \
    dst-port=443 protocol=tcp to-ports=443
add action=dst-nat chain=dstnat comment="Free Orion" disabled=yes dst-port=\
    12346 in-interface-list=WAN protocol=tcp to-addresses=192.168.90.199 \
    to-ports=12346
add action=dst-nat chain=dstnat comment=SFTP disabled=yes dst-port=69 \
    in-interface-list=WAN limit=1,3:packet log=yes log-prefix="SFTP ATTEMPT" \
    protocol=udp to-addresses=192.168.90.193 to-ports=69
add action=dst-nat chain=dstnat comment=Terraria disabled=yes dst-port=7777 \
    in-interface-list=WAN limit=5/1m,3:packet log=yes log-prefix=TERRARIA \
    protocol=tcp to-addresses=192.168.90.186 to-ports=7777
add action=accept chain=dstnat comment="Accept Guest" disabled=yes dst-port=\
    53 in-interface=UplinkToCisco-LAN protocol=udp src-address=\
    192.168.91.0/28
add action=accept chain=dstnat comment="Accept Guest" disabled=yes dst-port=\
    53 in-interface=UplinkToCisco-LAN protocol=tcp src-address=\
    192.168.91.0/28
add action=dst-nat chain=dstnat dst-address=!192.168.90.38 dst-port=53 \
    in-interface=UplinkToCisco-LAN protocol=udp src-address=!192.168.90.38 \
    to-addresses=192.168.90.38 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.90.38 dst-port=53 \
    in-interface=UplinkToCisco-LAN protocol=tcp src-address=!192.168.90.38 \
    to-addresses=192.168.90.38 to-ports=53
add action=masquerade chain=srcnat dst-address=192.168.90.38 dst-port=53 \
    out-interface=UplinkToCisco-LAN protocol=udp to-ports=53
add action=masquerade chain=srcnat dst-address=192.168.90.38 dst-port=53 \
    out-interface=UplinkToCisco-LAN protocol=tcp to-ports=53
/ip firewall raw
add action=drop chain=prerouting src-address=192.168.108.0/24
add action=drop chain=prerouting disabled=yes dst-address=206.221.180.138
add action=drop chain=prerouting comment="Outside Malicious" disabled=yes \
    protocol=udp src-address-list=Malicious
add action=drop chain=prerouting comment=Countries disabled=yes \
    src-address-list=CountryIPBlocks
/ip firewall service-port
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add peer="Chance 2"
add peer=Chance
add peer=Dad
/ip route
add disabled=no distance=160 dst-address=192.168.90.0/24 gateway=\
    192.168.255.2
add disabled=no distance=90 dst-address=192.168.50.0/30 gateway=\
    172.28.0.2%DadNet pref-src="" routing-table=main scope=20 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=160 dst-address=192.168.91.0/28 gateway=\
    192.168.255.2%UplinkToCisco-LAN routing-table=main scope=20 \
    suppress-hw-offload=no target-scope=10
/ipv6 route
add disabled=no distance=1 dst-address=2600:6c48:427f:1900::/56 gateway=\
    DadNetV6 scope=30 target-scope=10
add disabled=yes distance=1 dst-address=\
    2600:6c48:700c:100:385f:ca27:89df:e2f7/128 gateway=DadNetV6 scope=30 \
    target-scope=10
/ip service
set telnet disabled=yes
set www address=192.168.90.0/24
/ip upnp interfaces
add interface=SFP12-WAN type=external
add interface=UplinkToCisco-LAN type=internal
/ipv6 address
add address=2600:6c48:467f:6e01::2 interface=UplinkToCisco-LAN
add address=2600:6c48:467f:6e06::1 advertise=no interface=DadNetV6
/ipv6 dhcp-client
add add-default-route=yes interface=SFP12-WAN pool-name=Home \
    pool-prefix-length=56 prefix-hint=::/56 request=address,prefix \
    use-peer-dns=no
/ipv6 dhcp-server
add address-pool=Home dhcp-option=dns interface=UplinkToCisco-LAN name=\
    REID-HOME
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=2600:6c48:467f:6e02:f886:f4:a0a9:6559/128 list=Athens
add address=d1270beda968.sn.mynetname.net list=Dad
/ipv6 firewall filter
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface=SFP12-WAN protocol=udp \
    src-address=2600:6c48:700c:100:385f:ca27:89df:e2f7/128 src-port=13232
add action=accept chain=forward comment=Plex dst-address-list=Athens \
    dst-port=443 in-interface=SFP12-WAN out-interface=UplinkToCisco-LAN \
    protocol=tcp
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=input comment="Drop Guest into Router" src-address=\
    2600:6c48:467f:6e05::/64
add action=accept chain=input in-interface=SFP12-WAN protocol=gre \
    src-address=2600:6c48:700c:100:385f:ca27:89df:e2f7/128
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=\
    500,1701,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=Drop
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall mangle
add action=mark-connection chain=prerouting comment=Home connection-mark=\
    no-mark new-connection-mark=Home_Conn passthrough=yes src-address=\
    2600:6c48:467f:6e02::/64
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=2600:6c48:467f:6e02::/64 new-connection-mark=Home_Conn \
    passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Home_Conn \
    new-packet-mark=Home packet-mark=no-mark passthrough=no
add action=mark-connection chain=prerouting comment=Wifi connection-mark=\
    no-mark new-connection-mark=Wifi_Conn passthrough=yes src-address=\
    2600:6c48:467f:6e03::/64
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=2600:6c48:467f:6e03::/64 new-connection-mark=Wifi_Conn \
    passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Wifi_Conn \
    new-packet-mark=Wifi packet-mark=no-mark passthrough=no
add action=mark-connection chain=prerouting comment=Guest connection-mark=\
    no-mark new-connection-mark=Guest_Conn passthrough=yes src-address=\
    2600:6c48:467f:6e05::/64
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=2600:6c48:467f:6e05::/64 new-connection-mark=Guest_Conn \
    passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Guest_Conn \
    new-packet-mark=Guest packet-mark=no-mark passthrough=no
add action=mark-connection chain=prerouting comment=Catchall connection-mark=\
    no-mark disabled=yes new-connection-mark=Home_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Home_Conn disabled=\
    yes new-packet-mark=Home packet-mark=no-mark passthrough=no
/ipv6 firewall nat
add action=dst-nat chain=dstnat dst-port=53 in-interface=UplinkToCisco-LAN \
    protocol=tcp src-address=!2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 \
    to-address=2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 in-interface=UplinkToCisco-LAN \
    protocol=udp src-address=!2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 \
    to-address=2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 to-ports=53
add action=masquerade chain=srcnat dst-address=\
    2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 dst-port=53 out-interface=\
    UplinkToCisco-LAN protocol=tcp to-ports=53
add action=masquerade chain=srcnat dst-address=\
    2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 dst-port=53 out-interface=\
    UplinkToCisco-LAN protocol=udp to-ports=53
/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=SFP12-WAN
add interface=UplinkToCisco-LAN
/ipv6 nd prefix
add interface=UplinkToCisco-LAN
/ppp secret
add name=Reid profile=default-encryption
add name=Chance profile=default-encryption
add name=Dad profile=default-encryption
add name=Nat profile=default-encryption
/routing filter rule
add chain=ospf-in disabled=no rule="if (dst in 10.10.102.1 ) { reject;}\r\
    \nif (dst in 10.10.110.1) {\
    \n  reject;\
    \n} \r\
    \nif (dst in 10.8.1.0/24) {\
    \n  reject;\
    \n} \r\
    \nif (dst in 192.168.1.0/24) {\
    \n  reject;\
    \n} \r\
    \nif (dst in 192.168.108.0/24) {\
    \n  reject;\
    \n} \r\
    \nif (dst in 192.168.2.0/24) {\
    \n  reject;\
    \n} \r\
    \n\r\
    \nelse {accept}"
/routing igmp-proxy interface
add interface=UplinkToCisco-LAN
add interface=Chance
add disabled=yes
add interface=DadNet
/routing ospf area range
add area=ReidHome prefix=192.168.90.0/21
/routing ospf interface-template
add area=ReidHome interfaces=UplinkToCisco-LAN networks=192.168.255.0/29
add area=Backbone cost=50 interfaces=Chance networks=10.10.38.0/30
add area=Backbone interfaces=DadNet networks=172.28.0.0/30
add area=Backbone networks=192.168.94.0/24 passive
add area=Backbone interfaces=ChanceWG networks=172.28.0.4/30
/routing pimsm interface-template
add disabled=no instance=PIM interfaces=DadNet source-addresses=""
add disabled=no instance=PIM interfaces=UplinkToCisco-LAN source-addresses=""
/system clock
set time-zone-name=America/Detroit
/system identity
set name=ReidTik
/system logging
set 0 topics=info,!ipsec
set 1 topics=error,!ipsec
add disabled=yes topics=ospf
add disabled=yes topics=dhcp
/system note
set note="They Don't Think It Be Like It Is, But It Do.\r\
    \n"
/system resource irq rps
set ether1 disabled=no
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=Chance store-on-disk=no
add store-on-disk=no
add store-on-disk=no
add interface=SFP12-WAN store-on-disk=no
add interface=UplinkToCisco-LAN store-on-disk=no
add interface=VPN-Bridge store-on-disk=no
/tool graphing resource
add store-on-disk=no
/tool netwatch
add comment="RocketChat NAT RULE" down-script="/ip/firewall/nat/ disable 2" \
    host=192.168.106.18 interval=10s timeout=15s up-script=\
    "/ip/firewall/nat/ enable 2"
/tool sniffer
set file-name=Test filter-ip-address=192.168.91.5/32


Let me know if you find the rule in question.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS DST-NAT to adguard Intermittent Issue

Thu Jan 06, 2022 10:05 pm

An important question: how exactly does it fail? In other words, you described steps that should happen, so which one doesn't?
 
Rfulton
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

Re: DNS DST-NAT to adguard Intermittent Issue

Fri Jan 07, 2022 12:23 am

The requests reach the adguard 100% of the time.

The response reaches the client maybe 25% of the time.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS DST-NAT to adguard Intermittent Issue

Fri Jan 07, 2022 12:37 am

That's in fact great if it fails so reliably; you can trace it back and see where it gets lost.
 
Rfulton
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

Re: DNS DST-NAT to adguard Intermittent Issue

Fri Jan 07, 2022 12:45 am

Sob, you have a great point. I've tracked it back to the CCR2004, which is why I've made this forum post.

If it was having issues on my Cisco 9200, I'd be on the Cisco forums and not here.
 
Rfulton
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

Re: DNS DST-NAT to adguard Intermittent Issue

Fri Jan 07, 2022 1:11 am

The requests reach the adguard 100% of the time.

The response reaches the client maybe 25% of the time.
Let me actually correct this: it's only NATing to the Adguard around 25% of the time.

If I do a packet capture with these parameters, I can see the successes.

On the failures I have no entry from 192.168.255.1 to 192.168.90.38, so it appears to be failing to NAT around 75% of the time.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS DST-NAT to adguard Intermittent Issue

Fri Jan 07, 2022 1:43 am

What if you add these at the beginning of the chains:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 log=yes log-prefix=q: protocol=udp src-address=192.168.91.5 to-addresses=192.168.90.38
add action=masquerade chain=srcnat dst-port=53 log=yes log-prefix=q: protocol=udp src-address=192.168.91.5
/ip firewall mangle
add action=mark-packet chain=prerouting dst-port=53 log=yes log-prefix=q: new-packet-mark=dns passthrough=no protocol=udp src-address=192.168.91.5
add action=mark-packet chain=prerouting log=yes log-prefix=r: new-packet-mark=dns passthrough=no protocol=udp src-address=192.168.90.38 src-port=53
add action=log chain=forward log-prefix=1: packet-mark=dns
add action=log chain=postrouting log-prefix=2: packet-mark=dns
When 192.168.91.5 sends a DNS query, you should see something like this in the log:
q: prerouting: in:UplinkToCisco-LAN out:(unknown 0), ..., proto UDP, 192.168.91.5:xxxxx->1.1.1.1:53, ...
q: dstnat: in:UplinkToCisco-LAN out:(unknown 0), ..., proto UDP, 192.168.91.5:xxxxx->1.1.1.1:53, ...
1: forward: in:UplinkToCisco-LAN out:UplinkToCisco-LAN, ..., proto UDP, 192.168.91.5:xxxxx->192.168.90.38:53, NAT 192.168.91.5:xxxxx->(1.1.1.1:53->192.168.90.38:53), ...
2: postrouting: in:(unknown 0) out:UplinkToCisco-LAN, ..., proto UDP, 192.168.91.5:xxxxx->192.168.90.38:53, NAT 192.168.91.5:xxxxx->(1.1.1.1:53->192.168.90.38:53), ...
q: srcnat: in:(unknown 0) out:UplinkToCisco-LAN, ..., proto UDP, 192.168.91.5:xxxxx->192.168.90.38:53, NAT 192.168.91.5:xxxxx->(1.1.1.1:53->192.168.90.38:53), ...
r: prerouting: in:UplinkToCisco-LAN out:(unknown 0), ..., proto UDP, 192.168.90.38:53->192.168.255.1:xxxxx, NAT (192.168.90.38:53->1.1.1.1:53)->(192.168.255.1:xxxxx->192.168.91.5:xxxxx), ... 
1: forward: in:UplinkToCisco-LAN out:UplinkToCisco-LAN, ..., proto UDP, 192.168.90.38:53->192.168.91.5:xxxxx, NAT (192.168.90.38:53->1.1.1.1:53)->(192.168.255.1:xxxxx->192.168.91.5:xxxxx), ... 
2: postrouting: in:(unknown 0) out:UplinkToCisco-LAN, ..., proto UDP, 192.168.90.38:53->192.168.91.5:xxxxx, NAT (192.168.90.38:53->1.1.1.1:53)->(192.168.255.1:xxxxx->192.168.91.5:xxxxx), ...
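A small tracer for the log lines the diagnostic rules above produce, added here as an example (not code from the thread): it groups lines by the client's source port, checks that each query was logged at every expected (prefix, chain) stage in both directions, and reports the last stage a lost query reached. The sample log is constructed, with numeric ports in place of xxxxx and the interface and length fields abbreviated.

```python
import re

CLIENT, SERVER = "192.168.91.5", "192.168.90.38"   # test client and AdGuard from the thread

# (direction, log prefix, chain) stages one query should produce with the rules above, in order.
EXPECTED = [("request", "q", "prerouting"), ("request", "q", "dstnat"), ("request", "1", "forward"),
            ("request", "2", "postrouting"), ("request", "q", "srcnat"), ("reply", "r", "prerouting"),
            ("reply", "1", "forward"), ("reply", "2", "postrouting")]

HEAD_RE = re.compile(r"^(?P<prefix>[qr12]): (?P<chain>\w+): .*proto UDP, (?P<src>[\d.]+):\d+->")
PORT_RE = re.compile(re.escape(CLIENT) + r":(\d+)")  # client port, before or after NAT

def parse_line(line):
    """Return (client_port, direction, prefix, chain), or None for a non-diagnostic line."""
    head, port = HEAD_RE.match(line), PORT_RE.search(line)
    if not (head and port):
        return None
    direction = "reply" if head.group("src") == SERVER else "request"
    return int(port.group(1)), direction, head.group("prefix"), head.group("chain")

def trace_queries(lines):
    """Map each client source port to 'complete' or to the last stage its packets were logged at."""
    seen = {}
    for parsed in filter(None, map(parse_line, lines)):
        seen.setdefault(parsed[0], set()).add(parsed[1:])
    result = {}
    for port, stages in seen.items():
        missing = next((i for i, s in enumerate(EXPECTED) if s not in stages), None)
        if missing is None:
            result[port] = "complete"
        elif missing == 0:
            result[port] = "never logged"
        else:
            d, p, c = EXPECTED[missing - 1]
            result[port] = "lost after %s: %s (%s)" % (p, c, d)
    return result

# Constructed sample log: query from port 40001 completes, query from port 40002 stops after dstnat.
SAMPLE_LOG = [
    "q: prerouting: in:UplinkToCisco-LAN out:(unknown 0), proto UDP, 192.168.91.5:40001->1.1.1.1:53, len 60",
    "q: dstnat: in:UplinkToCisco-LAN out:(unknown 0), proto UDP, 192.168.91.5:40001->1.1.1.1:53, len 60",
    "1: forward: in:UplinkToCisco-LAN out:UplinkToCisco-LAN, proto UDP, 192.168.91.5:40001->192.168.90.38:53, NAT 192.168.91.5:40001->(1.1.1.1:53->192.168.90.38:53), len 60",
    "2: postrouting: in:(unknown 0) out:UplinkToCisco-LAN, proto UDP, 192.168.91.5:40001->192.168.90.38:53, NAT 192.168.91.5:40001->(1.1.1.1:53->192.168.90.38:53), len 60",
    "q: srcnat: in:(unknown 0) out:UplinkToCisco-LAN, proto UDP, 192.168.91.5:40001->192.168.90.38:53, NAT 192.168.91.5:40001->(1.1.1.1:53->192.168.90.38:53), len 60",
    "r: prerouting: in:UplinkToCisco-LAN out:(unknown 0), proto UDP, 192.168.90.38:53->192.168.255.1:40001, NAT (192.168.90.38:53->1.1.1.1:53)->(192.168.255.1:40001->192.168.91.5:40001), len 76",
    "1: forward: in:UplinkToCisco-LAN out:UplinkToCisco-LAN, proto UDP, 192.168.90.38:53->192.168.91.5:40001, NAT (192.168.90.38:53->1.1.1.1:53)->(192.168.255.1:40001->192.168.91.5:40001), len 76",
    "2: postrouting: in:(unknown 0) out:UplinkToCisco-LAN, proto UDP, 192.168.90.38:53->192.168.91.5:40001, NAT (192.168.90.38:53->1.1.1.1:53)->(192.168.255.1:40001->192.168.91.5:40001), len 76",
    "q: prerouting: in:UplinkToCisco-LAN out:(unknown 0), proto UDP, 192.168.91.5:40002->1.1.1.1:53, len 60",
    "q: dstnat: in:UplinkToCisco-LAN out:(unknown 0), proto UDP, 192.168.91.5:40002->1.1.1.1:53, len 60",
]
```

Feed it the router's log (for example `/log print` filtered on the `q:`, `r:`, `1:` and `2:` prefixes) in place of SAMPLE_LOG; a query reported as "lost after q: srcnat (request)" never came back from AdGuard, while one lost earlier never left the router.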
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS DST-NAT to adguard Intermittent Issue

Fri Jan 07, 2022 1:48 am

Another thing, does the client always use IPv4? You have srcnat/dstnat for IPv6 too, so it shouldn't matter, but just to be sure that you're watching IPv6 too...
 
Rfulton
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

Re: DNS DST-NAT to adguard Intermittent Issue

Fri Jan 07, 2022 3:08 am

I disabled IPv6 for testing.
 
Rfulton
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

Re: DNS DST-NAT to adguard Intermittent Issue

Fri Jan 07, 2022 4:04 pm

Here are the captures; my Cisco 9200 gets 100% of the DNS requests in the packet capture.

The CCR2004 only services about 25% of them, from what I can tell in the packet capture.

0x0072 was serviced,
0x0073-77 weren't
0x0078 was serviced
 
Rfulton
Frequent Visitor
Topic Author
Posts: 99
Joined: Tue Aug 08, 2017 2:17 am

Re: DNS DST-NAT to adguard Intermittent Issue

Fri Jan 07, 2022 4:13 pm

When I do a packet capture on the CCR2004 *BEFORE NAT*, I can see 10 requests for purple.com on both the 9200 and the CCR2004.

It appears to be an intermittent issue with NAT.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS DST-NAT to adguard Intermittent Issue  [SOLVED]

Fri Jan 07, 2022 4:19 pm

Now I see: it's the to-ports=53 in the srcnat rules; it shouldn't be there.
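Why a stray to-ports=53 on a masquerade rule makes this intermittent, as an added illustration (not code from the thread or from RouterOS): it forces every NATed query to leave 192.168.255.1 from source port 53, so concurrent queries from different client ports need the same reply tuple, and the connection-tracking table can hold only one of them until that entry times out. The model below is a simplified stand-in for the router's NAT table; the 10 s UDP timeout, the drop-on-collision rule and the client ports are constructed assumptions.

```python
# Simplified model of UDP masquerade plus connection tracking (constructed, not RouterOS code).
ROUTER, SERVER = "192.168.255.1", ("192.168.90.38", 53)

class NatTable:
    def __init__(self, to_ports=None, udp_timeout=10.0):
        self.to_ports = to_ports        # (lo, hi) forced source-port range; None = any free port
        self.udp_timeout = udp_timeout  # seconds an idle UDP entry stays in the table (assumed)
        self.entries = {}               # router source port -> (client_port, created_at)

    def masquerade(self, client_port, now):
        """Return the source port the query leaves ROUTER with, or None if it is dropped."""
        # Expire idle entries first; this is what lets a later query succeed again.
        self.entries = {p: e for p, e in self.entries.items() if now - e[1] < self.udp_timeout}
        if self.to_ports:
            candidates = range(self.to_ports[0], self.to_ports[1] + 1)
        else:
            # Without to-ports the client's own port is kept when free, else another is picked.
            candidates = [client_port] + [p for p in range(1024, 65536) if p != client_port]
        for port in candidates:
            # The reply tuple SERVER -> (ROUTER, port) must be unique so AdGuard's answer
            # can be mapped back to exactly one client flow.
            if port not in self.entries or self.entries[port][0] == client_port:
                self.entries[port] = (client_port, now)
                return port
        return None  # every allowed port belongs to another live flow: the query is dropped

def serviced(to_ports, client_ports, interval):
    """Count queries (one every `interval` s, distinct client ports) that get a NAT mapping."""
    table = NatTable(to_ports)
    return sum(table.masquerade(p, i * interval) is not None
               for i, p in enumerate(client_ports))

if __name__ == "__main__":
    ports = list(range(40001, 40011))
    print("to-ports=53, 1 query/s :", serviced((53, 53), ports, 1.0), "of 10")
    print("to-ports=53, 1 query/4s:", serviced((53, 53), ports, 4.0), "of 10")
    print("no to-ports, 1 query/s :", serviced(None, ports, 1.0), "of 10")
```

With the forced port only the first query of each timeout window gets a mapping, which is exactly the "works sometimes" pattern from the captures; dropping to-ports from the srcnat rules lets each client port keep its own mapping.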
