joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

NAT behaviour

Mon Aug 15, 2022 6:17 pm

Hi,

As of late, clients that connect to 2 different servers on either port 80 or 8080 within the same network experience frequent connection losses (the web applications stop working and kick them out and reconnect again). I haven't found out why yet.
One thing I noticed is that I get the following NAT behaviour
Screenshot 2022-08-15 164642.jpg
where SYN messages are sent to IP addresses that aren't in use. Starting from let's say x.x.x.98 going to x.x.x.107.
Is this behaviour expected? Let me know which configuration details you need.
Also while looking for the version number of RouterOS I got the following:
Screenshot 2022-08-15 171419.jpg
which looks as though I haven't upgraded RouterOS but I am pretty sure I did this already.


thanks and best
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: NAT behaviour

Mon Aug 15, 2022 7:21 pm

Provide an anonymized config export.
7.2.1 is rather old, and by the screenshot provided it looks like you didn't upgrade the firmware (from the RouterBOARD menu, the exact one you've posted).
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT behaviour

Mon Aug 15, 2022 7:26 pm

Yup, config is required,
Nice to have network diagram.

Two main issues with port forwarding,
How public is your WAN IP
Are you using WANIP for internal LAN users.
viewtopic.php?t=179343
 
joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

Re: NAT behaviour

Fri Aug 19, 2022 4:45 pm

Hello,

Thank you a lot for the replies. I suspected NAT hairpin and will read into it. Also I will make a network diagram and attach it.
Please find attached an anonymized config file.

Are you using WANIP for internal LAN users
Yes, some users do, some don't. But using the local ip of the servers didn't fix the issue.

best,
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT behaviour

Fri Aug 19, 2022 4:56 pm

(1) You should update to 7.4.1 firmware, less bugs and more stable.
(2) Someone else can assist, I don't help those who configure vlan-id=1
(3) Cannot understand your pool structure
(4) Do not understand why you need two bridge
(5) Do not understand the lack of consistency in number of vlans, dhcp-server, dhcp-server-networks, IP pools, and IP addresses
(6) I think you're mixing up use of forward chain and NAT chain for port forwarding.
(7) Total lack of default and expected firewall rules
(8) Not sure why you have a route rule for a public DNS server?
(9) Not clear why you are mangling as don't understand your wan situation.

In summary I find this is a confusing config that is either genius put together and above my limited knowledge or a hodge podge of internet searched rules cobbled together. ?????
 
joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

Re: NAT behaviour

Fri Aug 19, 2022 5:40 pm

In summary I find this is a confusing config that is either genius put together and above my limited knowledge or a hodge podge of internet searched rules cobbled together. ?????
It's neither. Most things aren't active/in use. I mean it's obviously a double NAT configuration. I can clean this up, though. I tested a lot of stuff in the beginning and was confused on how to delete some of the things or didn't bother.
The only things that are important are the bridge with 192.168.178.0/24 IP pool and the 2 WAN interfaces.
And the question is why the connection between a server on 192.168.178.3 and the clients on 192.168.178.20-150 is getting interrupted every now and then.

(1) You should update to 7.4.1 firmware, less bugs and more stable.
Ok.
(2) Someone else can assist, I don't help those who configure vlan-id=1
I don't use any VLANs
(3) Cannot understand your pool structure
Only DHCP pool #10 is in use.
(4) Do not understand why you need two bridge
There is one bridge for the 192.168.178.0/24 addresses and another one that was a default for configuring a connection to the router I think.
(5) Do not understand the lack of consistency in number of vlans, dhcp-server, dhcp-server-networks, IP pools, and IP addresses
192.168.178.0/24 - Clients and Server
192.168.176.254 - Wan 1 goes to a Fritzbox
192.168.179.254 - Wan 2 goes to another Fritzbox
(6) I think you're mixing up use of forward chain and NAT chain for port forwarding.
How would I port forward otherwise? Let's say from 192.168.176.254:8080 to 192.168.178.3:8080
(7) Total lack of default and expected firewall rules
It's a double NAT setup. Firewall rules are in place on the routers connected to the ISPs
(8) Not sure why you have a route rule for a public DNS server?
Recursive routing failover.
(9) Not clear why you are mangling as don't understand your wan situation.
I wanted load balancing between the 2 WAN ports but didn't manage to make sure that the gateway where the request came in was the same gateway the response was sent to. So I configured one line as failover instead of load balancing. All mangling rules are disabled, I thought it's visible in the config. I don't want to delete them as I think they worked mostly and I may need them again.


best
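
Added example, not part of any post in this thread and not taken from the poster's config: how the NAT chains and the forward chain divide the work for the port forward discussed above (192.168.176.254:8080 to 192.168.178.3:8080), including the hairpin case. The interface lists WAN and LAN are assumptions; the addresses are the ones given in the thread.

```routeros
# Assumption: interface lists WAN (both uplinks) and LAN (the 192.168.178.0/24 bridge) exist.

/ip firewall nat
# dstnat chain: rewrite the destination so traffic to the router's WAN1
# address on tcp/8080 is delivered to the internal server.
add chain=dstnat action=dst-nat protocol=tcp dst-address=192.168.176.254 \
    dst-port=8080 to-addresses=192.168.178.3 to-ports=8080 \
    comment="port forward 8080 to server"
# srcnat chain (hairpin): when a LAN client reaches the server through the
# router address, masquerade the source so the server replies via the router
# instead of answering the client directly with an unexpected source address.
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.178.0/24 \
    dst-address=192.168.178.3 dst-port=8080 out-interface-list=LAN \
    comment="hairpin NAT for LAN clients"

/ip firewall filter
# forward chain: this is where the translated traffic is permitted or dropped.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# Only connections that matched a dstnat rule may enter from the WAN side.
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="drop WAN traffic that was not port-forwarded"
```

In a double-NAT setup the upstream router still decides what reaches 192.168.176.254; the filter rules above keep the inner router from forwarding anything the NAT table did not explicitly map.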
