We have been running RouterOS 3.20 on a PC for so time and yesterday was compelled to restore after a "freak" crash that saw the majority of the NAT rules disappearing and the router rebooting. Before the crash I was editing a NAT rule and soon after applying the changes the router timed out and on accessing it via mac-telnet it showed a 3mins uptime and could not undo anything.
The worrying part is several recent backups restored are missing important NAT rules. Is this normal?
Re: Mikrotik restore missing NAT rules
No, it's not. How can backups be affected by this? Information doesn't magically go missing from completely unrelated files (that are hopefully stored on a separate system).
Re: Mikrotik restore missing NAT rules
It seams it can. I just had an incident with old 3.22 version that ate NAT rules. 2-3 backups I have done for security all show NAT rules empty. It looks like only NAT rules are gone.No, it's not. How can backups be affected by this? Information doesn't magically go missing from completely unrelated files (that are hopefully stored on a separate system).
Is there any way that I or someone else can pull those NAT rules out of Config/Backup file?
Re: Mikrotik restore missing NAT rules
I've never experienced this myself. As per the Mikrotik Wiki, make sure you are restoring from a backup file created on the EXACT SAME device.We have been running RouterOS 3.20 on a PC for so time and yesterday was compelled to restore after a "freak" crash that saw the majority of the NAT rules disappearing and the router rebooting. Before the crash I was editing a NAT rule and soon after applying the changes the router timed out and on accessing it via mac-telnet it showed a 3mins uptime and could not undo anything.
The worrying part is several recent backups restored are missing important NAT rules. Is this normal?
Backups are the exact data that RouterOS uses during it's running operations.
You mentioned a crash. It could be possible that the changes were somehow cached before being applied if using winbox to make changes. Also, it might be possible that your backup did not include those nat rules that disappeared.
Just some thoughts. I've had good success with the restore process on the same device.
Re: Mikrotik restore missing NAT rules
Doug, OP's post is 2 years old.
I've had it happen last night (GMT+1). Backup files were on the same unit, never leaving it.
I even pulled backup files accross the network and loaded up to RB600A with 5.10 but it also failed to show any NAT rules.
There were 2 backup files taken 20 minutes appart. First was around 50KB larger then the second. I guess NAT rules were not stored properly on the first try and then they were left out on the second. But I am not such an expert on MT, I like StarOS better.
Since both reports are made against 3.2x version I guess it was a bug then. I am going to recomend the owner to upgrade to 4.x or 5.x if license allows it.
Luckly there was backup from 2009 and that they havent changed DNAT 1:1 rules much from that time. We even managed to fix a problem where one of the SNAT rules would masq one locally connected subnet even for the rest of the network (that unit is a main gateway). They had a totall of around 75 rules NAT and they said maybe this was for the best, a clean slate.
At the end I used /export command to create working backup of present config.
I've had it happen last night (GMT+1). Backup files were on the same unit, never leaving it.
I even pulled backup files accross the network and loaded up to RB600A with 5.10 but it also failed to show any NAT rules.
There were 2 backup files taken 20 minutes appart. First was around 50KB larger then the second. I guess NAT rules were not stored properly on the first try and then they were left out on the second. But I am not such an expert on MT, I like StarOS better.
Since both reports are made against 3.2x version I guess it was a bug then. I am going to recomend the owner to upgrade to 4.x or 5.x if license allows it.
Luckly there was backup from 2009 and that they havent changed DNAT 1:1 rules much from that time. We even managed to fix a problem where one of the SNAT rules would masq one locally connected subnet even for the rest of the network (that unit is a main gateway). They had a totall of around 75 rules NAT and they said maybe this was for the best, a clean slate.
At the end I used /export command to create working backup of present config.
Re: Mikrotik restore missing NAT rules
DrLove73,
When you rebooted the router, did you have any settings missing?
I'm wondering if it's either a problem with the restore, or a problem with the created backup file itself.
The backup file is supposed to be literally the same settings the router uses directly for configuration. I've had some issues with interfaces not showing up, and problems with proxy settings before (where I couldn't even go to /ip proxy, the router would hang). This was while the router was running though.
Very odd, indeed. Kind of scary as well.
When you rebooted the router, did you have any settings missing?
I'm wondering if it's either a problem with the restore, or a problem with the created backup file itself.
The backup file is supposed to be literally the same settings the router uses directly for configuration. I've had some issues with interfaces not showing up, and problems with proxy settings before (where I couldn't even go to /ip proxy, the router would hang). This was while the router was running though.
Very odd, indeed. Kind of scary as well.
Re: Mikrotik restore missing NAT rules
First of all, Please note that this happend on 3.2x version, I would guess from 2009.
Absolutely everithing else was there, we checked, only NAT rules where missing. Backup from 2009 (I guess before router was upgraded to that 3.2x version) had those NAT rules. I uploaded that old backup to another RB and sent a screenshot to owners of the router, so they can see what they need and what not.
They upgraded to 4.17 after my last post and had a horrible night after upgrade. Here is what he mailed to me:
Absolutely everithing else was there, we checked, only NAT rules where missing. Backup from 2009 (I guess before router was upgraded to that 3.2x version) had those NAT rules. I uploaded that old backup to another RB and sent a screenshot to owners of the router, so they can see what they need and what not.
They upgraded to 4.17 after my last post and had a horrible night after upgrade. Here is what he mailed to me:
After that I showed them how to use /export command just in case, and I am going to add that option to my maintanance progam next to the regular backups of MT units. I might even drop encrepted backup and go with /export command, so I can compare files and delete exact copies (I backup all of my Star and MT units every 1h and each month I run diff program to delete exact copies and compress textual files).We went ahead and upraded the MT box last night about 10:45 our time. Big problems. I had read the MT boards and people cautioned about using the newest 5.x because it was not stable and everyone suggested we use 4.17. Did the upgrade and nothing. Couldnt get into box at all. THought that maybe it died. Was able to Logmein to Todd's laptop attached to the Todd router on the cable internet and could get into the MT box via 192.168.253.1 just fine. But absolutely no traffic coming in or out of any of the three interfaces to the internet. Very wierd. Tried deleting the masq and recreating them. Messed with it a couple of hours with nothing. Thanks to your iptables rules, we were able to switch the whole network to go out the cable so at least our clients had internet. (created a 192.168.0.0/16 rule on each star unit.) Worked like a charm.
Tried restoring all the backups and even imported the running config that you had me export ( I had even exported another one later before the problem started) but nothing.
If you looked at the counters in the nat screen for the masq statements, it looked like they were being hit but absolutely nothing was going across the interfaces. Could ping the public ip addresses on the interfaces from within the MT box but that was it. I made a post on the MT forum about it.
As a last resort, we thought that we had nothing to lose by trying the latest 5.x version. Downloaded it into the laptop that I was remote connected to via the cable internet and upgraded to the latest 5.x version and rebooted. Figured we had nothing to lose. The next step was to setup another MT box or a star box in a hurry and use it temporarily.
The seas parted, the sun started shining and all was well with the world. Started working like it should ! Perfect! Disabled the 192.168.0.0/16 firewall rules and everyone back to going out the correct path.
Good thing that I didn't have a gun and had been on site or I would have shot that MT box.