Hi,
I'm using MT 5.7 on 711-5Hn-MMCX.
1. /system reset-configuration
2. On startup: Remove (default) configuration.
3. Add bridge1 with ports: ether1, wlan1 and IP address on bridge1 interface.
4. /interface bridge nat add chain=dstnat action=dst-nat to-dst-mac-address=MAC2 src-mac-address=MAC1/ff:ff:ff:ff:ff:ff
5. Monitor on MAC2 with tcpdump
6. Ping a host behind this MT.
I want all traffic from MAC1 to any host behind the MT to be redirected to MAC2. Instead it is dropped. No traffic arrives at MAC1. It's not an ARP problem - ping is lost right after adding the rule.
That's the simplest rule of dst-nat and I guess it's just a bug. Correct me.
-
-
WirelessRudy
Forum Guru
- Posts: 3119
- Joined:
- Location: Spain
Re: action=dst-nat NOT working
Well, I don't know. All your router's interfaces are bridged. So all (mac) traffic passes. The whole dst-nat has no meaning imho.
Re: action=dst-nat NOT working
http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
"dstnat - used for redirecting some pakets to another destinations"
I forgot to tell that the traffic is dropped.
"dstnat - used for redirecting some pakets to another destinations"
I forgot to tell that the traffic is dropped.
-
-
WirelessRudy
Forum Guru
- Posts: 3119
- Joined:
- Location: Spain
Re: action=dst-nat NOT working
Bringing both interfaces in a bridge means all packets pass router transparent like both connected LAN's are part of one big LAN. So packages travel from one mac to another like in one big network.http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
"dstnat - used for redirecting some pakets to another destinations"
I forgot to tell that the traffic is dropped.
The setting for nat is only valid if you would have another interface that is outside the bridge, and thus routed, and a package with destination to that ´non-bridged´ interface has to get another mac. That how it works imho.
Re: action=dst-nat NOT working
He's using bridge NAT: http://wiki.mikrotik.com/wiki/Manual:In ... Bridge_NAT
supermega, can you post your configuration rather than describe it, together with a network diagram that shows links and devices with their ports, IPs, and MACs labeled? The configuration should include, at minimum, the output of "/interface bridge export" and "/interface print detail".
supermega, can you post your configuration rather than describe it, together with a network diagram that shows links and devices with their ports, IPs, and MACs labeled? The configuration should include, at minimum, the output of "/interface bridge export" and "/interface print detail".
-
-
WirelessRudy
Forum Guru
- Posts: 3119
- Joined:
- Location: Spain
Re: action=dst-nat NOT working
Maybe he forgot to enable the bridge firewall:
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
But what is the purpose of using a bridge if you actually are routing all traffic from certain mac/IP to one other mac/IP?
In bridge all traffic is still broadcast over the whole network? Even the answer from the recipient is broadcast LAN wide again.
Would it not more economic to use the router as router to do this? But maybe indeed it depends on how his network is setup and how much traffic he has to deviate.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
But what is the purpose of using a bridge if you actually are routing all traffic from certain mac/IP to one other mac/IP?
In bridge all traffic is still broadcast over the whole network? Even the answer from the recipient is broadcast LAN wide again.
Would it not more economic to use the router as router to do this? But maybe indeed it depends on how his network is setup and how much traffic he has to deviate.
Re: action=dst-nat NOT working
Code: Select all
# jan/02/1970 00:04:21 by RouterOS 5.7
# software id = T585-J63M
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
disabled=no forward-delay=15s l2mtu=1600 max-message-age=20s mtu=1500 \
name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface bridge nat
add action=dst-nat chain=dstnat disabled=no src-mac-address=\
00:1A:4D:9E:03:B0/FF:FF:FF:FF:FF:FF to-dst-mac-address=00:02:A5:4E:44:A9
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan1 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether1 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
Code: Select all
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="wlan1" type="wlan" mtu=1500 l2mtu=2290
1 R name="ether1" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=4076
2 R name="bridge1" type="bridge" mtu=1500 l2mtu=1600
Hosts on LAN:
10.1.0.1 (00:02:a5:4e:44:a9) - tcpdump
10.1.0.5 (00:1A:4D:9E:03:B0) - ping
MT has 10.1.0.200 on bridge1, output config above is from this one
CPE has 10.1.0.201 on bridge1, mode: station-bridge
I need this for broadcast separation. This is not my final configuration - I would rather redirect all traffic not from whitelisted MACs.
Re: action=dst-nat NOT working
Is there anything in the IP firewall that could block traffic?
Also, this is a shot in the dark - I don't have much experience with bridge NAT - but I vaguely remember seeing somewhere that the admin MAC should be set for bridge filters and NAT. Can you try setting a locally administered MAC address on that?
Otherwise that looks good to me. I wouldn't scream bug - it's unlikely you've hit a bug. Misconfiguration is more likely, though right now I'm unfortunately not seeing it.
Also, this is a shot in the dark - I don't have much experience with bridge NAT - but I vaguely remember seeing somewhere that the admin MAC should be set for bridge filters and NAT. Can you try setting a locally administered MAC address on that?
Otherwise that looks good to me. I wouldn't scream bug - it's unlikely you've hit a bug. Misconfiguration is more likely, though right now I'm unfortunately not seeing it.
Re: action=dst-nat NOT working
No IP firewall rules, 100% default config with changes stated.
MAC filtering itself works - action=drop/accept/jump/return. In this configuration traffic is dropped.
I've set admin MAC - no change.
MAC filtering itself works - action=drop/accept/jump/return. In this configuration traffic is dropped.
I've set admin MAC - no change.
Code: Select all
add admin-mac=11:0C:42:BF:67:19 ageing-time=5m arp=enabled auto-mac=no disabled=no forward-delay=15s l2mtu=1600 \
max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface bridge nat
add action=dst-nat chain=dstnat disabled=no src-mac-address=00:1A:4D:9E:03:B0/FF:FF:FF:FF:FF:FF to-dst-mac-address=\
00:02:A5:4E:44:A9
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=wlan1 path-cost=10 point-to-point=auto \
priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 path-cost=10 point-to-point=auto \
priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
-
-
kirshteins
MikroTik Support
- Posts: 592
- Joined:
Re: action=dst-nat NOT working
Bridge Dst-NAT works fine for me. Are counters increasing for this rule? How do you determine that packets get dropped and where they get dropped?
Re: action=dst-nat NOT working
Counters are increased.
I determinate by observing ping - it's lost when I activate the rule. What you mean where?
LAN --- MT --- CPE --- WLAN-HOST
I've done some more tests: when I ping WLAN-HOST and dnat to CPE MAC it's redirected well - packets go to CPE and then are forwarded in layer 3 to WLAN-HOST. Main difference with this setup is that output interface for dst-nated packet isn't changed, while in previous setup it was changed from wlan1 to ether1.
kirshteins, do you also use dst-nat to change destination interface?
Code: Select all
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS
0 dstnat dst-nat 4554 99LAN --- MT --- CPE --- WLAN-HOST
I've done some more tests: when I ping WLAN-HOST and dnat to CPE MAC it's redirected well - packets go to CPE and then are forwarded in layer 3 to WLAN-HOST. Main difference with this setup is that output interface for dst-nated packet isn't changed, while in previous setup it was changed from wlan1 to ether1.
kirshteins, do you also use dst-nat to change destination interface?
Re: action=dst-nat NOT working
Still get no results for dst-nat. Thing is, it's very simple to reproduce by anyone who has any MT device. Commands below are for devices with at least 2 ethernet ports, otherwise you need to change ether2 for example to wlan1.
Comments:
dst-mac-address=!FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF - not to lose communication with MT (connecting to MAC address is via broadcast)
mac-protocol=!arp - to be sure that problem is not arp issue
DST_MAC - is MAC of a device able to monitor traffic: tcpdump, Wireshark, MT with Torch, etc.
Now we ping any host behind the MT:
1. When out-interface is different from in-interface - redirection works OK.
2. When out-interface is same as in-interface - packets are dropped.
Topology:
1a. Pinging host on ether1, monitoring host on ether2, pinged host on ether2
1b. Pinging host on ether1, monitoring host on ether3, pinged host on ether2
2. Pinging host and monitoring host on same interface.
Code: Select all
/system reset-configuration no-defaults=yes skip-backup=yes
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge nat add chain=dstnat action=dst-nat to-dst-mac-address=DST_MAC dst-mac-address=!FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF mac-protocol=!arpdst-mac-address=!FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF - not to lose communication with MT (connecting to MAC address is via broadcast)
mac-protocol=!arp - to be sure that problem is not arp issue
DST_MAC - is MAC of a device able to monitor traffic: tcpdump, Wireshark, MT with Torch, etc.
Now we ping any host behind the MT:
1. When out-interface is different from in-interface - redirection works OK.
2. When out-interface is same as in-interface - packets are dropped.
Topology:
1a. Pinging host on ether1, monitoring host on ether2, pinged host on ether2
1b. Pinging host on ether1, monitoring host on ether3, pinged host on ether2
2. Pinging host and monitoring host on same interface.
You do not have the required permissions to view the files attached to this post.