maxxch
just joined
Topic Author
Posts: 19
Joined: Tue Sep 20, 2005 10:38 pm

packets arriving without being NATed (masqueraded)

Fri Mar 29, 2013 6:03 pm

Hi all,

I've put an RB951 into my workplace (made some kind of private network inside the corporate one).
On the WAN interface (ether1) I have a public IP, and all the others (ether2-5 + wlan1) are in bridge-lan and have 192.168.18.1/24.

So my PC, laptop and mobile phone have IP addresses from the private range.
The configuration is simple: just a static public IP on ether1 and a DHCP server on bridge-lan with NAT.

The problem is that our corporate firewall detected packets from my private range.
tcpdump output of the port mirror on the switch:
16:36:39.629595 vlan 102, p 0, IP 192.168.18.254.49868 > 212.24.43.44.80: R 1:1(0) ack 1 win 0
16:36:39.629599 vlan 102, p 0, IP 192.168.18.254.49829 > 159.148.147.201.80: R 1:1(0) ack 1 win 0
16:36:39.629779 vlan 102, p 0, IP 192.168.18.254.49782 > 86.59.118.148.80: R 1:1(0) ack 1 win 0
which causes log-file violation records:
2013-03-29T16:40:51+01:00 rtr-wan-01 list from-OFFICE denied tcp 192.168.18.254(49868)(Ethernet 1/1 d4ca.6d2b.ab6b) -> 212.24.43.44(http), 7 event(s)
2013-03-29T16:40:52+01:00 rtr-wan-01 list from-OFFICE denied tcp 192.168.18.254(49782)(Ethernet 1/1 d4ca.6d2b.ab6b) -> 86.59.118.148(http), 7 event(s)
and so on.

It seems like some of the packets are not being masqueraded and are arriving from ether1 with the internal IP address.
Maybe somebody knows how to fix it?

At first the router had 5.22, and then I upgraded it to 6rc12, but nothing changed.
Here you can see a compact export of the configuration:
# jan/02/1970 03:33:05 by RouterOS 6.0rc12
#
/interface bridge
add l2mtu=1598 name=bridge-lan
/ip pool
add name=dhcp_pool1 ranges=192.168.18.2-192.168.18.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-lan lease-time=1d name=dhcp1
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=wlan1
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
/ip address
add address=192.168.18.1/24 interface=bridge-lan network=192.168.18.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.18.0/24 gateway=192.168.18.1
/ip settings
set accept-redirects=yes rp-filter=loose
/ip firewall nat
add action=src-nat chain=srcnat comment="default NAT rule" out-interface=ether1-gateway src-address=192.168.18.0/24 to-addresses=x.x.x.x
 
Caci99
Forum Guru
Posts: 1076
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: packets arriving without being NATed (masqueraded)

Fri Mar 29, 2013 7:26 pm

What masquerade does is substitute the source address with the address of the interface the packet is leaving the router on. I am not sure if the last rule you posted actually does that. Try it this way:
/ip firewall nat
add action=masquerade chain=srcnat comment="default NAT rule" out-interface=ether1-gateway 
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: packets arriving without being NATed (masqueraded)

Fri Mar 29, 2013 8:25 pm

Also check which device is using .254 and what its IP settings are.
 
maxxch
just joined
Topic Author
Posts: 19
Joined: Tue Sep 20, 2005 10:38 pm

Re: packets arriving without being NATed (masqueraded)

Sat Mar 30, 2013 10:55 am

> What masquerade does is substitute the source address with the address of the interface the packet is leaving the router on. I am not sure if the last rule you posted actually does that. Try it this way:
> /ip firewall nat
> add action=masquerade chain=srcnat comment="default NAT rule" out-interface=ether1-gateway
Yes, you're right, masquerade does that; in my rules you can see SNAT, which is almost the same as masquerade but lets you define what IP address to put into the src field of the arriving packet (masquerade takes the first one from the interface dynamically).
But as I can see, some packets arrive with the original (private) address and the next router rejects them. It is not a problem for me, but if somebody from security sees this record I will have problems (as you can see, in the log file there is also the MAC address).

PS: I also tried the rule that you proposed; the same behavior :(
Last edited by maxxch on Sat Mar 30, 2013 11:07 am, edited 1 time in total.
 
maxxch
just joined
Topic Author
Posts: 19
Joined: Tue Sep 20, 2005 10:38 pm

Re: packets arriving without being NATed (masqueraded)

Sat Mar 30, 2013 10:57 am

> Also check which device is using .254 and what its IP settings are.
.254 is my PC, which got its IP address using DHCP on the RB. So there is nothing weird. I also have a SIP phone, and I can see its packets arriving from ether1 (WAN) with the original private IP as well.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: packets arriving without being NATed (masqueraded)

Sat Mar 30, 2013 12:02 pm

Is it only occasional packets that arrive upstream with the private IP? Does the NAT seem to operate normally from the LAN side - i.e. you can use internet service etc. without problems?

If so, you can avoid the log entries upstream by dropping any packets with an RFC1918 src. address on the WAN interface.
 
maxxch
just joined
Topic Author
Posts: 19
Joined: Tue Sep 20, 2005 10:38 pm

Re: packets arriving without being NATed (masqueraded)

Sat Mar 30, 2013 12:19 pm

> Is it only occasional packets that arrive upstream with the private IP? Does the NAT seem to operate normally from the LAN side - i.e. you can use internet service etc. without problems?
>
> If so, you can avoid the log entries upstream by dropping any packets with an RFC1918 src. address on the WAN interface.
Yes, these are only occasional packets, and all services inside the LAN segment are working without any problems.
1. Is this normal behavior, or is this a problem with the kernel/iptables etc.?
2. How can I filter them? Could you suggest some rule to apply? It looks like it should be the postrouting chain, but how can I block them there?
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: packets arriving without being NATed (masqueraded)

Sat Mar 30, 2013 12:39 pm

Do you have any forwarding filter entries in IP Firewall? Typically you would be allowing connections from the LAN side to the WAN side and only allowing ESTABLISHED and RELATED connections coming back WAN>LAN.

Try adding such filter entries and make sure that the NAT entry matches the same traffic as the forwarding filter allows.
 
maxxch
just joined
Topic Author
Posts: 19
Joined: Tue Sep 20, 2005 10:38 pm

Re: packets arriving without being NATed (masqueraded)

Sun Mar 31, 2013 9:52 am

> Do you have any forwarding filter entries in IP Firewall? Typically you would be allowing connections from the LAN side to the WAN side and only allowing ESTABLISHED and RELATED connections coming back WAN>LAN.
>
> Try adding such filter entries and make sure that the NAT entry matches the same traffic as the forwarding filter allows.
Yes, I had these rules in my previous configuration before I reset the routerboard. You are talking about incoming connections in the input chain. But I have a problem with outgoing packets.
It would be interesting to know if this is a hardware or software issue; I have no opportunity to replicate this on other routerboards with different SW releases.
 
frankie
Member Candidate
Posts: 116
Joined: Thu May 08, 2008 9:45 pm

Re: packets arriving without being NATed (masqueraded)

Sun Mar 31, 2013 7:42 pm

I've checked on my WAN interface with Wireshark and yes, some packets from the LAN are forwarded to the WAN without NAT. ROS 5.19, x86 on an Intel Atom DN2800MT.
 
maxxch
just joined
Topic Author
Posts: 19
Joined: Tue Sep 20, 2005 10:38 pm

Re: packets arriving without being NATed (masqueraded)

Tue Apr 02, 2013 5:57 pm

> I've checked on my WAN interface with Wireshark and yes, some packets from the LAN are forwarded to the WAN without NAT. ROS 5.19, x86 on an Intel Atom DN2800MT.
Looks like this is not a hardware issue, so maybe this is a Linux (kernel or iptables) problem.
Do you have any ideas?
 
maxxch
just joined
Topic Author
Posts: 19
Joined: Tue Sep 20, 2005 10:38 pm

Re: packets arriving without being NATed (masqueraded)

Tue Apr 09, 2013 11:13 am

I've contacted MikroTik support and got an answer to add the rule
/ip firewall filter add action=drop connection-state=invalid

I've added it to the router for all 3 chains (input, output and forward),
and now I can see that these rules are blocking invalid packets.

So this is not actually a RouterOS issue but a common iptables problem, so on Linux routers you can also filter these packets using:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
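As an added example (not from the thread, MikroTik support or any poster), a small Python checker that reads tcpdump lines in the format maxxch posted from the port mirror and flags packets seen on the WAN side that still carry a source in the LAN range; the "no-syn-seen" tag marks packets whose flow never had a SYN in the capture, which is what conntrack labels INVALID and what NAT skips, so it is the kind of packet the drop-invalid rule catches. The LAN range and two sample lines come from the thread; the other two sample lines and all function names are constructed for this example.

```python
import ipaddress
import re

# Two lines copied from the thread's port-mirror capture plus two constructed
# lines (RFC 5737 documentation addresses) showing a normally NATed exchange.
SAMPLE_CAPTURE = """\
16:36:39.629595 vlan 102, p 0, IP 192.168.18.254.49868 > 212.24.43.44.80: R 1:1(0) ack 1 win 0
16:36:39.629599 vlan 102, p 0, IP 192.168.18.254.49829 > 159.148.147.201.80: R 1:1(0) ack 1 win 0
16:36:40.100000 vlan 102, p 0, IP 203.0.113.10.51000 > 198.51.100.5.443: S 0:0(0) win 29200
16:36:40.200000 vlan 102, p 0, IP 198.51.100.5.443 > 203.0.113.10.51000: S 0:0(0) ack 1 win 65535
"""

# tcpdump TCP summary: "IP src.sport > dst.dport: FLAGS ..."
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags


def find_nat_leaks(capture, lan_net="192.168.18.0/24"):
    """List packets on the WAN side that still carry a LAN source address.
    'no-syn-seen' = no SYN for that flow earlier in the capture, so conntrack
    has no entry, labels the packet INVALID and skips NAT for it."""
    lan = ipaddress.ip_network(lan_net)
    syn_seen = set()
    leaks = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        flow = (src, sport, dst, dport)
        if "S" in flags:
            syn_seen.add(flow)
        if ipaddress.ip_address(src) in lan:
            reason = "syn-seen" if flow in syn_seen else "no-syn-seen"
            leaks.append({"src": src, "dst": dst, "dport": dport,
                          "flags": flags, "reason": reason})
    return leaks


if __name__ == "__main__":
    for leak in find_nat_leaks(SAMPLE_CAPTURE):
        print(leak)
```

Run it against a capture taken on the WAN side of the router (or a mirror of it); after the drop-invalid rules are in place the "no-syn-seen" entries should disappear.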
 
Caci99
Forum Guru
Posts: 1076
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: packets arriving without being NATed (masqueraded)

Tue Apr 09, 2013 12:58 pm

@maxxch
Thanks for sharing. As a matter of fact I always put those rules in the firewall filter, but now I know something about what they do :).
 
hipro5
Member Candidate
Posts: 161
Joined: Sat Feb 09, 2013 11:48 am
Location: Hellas (Greece)

Re: packets arriving without being NATed (masqueraded)

Sat Apr 27, 2013 6:48 pm

frankie, have you installed ROS 5.24 on an Intel Atom DN2800MT motherboard?
Thanks.
