hraphrap
just joined
Topic Author
Posts: 10
Joined: Tue Oct 18, 2016 2:18 pm

No SNAT rules applied for packets from VLAN interface

Wed Oct 19, 2016 3:03 pm

RouterBOARD RB3011UiAS-RM
Firmware: 3.27
RouterOS: 6.36.3

Hello people.
There is a network as described in the scheme (attached diagram: L3 (1).png):
/interface vlan
add interface=eth5 name=vlan2 vlan-id=2
/ip address
add address=4.4.4.4/24 interface=eth1 network=4.4.4.0
add address=192.168.1.1/24 interface=eth5 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
/ip firewall nat
add action=src-nat chain=srcnat out-interface=eth1 src-address=192.168.1.0/24 to-addresses=4.4.4.4
add action=src-nat chain=srcnat out-interface=eth1 src-address=192.168.2.0/24 to-addresses=4.4.4.4
/ip firewall mangle
add action=accept chain=postrouting connection-nat-state="" log=yes src-address=192.168.1.0/24
add action=accept chain=postrouting connection-nat-state="" log=yes src-address=192.168.2.0/24
All connections are accepted (no filter rules set).

As you can see, the mangle rules are set only for journalling purposes. The first mangle rule makes the log print the following (when I ping 8.8.8.8 from the 192.168.1.2 machine):
postrouteing: in:(none) out:eth1, src-mac: af:01:32:55:8a:cc, proto ICMP (type 8, code 0), 192.168.1.2->8.8.8.8, NAT (192.168.1.2->4.4.4.4)->8.8.8.8, len 60
Everything is fine, I can ping 8.8.8.8 from 192.168.1.2.

But the second mangle rule prints this (when I ping 8.8.8.8 from the 192.168.2.2 machine):
postrouteing: in:(none) out:eth1, src-mac: af:01:32:55:8a:cc, proto ICMP (type 8, code 0), 192.168.2.2->8.8.8.8, prio 2->0, len 60
and the NAT rule is not applied to these packets at all, so not a single ICMP packet comes back...

What's wrong with my configuration?

The wiki (http://wiki.mikrotik.com/wiki/Manual:Packet_Flow) says that after the mangle postrouting table the source NAT table should be applied, so why does my
/ip firewall nat
add action=src-nat chain=srcnat out-interface=eth1 src-address=192.168.2.0/24 to-addresses=4.4.4.4
rule have no effect?
Last edited by hraphrap on Wed Oct 19, 2016 10:07 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: No SNAT rules applied for packets from VLAN interface

Wed Oct 19, 2016 4:27 pm

Use out-interface=vlan2 for srcnat rule.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: No SNAT rules applied for packets from VLAN interface

Wed Oct 19, 2016 4:38 pm

Sob wrote:
Use out-interface=vlan2 for srcnat rule.
I think you meant out-interface=ether1

...
OP:
You don't need a srcnat rule for each LAN range. Just use one NAT rule that applies to both cases:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=src-nat to-address=4.4.4.4

This one rule will match any packet leaving towards the Internet. That's what you want.
If you want to limit which LAN segments/hosts may actually go to the Internet, block those sources in the filter table.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: No SNAT rules applied for packets from VLAN interface

Wed Oct 19, 2016 7:21 pm

Oops, sorry, I didn't look carefully, my answer was complete nonsense.

I'm trying to do a better job now, but I don't see any obvious reason why the second srcnat rule wouldn't work. Is the config really like this, or is it maybe a little too simplified? Are there perhaps some other rules in the nat table between these two?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: No SNAT rules applied for packets from VLAN interface

Wed Oct 19, 2016 7:23 pm

He could have some accept rules in the raw table. That would bypass the stateful stuff like NAT.
 
hraphrap
just joined
Topic Author
Posts: 10
Joined: Tue Oct 18, 2016 2:18 pm

Re: No SNAT rules applied for packets from VLAN interface

Wed Oct 19, 2016 10:04 pm

Sob wrote:
Oops, sorry, I didn't look carefully, my answer was complete nonsense.

I'm trying to do a better job now, but I don't see any obvious reason why the second srcnat rule wouldn't work. Is the config really like this, or is it maybe a little too simplified? Are there perhaps some other rules in the nat table between these two?
Hi, thanks for replying. I don't see that reason either. The config is not really like this, of course. It has been simplified a lot. But I have checked all the rules many times, and none of them should match packets from 192.168.2.0/24. All other rules are simple destination NAT rules.

Please take a look at these records from the journal once more:
postrouteing: in:(none) out:eth1, src-mac: af:01:32:55:8a:cc, proto ICMP (type 8, code 0), 192.168.1.2->8.8.8.8, NAT (192.168.1.2->4.4.4.4)->8.8.8.8, len 60
I have one question: that was printed by the mangle postrouting rule, so why does it know about NAT, if the sequence is Mangle Postrouting -> Source NAT? But OK, there is no problem with packets coming from the eth5 interface. I have a problem with packets coming from vlan2; the mangle rule for it printed:
postrouteing: in:(none) out:eth1, src-mac: af:01:32:55:8a:cc, proto ICMP (type 8, code 0), 192.168.2.2->8.8.8.8, prio 2->0, len 60
What is prio 2->0, which rule did it? I have no rule changing priorities. What do you think about it? Does RouterOS have a special, poorly documented feature that makes packets coming from VLAN interfaces take other packet routes on the flow diagram?
 
kujo
Member Candidate
Posts: 169
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine
Contact:

Re: No SNAT rules applied for packets from VLAN interface

Wed Oct 19, 2016 10:34 pm

Hi, maybe you can try this: on the D-Link, move the uplink port into tagged vlan1, vlan2, default. On RouterOS create vlan1 and move the address 192.168.1.1 to the vlan1 interface.


Sent from my iPhone using Tapatalk
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: No SNAT rules applied for packets from VLAN interface

Thu Oct 20, 2016 3:59 am

hraphrap wrote:
I have one question: that was printed by the mangle postrouting rule, so why does it know about NAT, if the sequence is Mangle Postrouting -> Source NAT?
I'd say you're not looking at the same packet. If I have this config:
/ip firewall mangle
add action=log chain=postrouting dst-address=192.168.240.4
/ip firewall nat
add action=src-nat chain=srcnat dst-address=192.168.240.4 log=yes to-addresses=192.168.80.199
Then a ping to 192.168.240.4 logs this:
firewall,info postrouting: in:(none) out:internal, proto ICMP (type 8, code 0), 192.168.80.182->192.168.240.4, len 50 
firewall,info srcnat: in:(none) out:internal, proto ICMP (type 8, code 0), 192.168.80.182->192.168.240.4, len 50 
firewall,info postrouting: in:(none) out:internal, proto ICMP (type 8, code 0), 192.168.80.182->192.168.240.4, NAT (192.168.80.182->192.168.80.199)->192.168.240.4, len 50 
firewall,info postrouting: in:(none) out:internal, proto ICMP (type 8, code 0), 192.168.80.182->192.168.240.4, NAT (192.168.80.182->192.168.80.199)->192.168.240.4, len 50
So the order is fine: the first postrouting doesn't know about NAT, but the following ones do, because they are already part of a "connection".
hraphrap wrote:
What is prio 2->0, which rule did it? I have no rule changing priorities. What do you think about it?
It did catch my attention, but so far that's all I can say about it.

-

You have two options:

a) Post your config and don't simplify anything. Mask your public addresses if you wish, but keep the rest untouched.

b) If you don't want to post your config, or if it's too long (then there's a chance people won't be very interested in going through all of it), do some more debugging on your router. Add a logging rule to the nat chain. Put one at the beginning and it should match something. Then keep moving it further and find out where it doesn't get hit, even though you think it should. Eventually you should find out which rule catches your packets. The only problem is that even a pure logging rule in the nat chain will get only one hit, and then you have to wait a few seconds before the connection expires. But you can make a unique rule using dst-address=<some random address> and change it every time you move the rule. Even with hundreds of rules before the srcnat one you're interested in, it shouldn't take much time.
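The two log excerpts in this thread (the OP's un-NATed 192.168.2.2 line and Sob's four-line ping trace in the reply above) can be checked mechanically instead of by eye. The script below is an added example, not code from the thread, from MikroTik or from any poster: it parses RouterOS firewall log lines, shows Sob's point that only the first postrouting hit of a connection lacks the NAT annotation, and flags private-source flows that leave the WAN interface repeatedly without ever being translated. SAMPLE_LOG is constructed on the model of the OP's lines (with the chain spelled as RouterOS logs it, and with three echo requests from vlan2); SOB_LOG is Sob's output as posted; the interface names, the hand-copied chain alias and the min_packets threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Shape of a RouterOS firewall log line (log=yes on a rule), e.g.
#   firewall,info postrouting: in:(none) out:eth1, proto ICMP (type 8, code 0),
#   192.168.1.2->8.8.8.8, NAT (192.168.1.2->4.4.4.4)->8.8.8.8, len 60
LOG_RE = re.compile(
    r"^(?:(?P<topics>[\w,]+)\s+)?(?P<chain>\w+):\s+"
    r"in:(?P<in_if>\S+)\s+out:(?P<out_if>[^,]+),\s+"
    r"(?:src-mac:\s*(?P<mac>[0-9a-fA-F:]+),\s+)?"
    r"proto\s+(?P<proto>\w+)(?:\s+\([^)]*\))?,\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?P<rest>.*)$"
)
# "NAT (orig-src->translated-src)->dst" appears once the packet belongs to a NATed connection
NAT_RE = re.compile(r"NAT \(([\d.]+)(?::\d+)?->([\d.]+)(?::\d+)?\)")
PRIO_RE = re.compile(r"prio (\d+)->(\d+)")
# Assumption: the hand-copied lines in the thread spell the chain "postrouteing"; map it back
CHAIN_ALIASES = {"postrouteing": "postrouting"}


@dataclass
class FwLog:
    chain: str
    in_if: str
    out_if: str
    proto: str
    src: str
    dst: str
    nat_src: Optional[str]           # translated source, if the NAT annotation is present
    prio: Optional[Tuple[int, int]]  # "prio X->Y" annotation, if present


def parse_line(line: str) -> Optional[FwLog]:
    """Parse one firewall log line; return None for lines that are not firewall logs."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    nat = NAT_RE.search(m.group("rest"))
    prio = PRIO_RE.search(m.group("rest"))
    chain = m.group("chain")
    return FwLog(
        chain=CHAIN_ALIASES.get(chain, chain),
        in_if=m.group("in_if"), out_if=m.group("out_if"), proto=m.group("proto"),
        src=m.group("src"), dst=m.group("dst"),
        nat_src=nat.group(2) if nat else None,
        prio=(int(prio.group(1)), int(prio.group(2))) if prio else None,
    )


Flow = Tuple[str, str, str]  # (proto, src, dst)


def nat_timeline(lines: Iterable[str], flow: Flow) -> List[Tuple[str, bool]]:
    """Per log line of one flow: (chain, did it carry the NAT annotation).

    For a healthy connection the first postrouting hit has no annotation (the packet
    has not reached the srcnat chain yet) and every later one has it."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and (rec.proto, rec.src, rec.dst) == flow:
            out.append((rec.chain, rec.nat_src is not None))
    return out


def find_unnated_flows(lines: Iterable[str], wan_ifaces, min_packets: int = 2) -> List[Flow]:
    """Private-source flows leaving a WAN interface that never show a NAT annotation.

    One un-annotated postrouting hit is normal (first packet of a connection);
    repeated hits with no annotation mean no srcnat rule ever matched the flow."""
    counts = defaultdict(lambda: [0, 0])  # flow -> [postrouting hits, hits with NAT]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.chain != "postrouting" or rec.out_if not in wan_ifaces:
            continue
        if not ipaddress.ip_address(rec.src).is_private:
            continue  # already a public source, nothing to translate
        c = counts[(rec.proto, rec.src, rec.dst)]
        c[0] += 1
        if rec.nat_src is not None:
            c[1] += 1
    return sorted(f for f, (total, nated) in counts.items() if total >= min_packets and nated == 0)


# Constructed sample modelled on the OP's lines: 192.168.1.2 (eth5) is translated to 4.4.4.4
# from its second packet on; 192.168.2.2 (vlan2) is never translated.
SAMPLE_LOG = """\
firewall,info postrouting: in:(none) out:eth1, src-mac: af:01:32:55:8a:cc, proto ICMP (type 8, code 0), 192.168.1.2->8.8.8.8, len 60
firewall,info srcnat: in:(none) out:eth1, src-mac: af:01:32:55:8a:cc, proto ICMP (type 8, code 0), 192.168.1.2->8.8.8.8, len 60
firewall,info postrouting: in:(none) out:eth1, src-mac: af:01:32:55:8a:cc, proto ICMP (type 8, code 0), 192.168.1.2->8.8.8.8, NAT (192.168.1.2->4.4.4.4)->8.8.8.8, len 60
firewall,info postrouting: in:(none) out:eth1, src-mac: af:01:32:55:8a:cc, proto ICMP (type 8, code 0), 192.168.2.2->8.8.8.8, prio 2->0, len 60
firewall,info postrouting: in:(none) out:eth1, src-mac: af:01:32:55:8a:cc, proto ICMP (type 8, code 0), 192.168.2.2->8.8.8.8, prio 2->0, len 60
firewall,info postrouting: in:(none) out:eth1, src-mac: af:01:32:55:8a:cc, proto ICMP (type 8, code 0), 192.168.2.2->8.8.8.8, prio 2->0, len 60
firewall,info postrouting: in:(none) out:eth5, proto ICMP (type 8, code 0), 192.168.1.1->192.168.1.2, len 60
"""

# Sob's four lines as posted above (one ping through a logging srcnat rule)
SOB_LOG = """\
firewall,info postrouting: in:(none) out:internal, proto ICMP (type 8, code 0), 192.168.80.182->192.168.240.4, len 50
firewall,info srcnat: in:(none) out:internal, proto ICMP (type 8, code 0), 192.168.80.182->192.168.240.4, len 50
firewall,info postrouting: in:(none) out:internal, proto ICMP (type 8, code 0), 192.168.80.182->192.168.240.4, NAT (192.168.80.182->192.168.80.199)->192.168.240.4, len 50
firewall,info postrouting: in:(none) out:internal, proto ICMP (type 8, code 0), 192.168.80.182->192.168.240.4, NAT (192.168.80.182->192.168.80.199)->192.168.240.4, len 50
"""

if __name__ == "__main__":
    print(nat_timeline(SOB_LOG.splitlines(), ("ICMP", "192.168.80.182", "192.168.240.4")))
    print(find_unnated_flows(SAMPLE_LOG.splitlines(), {"eth1"}))
```

Feeding it a real export (`/log print` with the firewall topic, or the syslog stream) with the router's actual WAN interface names in wan_ifaces turns the "is this flow being NATed at all" question into a list; a flow appearing in the result is the one to chase with Sob's moving-log-rule method.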
 
hraphrap
just joined
Topic Author
Posts: 10
Joined: Tue Oct 18, 2016 2:18 pm

Re: No SNAT rules applied for packets from VLAN interface

Tue Oct 25, 2016 5:44 pm

Sob wrote:
I'd say you're not looking at the same packet.
Hi, thanks. It's clear to me now. A restart solved the problem; it looks like the new NAT rules didn't work before I rebooted it. I can't replay the bug; I have added a new VLAN interface and SNAT rules to it. Everything works fine.