Hey guys

First time poster here - go easy

So I've recently installed a MT as the router for a small ISP-type setup that is serving internet to a bunch of residential buildings around a private property.

Basic gist, the router gets a nice beefy business grade ISP connection, along with a /28 network of public IP's. It's configured as a PPPoE server and all of the residents come in on a PPPoE vlan over wireless links, authenticate to the MT and each get given a public IP address.

So basically there is no NATing on our side of things, it's all routed IP to the CPE. They can then do whatever they want with their router locally.

Everything works sweet - except for NAT issues in games. Any of those residents trying to game behind their routers (which have a public IP, and have uPNP enabled) cannot game online due to Strict NAT issues.

If one of these residents swaps back to their (currently still live but not for long) shitty DSL connection, it works perfectly.

Something about the routing/Mikrotik/connection/something! is playing havoc with the NAT required at the residences.

Banging my head against the wall here - any help appreciated!

Cheers
Chris

Hi,
I have two questions:
- Are PPPoE client devices MikroTik?
- What do you have on your main router on your NAT table?

Osman

Hi,
I have two questions:
- Are PPPoE client devices MikroTik?
- What do you have on your main router on your NAT table?

Osman

Hey

PPPoE client devices are not Mikrotik - they are various consumer routers. Like I said - we are effectively an ISP to these residences, they supply their own router and can do what they want with it.

The NAT table on the Mikrotik shows a whole bunch of entries, all with a remote IP on the internet as either the source or destination address, and an IP of one of the residence PPPoE IP addresses as the other IP in the translation. Not sure what other info you wanted from that?

Excuse my ignorance, this stuff is not my strength - but why are there any NAT translations happening at all... This is a 100% routed IP setup. I literally have zero NAT rules configured on this router, and my understanding is that they should not be required at all.

Hi,
Can you export your NAT table and paste the output here?

/ip firewall nat export

Hi,
Can you export your NAT table and paste the output here?

/ip firewall nat export

All I get is:

# apr/06/2017 20:52:18 by RouterOS 6.35.4
# software id = 1EWC-LCQX
#

Hi,
This means you do not have any NAT rule on your router.

Yes, that is what I was trying to say

And yet the problem exists for the residents on my network..

Do you have a firewall on your router?
Maybe it allows only outgoing connects and established/related, and software or clients
confuse this with NAT issues?

Nope, no firewall rules whatoever..

So what do you mean by "The NAT table on the Mikrotik shows a whole bunch of entries" then?
Describe where you are seeing it, or post a screenshot or something.

So what do you mean by "The NAT table on the Mikrotik shows a whole bunch of entries" then?
Describe where you are seeing it, or post a screenshot or something.

Sorry I was a little unclear on that one. I ran the /ip firewall connection print detail command, found here: viewtopic.php?t=97720

But as per that thread it seems that if the reply-src-address is the same as the dst-address, it's not NATing. Which is definitely the case for me.

So yeah, it's as I believe it should be. And yet the problem exists...

When you have connections registered in the router, either you have a firewall (which you deny), or you have
connection tracking forced to "yes" instead of "no" or "auto". (the default is auto)
Try to correct this situation and see if it helps.

Does the customer IP appears if the open whatismyip.com? Fastest way to see if there's an unexpected NAT further up...

Yep customer IP shows when doing a whatsmyip from the customer lan.

It's not NAting...

Try doing a packet capture and further analyze it in Wireshark while doing the nat test on the game console...