Preserve client IP when dst-nat to other server

rechandler · Thu Jun 10, 2021 6:27 pm

Hi!
I want to force wi-fi clients to use my own NTP server (which is not really important). I have dst-nat and src-nat rules:

add action=dst-nat chain=dstnat comment="Force using local NTP Server" \
    dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
    "!NTP Server" to-addresses=10.0.0.100 to-ports=123
add action=masquerade chain=srcnat comment="Force using local NTP Server" \
    dst-address-list="NTP Server" dst-port=123 out-interface-list=LAN protocol=\
    udp

And I have one problem with my rules, in NTP server client is always my router (10.0.0.1) and not my real client, eg. 10.0.0.10. I know that src-nat is doing this stuff, is there any other method to achieve my goals?

mkx · Thu Jun 10, 2021 6:50 pm

When you're doing dst-nat to server (10.0.0.100) which is in the same subnet as original client (10.0.0.10), then it is essential to perform src-nat as well (without it, server would reply to client directly and client would reject replies because they would be coming back from IP address it did not contact in the first place. But src-nat also means your server doesn't see IP addresses of real clients.

The only way out is to move NTP server to another subnet, in that case src-nat would not be necessary and server would see IP addresses of real clients.

anav · Thu Jun 10, 2021 6:52 pm

Not sure what you mean by own NTP server? Time servers are actually on the internet or do you have an atomic clock in your house? ;-)
The MT router has its own capability to be an NTP server, so on my network I just point the devices to the subnet gateway they are on and done!!

rextended · Thu Jun 10, 2021 7:08 pm

>inappropriate, removed<

mkx · Thu Jun 10, 2021 7:28 pm

Not sure what you mean by own NTP server?

A raspberry pi, running NTP service ... or something like that. Or even own atomic clock, why not? After all, observability of NTP server in ROS is nil, but some of us do care about proper functioning of services.

anav · Thu Jun 10, 2021 8:18 pm

Sorry I didnt know ROS NTP server was so unstable, non-functioning and unreliable. ;-)
I really do need to invest in a better atomic clock for my bitcoin transactions!!

hi rextended
/ip fire nat
add action=dst-nat chain=dstnat comment="Force using local NTP Server" dst-address-list="!NTP Server" dst-port=123 \
in-interface-list=LAN protocol=udp src-address-list="!NTP Server" to-addresses=10.0.0.100 to-ports=123

Are you assuming one has to also make two firewall address lists?? Why not.....
/ip fire nat
add action=dst-nat chain=dstnat comment="Force using local NTP Server" dst-port=123 \
in-interface-list=LAN protocol=udp to-addresses=10.0.0.100 to-ports=123

I suppose one might also need (assuming drop all rule in forward chain)
/ip fire nat
add action=accept chain=forward allow access to NTP servers in-interface-list=LAN \
dst-port=123 dst-address=10.0.0.100

rextended · Thu Jun 10, 2021 8:26 pm

observability of NTP server in ROS

I do not understand how traduce that on Italian but...

From 2007 I have two MikroTik NTP Server than sincronize all my devices and 4000 users CPE
and other 4 * 4000 (average number of devices for each user * users) = 16000 devices and no one single problem
(both are sincronized with official Italian atomic clock)

anav · Thu Jun 10, 2021 8:30 pm

Well, I was basing my profound knowledge on one router and three devices over several months............ but cannot hold a candle to that IN UR FACE comment.
MKX-0 Rextended-1

rextended · Thu Jun 10, 2021 8:31 pm

>inappropriate, removed<

anav · Thu Jun 10, 2021 9:01 pm

Ahh Okay I see that but find the syntax the OP used VERY VERY confusing on the dst nat rule he uses "!list" and on the other he uses "list"
Both being between the quotes are just text and not functioning items. In fact if NTP_Server is a list of those that should use the local NTP (aka his wifi clients)
then why is the quote !NTP_Server ?????

So are we to assume that what the op means is that he has ONE firewall address list for all subnets/devices that should use NTP (the wifi ones).
and thus his rule should have been instead of this........
add action=dst-nat chain=dstnat comment="Force using local NTP Server" \
dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
"!NTP Server" to-addresses=10.0.0.100 to-ports=123

Should be written as such
add action=dst-nat chain=dstnat comment="Force using local NTP Server" \
dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
NTP_Server to-addresses=10.0.0.100 to-ports=123

What I dont understand is your use of 127.0.0.1 ? What does that in effect do as the TO address is no longer the NTP server??

rextended · Thu Jun 10, 2021 9:01 pm

...

@anav,
tomorrow I'ts my turn for COVID-19 vaccine (Pfizer)

anav · Thu Jun 10, 2021 9:02 pm

Gluck, if its the first dose, should be okay. Its the second shot that gives you issues.
I know two doctors with 4000 adult patients each family has approx 4 kids = 16000 devices, with the same results ;-)

rextended · Thu Jun 10, 2021 9:04 pm

>inappropriate, removed<

rextended · Thu Jun 10, 2021 9:05 pm

Gluck, if its the first dose, should be okay. Its the second shot that gives you issues.

My mother already have 1st, but nothnig, nada, zero, problem...

mkx · Thu Jun 10, 2021 9:51 pm

observability of NTP server in ROS
I do not understand how traduce that on Italian but...

I'm talking about ....

[user@MTrouter] > /system ntp client print
          enabled: yes
             mode: unicast
      primary-ntp: 192.168.42.10
    secondary-ntp: 2001:1470:8000::92
  dynamic-servers:
           status: synchronized

versus

user@192.168.42.10:~$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   5d   64    0    0.000    0.000   0.000
 ntp.ISP.TLD     .POOL.          16 p    -   64    0    0.000    0.000   0.000
-10.253.47.11    95.176.233.15    4 u  818 1024  377    6.100    0.502  20.134
-2001:1470:8000: .shm0.           1 u  836 1024  377   12.356    0.892   8.422
*84.255.251.189  .PPS0.           1 u  502 1024  377    6.867   -0.028   1.283
 2a00:ee2:400:42 .XFAC.          16 s  20d 1024    0    0.000    0.000   0.000
+2a00:ee0:e::15  200.123.255.157  3 u  580 1024  377    8.409   -0.021   0.132
-193.77.204.19   172.25.3.2       2 u  632 1024  377    6.393    0.283  11.424
+95.176.233.15   200.123.255.157  3 u  230 1024  377    7.935    0.075   0.152

Anybody (but me) notices the difference?

anav · Thu Jun 10, 2021 10:10 pm

Yes, the top half is clean and uncluttered and easy on my 60yr old eyes.
The bottom half seems like its full of noise and information I dont really need.

In other words, you are 100% right in terms of performance and usage fidelity.
I just never thought that level of granularity was required as it was a simple thing.........and should just work.

mkx · Thu Jun 10, 2021 10:20 pm

You're right ... as long as it works, we don't need any logs, debugging information or any other nonsense. But sometimes it doesn't work ... and then we need all the noise we can get ... and if there's no noise to filter, we're in troubles.

rextended · Fri Jun 11, 2021 12:19 am

>ignored, removed<

mkx · Fri Jun 11, 2021 8:18 am

@rextended: I'll just ignore your last post, it's quite off topic already. The post is directed at me (concrete examples of "right" choices) and I think I can master my own subnet of NTP servers just fine (I've been running public NTP servers for the last 25 years). You don't know the reasons I've had when making the choice of particular NTP servers I'm using for synchronisation so your arguments might be void (they might be very reasonable as well, but let's not go into this).

My case came on the table just to illustrate the need for running proper NTP server as @OP does.

rechandler · Fri Jun 11, 2021 10:10 am

Oh wow, I didn't expect so extensive discussion.
Let me clarify things:
Here's my motivation to have own NTP server: https://askubuntu.com/questions/14558/h ... ntp-server
I don't have atomic clock, but I want to have Stratum 1 time server, so I have GPS module.

Now the rules:

add action=dst-nat chain=dstnat comment="Force using local NTP Server" \
    dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
    "!NTP Server" to-addresses=10.0.0.100 to-ports=123
add action=masquerade chain=srcnat comment="Force using local NTP Server" \
    dst-address-list="NTP Server" dst-port=123 out-interface-list=LAN protocol=\
    udp

@rextended I can't have only dst-nat because it just don't work. @mkx explained it in his first post.

@anav about rules:
dst-port=123 -> port of NTP Server
in-interface-list=LAN -> all my LAN clients, wifi, guests, ethernet
protocol=udp -> protocol of NTP Server
src-address-list="!NTP Server" -> I don't want to rely only on GPS, I want to use also sources from Internet so I have to allow connect my NTP Server with other public NTP Servers. Without this my NTP Server could only communicate with himself

srcnat -> same config but for other chain.

@mkx I want to ask, what do you mean by another subnet, for eq. 10.1.0.0? Or some public IP from internet? I need to leave my own LAN?

rextended · Fri Jun 11, 2021 10:20 am

>useless, removed<

rechandler · Fri Jun 11, 2021 10:30 am

@rextended I have read you're post, but you've posted to-addresses=127.0.0.1 which is localhost and I don't want to change destination to router but another server. If I'm guessing correctly when I change 127.0.0.1 to eg. 192.168.1.100, it will work, right?

rextended · Fri Jun 11, 2021 1:28 pm

@rextended I have read you're post, but you've posted to-addresses=127.0.0.1 which is localhost and I don't want to change destination to router but another server. If I'm guessing correctly when I change 127.0.0.1 to eg. 192.168.1.100, it will work, right?

I'm understand than for you
"Force using local NTP Server"
mean
"Force using ANOTHER NTP Server on same local network".

Local, for me, mean LOCAL (not another device)
the LOCAL NTP Server on the RouterBOARD

mkx · Fri Jun 11, 2021 4:10 pm

By referring to "another subnet for NTP server" I was thinking of this LAN setup:

                   --> LAN (10.0.0.0/16 or whatever the subnet mask)
                  /
                  |
internet <--> router
                  |
                  \
                   --> "NTP lan" (NTP server with IP address e.g. 10.254.254.2/24 or any other IP address outside LAN subnet mask)

The best would be to dedicate a port on router for "NTP subnet". If you can't afford one, you could go with VLANs and get needed port on a managed switch. The last resort would be to add "NTP subnet" to the same interface as LAN. In any of these cases NTP server would not try to return packets directly to clients (because they would be from different subnet), instead it would happily pass return packets back to router (which in turn would be able to undo dst-nat action).

anav · Fri Jun 11, 2021 4:20 pm

Yes, I am thoroughly confused as I have no idea what the OP actually has and what Rextended was suggesting.
If the NTP server is hosted on a device on a subnet on the router, two things have to be true:
(and assuming that the device is not an atomic clock but one, like the router NTP server, that just points to a clock on the internet)

a. the device "LocalServer" needs access to the internet.
b. all smart devices that can read time (firewall address list - NTP_Devices) need to be directed to the LocalServer for port 123 (client to server checking).

There is no need for dstnat or sourcenat in the above from what I can tell.
Its all forward chain rules and assuming a drop all rule at end of forward chain!!
accept src-address= LocalServer out-interface-list= wan
accept input src-address-list=NTP-Devices dst-port123 dst-address=LocalServer

Where does anything else come into play (dstnat, srcnat, routing, 127.0.0.1)
Clearly I am missing something basic ???

rextended · Fri Jun 11, 2021 4:27 pm

...

yes, the OP say than the server is another machine on local network,
and I'm confused because for local NTP (on the nat comment) I mean "local installed NTP package on RouterOS"
understand now? :(

Preserve client IP when dst-nat to other server

Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server

Re: Preserve client IP when dst-nat to other server