Nasty problem with src-nat and external DNS
Posted: Fri May 26, 2017 10:43 am
by LP006688
Hello all,
I have faced a nasty problem: I have several public IP addresses and several internal subnets; each subnet uses a separate IP to access the Internet. I use "src-nat", but this effectively kills all UDP(53) traffic through NAT. If I set NAT to "masquerade" (which picks the first IP from the pool) -- everything is fine.
What might be the issue here? Any solutions available or is it a RouterOS bug?
Kind regards, Vadim.
Re: Nasty problem with src-nat and external DNS
Posted: Sat May 27, 2017 9:38 am
by pukkita
Unless you post your configuration export, it will be difficult to say what's your specific case: if this is a bug or a configuration flaw.
Re: Nasty problem with src-nat and external DNS
Posted: Sun May 28, 2017 3:37 pm
by LP006688
I am sorry, what file are you talking about? Will it contain passwords?
Re: Nasty problem with src-nat and external DNS
Posted: Sun May 28, 2017 3:52 pm
by BartoszP
As Mikrotik admin you should be aware of export command.
Re: Nasty problem with src-nat and external DNS
Posted: Mon May 29, 2017 2:04 am
by Sob
It won't contain system user accounts at all, and will filter stuff like wireless or ppp passwords. And you can always censor other stuff like IP addresses manually if you want to. But try not to go overboard there. If you do, it will be hard to help you, we need to see what's public address, tell one from other, etc.
Re: Nasty problem with src-nat and external DNS
Posted: Mon May 29, 2017 11:08 am
by LP006688
Here we go:
# may/29/2017 10:56:01 by RouterOS 6.39.1
#
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/queue tree
add max-limit=256M name=Inbound packet-mark=Inbound parent=global queue=default
add max-limit=256M name=Outbound packet-mark=Outbound parent=global queue=default
/snmp community
set [ find default=yes ] addresses=10.0.0.150/32
/interface l2tp-server server
set caller-id-type=ip-address
/ip address
add address=10.0.100.100/16 interface=ether1 network=10.0.0.0
add address=192.168.100.62/26 interface=ether2 network=192.168.100.0
add address=192.168.111.1/30 interface=ether3 network=192.168.111.0
add address=82.135.232.173/29 interface=combo1 network=82.135.232.168
add address=82.135.237.86/29 interface=combo1 network=82.135.237.80
add address=213.190.53.86/28 interface=combo1 network=213.190.53.80
add address=192.168.101.62/26 interface=ether4 network=192.168.101.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input in-interface=combo1 src-address=82.135.232.168/29
add action=drop chain=input in-interface=combo1 protocol=icmp
add action=drop chain=input dst-port=21,22,23,80 in-interface=combo1 protocol=tcp
add action=drop chain=input dst-port=21,22,23,80 in-interface=ether2 protocol=tcp
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=combo1 new-packet-mark=Inbound passthrough=yes
add action=mark-packet chain=postrouting new-packet-mark=Outbound out-interface=combo1 passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=NEETV passthrough=yes src-address=192.168.100.0/26
add action=mark-routing chain=prerouting new-routing-mark=WiFi passthrough=yes src-address=192.168.111.0/30
add action=mark-routing chain=prerouting new-routing-mark=Test passthrough=yes src-address=192.168.101.0/26
/ip firewall nat
add action=src-nat chain=srcnat comment=NEETV: out-interface=combo1 src-address=192.168.100.0/26 to-addresses=82.135.237.86
add action=src-nat chain=srcnat comment=Test: out-interface=combo1 src-address=192.168.101.0/26 to-addresses=82.135.237.86
add action=src-nat chain=srcnat comment=WiFi: out-interface=combo1 src-address=192.168.111.0/30 to-addresses=213.190.53.86
/ip route
add distance=1 gateway=82.135.232.172
/ip traffic-flow
set cache-entries=32k enabled=yes
/ip traffic-flow target
add dst-address=10.0.0.150 port=10000
/lcd
set color-scheme=dark default-screen=stat-slideshow flip-screen=yes read-only-mode=yes
/snmp
set enabled=yes trap-version=3
/system clock
set time-zone-name=Europe/Vilnius
/system identity
set name=RouterOS.ois.lt
/system ntp client
set enabled=yes primary-ntp=10.0.0.2 secondary-ntp=10.0.0.20
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
set authenticate=no enabled=no
If I set NAT action to "masquerade" it picks the wrong address, but passes DNS packets through. Cannot understand what's wrong here. Unless there is some undocumented difference between "masquerade" and "src-nat" except predefined address setting.
The "out" addresses are different subnets from the default gateway. Weird, but this is our provider configuration.
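As an added example (not code from this thread, from the poster, or from MikroTik), here is a small Python linter over the export format shown above. It assumes the plain "/section" header plus "add key=value ..." layout of the export as posted, embeds the relevant sections of it as sample input, and adds one constructed src-nat rule (comment=Constructed:) that points at an address the router does not own so the ownership check has something to flag. It reports three things a reviewer would want to see before chasing a NAT bug: src-nat targets that are not configured on the rule's out-interface, src-nat targets whose subnet does not contain the default gateway (the "different subnets from the default gateway" layout described above, which only works if the provider routes those blocks to this router), and routing marks set by mangle that no route references.

```python
import ipaddress
import re

# Constructed sample: the sections of the export posted above that the checks
# read, plus one extra src-nat rule (comment=Constructed:) that NATs to an
# address the router does not own, so the ownership check has something to flag.
EXPORT = """\
/ip address
add address=10.0.100.100/16 interface=ether1 network=10.0.0.0
add address=82.135.232.173/29 interface=combo1 network=82.135.232.168
add address=82.135.237.86/29 interface=combo1 network=82.135.237.80
add address=213.190.53.86/28 interface=combo1 network=213.190.53.80
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=NEETV passthrough=yes src-address=192.168.100.0/26
add action=mark-routing chain=prerouting new-routing-mark=WiFi passthrough=yes src-address=192.168.111.0/30
add action=mark-routing chain=prerouting new-routing-mark=Test passthrough=yes src-address=192.168.101.0/26
/ip firewall nat
add action=src-nat chain=srcnat comment=NEETV: out-interface=combo1 src-address=192.168.100.0/26 to-addresses=82.135.237.86
add action=src-nat chain=srcnat comment=Test: out-interface=combo1 src-address=192.168.101.0/26 to-addresses=82.135.237.86
add action=src-nat chain=srcnat comment=WiFi: out-interface=combo1 src-address=192.168.111.0/30 to-addresses=213.190.53.86
add action=src-nat chain=srcnat comment=Constructed: out-interface=combo1 src-address=192.168.102.0/24 to-addresses=82.135.237.87
/ip route
add distance=1 gateway=82.135.232.172
"""


def parse_export(text):
    """Group each 'add'/'set' line under its '/section' header as a dict of key=value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        entry = {"_verb": verb}
        entry.update(re.findall(r"(\S+?)=(\S*)", rest))
        sections[current].append(entry)
    return sections


def owned_addresses(sections):
    """Map interface name -> list of ip_interface objects taken from /ip address."""
    owned = {}
    for entry in sections.get("/ip address", []):
        if "address" in entry:
            owned.setdefault(entry.get("interface"), []).append(
                ipaddress.ip_interface(entry["address"]))
    return owned


def srcnat_rules(sections):
    """Yield (rule, target address) for every src-nat rule with a to-addresses value."""
    for rule in sections.get("/ip firewall nat", []):
        if rule.get("action") == "src-nat" and "to-addresses" in rule:
            yield rule, ipaddress.ip_address(rule["to-addresses"])


def check_srcnat_targets(sections):
    """Flag src-nat rules whose to-addresses is not configured on the rule's
    out-interface: the router then sources traffic from an address it does not
    answer for, so replies have nowhere to land."""
    owned = owned_addresses(sections)
    findings = []
    for rule, target in srcnat_rules(sections):
        iface = rule.get("out-interface")
        if not any(i.ip == target for i in owned.get(iface, [])):
            findings.append(f"{rule.get('comment', '?')} {target} not on {iface}")
    return findings


def check_gateway_subnets(sections):
    """Informational: src-nat targets whose subnet does not contain the default
    gateway. This is the layout the poster describes; it relies on the provider
    routing those extra blocks towards this router."""
    owned = owned_addresses(sections)
    gateways = [ipaddress.ip_address(r["gateway"]) for r in sections.get("/ip route", [])
                if "gateway" in r and "routing-mark" not in r and "dst-address" not in r]
    findings = []
    for rule, target in srcnat_rules(sections):
        for i in owned.get(rule.get("out-interface"), []):
            if i.ip == target and not any(gw in i.network for gw in gateways):
                findings.append(f"{rule.get('comment', '?')} {target} in {i.network}, gateway outside it")
    return findings


def check_routing_marks(sections):
    """Return routing marks set by mangle that no /ip route entry references.
    RouterOS 6 falls back to the main table for such marks, so the mark does
    nothing; listing them shows which policy routes are incomplete."""
    marked = {e["new-routing-mark"] for e in sections.get("/ip firewall mangle", [])
              if e.get("action") == "mark-routing" and "new-routing-mark" in e}
    routed = {r.get("routing-mark") for r in sections.get("/ip route", [])}
    return sorted(marked - routed)


if __name__ == "__main__":
    cfg = parse_export(EXPORT)
    for name, fn in (("src-nat targets", check_srcnat_targets),
                     ("gateway subnets", check_gateway_subnets),
                     ("routing marks without routes", check_routing_marks)):
        print(name, "->", fn(cfg) or "ok")
```

Run against the export as posted, only the constructed rule fails the ownership check; the three real rules are owned by combo1 but all sit in blocks the default gateway is not part of, and all three routing marks (NEETV, WiFi, Test) have no route of their own, which is worth knowing before comparing masquerade and src-nat behaviour.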
Re: Nasty problem with src-nat and external DNS
Posted: Mon May 29, 2017 11:12 am
by LP006688
Should mention as well that identical configuration implemented with a Fortigate-800C works fine.
Re: Nasty problem with src-nat and external DNS
Posted: Mon May 29, 2017 11:18 am
by LP006688
As Mikrotik admin you should be aware of export command.
Thank you so much
I just started with them. Perhaps you are a lucky man and were born with a knowledge of everything in the world.
Re: Nasty problem with src-nat and external DNS
Posted: Mon May 29, 2017 11:49 am
by BartoszP
I wish I could be so lucky ... "I should be so lucky, lucky, lucky, lucky ...."
Re: Nasty problem with src-nat and external DNS
Posted: Mon May 29, 2017 12:15 pm
by pukkita
If you want to get help, you'd better provide all the possible details...
What is connected to combo1? I assume this is a CCR1009-7G-1C-*?
Is that the full export? What is this for?
add action=mark-routing chain=prerouting new-routing-mark=NEETV passthrough=yes src-address=192.168.100.0/26
add action=mark-routing chain=prerouting new-routing-mark=WiFi passthrough=yes src-address=192.168.111.0/30
add action=mark-routing chain=prerouting new-routing-mark=Test passthrough=yes src-address=192.168.101.0/26
Look for outgoing DNS connections at IP > Firewall > Connections tab when using masquerade and when using src-nat, (click on the funnel icon to filter outgoing DNS and paste screenshots)
Suggestion: ask your provider about the possibility to set a private IP /30 for transit so that you can "float" the public IPs on loopbacks and avoid the need of binding them to external interfaces.