lorne
just joined
Topic Author
Posts: 3
Joined: Mon Aug 20, 2012 6:56 am

masquerade with protocol=icmp and to-ports

Tue Oct 30, 2018 3:40 pm

I would like to be able to specify a masquerade rule with protocol=icmp and to-ports. RouterOS refuses to do so:

/ip firewall nat> add chain=jpne-nat action=masquerade to-ports=64624-64639 protocol=icmp out-interface=sonet-jpne
failure: to-ports valid only for tcp/udp/sctp/dccp

Some quick context: My internet connection is delivered as native ipv6, with ipv4 tunneled via MAP-E (RFC7597). I share a single ipv4 address with 256 other customers, where the middle 8 bits of the port identify the customer. I can get functioning UDP and TCP by defining a sequence of rules with the nth matcher that load balances across my 16 port-sets. Concretely this looks like

...
chain=jpne-nat action=masquerade to-ports=56432-56447 protocol=tcp out-interface=sonet-jpne nth=3,1
chain=jpne-nat action=masquerade to-ports=56432-56447 protocol=udp out-interface=sonet-jpne nth=3,1
chain=jpne-nat action=masquerade to-ports=60528-60543 protocol=tcp out-interface=sonet-jpne nth=2,1
chain=jpne-nat action=masquerade to-ports=60528-60543 protocol=udp out-interface=sonet-jpne nth=2,1
chain=jpne-nat action=masquerade to-ports=64624-64639 protocol=tcp out-interface=sonet-jpne
chain=jpne-nat action=masquerade to-ports=64624-64639 protocol=udp out-interface=sonet-jpne

It would be nice to have ICMP echo requests as well. iptables has supported masquerading icmp with to-ports since 2005 https://git.netfilter.org/iptables/comm ... 5e0fb0a0ab. Could the routeros restriction be modified to match?
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: masquerade with protocol=icmp and to-ports

Tue Oct 30, 2018 3:58 pm

icmp doesn't use ports.
-Chris
 
lorne
just joined
Topic Author
Posts: 3
Joined: Mon Aug 20, 2012 6:56 am

Re: masquerade with protocol=icmp and to-ports

Tue Oct 30, 2018 4:24 pm

When NATting ICMP, the query ID is used in place of a port. See RFC5508 Section 3 https://tools.ietf.org/html/rfc5508#section-3 and RFC7597 Section 8.2 for my particular case. https://tools.ietf.org/html/rfc7597#section-8.2
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: masquerade with protocol=icmp and to-ports

Tue Oct 30, 2018 4:37 pm

Sorry - I guess I was a bit too quick :-)
 
liteforce
newbie
Posts: 45
Joined: Sun Aug 16, 2009 8:06 pm

Re: masquerade with protocol=icmp and to-ports

Mon Jan 27, 2020 1:23 pm

I opened a ticket with MikroTik Support - #[SUP-6586]

The response received was:

Hello,

Thank you for your request. I will forward this information to the people in charge. Unfortunately, I cannot promise we will add such a feature in RouterOS.

Best regards,
Artūrs C.

I will not be holding my breath, seeing as my almost 10-year-old iBGP bug, reported when RouterOS 4.x was still current, is still not fixed but apparently 'might' be fixed in RouterOS 7.

Investigating alternative CPEs at this point because MikroTik's attitude towards IPv6 (and transition technologies) is abysmal.
