nagylzs
Member
Topic Author
Posts: 356
Joined: Sun May 26, 2019 2:08 pm

routeros no masquerade on udp

Tue Apr 23, 2024 5:09 pm

Trying to access a public wireguard server from an internal computer:

public server -> internet -> ISP dumb router -> mikrotik HAP AX3 -> LAN -> internal computer

* The public server is 213.199.36.19 running wireguard on port 51830
* The internal computer has address 10.240.0.94/24

The router has two WAN interfaces, called ether5-wan and ether4-lte. The lte is the backup connection, and it has a default route with higher distance. For this example, I have disabled the ether4-lte interface completely. But I have to mention it here, you will see why in a moment.

* The dumb router of the ISP also does NAT, so the LAN is behind double NAT. (It is not possible to put the ISP router into passthrough mode.) The ISP's router gives 192.168.0.0/24.
* The lte modem also does NAT (actually CGNAT), and its LAN side has 10.14.100.0/24

Interface addresses:
Flags: I - INVALID, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK       INTERFACE  
0   10.240.0.1/24      10.240.0.0    BASE_VLAN  
1   10.240.1.1/24      10.240.1.0    BLUE_VLAN  
2   10.240.2.1/24      10.240.2.0    GREEN_VLAN 
3   10.240.3.1/24      10.240.3.0    RED_VLAN   
4   10.240.4.1/24      10.240.4.0    ORANGE_VLAN
5 I 10.14.100.2/24     10.14.100.0   ether4-lte 
6   10.240.5.1/32      10.240.5.0    wg-vpn     
7   10.240.208.2/24    10.240.208.0  wg-vpn     
8   192.168.88.200/24  192.168.88.0  BASE_VLAN  
9 D 192.168.0.15/24    192.168.0.0   ether5-wan 
The internal computer is inside the base vlan.

Masquerade rules:
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether5-wan
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether4-lte

If I try to ping the wireguard server from the internal computer, then I see this with the packet sniffer:
/tool sniffer
set filter-ip-address=213.199.36.19/32 filter-ip-protocol=icmp
start
stop
packet/print
#  TIME   INTERFACE     SRC-ADDRESS    DST-ADDRESS    IP-PROTOCOL  SIZE  CPU
0  2.414  ether1-trunk  10.240.0.94    213.199.36.19  icmp          102    0
1  2.414  BR1           10.240.0.94    213.199.36.19  icmp          102    0
2  2.414  BASE_VLAN     10.240.0.94    213.199.36.19  icmp           98    0
3  2.414  ether5-wan    192.168.0.15   213.199.36.19  icmp           98    0
4  2.454  ether5-wan    213.199.36.19  192.168.0.15   icmp           98    0
5  2.454  BASE_VLAN     213.199.36.19  10.240.0.94    icmp           98    0
6  2.454  BR1           213.199.36.19  10.240.0.94    icmp          102    0
7  2.454  ether1-trunk  213.199.36.19  10.240.0.94    icmp          102    0

This is good so far: the packet comes in on ether1-trunk, enters the bridge, then goes through the vlan interface of the base vlan, then goes out on ether5-wan. At this point, the source address is changed to 192.168.0.15, as it should be.

However, if I try to connect to the server with wireguard, then I see this.
/tool sniffer
set filter-ip-address=213.199.36.19/32 filter-ip-protocol=udp
start
stop
packet/print detail 
 0 time=1.486 num=1 direction=rx src-mac=64:00:6A:55:FE:24 dst-mac=78:9A:18:02:60:CD vlan=99 interface=ether1-trunk src-address=10.240.0.94:51830 dst-address=213.199.36.19:51830 protocol=ip 
   ip-protocol=udp size=194 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=64 

 1 time=1.486 num=2 direction=rx src-mac=64:00:6A:55:FE:24 dst-mac=78:9A:18:02:60:CD vlan=99 interface=BR1 src-address=10.240.0.94:51830 dst-address=213.199.36.19:51830 protocol=ip 
   ip-protocol=udp size=194 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=64 

 2 time=1.486 num=3 direction=rx src-mac=64:00:6A:55:FE:24 dst-mac=78:9A:18:02:60:CD interface=BASE_VLAN src-address=10.240.0.94:51830 dst-address=213.199.36.19:51830 protocol=ip 
   ip-protocol=udp size=190 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=64 

 3 time=1.486 num=4 direction=tx src-mac=78:9A:18:02:60:D1 dst-mac=2C:00:AB:72:36:77 interface=ether5-wan src-address=10.14.100.2:51830 dst-address=213.199.36.19:51830 protocol=ip 
   ip-protocol=udp size=190 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=63 

In the last step, the source address is rewritten: src-address=10.14.100.2:51830, which seems to be a bug (???). I'm not sure what is happening here, but the source address is rewritten to the address of an interface that is disabled:
Flags: X - DISABLED, R - RUNNING; S - SLAVE
Columns: NAME, MTU, MAC-ADDRESS, ARP, SWITCH
#    NAME           MTU  MAC-ADDRESS        ARP      SWITCH 
0 RS ether1-trunk  1500  78:9A:18:02:60:CD  enabled  switch1
1  S ether2-gray   1500  78:9A:18:02:60:CE  enabled  switch1
2  S ether3-gray   1500  78:9A:18:02:60:CF  enabled  switch1
3 X  ether4-lte    1500  78:9A:18:02:60:D0  enabled  switch1
4 R  ether5-wan    1500  78:9A:18:02:60:D1  enabled  switch1

Side note: originally, the masquerade rule looked like this:
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

But I wanted to rule out every possible error on my end, so I added two masquerade rules for the two WAN interfaces, and disabled the ether4-lte interface completely. But it seems that this is not helping.

What am I doing wrong?

Thank you
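The symptom above (a tx packet leaving ether5-wan with the 10.14.100.2 address of the disabled ether4-lte interface as its source) is easy to miss when scrolling through sniffer output. The script below is an added example, not code from the post or from MikroTik: it parses `/tool sniffer packet/print detail` lines and flags any packet transmitted on a masquerading WAN interface whose source address is not one of that interface's own addresses, naming which interface actually owns the leaked address. The interface address table, the two masquerade rules and the disabled-interface list are copied from the post; the final "good" packet in the sample is constructed to show a clean case. The check is written generically, so it works for any number of WAN interfaces, not only the two in the post.

```python
import ipaddress
import re

# Interface address table from the post (flags column: I = invalid, D = dynamic).
INTERFACE_ADDRESSES = [
    # (flags, address/prefix, interface)
    ("",  "10.240.0.1/24",     "BASE_VLAN"),
    ("I", "10.14.100.2/24",    "ether4-lte"),
    ("",  "10.240.5.1/32",     "wg-vpn"),
    ("",  "10.240.208.2/24",   "wg-vpn"),
    ("",  "192.168.88.200/24", "BASE_VLAN"),
    ("D", "192.168.0.15/24",   "ether5-wan"),
]

# Interfaces that have an srcnat masquerade rule in the post.
MASQUERADE_IFACES = {"ether5-wan", "ether4-lte"}

# Interfaces the post's interface list marks as X (disabled).
DISABLED_IFACES = {"ether4-lte"}

# Sample sniffer output: packets 0-3 are the UDP capture from the post,
# packet 4 is constructed to show a correctly masqueraded tx packet.
SAMPLE = """
 0 time=1.486 num=1 direction=rx src-mac=64:00:6A:55:FE:24 dst-mac=78:9A:18:02:60:CD vlan=99 interface=ether1-trunk src-address=10.240.0.94:51830 dst-address=213.199.36.19:51830 protocol=ip
   ip-protocol=udp size=194 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=64
 1 time=1.486 num=2 direction=rx src-mac=64:00:6A:55:FE:24 dst-mac=78:9A:18:02:60:CD vlan=99 interface=BR1 src-address=10.240.0.94:51830 dst-address=213.199.36.19:51830 protocol=ip
   ip-protocol=udp size=194 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=64
 2 time=1.486 num=3 direction=rx src-mac=64:00:6A:55:FE:24 dst-mac=78:9A:18:02:60:CD interface=BASE_VLAN src-address=10.240.0.94:51830 dst-address=213.199.36.19:51830 protocol=ip
   ip-protocol=udp size=190 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=64
 3 time=1.486 num=4 direction=tx src-mac=78:9A:18:02:60:D1 dst-mac=2C:00:AB:72:36:77 interface=ether5-wan src-address=10.14.100.2:51830 dst-address=213.199.36.19:51830 protocol=ip
   ip-protocol=udp size=190 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37198 fragment-offset=0 ttl=63
 4 time=2.001 num=5 direction=tx src-mac=78:9A:18:02:60:D1 dst-mac=2C:00:AB:72:36:77 interface=ether5-wan src-address=192.168.0.15:51830 dst-address=213.199.36.19:51830 protocol=ip
   ip-protocol=udp size=190 cpu=2 ip-packet-size=176 ip-header-size=20 dscp=34 identification=37199 fragment-offset=0 ttl=63
"""

KV_RE = re.compile(r"(\S+?)=(\S+)")


def parse_detail(text):
    """Parse `packet/print detail` output into a list of dicts.

    A packet starts on a line `<index> time=...`; indented continuation lines
    add more key=value tokens to the same packet.
    """
    packets = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^\d+\s+(time=.*)$", line)
        if m:
            current = {}
            packets.append(current)
            line = m.group(1)
        if current is None:
            continue  # continuation line before any packet header; ignore
        for key, value in KV_RE.findall(line):
            current[key] = value
    return packets


def split_host(endpoint):
    """'10.14.100.2:51830' -> '10.14.100.2'; entries without a port pass through."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def owner_of_address(addr):
    """Return (interface, flags) of the router address equal to addr, else None."""
    for flags, cidr, iface in INTERFACE_ADDRESSES:
        if ipaddress.ip_interface(cidr).ip == ipaddress.ip_address(addr):
            return iface, flags
    return None


def audit_masquerade(packets):
    """Flag tx packets on a masquerading interface whose source address is not
    one of that interface's own addresses. Returns (num, iface, src, reason)."""
    expected = {}
    for _flags, cidr, iface in INTERFACE_ADDRESSES:
        expected.setdefault(iface, set()).add(str(ipaddress.ip_interface(cidr).ip))
    findings = []
    for pkt in packets:
        if pkt.get("direction") != "tx" or pkt.get("interface") not in MASQUERADE_IFACES:
            continue
        iface = pkt["interface"]
        src = split_host(pkt["src-address"])
        if src in expected.get(iface, set()):
            continue  # correctly masqueraded to the egress interface's address
        owner = owner_of_address(src)
        if owner is None:
            reason = "source not masqueraded (no router address owns it)"
        else:
            owner_iface, flags = owner
            state = "disabled" if owner_iface in DISABLED_IFACES else "enabled"
            reason = f"source belongs to {owner_iface} ({state}, flags={flags or '-'})"
        findings.append((pkt.get("num"), iface, src, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_masquerade(parse_detail(SAMPLE)):
        print("NAT anomaly:", finding)
```

Run against the sample, the only finding is packet num=4 on ether5-wan with source 10.14.100.2, reported as belonging to ether4-lte (disabled, flags=I); the constructed packet 5 with source 192.168.0.15 passes. The same audit can be run over a longer capture exported from the router to confirm whether a problem like the one described in the post recurs after a reboot.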
 
nagylzs
Member
Topic Author
Posts: 356
Joined: Sun May 26, 2019 2:08 pm

Re: routeros no masquerade on udp

Tue Apr 23, 2024 6:54 pm

After spending some hours (!!!) trying to solve this problem, I rebooted the HAP AX3 router and magically it started to work.

I don't think that I can reproduce this error on purpose. Should I submit a bug report?
