Kerneus, 2021-04-03 16:57:54
VPN

Why does Mikrotik confuse src-NAT addresses?

Greetings, comrades.
In my organization I use Mikrotik equipment as access points and basic network routers; they also hold the VPN tunnels between branches. The PBX is a hosted VPS running Asterisk and an L2TP/IPsec server. The subscriber devices are Grandstream GXP-2135 phones.
There are tunnels between the branches and the "cloud" PBX:

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1280
        inet ##.##.1.12  netmask 255.255.255.255  destination ##.##.1.102
        ppp  txqueuelen 3  (Point-to-Point Protocol)
ppp1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1280
        inet ##.##.1.12  netmask 255.255.255.255  destination ##.##.1.106
        ppp  txqueuelen 3  (Point-to-Point Protocol)
ppp2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1280
        inet ##.##.1.12  netmask 255.255.255.255  destination ##.##.1.101
        ppp  txqueuelen 3  (Point-to-Point Protocol)
 > /interface l2tp-client print detail
 2  R name="pbx.domainname.ru" max-mtu=1450 max-mru=1450 mrru=disabled 
      connect-to=#.##.##.### user="#######-home-hap" 
      password="********************************" profile=default-encryption 
      keepalive-timeout=60 use-peer-dns=no use-ipsec=yes 
      ipsec-secret="***************************" allow-fast-path=no 
      add-default-route=no dial-on-demand=no allow=chap,mschap1,mschap2
 > /ip route print detail
 6 ADC  dst-address=##.##.1.12/32 pref-src=##.##.1.106 gateway=pbx.domainname.ru 
        gateway-status=pbx.domainname.ru reachable distance=0 scope=10
> /ip firewall nat print detail
 0    chain=srcnat action=masquerade out-interface=pbx.domainname.ru log=no 
      log-prefix=""

The same config is on the other routers; everything comes up and works until some moment that I have not been able to pin down for a month: at one fine moment, packets with the wrong source IP start to arrive at the PBX.
PBX log:
апр 03 16:37:23 sip asterisk[9056]: [Apr  3 16:37:23] NOTICE[9116]: acl.c:715 ast_apply_acl: SIP Peer ACL: Rejecting '10.28.4.9' due to a failure to pass ACL '(BASELINE)'
апр 03 16:37:23 sip asterisk[9056]: [Apr  3 16:37:23] NOTICE[9116]: chan_sip.c:28633 handle_request_register: Registration from '<sip:####@##.##.1.12>' failed for '10.28.4.9:5060' - Device does not match ACL

tcpdump -vv -i ppp1:
16:39:59.614710 IP (tos 0x68, ttl 63, id 7729, offset 0, flags [none], proto UDP (17), length 600)
    10.28.4.9.sip > sip.sip: [udp sum ok] SIP, length: 572
        REGISTER sip:##.##.1.12 SIP/2.0
        Via: SIP/2.0/UDP 10.28.4.9:5060;branch=z9hG4bK836453010;rport
        From: <sip:####@##.##.1.12>;tag=27982579
        To: <sip:####@##.##.1.12>
        Call-ID: [email protected]
        CSeq: 2041 REGISTER
        Contact: <sip:####@10.28.4.9:5060>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-C074AD094B07>"
        X-Grandstream-PBX: true
        Max-Forwards: 70
        User-Agent: Grandstream GXP2135 1.0.11.16
        Supported: path
        Expires: 3600
        Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
        Content-Length: 0

Interception from the router side:
> tool torch interface=pbx.domainname.ru src-address=0.0.0.0/0 dst-address=0.0.0.0/0 dscp=any
MAC-PROTOCOL    DSCP SRC-ADDRESS                               DST-ADDRESS                              
ip                             26 ##.##.1.12             	                      10.28.4.9

Mikrotik address:
> /ip address print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 3 D address=10.28.4.9/24 network=10.28.4.0 interface=ether2-wan
     actual-interface=ether2-wan

The symptom is absolutely identical on all routers: after some time the Mikrotik starts to confuse source addresses when applying the masquerade rule and hits the PBX with the WAN interface address; with all that, the problem is observed only with SIP:
##.##.1.106.59995 > sip.ssh: Flags [.], cksum 0xd181 (correct), seq 1, ack 144, win 509, length 0
16:39:51.606533 IP (tos 0x68, ttl 63, id 7727, offset 0, flags [none], proto UDP (17), length 600)

I tried this kludge; it did not help:
> /ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic 
 1    chain=srcnat action=src-nat to-addresses=##.##.1.106 
      dst-address=##.##.1.12 out-interface=pbx.domainname.ru log=no 
      log-prefix=""

The problem is, of course, temporarily fixed by rebooting the router; restarting the tunnel or the firewall rules gives no result.
Now the idea is to add masquerade rules directly on the VPS, but that is not the answer to the original question: why does Mikrotik ignore the NAT rule, and why does it confuse the source IP?

1 answer(s)
kerneus, 2021-04-03

And here is the answer to the question:
(screenshots: 6068864da6845151707560.png, 60688654ee320772542761.png)
During the "undefined events", most likely, there is a brief outage on the provider's side for some time; the tunnel is interrupted and the route to the PBX disappears, while at the same time there is a 0.0.0.0/0 route towards the provider's gateway. After the connection is restored, the route to the PBX appears again, and what is described in the screenshots happens.
The solution is to forbid the Mikrotik from routing packets to the PBX through the WAN interface:

> /ip firewall filter print detail 
Flags: X - disabled, I - invalid, D - dynamic 
12    chain=forward action=reject reject-with=icmp-network-unreachable 
       dst-address=##.##.1.12 out-interface-list=WAN 
      log=no log-prefix=""
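As an added illustration (not from the original post or RouterOS itself), a small Python model of why a stateful masquerade decision can outlive a route flap: the srcnat verdict is taken on the first packet of a flow and cached in connection tracking, so a SIP flow that was first forwarded out the WAN interface while the tunnel was down keeps its unmasqueraded WAN source even after the route to the PBX returns, whereas the reject rule from the answer prevents such a flow from being created at all. The phone address, interface names and the "entry flushed when the tunnel drops" behaviour are simplifying assumptions.

```python
# Toy model of a route flap with stateful NAT (constructed, not RouterOS code):
# the srcnat verdict is taken on a flow's first packet and cached in conntrack.
PBX = "##.##.1.12"          # PBX tunnel address from the question (masked)
TUNNEL_IP = "##.##.1.106"   # router's own address on the L2TP tunnel
WAN_IP = "10.28.4.9"        # router's ether2-wan address
PHONE = "192.0.2.10"        # constructed LAN phone address (assumption)

class Router:
    def __init__(self, reject_pbx_via_wan=False):
        self.tunnel_up = True
        self.reject_pbx_via_wan = reject_pbx_via_wan
        self.conntrack = {}   # flow 5-tuple -> chosen source address (NAT verdict)

    def route(self, dst):
        # /32 route to the PBX exists only while the tunnel is up; else default via WAN
        if dst == PBX and self.tunnel_up:
            return "pbx-tunnel"
        return "ether2-wan"

    def forward(self, src, sport, dst, dport):
        """Returns the source address the PBX sees, or None if the packet is rejected."""
        flow = (src, sport, dst, dport, "udp")
        if flow in self.conntrack:            # established: NAT verdict already cached
            return self.conntrack[flow]
        out_if = self.route(dst)
        # filter rule from the answer: reject traffic for the PBX leaving via WAN
        if self.reject_pbx_via_wan and dst == PBX and out_if == "ether2-wan":
            return None                        # dropped before a conntrack entry exists
        # srcnat action=masquerade out-interface=pbx-tunnel; plain egress otherwise
        chosen = TUNNEL_IP if out_if == "pbx-tunnel" else WAN_IP
        self.conntrack[flow] = chosen
        return chosen

def sip_register_across_flap(reject_pbx_via_wan):
    """Phone sends REGISTER before, during and after a tunnel flap; returns the
    source address the PBX sees for each one."""
    r = Router(reject_pbx_via_wan)
    seen = [r.forward(PHONE, 5060, PBX, 5060)]    # tunnel up: masqueraded to tunnel IP
    r.tunnel_up = False                           # provider outage: /32 route vanishes
    r.conntrack.clear()                           # masquerade entries flushed (assumed)
    seen.append(r.forward(PHONE, 5060, PBX, 5060))  # leaks out WAN, or is rejected
    r.tunnel_up = True                            # tunnel restored, route is back
    seen.append(r.forward(PHONE, 5060, PBX, 5060))  # cached verdict still applies
    return seen

if __name__ == "__main__":
    print(sip_register_across_flap(False))  # ['##.##.1.106', '10.28.4.9', '10.28.4.9']
    print(sip_register_across_flap(True))   # ['##.##.1.106', None, '##.##.1.106']
```

The second run shows why the forward-chain reject works: with no leaked flow ever entering conntrack, the first REGISTER after the tunnel returns is evaluated afresh and masqueraded correctly.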
