Ubnt NAT
-
I have a Meraki MX90 behind a Ubnt EdgeRouter. The Meraki has a public IP on the WAN side so I figured the EdgeRouter didn't have NAT turned on. However, when I go to NAT, I have the default "masquerade to eth0" rule. (eth0 is my WAN port)
show nat rules
returns the default
MASQ eth0 saddr ANY to xx.213.214.137
rule. Any ideas as to how traffic can be getting through un-NATed? What else should I be looking for?
-
@Mike-Davis Isn't that a source NAT rule? That would affect outbound traffic only
-
@thwr yes, it's only a "Source NAT rule". Doesn't that mean that anything coming in on eth0 is going to be NATed?
-
@Mike-Davis said in Ubnt NAT:
@thwr yes, it's only a "Source NAT rule". Doesn't that mean that anything coming in on eth0 is going to be NATed?
Inbound rules are destination NAT rules.
Inbound traffic does not NAT unless it matches an outbound packet or an above rule. What is your problem? Can you post a redacted or sanitized config?
-
How do you know the Meraki has a public IP? I'm guessing it shows up in the Meraki control panel as such?
-
@Dashrender The Meraki WAN address is a public one that is assigned by DHCP.
Show Tech-Support
CONFIGURATION
EdgeOS Version and Package Changes
Version:      v1.6.0
Build ID:     4716006
Build on:     10/31/14 17:31
Copyright:    2012-2014 Ubiquiti Networks, Inc.
HW model:     EdgeRouter PoE 5-Port
HW S/N:       44D9E7058BC3
Uptime:       15:55:52 up 2 days, 14:30, 2 users, load average: 0.29, 0.25, 0.26
UBNT offload :
IP offload module   : loaded
  IPv4
    forwarding: enabled
    vlan      : disabled
    pppoe     : disabled
  IPv6
    forwarding: disabled
    vlan      : disabled
    pppoe     : disabled
IPSec offload module: loaded

Configuration File
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description "Allow Traffic To client-Web01"
            destination {
                address 192.168.2.120
            }
            log disable
            protocol all
        }
        rule 4 {
            action accept
            description "Allow traffic to RDS"
            destination {
                address 192.168.2.115
            }
            log disable
            protocol all
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description 5060
            destination {
                port 5060
            }
            log enable
            protocol udp
        }
        rule 4 {
            action accept
            description "Allow 10000-20000"
            destination {
                port 10000-20000
            }
            log enable
            protocol udp
        }
        rule 5 {
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500
            }
            log enable
            protocol udp
        }
        rule 6 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 7 {
            action accept
            description "Accept Ext ICMP"
            log enable
            protocol icmp
        }
        rule 8 {
            action accept
            description saphttps
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
        rule 9 {
            action accept
            description RDS2
            destination {
                port 3389
            }
            log disable
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address [redacted].83.168.51/22
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.253/23
        mtu 1500
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description PBX-RTP
        forward-to {
            address 192.168.1.92
            port 10000-20000
        }
        original-port 10000-20000
        protocol udp
    }
    rule 2 {
        description PBX-SIP
        forward-to {
            address 192.168.1.92
            port 5060
        }
        original-port 5060
        protocol udp
    }
    rule 3 {
        description SAP
        forward-to {
            address 192.168.2.120
            port 443
        }
        original-port 443
        protocol tcp
    }
    rule 4 {
        description RDS
        forward-to {
            address 192.168.2.115
            port 3389
        }
        original-port 3389
        protocol tcp
    }
    wan-interface eth0
}
protocols {
    static {
        route 192.168.1.0/24 {
            next-hop 192.168.2.254 {
            }
        }
    }
}
service {
    gui {
        https-port 443
    }
    nat {
        rule 5001 {
            log disable
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 2048
        hash-size 32768
        modules {
            sip {
                disable
            }
        }
        table-size 262144
    }
    gateway-address [redacted].83.168.1
    host-name ubnt
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                }
                mode local
            }
            client-ip-pool {
                start 192.168.2.180
                stop 192.168.2.199
            }
            dns-servers {
                server-1 192.168.2.3
                server-2 192.168.2.117
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret [redacted]
                }
                ike-lifetime 3600
            }
            outside-address [redacted].83.168.51
            outside-nexthop [redacted].83.168.1
        }
    }
}
-
@Mike-Davis said in Ubnt NAT:
@Dashrender The Meraki WAN address is a public one that is assigned by DHCP.
A couple of things unrelated to your question:
You did not sanitize your L2TP PSK
Your PBX firewall rules are on the WAN_LOCAL and should have zero hits ever.
You set up port-forward rules for the PBX ports and those auto-create firewall rules on the WAN_IN to allow traffic. You are working by accident IMO. Also, by using port-forward, you are unable to restrict the SIP/RTP to your provider. All SIP/RTP are forwarded to your PBX, no matter the source. On to the issue you asked about:
There is no DHCP server active in this config, so this router is not providing DHCP to the Meraki. Look elsewhere.
Your WAN is marked as eth0 and on the ER-PoE eth0 and eth1 cannot be part of the switch so there is nothing happening there either.
I assume eth1 has nothing at all plugged into it because it has no address assigned.
The switch is set up with your LAN network and is enabled on eth2, eth3, & eth4. I assume the Meraki is plugged in here?
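As an added illustration of the source-NAT versus destination-NAT point made in this thread, the following Python (written for this page, not taken from the thread or from Ubiquiti) parses an EdgeOS brace-style config, including a dump flattened onto a single line like the one posted above, and lists which rules rewrite inbound versus outbound traffic. The sample config is constructed; its destination NAT rule with a `source address` restriction shows the provider-pinned alternative to a port-forward, and 203.0.113.0/24 is a documentation prefix standing in for a SIP provider.

```python
import re
# Constructed sample in the posted config's format (not a copy of it): a masquerade rule,
# a port-forward for SIP, and a destination NAT rule pinned to one provider prefix (203.0.113.0/24).
SAMPLE_CONFIG = """
service { nat {
  rule 1 { type destination inbound-interface eth0 protocol udp
    source { address 203.0.113.0/24 } destination { port 5060 } inside-address { address 192.168.1.92 } }
  rule 5001 { outbound-interface eth0 type masquerade } } }
port-forward { wan-interface eth0
  rule 2 { forward-to { address 192.168.1.92 port 5060 } original-port 5060 protocol udp } }
"""

def parse_edgeos(text: str) -> dict:
    """EdgeOS brace config -> nested dicts; newlines optional, so a flattened 'show tech-support'
    dump parses too. Assumes 'key value' leaves, 'key {' / 'key value {' headers, lone word = flag."""
    def put(node, key, value):  # repeated leaves (name-server, interface) become lists
        node[key] = node[key] + [value] if isinstance(node.get(key), list) else [node[key], value] if key in node else value
    root = node = {}
    stack, words = [], []
    for tok in re.findall(r'"[^"]*"|\{|\}|[^\s{}"]+', text):
        if tok == "{":
            n = 1 if len(words) % 2 else 2          # 'source {' vs 'rule 1 {'
            for k, v in zip(words[:-n:2], words[1:-n:2]):
                put(node, k, v.strip('"'))
            stack.append(node)
            node[" ".join(words[-n:])] = child = {}
            node, words = child, []
        elif tok == "}":
            for k, v in zip(words[0::2], words[1::2]):
                put(node, k, v.strip('"'))
            if len(words) % 2:                       # e.g. 'sip { disable }'
                put(node, words[-1], True)
            node, words = stack.pop(), []
        else:
            words.append(tok)
    return root

def nat_summary(cfg: dict) -> list[tuple]:
    """(rule, direction, interface, allowed source) for every rule that rewrites addresses."""
    rows = []
    for key, r in cfg.get("service", {}).get("nat", {}).items():  # masquerade/source: outbound only
        if r.get("type") == "destination":
            rows.append((f"nat {key}", "inbound", r.get("inbound-interface"), r.get("source", {}).get("address", "any")))
        elif r.get("type") in ("masquerade", "source"):
            rows.append((f"nat {key}", "outbound", r.get("outbound-interface"), "n/a"))
    pf = cfg.get("port-forward", {})
    for key, r in pf.items():  # port-forward rules are DNAT that accept any source
        if isinstance(r, dict) and "forward-to" in r:
            rows.append((f"port-forward {key}", "inbound", pf.get("wan-interface"), "any"))
    return rows
```

Running `nat_summary(parse_edgeos(SAMPLE_CONFIG))` shows the masquerade rule as outbound-only on eth0, so it never touches traffic arriving on the WAN port, while the port-forward accepts SIP from any source and the destination NAT rule only from the pinned prefix.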
-
@JaredBusch Thank you for all the tips. I inherited this config and didn't understand why some things were done the way they were. Between your information and a firmware update we should be able to get this router into shape.
Between what you said and some information from @coliver I learned that the Meraki is not behind the Edge, but in fact there is a switch between each of the routers and the ISP, so they both have direct access to the internet. Information from a tech on site led me to believe otherwise, which is why the config didn't make sense.
-
@Mike-Davis said in Ubnt NAT:
Between what you said and some information from @coliver I learned that the Meraki is not behind the Edge, but in fact there is a switch between each of the routers and the ISP, so they both have direct access to the internet. Information from a tech on site led me to believe otherwise, which is why the config didn't make sense.
I said this repeatedly when looking at the configurations.