ML
    Ubnt NAT

    IT Discussion
    • Mike Davis

      I have a Meraki MX90 behind a Ubnt EdgeRouter. The Meraki has a public IP on the WAN side so I figured the EdgeRouter didn't have NAT turned on. However, when I go to NAT, I have the default "masquerade to eth0" rule. (eth0 is my WAN port)

      show nat rules

      returns the default

      MASQ eth0 saddr ANY to xx.213.214.137

      rule. Any ideas as to how traffic can be getting through un-NATed? What else should I be looking for?

      • thwr @Mike Davis

        @Mike-Davis Isn't that a source NAT rule? That would affect outbound traffic only

        • Mike Davis @thwr

          @thwr yes, it's only a "Source NAT rule" Doesn't that mean that anything coming in on eth0 is going to be NATed?

          • JaredBusch @Mike Davis

            @Mike-Davis said in Ubnt NAT:

            @thwr yes, it's only a "Source NAT rule" Doesn't that mean that anything coming in on eth0 is going to be NATed?

            Inbound rules are destination NAT rules.
            Inbound traffic does not NAT unless it matches an outbound packet or an above rule.

            What is your problem? Can you post a redacted or sanitized config?

            • Dashrender

              how do you know the Meraki has a public IP? I'm guessing it shows up in the Meraki control panel as such?

              • Mike Davis

                @Dashrender The Meraki WAN address is a public one that is assigned by DHCP.

                @JaredBusch

                Show Tech-Support

                CONFIGURATION

                EdgeOS Version and Package Changes

                Version:      v1.6.0
                Build ID:     4716006
                Build on:     10/31/14 17:31
                Copyright:    2012-2014 Ubiquiti Networks, Inc.
                HW model:     EdgeRouter PoE 5-Port
                HW S/N:       44D9E7058BC3
                Uptime:       15:55:52 up 2 days, 14:30,  2 users,  load average: 0.29, 0.25, 0.26
                
                
                UBNT offload
                
                IP offload module   : loaded
                IPv4
                  forwarding: enabled
                  vlan      : disabled
                  pppoe     : disabled
                IPv6
                  forwarding: disabled
                  vlan      : disabled
                  pppoe     : disabled
                
                IPSec offload module: loaded
                
                
                Configuration File
                
                firewall {
                    all-ping enable
                    broadcast-ping disable
                    ipv6-receive-redirects disable
                    ipv6-src-route disable
                    ip-src-route disable
                    log-martians enable
                    name WAN_IN {
                        default-action accept
                        description ""
                        rule 1 {
                            action accept
                            description "Allow established/related"
                            log disable
                            protocol all
                            state {
                                established enable
                                invalid disable
                                new disable
                                related enable
                            }
                        }
                        rule 2 {
                            action drop
                            description "drop invalid state"
                            log disable
                            protocol all
                            state {
                                established disable
                                invalid enable
                                new disable
                                related disable
                            }
                        }
                        rule 3 {
                            action accept
                            description "Allow Traffic To client-Web01"
                            destination {
                                address 192.168.2.120
                            }
                            log disable
                            protocol all
                        }
                        rule 4 {
                            action accept
                            description "Allow traffic to RDS"
                            destination {
                                address 192.168.2.115
                            }
                            log disable
                            protocol all
                        }
                    }
                    name WAN_LOCAL {
                        default-action drop
                        description "WAN to router"
                        rule 1 {
                            action accept
                            description "Allow established/related"
                            log disable
                            protocol all
                            state {
                                established enable
                                invalid disable
                                new disable
                                related enable
                            }
                        }
                        rule 2 {
                            action drop
                            description "Drop invalid state"
                            log disable
                            protocol all
                            state {
                                established disable
                                invalid enable
                                new disable
                                related disable
                            }
                        }
                        rule 3 {
                            action accept
                            description 5060
                            destination {
                                port 5060
                            }
                            log enable
                            protocol udp
                        }
                        rule 4 {
                            action accept
                            description "Allow 10000-20000"
                            destination {
                                port 10000-20000
                            }
                            log enable
                            protocol udp
                        }
                        rule 5 {
                            action accept
                            description "Allow L2TP"
                            destination {
                                port 500,1701,4500
                            }
                            log enable
                            protocol udp
                        }
                        rule 6 {
                            action accept
                            description ESP
                            log disable
                            protocol esp
                        }
                        rule 7 {
                            action accept
                            description "Accept Ext ICMP"
                            log enable
                            protocol icmp
                        }
                        rule 8 {
                            action accept
                            description saphttps
                            destination {
                                port 443
                            }
                            log disable
                            protocol tcp
                        }
                        rule 9 {
                            action accept
                            description RDS2
                            destination {
                                port 3389
                            }
                            log disable
                            protocol tcp
                        }
                    }
                    receive-redirects disable
                    send-redirects enable
                    source-validation disable
                    syn-cookies enable
                }
                interfaces {
                    ethernet eth0 {
                        address [redacted].83.168.51/22
                        duplex auto
                        firewall {
                            in {
                                name WAN_IN
                            }
                            local {
                                name WAN_LOCAL
                            }
                        }
                        poe {
                            output off
                        }
                        speed auto
                    }
                    ethernet eth1 {
                        duplex auto
                        poe {
                            output off
                        }
                        speed auto
                    }
                    ethernet eth2 {
                        duplex auto
                        poe {
                            output off
                        }
                        speed auto
                    }
                    ethernet eth3 {
                        duplex auto
                        poe {
                            output off
                        }
                        speed auto
                    }
                    ethernet eth4 {
                        duplex auto
                        poe {
                            output off
                        }
                        speed auto
                    }
                    loopback lo {
                    }
                    switch switch0 {
                        address 192.168.2.253/23
                        mtu 1500
                        switch-port {
                            interface eth2
                            interface eth3
                            interface eth4
                        }
                    }
                }
                port-forward {
                    auto-firewall enable
                    hairpin-nat enable
                    lan-interface switch0
                    rule 1 {
                        description PBX-RTP
                        forward-to {
                            address 192.168.1.92
                            port 10000-20000
                        }
                        original-port 10000-20000
                        protocol udp
                    }
                    rule 2 {
                        description PBX-SIP
                        forward-to {
                            address 192.168.1.92
                            port 5060
                        }
                        original-port 5060
                        protocol udp
                    }
                    rule 3 {
                        description SAP
                        forward-to {
                            address 192.168.2.120
                            port 443
                        }
                        original-port 443
                        protocol tcp
                    }
                    rule 4 {
                        description RDS
                        forward-to {
                            address 192.168.2.115
                            port 3389
                        }
                        original-port 3389
                        protocol tcp
                    }
                    wan-interface eth0
                }
                protocols {
                    static {
                        route 192.168.1.0/24 {
                            next-hop 192.168.2.254 {
                            }
                        }
                    }
                }
                service {
                    gui {
                        https-port 443
                    }
                    nat {
                        rule 5001 {
                            log disable
                            outbound-interface eth0
                            type masquerade
                        }
                    }
                    ssh {
                        port 22
                        protocol-version v2
                    }
                }
                system {
                    conntrack {
                        expect-table-size 2048
                        hash-size 32768
                        modules {
                            sip {
                                disable
                            }
                        }
                        table-size 262144
                    }
                    gateway-address [redacted].83.168.1
                    host-name ubnt
                   
                    name-server 8.8.8.8
                    name-server 8.8.4.4
                    ntp {
                        server 0.ubnt.pool.ntp.org {
                        }
                        server 1.ubnt.pool.ntp.org {
                        }
                        server 2.ubnt.pool.ntp.org {
                        }
                        server 3.ubnt.pool.ntp.org {
                        }
                    }
                    offload {
                        ipsec enable
                        ipv4 {
                            forwarding enable
                        }
                        ipv6 {
                            forwarding disable
                        }
                    }
                    syslog {
                        global {
                            facility all {
                                level notice
                            }
                            facility protocols {
                                level debug
                            }
                        }
                    }
                    time-zone UTC
                }
                vpn {
                    ipsec {
                        auto-firewall-nat-exclude enable
                        ipsec-interfaces {
                            interface eth0
                        }
                        nat-networks {
                            allowed-network 0.0.0.0/0 {
                            }
                        }
                        nat-traversal enable
                    }
                    l2tp {
                        remote-access {
                            authentication {
                                local-users {
                                  
                
                                    }
                                }
                                mode local
                            }
                            client-ip-pool {
                                start 192.168.2.180
                                stop 192.168.2.199
                            }
                            dns-servers {
                                server-1 192.168.2.3
                                server-2 192.168.2.117
                            }
                            ipsec-settings {
                                authentication {
                                    mode pre-shared-secret
                                    pre-shared-secret [redacted]
                                }
                                ike-lifetime 3600
                            }
                            outside-address [redacted].83.168.51
                            outside-nexthop [redacted].83.168.1
                        }
                    }
                }
                • JaredBusch @Mike Davis

                  @Mike-Davis said in Ubnt NAT:

                  @Dashrender The Meraki WAN address is a public one that is assigned by DHCP.

                  @JaredBusch

                  Couple things unrelated to your question:
                  You did not sanitize your L2TP PSK
                  Your PBX firewall rules are on the WAN_LOCAL and should have zero hits ever.
                  You set up port-forward rules for the PBX ports and those auto-create firewall rules on the WAN_IN to allow traffic. You are working by accident IMO. Also, by using port-forward, you are unable to restrict the SIP/RTP to your provider. All SIP/RTP are forwarded to your PBX, no matter the source.

                  On to your issue asked about:

                  There is no DHCP server active in this config, so this router is not providing DHCP to the Meraki. Look elsewhere.

                  Your WAN is marked as eth0, and on the ER-PoE eth0 and eth1 cannot be part of the switch, so there is nothing happening there either.

                  I assume eth1 has nothing at all plugged into it because it has no address assigned.

                  The switch is setup with your LAN network and is enabled on eth2, eth3, & eth4. I assume the Meraki is plugged in here?

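As an added example (not part of the thread and not the poster's config), here is the PBX SIP/RTP forward written as explicit destination NAT rules plus one WAN_IN rule, in place of port-forward rules 1 and 2, so that only the SIP provider can reach the PBX. The provider range 203.0.113.0/24 is a placeholder assumption; substitute the real provider addresses.

```text
/* 203.0.113.0/24 is an assumed placeholder for the SIP provider's address range */
service {
    nat {
        rule 1 {
            description "PBX-SIP from provider only"
            destination {
                port 5060
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.92
                port 5060
            }
            log disable
            protocol udp
            source {
                address 203.0.113.0/24
            }
            type destination
        }
        rule 2 {
            description "PBX-RTP from provider only"
            destination {
                port 10000-20000
            }
            inbound-interface eth0
            inside-address {
                address 192.168.1.92
            }
            log disable
            protocol udp
            source {
                address 203.0.113.0/24
            }
            type destination
        }
    }
}
firewall {
    name WAN_IN {
        rule 5 {
            action accept
            description "SIP/RTP to PBX from provider only"
            destination {
                address 192.168.1.92
                port 5060,10000-20000
            }
            log disable
            protocol udp
            source {
                address 203.0.113.0/24
            }
        }
    }
}
```

Destination NAT runs before the WAN_IN rule set, so the firewall rule matches on the translated inside address, not the public one. Note that the posted WAN_IN set has `default-action accept`, so a source-restricted rule only restricts anything once that default is changed to drop.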
                  • Mike Davis

                    @JaredBusch Thank you for all the tips. I inherited this config and didn't understand why some things were done the way they were. Between your information and a firmware update we should be able to get this router into shape.

                    Between what you said and some information from @coliver I learned that the Meraki is not behind the Edge, but in fact there is a switch between each of the routers and the ISP, so they both have direct access to the internet. Information from a tech on site led me to believe otherwise, which is why the config didn't make sense.

                    • scottalanmiller @Mike Davis

                      @Mike-Davis said in Ubnt NAT:

                      Between what you said and some information from @coliver I learned that the Meraki is not behind the Edge, but in fact there is a switch between each of the routers and the ISP, so they both have direct access to the internet. Information from a tech on site led me to believe otherwise, which is why the config didn't make sense.

                      I said this repeatedly when looking at the configurations.
