topic Re: No internet with NAT and internal routing problem in Spark Firewall (SMB)

No internet with NAT and internal routing problem

MatWre — Wed, 12 May 2021 18:58:43 GMT

we've installed a FW 1530 with R80.20.25. The problem seems to be near to R80.10 NAT issue but it's not the same.

We defind a switch for LAN1-4 with local network 192.168.0.0/24 (network1) and the subnet 192.168.1.0/24 (network2) on LAN5.

We've a static IP un WAN and the connection works fine. Updates are loaded and Ping/Traceroute from web-gui are working correct. We did'nt define manual policies.

The problem is, that the clients won't connect to internet, as long as NAT is enabled. The connections only works, while NAT for outgoing traffic is disabled with manual NAT rules.
- <network1>, any, any, <wan ip (hide)>, original, original
- <network2>, any, any, <wan ip (hide)>, original, original

From this moment on, both networks are working, but the problem is, that we're not able to connect from one internal network to another.

When I heve a look at the routing table, everything seems to be fine:
1. <network1>, any, any, LAN1, 0, directly attached
2. <network2>, any, any, LAN5, 0, directly attached
3. <wan subnet>, any, any, WAN, 0, directly attached
4. Default, any, any, <wan gateway>, 0, default ...

The routing table from the command output is showing the result in reverse order. It's confusing.

All traceroutes from <network1> to <network2> are routing directly to wan and the connection fails.

Thanks for your ideas.

Re: No internet with NAT and internal routing problem

PhoneBoy — Thu, 13 May 2021 01:45:48 GMT

But those rules don’t look like NAT is disabled but rather configured with a manual NAT rule?
Also, so you have an explicit rule permitting the two networks to talk to one another?

Re: No internet with NAT and internal routing problem

MatWre — Fri, 14 May 2021 13:58:21 GMT

The routing problem is resolved. It was a problem with the network adapter of network2. Changed to another adapter and everything ist fine.

What I still don't quite understand is the behavior of the NAT settings. As long as the switch for outgoing traffic is set to ON under "Access Policy -> NAT", requests go out, but no responses come back.
Unfortunately, the only option that helps is to define your own NAT rules: Translate traffic from network1 to any destination on any service, as if the traffic is hidden behind gateway_ip to original destination on original service.
And the same with the other networks.

It works, but it didn't feel right.

Re: No internet with NAT and internal routing problem

MatWre — Fri, 14 May 2021 14:04:44 GMT

Thanks for your reply. Routing was a problem of the NIC of network2. With another NIC this problem ist solved.

I have described the NAT behavior again in a direct reply to my post.