I have an ER-Pro 8 that I rebooted last night. This morning, half of the IP phones in the office fail to register.
Everything behaves as before EXCEPT that now some traffic that I expect to be SNATed to the outside address traverses the outside address as ROUTED traffic.
Assume a VoIP Provider ip address of p.p.p.p
Assume a Public WAN address of x.x.x.x
Assume an Internal Subnet of y.y.y.0/24
10:46:29.479324 44:d9:e7:95:f6:54 > 00:a0:c8:b3:1b:28, ethertype IPv4 (0x0800), length 639: y.y.y.70.5060 > p.p.p.p.5060: SIP: REGISTER sip:p.p.p.p:5060 SIP/2.0
10:46:33.509131 44:d9:e7:95:f6:54 > 00:a0:c8:b3:1b:28, ethertype IPv4 (0x0800), length 639: y.y.y.70.5060 > p.p.p.p.5060: SIP: REGISTER sip:p.p.p.p:5060 SIP/2.0
10:46:38.489155 44:d9:e7:95:f6:54 > 00:a0:c8:b3:1b:28, ethertype IPv4 (0x0800), length 640: y.y.y.54.5060 > p.p.p.p.5060: SIP: REGISTER sip:p.p.p.p:5060 SIP/2.0
10:46:49.274006 44:d9:e7:95:f6:54 > 00:a0:c8:b3:1b:28, ethertype IPv4 (0x0800), length 640: y.y.y.64.5060 > p.p.p.p.5060: SIP: REGISTER sip:p.p.p.p:5060 SIP/2.0
10:46:50.127639 44:d9:e7:95:f6:54 > 00:a0:c8:b3:1b:28, ethertype IPv4 (0x0800), length 640: y.y.y.54.5060 > p.p.p.p.5060: SIP: REGISTER sip:p.p.p.p:5060 SIP/2.0
10:46:51.304007 44:d9:e7:95:f6:54 > 00:a0:c8:b3:1b:28, ethertype IPv4 (0x0800), length 640: y.y.y.64.5060 > p.p.p.p.5060: SIP: REGISTER sip:p.p.p.p:5060 SIP/2.0
10:46:51.379316 44:d9:e7:95:f6:54 > 00:a0:c8:b3:1b:28, ethertype IPv4 (0x0800), length 906: x.x.x.x.1095 > p.p.p.p.5060: SIP: REGISTER sip:p.p.p.p:5060 SIP/2.0
The bold packet is an example of a working phone. Below, I can confirm that it is going through NAT as expected.
ubnt@hostname:~$ show nat translations | grep 1095
y.y.y.39:5060 x.x.x.x:1095 snat udp 173
It's very interesting to me that only some of the phones are behaving this way. Some and not all made me think that it might be because my LAN interface is actually a bonded LACP link. Sure enough, a common factor is that the phones that are NOT working are on the same link. However, some of the phones that ARE working are on that link as well - I can watch calls take place over both links.
show nat translations | grep <internal ip of broken phone>
yields nothing, but working phones all have the appropriate translation:
y.y.y.71:5060 x.x.x.x:1099 snat udp 172
y.y.y.53 x.x.x.x snat tcp 7438
y.y.y.58:5060 x.x.x.x:1034 snat udp 172
y.y.y.26:5060 x.x.x.x:1087 snat udp 172
y.y.y.34 x.x.x.x snat udp 45
y.y.y.59:5062 x.x.x.x:1083 snat udp 172
The NAT rules below make me feel like I should be seeing the entire subnet translating properly.
ubnt@hostname:~$ show nat rules
Type Codes: SRC - source, DST - destination, MASQ - masquerade
            X at the front of rule implies rule is excluded

rule  type  intf   translation
----  ----  ----   -----------
1     DST   WAN    daddr ANY to y.y.z.26  proto-tcp dport 636 to 636
2     DST   WAN    daddr ANY to y.y.z.27  proto-udp dport ANY
3     DST   WAN    daddr ANY to y.y.z.27  proto-esp dport ANY
4     DST   WAN    daddr ANY to y.y.z.27  proto-tcp dport ANY
5     DST   WAN    daddr ANY to y.y.z.27  proto-gre dport ANY
5000  MASQ  bond0  saddr v.v.v.v/24 to i.i.i.i  proto-all sport ANY
5020  MASQ  bond0  saddr u.u.u.u/30 to i.i.i.i  proto-all sport ANY
5030  MASQ  WAN    saddr y.y.y.y/24 to x.x.x.x  proto-all sport ANY
5040  MASQ  WAN    saddr y.y.x.y/24 to x.x.x.x  proto-all sport ANY
5050  MASQ  WAN    saddr t.t.t.t/24 to x.x.x.x  proto-tcp_udp sport ANY
I'm tempted to flush the connection table and restart the iptables service to see if that makes a difference, but I can't do that in the middle of the day...
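Added example, not part of the original post: a small script that automates the comparison done by hand above, flagging WAN-side packets that still carry an internal source address and checking each such host against the `show nat translations` output. All addresses and MACs are constructed stand-ins (192.168.10.0/24 for y.y.y.0/24, 203.0.113.10 for x.x.x.x, 198.51.100.5 for p.p.p.p), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data standing in for the placeholders in the post.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
HDR = "02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 640: "
SIP = " > 198.51.100.5.5060: SIP: REGISTER sip:198.51.100.5:5060 SIP/2.0"
WAN_CAPTURE = "\n".join([
    "10:46:29.479324 " + HDR + "192.168.10.70.5060" + SIP,
    "10:46:33.509131 " + HDR + "192.168.10.70.5060" + SIP,
    "10:46:38.489155 " + HDR + "192.168.10.54.5060" + SIP,
    "10:46:51.379316 " + HDR + "203.0.113.10.1095" + SIP,  # correctly SNATed
])
NAT_TRANSLATIONS = """\
192.168.10.39:5060 203.0.113.10:1095 snat udp 173
192.168.10.71:5060 203.0.113.10:1099 snat udp 172
192.168.10.53 203.0.113.10 snat tcp 7438
"""

# tcpdump -e -n prints "length N: src.port > dst.port:" for UDP/TCP packets.
PKT_RE = re.compile(r"length \d+: (\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.\d+:")

def leaked_sources(capture, internal_net):
    """Count WAN-side packets whose source is still an internal address."""
    leaks = Counter()
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m and ipaddress.ip_address(m.group(1)) in internal_net:
            leaks[m.group(1)] += 1
    return leaks

def translated_hosts(translations):
    """Internal hosts that own an snat entry in the translation table."""
    hosts = set()
    for line in translations.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "snat":
            hosts.add(fields[0].split(":")[0])  # strip optional :port
    return hosts

def report(capture, translations, internal_net):
    """Map each leaking host to (packet count, has an snat entry)."""
    known = translated_hosts(translations)
    leaks = leaked_sources(capture, internal_net)
    return {ip: (n, ip in known) for ip, n in leaks.items()}

if __name__ == "__main__":
    for ip, (n, ok) in sorted(report(WAN_CAPTURE, NAT_TRANSLATIONS, INTERNAL_NET).items()):
        print(f"{ip}: {n} un-NATed packet(s) on WAN, snat entry present: {ok}")
```

A host that leaks and has no snat entry matches the symptom in the post: its flow is being forwarded without ever matching the masquerade rule.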