Yeah, probably not clear from the title..
My Mikrotik routers have multiple IP addresses on different interfaces.. How do I specify which IP is used for outgoing traffic for the router itself?
For ‘fetch’ I can use src-address= but how do I set a default for all of the router’s traffic.. ‘Cloud Service’ Updates, Packages-Updater, ect
As per the routing table
Huh? Can you be a little more specific? Any hints?
My 0.0.0.0/0 route works for forwarding traffic, but RouterOS uses the wrong IP for it’s own traffic, still going out the 0.0.0.0/8 route. My edge RouterOS, I need it to use a different 0.0.0.0/0 route than the forwarded traffic. My edge router, incoming traffic, say unsolicited from the internet, connects and works in both directions, but outgoing traffic originating from RouterOS uses a different IP.
What I am saying is traffic from the router will use same routes available to it as per what is in the routing table, same as traffic flowing through it, i.e. Forward.
Can you provide the route, nat and mangle rules to see where your problem can be.
Yes.. Which is what I expect, it is going to use the routing table.
I can assign the router multiple IP addresses on different interfaces.. How do I set which one it uses for it’s own outgoing traffic?
As I said, with ‘fetch’ I can use src-address to specify the IP, how do i set this system wide for stuff like the package updater, DNS client, and the SNTP client?
If you really need it, I will get this together.. I have a feeling this is something I haven’t set somewhere yet, or maybe just hoping.
The router doing NAT works great for the NAT’d traffic, but for it’s own traffic, it picks an IP from an another interface which is not internet accessible.
“The router doing NAT works great for the NAT’d traffic, but for it’s own traffic, it picks an IP from an another interface which is not internet accessible.”
That’s what I meant, fix your routing / NATing, without you providing the necessary info, I can’t guess where the problem is to correct it.
Else if you really want to put a plaster on it instead of correcting, you can try and add a mangle rule, with chain as output, connection state as new and action as mark routing = NFR (New From Router)
Add a default route with routing mark NFR to specified gateway IP
The problem is that this still doesn’t set the IP used on the outgoing connection, just the gateway..
Right now my primary router is using an RFC1918 IP for the 0.0.0.0/0 route, which it is supposed to do, but also using it’s own RFC1918 IP, rather than a public IP. I have a public /30 subnet that uses a private address for the next hop.
If I use the Ping tool it fails, until I also set the source IP. Same with fetch.
Change the srcnat / masquerade rule to specify outgoing interface instead of source addresses, etc, should correct it
Each route has a parameter pref-src whose value specifies the local IP address of the router which should be used for locally originated packets sent down that route.
I was looking at that with the mangle suggestion.. Added a routing mark on the Output chain, setup a 0.0.0.0/0 route to the gateway with the pref-source one of the public IPs, but still failed..
Logging the traffic, it is adding the mark to all outgoing NAT’d traffic.. I don’t see a way to separate just the traffic the router generates..
Am I seriously the first with this issue? I thought maybe just my search terms were lacking. Why do some tools have the ability to set the source address but not a place to set a default?
The traffic the router generates itself goes through the output chain, the traffic which the router forwards goes through the forward chain. So a marking rule in chain=output only marks the traffic generated by the router itself, and a marking rule in chain=forward only marks the transit traffic. So if you only mark packets in chain=output and only src-nat the marked ones, the src-nat doesn’t apply on the transit packets.
But how exactly do you test what is the source address of the packets as they leave your 'Tik? The point is that both the pref-src and src-nat normally do work, so do you use packet sniffing (capturing) on the 'Tik itself or on the destination device to visualise the actual source address or some other method?
Post your config Kevinds, otherwise playing hide and seek is no fun with bits of information.
I will be posting both routers’ configuration today.
Literally doing the redactions now.
Ha, I can only handle one router at a time… x&Y chromosomes you know!
Primary Router 2011UiAS
# model = 2011UiAS
/interface ethernet
set [ find default-name=ether1 ]
set [ find default-name=ether2 ]
set [ find default-name=ether3 ]
set [ find default-name=ether4 ]
set [ find default-name=ether5 ]
set [ find default-name=ether6 ]
set [ find default-name=ether7 ]
set [ find default-name=ether8 ]
set [ find default-name=ether9 ]
set [ find default-name=ether10 ]
set [ find default-name=sfp1 ] mtu=1460
/ip address
add address=192.168.2.1/24 interface=ether2-bridge network=192.168.2.0
add address=172.18.2.1/30 interface=gre-Family1 network=172.18.2.0
add address=172.18.2.5/30 interface=gre-Family2 network=172.18.2.4
add address=172.18.2.13/30 interface=gre-Mikrotik-Mimic network=172.18.2.12
add address=172.18.2.9/30 interface=sfp1 network=172.18.2.8
add address=208.210.216.90/30 interface=ether3 network=208.210.216.88
add address=192.168.3.1/24 interface=ether7 network=192.168.3.0
add address=65.120.1.133/30 interface=ether3 network=65.120.1.132
add address=65.120.1.137/30 interface=ether4 network=65.120.1.136
/ip dns
set servers=8.8.8.8,192.168.2.6,192.168.2.20
/ip firewall address-list
add address=192.168.2.25 list=Allow-SMTP
add address=192.168.2.21 list=Allow-SMTP
add address=192.168.2.22 list=Allow-SMTP
add address=208.210.216.90 list=Allow-SMTP
add address=208.210.216.89 list=Allow-SMTP
add address=192.168.3.28 list=Allow-SMTP
/ip firewall filter
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=accept chain=forward comment="SMTP-Allow Outgoing" dst-port=25 \
protocol=tcp src-address-list=Allow-SMTP
add action=accept chain=forward comment="SMTP-Allow Incoming" \
dst-address-list=Allow-SMTP dst-port=25 protocol=tcp
add action=accept chain=forward comment="SMTP Drop" dst-port=25 log=yes \
protocol=tcp
add action=drop chain=forward comment="Drop Cam AM Packet" packet-mark=\
Cameron time=0s-12h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment="Drop Cam PM Packet" packet-mark=\
Cameron time=22h-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=input
add action=accept chain=forward
/ip firewall mangle
add action=mark-routing chain=output disabled=yes new-routing-mark=Heatwave \
passthrough=no src-address=173.254.239.128/26
add action=mark-packet chain=prerouting comment="Phone Block" \
new-packet-mark=Cameron passthrough=yes src-mac-address=D8:6C:02:96:3E:D2
add action=mark-packet chain=prerouting comment="3DS Block" new-packet-mark=\
Cameron passthrough=yes src-mac-address=40:F4:07:DB:CD:93
add action=mark-packet chain=prerouting comment="Ethernet Block" \
new-packet-mark=Cameron passthrough=yes src-mac-address=34:97:F6:68:77:CF
add action=mark-packet chain=prerouting comment="Netgear Block" \
new-packet-mark=Cameron passthrough=yes src-mac-address=E0:91:F5:95:B3:C6
add action=mark-packet chain=prerouting comment="WiFi Block" new-packet-mark=\
Cameron passthrough=yes src-mac-address=00:1F:D0:4A:7B:62
add action=mark-packet chain=prerouting comment=Spare disabled=yes \
new-packet-mark=Cameron passthrough=yes src-mac-address=7C:2F:80:E5:AC:7D
/ip firewall nat
add action=src-nat chain=srcnat dst-address=172.18.2.10 to-addresses=\
172.18.2.9
add action=accept chain=srcnat dst-address=192.168.0.0/16
add action=accept chain=srcnat dst-address=172.16.0.0/12
add action=src-nat chain=srcnat comment="mail.example.com Outgoing NAT" \
src-address=192.168.3.0/24 to-addresses=208.210.216.89
add action=dst-nat chain=dstnat comment="mail.example.com Incoming Traffic" \
dst-address=208.210.216.89 to-addresses=192.168.3.28
add action=src-nat chain=srcnat comment="Robin Outgoing NAT rule" disabled=\
yes src-address=192.168.2.21 to-addresses=69.165.226.53
add action=src-nat chain=srcnat comment="Batman Outgoing NAT rule" disabled=\
yes src-address=192.168.2.22 to-addresses=69.165.226.54
add action=src-nat chain=srcnat comment="Main Outgoing NAT rule" src-address=\
192.168.2.0/24 to-addresses=208.210.216.90
add action=dst-nat chain=dstnat comment="Batman Incoming 143" dst-address=\
208.210.216.90 dst-port=143 protocol=tcp to-addresses=192.168.2.22 \
to-ports=143
add action=dst-nat chain=dstnat comment="Batman Incoming 110" dst-address=\
208.210.216.90 dst-port=110 protocol=tcp to-addresses=192.168.2.22 \
to-ports=110
add action=dst-nat chain=dstnat comment="Batman Incoming 443" dst-address=\
208.210.216.90 dst-port=443 protocol=tcp to-addresses=192.168.2.22 \
to-ports=443
add action=dst-nat chain=dstnat comment="Batman Incoming 587" dst-address=\
208.210.216.90 dst-port=587 protocol=tcp to-addresses=192.168.2.22 \
to-ports=587
add action=dst-nat chain=dstnat comment="QNAP SSH" dst-address=208.210.216.90 \
dst-port=223 protocol=tcp to-addresses=192.168.2.25 to-ports=22
add action=dst-nat chain=dstnat comment="Robin Incoming 25" dst-address=\
208.210.216.90 dst-port=25 protocol=tcp to-addresses=192.168.2.21 \
to-ports=25
add action=dst-nat chain=dstnat comment="Incoming SSH" dst-address=\
208.210.216.90 dst-port=22 protocol=tcp to-addresses=192.168.2.14 \
to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address=184.64.32.79 \
dst-port=25 protocol=tcp to-addresses=192.168.2.21 to-ports=25
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=53 \
protocol=udp to-addresses=192.168.2.14 to-ports=1196
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=53 \
protocol=tcp to-addresses=192.168.2.14 to-ports=943
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=69 \
protocol=udp to-addresses=192.168.2.25 to-ports=69
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=80 \
protocol=tcp to-addresses=192.168.2.22 to-ports=80
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=81 \
protocol=tcp to-addresses=192.168.2.25 to-ports=80
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=110 \
protocol=tcp to-addresses=192.168.2.22 to-ports=110
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=143 \
protocol=tcp to-addresses=192.168.2.22 to-ports=143
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=443 \
protocol=tcp to-addresses=192.168.2.22 to-ports=443
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=514 \
protocol=udp to-addresses=192.168.2.12 to-ports=514
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=514 \
protocol=tcp to-addresses=192.168.2.12 to-ports=514
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=943 \
protocol=tcp to-addresses=192.168.2.14 to-ports=943
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=993 \
protocol=tcp to-addresses=192.168.2.22 to-ports=993
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=995 \
protocol=tcp to-addresses=192.168.2.22 to-ports=995
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=1194 \
protocol=udp to-addresses=192.168.2.14 to-ports=1194
add action=dst-nat chain=dstnat disabled=yes dst-address=184.64.32.79 \
dst-port=1194 protocol=udp to-addresses=192.168.2.14 to-ports=1194
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=1194 \
protocol=tcp to-addresses=192.168.2.14 to-ports=1194
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=1196 \
protocol=udp to-addresses=192.168.2.14 to-ports=1196
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=1196 \
protocol=tcp to-addresses=192.168.2.14 to-ports=943
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=8282 \
protocol=tcp to-addresses=192.168.2.25 to-ports=8282
add action=dst-nat chain=dstnat comment="Heatwave Winbox" disabled=yes \
dst-address=208.210.216.90 dst-port=8292 protocol=tcp to-addresses=\
172.18.2.10 to-ports=8291
add action=dst-nat chain=dstnat dst-address=208.210.216.90 dst-port=8243 \
protocol=tcp to-addresses=192.168.2.25 to-ports=8243
add action=dst-nat chain=dstnat disabled=yes dst-address=184.64.32.79 \
dst-port=10000 protocol=tcp to-addresses=192.168.2.14 to-ports=10000
add action=dst-nat chain=dstnat disabled=yes dst-address=69.165.226.49 \
dst-port=3389 protocol=tcp to-addresses=192.168.2.126 to-ports=3389
/ip firewall service-port
set sip disabled=yes
/ip route
add distance=1 gateway=172.18.2.10 pref-src=208.210.216.90 routing-mark=NFR
add distance=1 gateway=172.18.2.10
add distance=1 dst-address=192.168.12.0/24 gateway=172.16.211.18
add distance=1 dst-address=192.168.15.0/24 gateway=172.16.211.18
add distance=1 dst-address=192.168.17.0/24 gateway=172.18.2.6
add distance=1 dst-address=192.168.20.0/24 gateway=172.18.2.10
add distance=1 dst-address=192.168.88.0/24 gateway=172.18.2.10
add distance=1 dst-address=192.168.128.0/24 gateway=*36
add distance=1 dst-address=192.168.200.0/24 gateway=172.18.2.2
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether2-bridge type=internal
add forced-ip=208.210.216.90 interface=sfp1 type=external
Edge Router RB750Gr3
# model = RouterBOARD 750G r3
/interface pppoe-client
add add-default-route=yes default-route-distance=25 interface=ether4 name=\
pppoe-out1 password=kevinds user=kevinds@pppoe.net
/interface l2tp-client
add add-default-route=yes connect-to=209.205.90.194 disabled=no name=\
Static-IP-VPN password=kevindsL2TP profile=default user=svpn.kevinds@pppoe.net
/ip address
add address=172.18.2.10/30 interface=ether3 network=172.18.2.8
/ip dhcp-client
add add-default-route=special-classless default-route-distance=20 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall address-list
add address=1.109.178.156 list="sbl blocklist.de"
add address=95.181.219.0/24 list="sbl spamhaus"
add address=109.248.9.0/24 list="sbl dshield"
add address=241.0.10.0/24 list="custome-block"
/ip firewall filter
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
/ip firewall raw
add action=drop chain=prerouting comment="memcached - TCP" dst-port=11211 protocol=tcp
add action=drop chain=prerouting comment="memcached - UDP" dst-port=11211 protocol=udp
add action=accept chain=prerouting comment="209.205.90.194 Bypass" src-address=209.205.90.194
add action=drop chain=prerouting src-address-list="sbl blocklist.de"
add action=drop chain=prerouting src-address-list="sbl spamhaus"
add action=drop chain=prerouting src-address-list="sbl dshield"
add action=drop chain=prerouting src-address-list=custom-block
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 dst-address=65.120.1.132/28 gateway=172.18.2.9
add distance=1 dst-address=172.16.0.0/12 gateway=172.18.2.9
add distance=1 dst-address=192.168.0.0/16 gateway=172.18.2.9
add distance=1 dst-address=208.210.216.88/30 gateway=172.18.2.9
add distance=1 dst-address=209.205.90.194/32 gateway=172.103.193.1
/system clock
set time-zone-autodetect=no time-zone-name=America/Edmonton
/system routerboard settings
set silent-boot=no
/system scheduler
add interval=30m name="Fetch Blacklist" on-event="/tool fetch address=www.squi\
dblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/d\
rop.malicious.rsc src-address=172.103.193.102" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=may/20/1979 start-time=00:15:00
add interval=30m name="Import Blacklist" on-event=\
"/import file-name=drop.malicious.rsc" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=may/20/2018 start-time=00:18:13
The Edge router uses the VPN connection, which also gives a RFC1918 IP, and the VPN server does NAT for.. The VPN server is a ‘bad’ IP on the internet (why I put the bypass into the Mangle rules) so connections are often refused when using the VPN server’s public IP for connections. Using the source-IP as the DHCP IP, using the source-IP from the DHCP (cable) or PPPoE (DSL) fixes this. The Cloud DDNS update though, uses the VPN server IP, which then can’t be used to remotely connect..
Yes, cable and DSL, when one goes down, I manually switch over to the other connection.. Figuring out automated switching is planned for the future.
So if you only mark packets in chain=output and only src-nat the marked ones, the src-nat doesn’t apply on the transit packets.
I didn’t src-nat the marked ones, I setup a routing-mark, and setup a route for the marked traffic. As per CZFan
But how exactly do you test what is the source address of the packets as they leave your 'Tik?
Mikrotik’s Cloud DDNS was an easy way on my edge router, after trying to figure out why some traffic was blocked and other’s wasn’t (VPN server’s public IP frequently gets blacklisted)
Well, I’m afraid that might be another can of worms, as I have no idea which of the local addresses the Mikrotik Cloud DDNS client choses to indicate as the WAN one in the body of the DDNS update. So in the warning coming back, DDNS server received request from IP 123.123.123.123 but your local IP was 192.168.88.23; DDNS service might not work, the 123.123.123.123 is the address from which the request actually came, so it should be your 208.x.x.90 if the pref-src on the routing-marked route works properly (are you sure you wanted to publish all your public IPs here)? I’m not sure whether the DDNS client looks at pref-src of the route towards the DDNS server when creating the update request. But if it does, it is for sure the route with no routing mark (the client definitely doesn’t analyse the configuration completely to find out that the update request will be routed using a marked route).
are you sure you wanted to publish all your public IPs here)?
I don’t like posting this much of my configuration in general, why I was so hesitant.. But part of my redaction process, I changed all the IPs, RFC1918 and public IPs, except the last octet so I could still read and keep track of them in this discussion. Normally I would use RFC5737 IPs.
Otherwise, that is my original question.. How do I specify a default source-IP for the router’s own traffic.
The router isnt designed to forward traffic from itself, traffic is forwarded through the router internet to lan or lan to internet.
Traffic to the router is input chain, traffic out of the router is output chain.
Input and output I see as administrative chains not to be used for the bulk of router work (forwarding).
I am much to green to contemplate using marks in source NAT rules, in fact I think thats fundamentally wrong.
Use routes to determine where traffic goes forwarded to the WAN.
Use marks in routes to isolate source on router to specific output IPs.
SrcNat is to identify public IP associated with traffic going out that WAN interface (to translate private IPs and then return traffic to same private IP).
It is not the funtion of source nat to identify the sources from my limited experience.
DstNat is to direct where unsolicited traffic is forwarded to when it reaches the router
I bear this in mind all the time. What I wanted to point out was that the actual source address of router’s own traffic, placed to the IP header of the packet, is one thing and is handled by the routing process (by means of pref-src) and/or by the firewall (by means of src-nat), but the address indicated in the payload of the DDNS update request is a different thing and I don’t know how the associated magic works. So if it is not too complex, disable the routing-marking rule per @CZfan, set pref-src on the default route in the default routing table (i.e. the default route with no routing-mark) to the address you want to registed using DDNS, and try again. And feed back whether you’ve got the warning message from the cloud DDNS or not and if yes, paste it here after substituting the real addresses by the aliases you’ve used in your config export.