I have been trying to figure out the issue with using the a bridge interface as a loopback port. My RB750G is configured as follows:

1. xxx.xxx.7.167/27
2. xxx.xxx.62.122/29
3. 10.10.10.1/24
loopback xxx.xxx.54.1/28

I want to NAT the 10.10.10.0 network with the out interface being the 54.1/28 (loopback). Port 1 is connected via wireless and port 3 is a dsl line. The intent is to have a router which provides failover to the dsl if the wireless link fails. I have added default routes and increased the cost for the dsl line. Once I added the loopback I am unable to NAT. Is this possible with RouterOS? I do have IP firewall checked. Also srcnat is set to masquarade. I tried using the out port as the loopback but it does not work.

-Brian

Does any body know if you can NAT a bridge port which is acting as a non physical port with an IP address? I can ping the port from the outside and ping the 53.1 interface from the inside but I can't get to the public side of the network when I have the NAT rule set to use the loopback interface. Thanks in advance

-Brian

Try using an explicit src-nat action rather than masquerade. Masquerade is tied to interfaces, and you don't want to NAT on the loopback interface itself, you just want to use its IP addresses when pushing out to the WAN.

Assuming four interfaces named 'wireless', 'dsl', 'lan' and 'loopback' with the following IP addresses:
wireless - 1.1.1.1/24
dsl - 2.2.2.1/24
lan - 10.10.10.1/24
loopback - 3.3.3.1/24

and assuming that you can reach 3.3.3.1 via the wireless and dsl interfaces, something like the below should work: Unfortunately I'm out of lab units right now or I'd try it out.

Fewi,
I tried it out but I am not seeing the bridge stats increase. I can ping out etc. I have 2 static routes with the wireless as my primary and dsl as my secondary with a cost of 5. Here is my NAT rules
/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether1 \
src-address=10.10.10.0/24 to-addresses=xxx.xxx.54.1
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether2 \
src-address=10.10.10.0/24 to-addresses=xxx.xxx.54.1

/ip route
add comment="Default Route" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=xxx.xxx.7.166 scope=30 target-scope=10
add comment="" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
xxx.xxx.62.121 scope=30 target-scope=10

I started a ping on my laptop which is connected to the port 3 or the 750G which has an IP address of 10.10.10.220. The ping goes out port 1 and if I disconnect the cable to port 1 (simulating a wireless outage) the dsl port does not pick up and continue. I get timeouts on my laptop until I plug the wireless cable back in. Strange problem...

-Brian

Fewi,
Here is some more data. When I use the terminal in winbox the 750G does what it is supposed to do which is switch default routes to the backup. The problems lies with NAT. When the laptop is on Port 3 which is the NAT'd port and I disconnect port 1. The pings on port 3 from the laptop stop until the cable is plugged in. But the pings on the winbox terminal keep going. Should I send a message to support?

-Brian

Does a ping from the router directly (via terminal) when you specify the source address and make it the loopback IP?

Yes the ping does work. I can ping the 54.1 address and remove the cable and it does continue to ping. I can also ping from the NAT'd LAN.

-Brian

Fewi,
Correction to the ping
If I ping 54.1 using a source of 54.2 it fails from the terminal.

-Brian

Fewi,
More data.. I had to log on to another 750 to add a simple queue and the address showed up as 54.1 in the log. So the nat outbound is actually giving me the correct IP address. So now the remaining problem is the failover using static default routes.

-Brian

add 'check-gateway=' parameter to your default routes

Chupaka,
I added check gateway=ping and the problem still occurs. When I disconnect port 1 while I have a ping going from my laptop it times out but the routing table says port 1 is unreachable and port 2 is reachable. It also works when I have a terminal in winbox doing a ping. I disabled the default route manually and the router performed as expected. There were no ping timeouts. I checked and the trace routes showed the correct routes before and after. As another check I disable the physical port via winbox and it exhibited the same problem. I suspect from my QA background that when the port is physically disabled that it is not signalling the upper layers to flush the route. It may have to do with that I am using a loopback port via the bridge. Many thanks for jumping in and helping me. I did enter a support ticket.

-Brian

so where are your packets going? if you have many uplinks and one address space - do you have BGP sessions with your uplinks?

Chupaka,
Port 1 is a wireless link and Port 2 is a DSL. Port 3 is the NAT'd 10.10.10.0 network. The first step was to ensure the router acted correctly on a simple fail over by unplugging the Ethernet cable. I thought is worked when only using winbox terminal but when I actually plugged into the LAN on port 3 and ran the same test it failed. I plan on using BGP and I was actuallly testing BGP when this problem serviced. I still think it is a bug that when the port is disabled that the bridge port does not get notified to switch routes. Sorry that I didn't respond earlier last evening. I didn't check the forum last night. I did open a trouble ticket

[Ticket#2010052066000043] RB750G Failover Static Routes using Loopback

-Brian

so, xxx.xxx.54.1/28 is advertised to both wireless and DSL uplinks? did you wait for BGP session timeout on unplugged interface?..

p.s. I still don't understand, why you need loopback interface...

Chupaka,
The customers has a /28 subnet. They want to have the 54.1 network available to the internet since they have various servers which they host. Currently they are using a /29 which is also NAT'd to the 10.10.10.x/24. The need more upload bandwidth than is available via DSL. I sold them 3 Mbps wireless internet connectivity and they wanted to keep the DSL as a backup. So I set up the 750G with port 1 as the wireless and port 2 as the DSL, added a bridge with an IP subnet of 54.1 and port 3 has the 10.10.10.0/24 network. My goal was that I would have routes to or from the 54.1 for primary and backup. The only way to have the 54.1/28 available was to add a bridge and add the 54.1 as its address. I used static default routes with the cost being higher on the DSL. I was going to use iBGP to notify the upstream that the DSL is the route to use for incoming request to the 54.1 network. Do you have another idea to make this work? Also I have a number of port forwarded ports that they are currently using. They are not an issue yet. I used port map and netmap feature of the RouterOS. I believe in Mikrotik and I want to stay with this router. Once I get this figured out I will be able to use the same concept for other clients.

-Brian

so, you own both DSL and wireless on both ends?

Chupaka,
Yes we own both ends. The DSL is routed to a different router but is on the same LAN as the wireless main router. Can you make any other suggestions on my network design instead of using a bridge and assigning it an ip subnet?

if you control both ends of both links, you should just route that subnet, like

/ip route add dst-address=xxx.xxx.54.1/28 gateway=xxx.xxx.7.167/27

on one uplink and

/ip route add dst-address=xxx.xxx.54.1/28 gateway=xxx.xxx.62.122/29

on another one. and use 'check-gateway' option. dynamic routing protocol should do the rest (or create static routes with higher distance)

Chupaka,
I have Cisco 7200's as my main routers. They are configured correctly. Everything was routing correctly until I realized that bridge interface which had the 54.1 subnet was not switching over to the backup route when the primary cable was removed. Do you have an opinion on whether I should have the bridge interface handling the 54.1 subnet? If I attached the subnet to an Ethernet interface and that interface becomes unavailable then the subnet is not available via the the secondary route. So is using the bridge interface is the correct configuration?

-Brian

huh... I see - you don't have 'check-gateway' in your routes. just add 'check-gateway=ping' - that should solve your problem. w/o checking, route will not become inactive

Just a quick update on my problem. I have it now working after fully understanding Cisco and Mikrotik BGP speak. I enabled BGP on the Cisco end and made ethernet 1 and eithernet 2 neighbors using ebgp and multihop. Since the main dsl router is a cisco 7200 which handles the connections from the local telco was giving the routes from dsl a lower cost I had to change the metrics and local preferences to favor the wireless route on ethernet 1.

My latest problem is the number of routes in the the routing table equals about 1500. I will add a filter to the ciscos to limit the number of routes. I can't use default-orginate on the cisco because I need to to change the cost for one of the default routes to make fail-over work using BGP generated default routes. In the mean time it works with the static default routes and changing the cost.

Lastly do anyone know what the min values for holdtimer and keep alive in BGP on a Mikrotik?

Thanks everyone who repsonded.

-Brian

Lastly do anyone know what the min values for holdtimer and keep alive in BGP on a Mikrotik?

WinBox says that holdtimer := [3;3600]