 
BinaryCrash
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2011 11:20 pm

Traceroute respond wrong IP.

Tue Jul 02, 2013 10:43 pm

Hello,

Scenario:
Image

On central router:
Interface to border A IP 10.0.1.2/24
Interface to border B IP 10.0.2.2/24
Interface to workstation IP 10.0.3.1/24 (this is the LAN gateway IP)
No NAT in this example scenario. Assume all IPs are internet-valid for the purposes of this example.
No Bridge.
Default gateway: 10.0.2.1 (BORDER B)


Workstation: IP 10.0.3.2

Traceroute from the workstation to the internet goes well; every hop shows the correct IP, passing through Border B:
1 - Workstation
2 - 10.0.3.1
3 - 10.0.2.1
4 - Internet


The problem is when I do a traceroute from the internet to 10.0.3.2:
1 - Internet
2 - Border B
3 - 10.0.1.2 (Should be 10.0.2.2)
4 - Workstation (10.0.3.2)

This is the problem: it responds using the IP of the other interface, not the interface used.
It answers using the interface IP for Border A, but the packet really goes to Border B.

I sniffed packets on both border routers and the packets go back through router B; only the packet contains the wrong IP in the reply.
Sniffing on Border A, no packets found.
Sniffing on Border B, traceroute packets found. Also the replies.


So, if the packet goes back to the right router, why does it report a wrong IP address in the reply headers?
Is there a solution?

Tested in RB1100 Version 5 (latest)
Tested in CCR-1016-12G version 6.1
Same issue.

Please help.


Some people would ask why I care...
I just want to understand and make it reply with the correct IP address.

I also have a VPN to do some home office work and allocated a /30 CIDR to this VPN, and another /30 to one machine at home.
If you traceroute from the internet to this machine at home, it will go through the VPN correctly, but it reports my ADSL IP in the middle.
I don't want that, but I also don't want to just drop the packet in filters.

Help me with any information you can.

Thank you.

EDIT:
Forgot to mention, I have the scenario in the image, and ALSO another one with a VPN client on another RB at HOME, with the VPN server on the CENTRAL router.
Same issue with the RB at HOME.
 
BinaryCrash
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2011 11:20 pm

Re: Traceroute respond wrong IP.

Thu Jul 04, 2013 2:42 am

Anyone please?
 
BinaryCrash
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2011 11:20 pm

Re: Traceroute respond wrong IP.

Sat Jul 06, 2013 12:59 am

Studying more and sniffing packets, I found out the packet flows are correct going from and to the VPN, but when the TTL expires, the ICMP packet MikroTik answers with uses its default route. So it is not answering using the VPN.

So my question is more specific now.
Is there a way to identify a packet coming from the VPN with TTL expired and answer it using the same VPN instead of the router's default route?
Is it OK to drop that incoming packet?
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Traceroute respond wrong IP.

Sat Nov 02, 2013 8:57 pm

I have seen a similar issue when tracerouting one MikroTik router behind another: my TTL Expired responses to traceroutes are going out the correct interface, with the wrong IP.

I am using NAT for some private IP blocks so I do have a few src-nat rules; however, interestingly, if I purposefully force the NAT rules to dst-nat the WRONG IP, the 'rogue' IP still appears in the traceroute. It doesn't seem to be a src-nat issue at all.

I'm relatively inexperienced so I'm not 100% on packet flow through the router, but from what I can tell the TTL Expired replies are defaulting to the default route IP, even though they are not going out that route.

Very odd indeed, any help appreciated.
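
An added example, not part of any post in this thread: a small Python check that parses a captured ICMP Time Exceeded reply and reports whether its source address belongs to the link it was sniffed on, which is the mismatch both posters describe. The packet is constructed inline; the prober address 198.51.100.7 and all function names are assumptions made for illustration.

```python
import ipaddress
import struct

def ipv4_header(src, dst, proto, ttl, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0, not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_time_exceeded(router_src, prober, target):
    """Constructed sample: ICMP type 11 code 0 quoting the probe's IP header + 8 bytes."""
    probe = ipv4_header(prober, target, 17, 1, 8) + struct.pack("!HHHH", 33434, 33436, 8, 0)
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + probe
    return ipv4_header(router_src, prober, 1, 64, len(icmp)) + icmp

def parse_time_exceeded(pkt):
    """Return (responder, prober, target), or None if pkt is not ICMP Time Exceeded."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    # Need protocol 1 (ICMP), an 8-byte ICMP header and a quoted 20-byte IP header.
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8 + 20:
        return None
    if pkt[ihl] != 11:  # ICMP type 11 = Time Exceeded
        return None
    inner = pkt[ihl + 8:]  # quoted header of the probe that expired
    addr = ipaddress.IPv4Address
    return addr(pkt[12:16]), addr(inner[12:16]), addr(inner[16:20])

def check_capture(pkt, link_subnet):
    """Flag a Time Exceeded reply whose source is not on the link it was captured on."""
    parsed = parse_time_exceeded(pkt)
    if parsed is None:
        return None
    responder, prober, target = parsed
    return {"responder": str(responder), "prober": str(prober), "target": str(target),
            "on_link": responder in ipaddress.ip_network(link_subnet)}

if __name__ == "__main__":
    # Capture point from the first post: the central router's link to Border B.
    for src in ("10.0.1.2", "10.0.2.2"):
        pkt = build_time_exceeded(src, "198.51.100.7", "10.0.3.2")
        print(check_capture(pkt, "10.0.2.0/24"))
```

Run against real capture bytes (IP header onward), an `on_link` value of `False` identifies the hops where the router exposes an address from a different interface.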
