Bug in routerOS while matching interfaces?

RouterOS General
1

Hi there,

I have two mikrotiks:

  1. RB2011UAS-2HnD version 6.43.4
  2. RB2011UiAS-2HnD version 6.47.8

both have masquarading in to their ISP.
both had the same config having eth9 connected to ISP CPE. both had “External” bridge and eth9 connected to that bridge. Both had a masquarading whith the condition when OUT interface is “External Bridge”.

first one working perfectly, the second one stopped working after an upgrade to the existing version 6.47.8. the workaround was to assign “eth9” instead of “External” bridge on the secod MT for masquarading to start working correctly. Otherwise it would masquarade everything regardless of what is the “out” interface is.

The biggest issue was that these devices has a site-to-site SSTP (MT1 is SSTP server) as described here: https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP#Server_configuration and the packets were only reaching one way from MT2 to MT1 but not from MT1 to MT2. eventually after a couple of days of troubleshooting and after looking at tcpdump on the MT1’st network i noticed an external IP on VoIP SIP packets coming from MT2’s network as a source. Switched to eth9 on MT2 masquarading rule, and everything worked perfectly since.

I’m not sure if this is a bug or as per design…

Hopefully the above will save someone days of troubleshooting as i endured.

–Andy

2

What are quoted “external bridge”?

Your topic only confuse me, also after all description, “Bug in routerOS while matching interfaces?”, without any export of config, it’s hard to understand.

Only confusion left, for me.

3

Hi there,

thank you very much for your reply...

"external brige" is just that - a bridge with ports assignment:


[admin@MikroTik] > /interface bridge print detail
Flags: X - disabled, R - running 
 0 R name="External" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto 
     mac-address=E4:8D:8C:24:33:09 protocol-mode=rstp fast-forward=yes igmp-snooping=no 
     auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s 
     transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no 

 1 R name="Internal" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto 
     mac-address=E4:8D:8C:24:33:05 protocol-mode=rstp fast-forward=yes igmp-snooping=no 
     auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s 
     transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no 
[admin@MikroTik] >

and this is the ports before i removed eth9 from "external" bridge:

[admin@MikroTik] > /interface bridge port print       
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE      BRIDGE     HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0 I   ether1         Internal   yes    1     0x80         10                 10       none
 1 I   ether2         Internal   yes    1     0x80         10                 10       none
 2     ether10        Internal   yes    1     0x80         10                 10       none
 3     wlan1          Internal          1     0x80         10                 10       none
 4     ether3         Internal   yes    1     0x80         10                 10       none
 5 I   ether4         Internal   yes    1     0x80         10                 10       none
 6 I H ether5         External   yes    1     0x80         10                 10       none
 7   H ether9         External   yes    1     0x80         10                 10       none
[admin@MikroTik] >

and this is masquarading NAT rule after changing "external" to "ether9":

[admin@MikroTik] > /ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=ether9 log=no log-prefix="" 
[admin@MikroTik] >

My apologies for your confusion. If it is confusing, i believe, it will be to everyone's benefit to just delete this thread. I tried, but could not find the way to do that.

Otherwise, I probably could open Visio, create a detailed network diagram with all the hosts, export 1000s lines of configs, and we spend another couple of weeks in getting a 200% understanding on this very simple 2 MTs network, however, i'm not absolutely certain that will in the end bear any fruit, and most certainly would frustrate and confuse participants of this anyways.