An existing firewall is directly connected to a dsl router with a /29 subnet public ip address
I have to interpose a routerboard used as a loadbalancer/failover with other two dsl routers.
Is there a way to keep the public ip address coming from original router ?
Proxy ARP is your friend. If dsl router is connected to RB’s etherX and firewall to etherY, then set arp=proxy-arp for both and add:
/ip route
add dst-address=a.b.c.1/32 gateway=etherX
add dst-address=a.b.c.6/32 gateway=etherY
But , from firewall point of view, is it like routerboard didn’t exist ??
I would have to set up pcc/loadbalancing like eth facing wirewall was LAN and other eth as WANs.
Would any internet packet destinated to a.b.c.6 hit the firewall ?
Yes, for firewall (the device with a.b.c.6) it’s like RB isn’t there. But for RB it’s regular routing, it sees the traffic and can do anything it wants with it.
I’m not sure that I understand what exactly you want to do with load balancing.
Nice to know…
with PCC I let firewall (thus machines behind it) to use all three DSL line to achieve more bandwidth and failover like I’m actually doing in few systems (but without firewall in the middle).
Honestly, I don’t know if :
lan_machines----routerboard_pcc------three_wans
lan_machines—firewall—routerboard_pcc------three_wans
behave the same way about pcc method.
It depends. If you’d have firewall machine, but you’d let original LAN addresses through (so RB would see them), it would be exactly the same. If firewall machine already does srcnat, then RB sees only one source address and distribution over WANs is going to be be slightly different.
One more thing you need to think about with this config is that public address a.b.c.6 can only work with one dsl router (most likely) and you’ll need to srcnat it something else for outgoing connections via other dsl routers.
There’s also question if you really need a.b.c.6 directly on firewall machine (there are some possible reasons), or if you could just put it on RB.
Yes, firewall already does srcnat so routerboar would see all traffic coming only from a.b.c.6 address.
Some incoming services hitting a.b.c.6 are dst-natted by firewall to some lan machines
Maybe a vpn can be established from internet client to a.b.c.6
No need for incoming services on other two routers (just used for bandwidth and failover), they are there, just doing nothing, included by ISP in other paid service bundles
I’m not the firewall manager, it was asked me if it is possible to manage thing this way without any firewall modification and loss of services.
That’s why I would really need to keep a.b.c.6 on the firewall.
I’ve tested it with a PC instead of firewall:
I can ping 10.0.0.1 from 10.0.0.9 and vice-versa
PC arp table says 10.0.0.1 is B8:69:F4:BC:BB:32 (routerboard ether3)
Dsl router arp table says 10.0.0.9 is B8:69:F4:BC:BB:31 (routerboard ether2)
On PC , default gateway and dns server is 10.0.0.1 (dsl router)
However, trying to ping any internet ip address , I get
Reply from 0.0.0.0: Destination net unreachable.
Trying to ping www.google.it I get
Pinging www.google.com [216.58.198.4] with 32 bytes of data:
Reply from 0.0.0.0: Destination net unreachable.
(domain name is resolved)
What’s the problem ?
Problem is missing default route on RB. You can try:
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1
But question, are the other dsls supposed to be used for this firewall device, or are they for some other network not shown in diagram? Because unless you have some special deal with ISP, you won’t be able to use a.b.c.6 with them anyway. If only original dsl would be enough for a.b.c.6, it would be easier to simply bridge the two ports. Although if that was the case, it would be easiest to just not involve RB at all, so maybe I’m getting wrong idea.
Already tried, 10.0.0.1 gateway is “unreachable”, also tried gateway=ether2 , same issue.
About other dsls, i want to tie them together with working one to achieve more bandwidth and failover like already done (i.e. https://mum.mikrotik.com/presentations/US12/steve.pdf).
I haven’t yet tried an exixsting firewall cascaded with a such configured routerboard.
Doing tests with a single pc as lan device to a three-wan rb works great.
Not sure if PC----natting firewall------pcc_routerboard—three_dsls could works the same.
Ok, I see it. I normally use this when there are more addresses, e.g. provider has x.x.x.1/24 on their router, I’m allowed to use x.x.x.2-10/24, but I don’t want them all on router, and for some reason I can’t connect all devices directly to provider’s router. With proxy ARP, I can route some of x.x.x.2-10 further to internal network. But I always keep at least one on router connected to ISP. In your case there’s none and there’s some problem with that. I’ll take a look at it later.
So the router won’t send ARP request if it doesn’t have IP address on interface. One way it could be solved is to remove this route:
/ip route
add dst-address=10.0.0.1/32 gateway=ether2
and instead add point to point address:
/ip address
add address=x.x.x.x/32 interface=ether2 network=10.0.0.1
It will create dynamic route, will send ARP for 10.0.0.1, and the address can be used as gateway. But I’m not completely sure about x.x.x.x. It can be any unique address (I used 10.10.10.10) and it will be fine for RB. The problem is, I can’t guarantee that the other router won’t complain when it sees ARP request from address that doesn’t belong to subnet on the interface. My testing router (also RouterOS) has no problem with that, but some other possibly could.
Ok, It works , connection from firewall to internet are ok, I haven’t yet checked in real environment if a.b.c.6 (firewall public ip) is reachable transparently from internet , I’ll keep you updated…
Unfortunately on the real test it fails:
ether1 facing dsl router
ether2 facing firewall
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp
/ip address
add address=10.10.10.10 interface=ether1 network=<dslrouter_ip_address>
/ip route
add distance=1 dst-address=<firewall_ip_address>/32 gateway=ether2
when firewall (a routerboard in this case) pings internet devices, it gets back:
SEQ HOST SIZE TTL TIME STATUS
0 10.10.10.10 84 64 0ms net unreachable
Any possible solution ?
Thanks
Noob question… Is it possible a different approach, something like a double routing/nat inside the same RB ??
Short answer: no
Long answer: Maybe with loop hack (IPIP tunnel from router back to router), but you don’t want that. My head hurts every time I think about it. And you’d still have problems with same addresses being both local and remote at the same time, router doesn’t like that.
About the previous post, check what exactly is failing:
a) Does ARP succeed on firewall, i.e. does it get MAC address for gateway? It should be MAC address of router’s ether2.
b) Does ARP succeed on router? Try to ping gateway (it’s ok if it doesn’t work) and check “/ip arp” if MAC address of gateway is there.
Thank you for patience,
Arp table of firewall (actually a RB) sees both and 10.10.10.10 with MT ether2 mac address
Arp table of MT sees with on ether2 and with on ether1
If I ping from firewall I get replies,
If I hard-disconnect ether1 facing isp router while pinging, firewall gets “net unreachable” from 10.10.10.10
Anyway, no access to internet
In the meanwhile, I got it working with two separated routerboards each dst-natted from in-interface to the address of router behind it
It works totally transparent, but the goal is to use , if possible, a single routerboard in the middle…