Forwarding broadcast packets through router when using 2 bridges (Public and Intra)

Hi there,

Hardware : RB2011
SW Version: 5.20

My problem is fairly simple: I have created 2 bridges {SwPublic and SwIntra}, and there is
GPS information being broadcast on SwPublic on port 3002 that needs to be forwarded back to SwIntra.


SwPublic : eth1, eth2, eth3
SwIntra : eth4, eth5 … eth9, eth10
I’ve added an IP address to SwPublic {172.22.66.100} and one to SwIntra {192.168.77.1}.

Then I tried to forward the SwPublic broadcast to a broadcast to SwIntra like so:
/ip firewall nat add action=dst-nat chain=dstnat in-interface=SwPublic protocol=udp dst-address-type=broadcast dst-port=3002 to-addresses=192.168.77.255

That didn’t work so then I tried to redirect to a particular intranet IP like so:
/ip firewall nat add action=dst-nat chain=dstnat in-interface=SwPublic protocol=udp dst-port=3002 to-addresses=192.168.77.2

For testing purposes, I’m using this script on my Linux server to broadcast the packets:

#!/bin/sh
while :
do
  date -u | socat - UDP4-DATAGRAM:172.22.127.255:3002,broadcast
  sleep 1
done

and this script does form nice broadcast packets; using Wireshark I can see:

  • Ethernet address = ff:ff:ff:ff:ff:ff
  • IPv4 Dst = 172.22.127.255
  • Dst Port = UDP 3002

But Wireshark on the IntraNet does not show ANY packets with destination = 3002.

I can see packets coming in on the RB2011 /ip/firewall counters, I see my packet count increment for that rule, but NO packet broadcast or unicast on the SwIntra…
How can I follow the path of my packet and how it “disappears” in the IPChains?
What did I misconfigure?

Kind Regards,
Martin Politick.

This is the script I apply for a virgin RB2011; if you have comments to better this script in other areas (like removing the default configuration) please let me know:

/
#-- Set this manually for each RB2011
global MachineName   Vehicle100
global MachineIp     172.22.66.100
global MachineMask   255.255.192.0

#-- Set this manually for each site
global MachineDns    172.22.64.9
global MachineGw     172.22.64.1

#-- This should be fixed for all vehicles
global IntranetIp   192.168.77.1
global IntranetMask 255.255.255.0
global IntranetNet  192.168.77.0/24
global DhcpdRange   192.168.77.200-192.168.77.254
global NAV          192.168.77.2



/system identity
set name=$MachineName


#----------------------------------------------------------------
#--- Removing old configurations
#----------------------------------------------------------------

#--- Renaming Interfaces
/interface set 0 name="eth1"
/interface set 1 name="eth2" 
/interface set 2 name="eth3" 
/interface set 3 name="eth4" 
/interface set 4 name="eth5" 
/interface set 5 name="eth6"
/interface set 6 name="eth7" 
/interface set 7 name="eth8" 
/interface set 8 name="eth9" 
/interface set 9 name="eth10"

# Remove bridge between all ports
/interface bridge port
:foreach k in=[/interface bridge port find] do={
    remove $k
}
/interface bridge
:foreach k in=[/interface bridge find] do={
    remove $k
}

#remove slave ports
/interface ethernet 
set eth7  master-port=none
set eth8  master-port=none
set eth9  master-port=none
set eth10 master-port=none


#--- Setting up virtual switches
/interface bridge add name="SwIntra"  comment="Vehicle Intranet switch firewalled"
/interface bridge add name="SwPublic" comment="Public radio side switch"
#--- Public side
/interface bridge port add bridge=SwPublic interface=eth1
/interface bridge port add bridge=SwPublic interface=eth2
/interface bridge port add bridge=SwPublic interface=eth3
#--- Intranet side
/interface bridge port add bridge=SwIntra  interface=eth4
/interface bridge port add bridge=SwIntra  interface=eth5
/interface bridge port add bridge=SwIntra  interface=eth6
/interface bridge port add bridge=SwIntra  interface=eth7
/interface bridge port add bridge=SwIntra  interface=eth8
/interface bridge port add bridge=SwIntra  interface=eth9
/interface bridge port add bridge=SwIntra  interface=eth10


#--- Removing all IP addresses    
/ip address
:foreach k in=[/ip address find] do={
      /ip address remove $k
}

#--- DHCP Client --- Don't ask for an IP address
/ip dhcp-client
:foreach k in=[/ip dhcp-client find] do={
    remove $k
}

#--- dhcpd --- DHCP SERVER on Intranet 
/ip pool
:foreach k in=[/ip pool find] do={
    remove $k
}
/ip pool add name=DHCPd ranges=$DhcpdRange

#--- Change default DHCP IP address range so we know OUR config is applied
/ip dhcp-server
:foreach k in=[/ip dhcp-server find] do={
    remove $k
}
/ip dhcp-server network
:foreach k in=[/ip dhcp-server network find] do={
    remove $k
}

#--- DNS
/ip dns static
:foreach k in=[/ip dns static find] do={
    remove $k
}

#--- Remove NATTING
/ip firewall nat
:foreach k in=[/ip firewall nat find] do={
    remove $k
}

#--- Disable SIP from service ports ---
/ip firewall service-port
:foreach k in=[/ip firewall service-port find name~"sip"] do={
    :put [/ip firewall service-port get $k ports]
    disable $k
}
#---- Remove routing
/ip route
:foreach k in=[/ip route find] do={
    remove $k
}

#----------------------------------------------------------------
#--- Rebuilding configuration
#----------------------------------------------------------------
#--- Add IP addresses to the switches so we can reach the RB2011
/ip address add address $IntranetIp netmask $IntranetMask interface SwIntra  comment="Intranet";
/ip address add address $MachineIp  netmask $MachineMask  interface SwPublic comment="Public";

#--- static DNS on private intranet
/ip dns static add address=$IntranetIp disabled=no name=router

#--- DHCP Setup
/ip dhcp-server add interface=SwIntra address-pool=DHCPd authoritative=yes disabled=no name=dhcpd
/ip dhcp-server network add address $IntranetNet dns-server $IntranetIp domain politick.com gateway $IntranetIp

#--- Set Routing
/ip route add dst-address=0.0.0.0/0   gateway=$MachineGw


#--- Enable NATting for TCP and UDP
/ip firewall nat add chain=srcnat action=masquerade out-interface=SwPublic

#--- Secure the rest of the ports from the radio ----------------
/ip firewall filter add action=drop   chain=input  disabled=no in-interface=SwPublic dst-address=$IntranetNet  comment="Radio"
 


#--- GPS info
#/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=3002 to-ports=3002 in-interface=SwPublic to-addresses=$IntranetBrod protocol=udp dst-address-type=broadcast  
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=3002 to-ports=3002 in-interface=SwPublic to-addresses=$NAV protocol=udp  


#--- Remote Desktop
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=3389 to-ports=3389 in-bridge-port=SwPublic to-addresses=$NAV        protocol=tcp comment=Remote.Desktop

I’ve finally figured it out looking at:
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

There is this insidious “Use IP Firewall” in this flow…
To enable Layer 3 dst-nat, you need to set:

/interface bridge settings set use-ip-firewall yes

With that I was able to redirect to a unicast address behind the NAT,
but I was not able to redirect to 192.168.77.255 (broadcast address of NATed subnet)

Enjoy & Kind Regards,
Martin Politick.
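The fix above, written out as an added example (not Martin's script or anything from the MikroTik manual) together with what use-ip-firewall changes for the rest of the firewall; it assumes the bridge names and $NAV from the script earlier in the thread, and 172.22.127.255 from the socat test.

```routeros
# Added example: Layer-3 redirect of the GPS broadcast, plus the firewall
# consequences of use-ip-firewall. Assumes the bridge names and $NAV from the
# script above; 172.22.127.255 is the broadcast address used by the socat test.
:global NAV 192.168.77.2

# Without this, frames that stay on a bridge never enter /ip firewall, so the
# dstnat rule was only seen by packets addressed to the router itself.
# With it, every bridged frame also passes prerouting, filter and nat.
/interface bridge settings set use-ip-firewall=yes

# Match only the GPS broadcast (UDP/3002) arriving from the radio side.
# dst-address-type=broadcast matches the directed broadcast of the SwPublic
# subnet; use dst-address=172.22.127.255 instead if you want an explicit match.
/ip firewall nat add chain=dstnat in-interface=SwPublic protocol=udp dst-port=3002 dst-address-type=broadcast action=dst-nat to-addresses=$NAV to-ports=3002 comment="GPS broadcast -> NAV"

# Consequence 1: the masquerade rule now also sees frames bridged between
# eth1..eth3 (out-interface=SwPublic). Limit it to intranet sources so it
# can never rewrite radio-side traffic.
/ip firewall nat set [find chain=srcnat action=masquerade out-interface=SwPublic] src-address=192.168.77.0/24

# Consequence 2: the forward chain now decides what may cross from the radio
# bridge into the intranet. Allow return traffic and the redirected GPS flow,
# drop everything else.
/ip firewall filter add chain=forward in-interface=SwPublic out-interface=SwIntra connection-state=established,related action=accept comment="Radio replies"
/ip firewall filter add chain=forward in-interface=SwPublic out-interface=SwIntra protocol=udp dst-address=$NAV dst-port=3002 action=accept comment="GPS to NAV"
/ip firewall filter add chain=forward in-interface=SwPublic out-interface=SwIntra action=drop comment="Radio -> intranet, everything else"

# Following the packet: the dstnat counter shows the match, the forward
# counters show whether the rewritten packet actually reaches SwIntra.
/ip firewall nat print stats
/ip firewall filter print stats
```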

The closest I’ve come to solving this problem is a very complex bastardized concoction where all of my ports are in a bridge but also routing between them. A filter on the bridge blocks all the broadcast packets except the one particular set that I need.

I would much rather have a rule of some sort (in dst-nat?) that simply says “A UDP Packet matching this” (which I can define easily) needs to be routed and flooded out all of these ports. It’s that last part that kills me. :slight_smile:

Or, in other words, something like a DHCP relay, except that instead of relaying to unicast, I need to relay to a broadcast.

This is exactly the type of scenario that multicast is designed for.

You should look into sending your GPS data out to a multicast group, and enabling IGMP on the Mikrotik so that it will forward the packets to other interfaces when there are clients subscribing to the multicast group.
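The multicast setup suggested above as an added example (not from this thread), for the RB2011 with the multicast package installed; the group 239.192.77.2 is a constructed value, $NAV and the bridge names come from Martin's script, and the socat lines in the comments are constructed sender/receiver commands.

```routeros
# Added example: GPS data as a multicast group relayed by igmp-proxy.
# Assumes the multicast package, the bridges from the script above and a
# constructed group address 239.192.77.2.
#
# Sender (Linux box, constructed): point socat at the group with a TTL
# large enough to survive the router hop (socat's default TTL of 1 would not):
#   date -u | socat - UDP4-DATAGRAM:239.192.77.2:3002,ip-multicast-ttl=2
# Receiver (constructed): a plain listener on UDP/3002 gets nothing; it must
# join the group so the router sees an IGMP membership report:
#   socat UDP4-RECV:3002,ip-add-membership=239.192.77.2:eth0 -

# Upstream = the side the source lives on, downstream = where receivers join.
/routing igmp-proxy interface add interface=SwPublic upstream=yes
/routing igmp-proxy interface add interface=SwIntra upstream=no

# Routed multicast passes the forward chain, so the intranet only receives
# this one group on this one port; any other multicast from the radio side
# is dropped.
/ip firewall filter add chain=forward in-interface=SwPublic out-interface=SwIntra protocol=udp dst-address=239.192.77.2 dst-port=3002 action=accept comment="GPS multicast"
/ip firewall filter add chain=forward in-interface=SwPublic out-interface=SwIntra dst-address=224.0.0.0/4 action=drop comment="Other multicast from radio"

# Check: a receiver that has joined shows up in the forwarding cache; with no
# member on SwIntra the router does not forward the group at all.
/routing igmp-proxy mfc print
```

Unlike the dst-nat approach, this reaches every subscribed host on SwIntra rather than the single $NAV address, and nothing is flooded while no host has joined.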