IP Directed Broadcast In CISCO Equivalent In Mikrotik

Hi guys,
We have an IP Directed Broadcast on a Cisco router to broadcast packets between two interfaces that are not in the same subnet and not bridged to each other. So what is the equivalent in Mikrotik? I want to do it on the Mikrotik router.
Thanks so much.

Yeah, it’s doable with ROS but you should be aware that it might be a security risk as mentioned in the Cisco manuals. It’s also disabled by default. What’s the use case?

I know it has a security risk. How can we enable it?
Thanks so much.

There isn’t a specific setting, you build it using arp proxy, broadcast forwarding and so on depending on what you’re aiming for. What’s the use case?

Thanks for your attention.
I have a device (device A) connected to the router interface ether5, in subnet 192.168.5.0/24, that needs to be configured, and a PC connected to another router interface, ether1, in another subnet (192.168.1.0/24), that wants to configure device A. If I know device A’s IP address, it can be easily configured. But I don’t know its IP address and want to configure it with a broadcast UDP packet. I don’t want to use the bridge. In Cisco we have an ip directed broadcast. I need an equivalent in Mikrotik.
Does “interface ethernet/set 1 arp=proxy-arp” solve my problem?
Thanks so much.

You can use bridge filters (i.e. bridge ip firewall) or just set up a simple dst-nat broadcast forwarding like the example below. Use a specific destination port number to limit the scope of the ip directed broadcast:
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address-type=broadcast dst-port=xxxx protocol=udp to-addresses=192.168.5.255

If the device on ether5 replies using broadcast instead of unicast, you might need a matching broadcast rule on that side as well. But try without this at first.
/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether5 dst-address-type=broadcast dst-port=xxxx (or src-port) protocol=udp to-addresses=192.168.1.255

Thanks for your attention.
Can we change the "/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address-type=broadcast dst-port=xxxx protocol=udp to-addresses=192.168.5.255" that you suggested to to-addresses=255.255.255.255? Because when I want to configure a device that is connected to ether5, its IP address is not known, and when it is configured with a UDP broadcast (255.255.255.255) it will get an IP in the range 192.168.5.0/24. I want to configure this device for the first time when I don’t know its IP address; after setting the IP address it can be easily configured.
Thanks so much.

It didn’t work for me.

What type of device are you using and what does the dst-nat rule look like? Have you checked with the built-in packet sniffer to see if any broadcast traffic is reaching the interfaces?

I’m not sure there is an “equivalent”. The Linux kernel has a “bc_forwarding” sysctl that is the Linux version of Cisco’s “ip directed-broadcast”. But… RouterOS does not directly expose the sysctl, and I’d imagine it’s disabled by default per RFC2644 inside RouterOS’s kernel.

bc_forwarding enables the feature described in rfc1812#section-5.3.5.2 and rfc2644. It allows the router to forward directed broadcast. To enable this feature, the ‘all’ entry and the input interface entry should be set to 1. Default: 0

Depending on the exact specifics of your situation, using firewall nat might work. Although I’m not 100% sure it’s possible, and it would likely take some experimentation and the sniffer. But I’m not sure you need to specify the ports as @Larsa suggests; directed broadcasts in Cisco are NOT specific like that.

The other RouterOS approach is just to create a new [dumb] bridge using two/most VLANs to bridge the subnet from the main bridge to a “broadcast bridge”. A RouterOS bridge filter can limit the 2nd “broadcast bridge” to only allow traffic to 255.255.255.255 and drop all other bridge traffic (unicast+multicast) on this 2nd bridge. That’s not the same as a directed broadcast per se. But essentially bridging everything THEN restricting it to only broadcast would be another approach.

You may want to file a feature request for it at help.mikrotik.com… since it may not be hard to expose the native Linux support for the bc_forwarding sysctl (e.g. in /ip/settings). And duplicating broadcast traffic between VLANs/subnets/etc. has come up in other contexts (recently HDHomeRun devices, but a few others). It’s still not a great idea to re-broadcast broadcasts… but sometimes there is a need.
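
Added example, not part of the post above and not MikroTik or kernel project code: on a plain Linux router (the thread notes RouterOS does not expose this sysctl), the quoted rule that both the 'all' entry and the input interface entry must be 1 can be audited per interface. The function name, the default path /proc/sys/net/ipv4/conf and the sample tree are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread. It applies to a plain Linux router;
# RouterOS does not expose this sysctl.
# Rule from the kernel text quoted above: directed broadcasts are forwarded only
# when BOTH conf/all/bc_forwarding and the input interface's entry are 1.
#
# Usage: bc_forwarding_audit [conf-dir]   (default: /proc/sys/net/ipv4/conf)
# Returns 0 = no interface forwards, 1 = at least one does, 2 = sysctl absent.
bc_forwarding_audit() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    if [ ! -r "$root/all/bc_forwarding" ]; then
        echo "unsupported"
        return 2
    fi
    all=$(cat "$root/all/bc_forwarding")
    found=0
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/bc_forwarding" ] || continue
        val=$(cat "$dir/bc_forwarding")
        if [ "$all" = "1" ] && [ "$val" = "1" ]; then
            echo "$iface: FORWARDS directed broadcasts"
            found=1
        elif [ "$val" = "1" ]; then
            echo "$iface: set to 1 but inactive (all=0)"
        else
            echo "$iface: off"
        fi
    done
    return "$found"
}

# Constructed sample tree (not real router state): all=1, ether1=1, ether5=0.
make_sample_tree() {
    t=$(mktemp -d)
    for i in all default ether1 ether5; do
        mkdir -p "$t/$i"
        echo 0 > "$t/$i/bc_forwarding"
    done
    echo 1 > "$t/all/bc_forwarding"
    echo 1 > "$t/ether1/bc_forwarding"
    echo "$t"
}

sample=$(make_sample_tree)
bc_forwarding_audit "$sample" || echo "audit: directed-broadcast forwarding is enabled"
rm -rf "$sample"
```

Called with no argument on a Linux router, the function reads the live sysctl tree; the non-zero return makes it usable as a periodic configuration check.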

It works. Use this simple test below where ether1 sends 192.168.90.255 to port 2000 (but any port will do) => dst-nat broadcast => to ether2 as 192.168.80.255. Bridging the two interfaces with a filter that allows udp with an optional port number works just as well.

/ip firewall nat add action=dst-nat chain=dstnat dst-address-type=broadcast in-interface=ether1 protocol=udp to-addresses=192.168.80.255

# netcat command running on linux connected to ether1 with addr 192.168.90.1
$ nc -v -u -n -b 192.168.90.255 20000 

log:
10:07:43 firewall,info dstnat: in:ether1 out:(unknown 0), connection-state:new src-mac 00:00:00:09:17:26, proto UDP, 192.168.90.1:54787->192.168.90.255:20000, len 29
10:07:44 firewall,info pre: in:ether1 out:(unknown 0), connection-state:new,dnat src-mac 00:00:00:09:17:26, proto UDP, 192.168.90.1:54787->192.168.90.255:20000, NAT 192.168.90.1:54787->(192.168.90.255:20000->192.168.80.255:20000), len 29

Hi, thanks for your attention.

/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address-type=broadcast dst-port=xxxx protocol=udp to-addresses=192.168.5.255

This code works when to-addresses=192.168.5.2, and the UDP sender must send to 192.168.5.255, not 255.255.255.255. It is not useful for me because I want the to address to send to all devices connected to that interface, with the UDP sender’s destination IP being 255.255.255.255.
Thanks so much.

Hi guys,

/ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address-type=broadcast dst-port=xxxx protocol=udp to-addresses=192.168.5.255

This code works when to-addresses is =192.168.5.254, not a broadcast address, just a unicast address. Additionally,

ip arp add address=192.168.5.254 mac-address=FF:FF:FF:FF:FF:FF interface=ether5

helps to broadcast, but I have lots of problems. If the sender of the broadcast sets the IP address of the packet to 255.255.255.255, it doesn’t work, and to-addresses=192.168.5.255 can’t be set to 192.168.5.255. Would you please help me? When I use to-addresses=192.168.5.254 with

ip arp add address=192.168.5.254 mac-address=FF:FF:FF:FF:FF:FF interface=ether5

it broadcasts, but I think a standard UDP socket can’t receive its data, although Wireshark captures it, because the IP is not broadcast but the MAC is broadcast. I need a dst-nat that sets to-addresses to a broadcast IP.
Thanks so much.