IP leak from LAN to WAN?

Hi,

I use the RB450G with software version: 6.15

Config:

ether1-gateway (ether2 - ether5) as switch with DHCP and masquerading for browsing

I do have:
set [ find default-name=ether6 ] mac-address=00:0C:DE:AD:BE:BB name=\
    ether1-gateway speed=1Gbps
set [ find default-name=ether2 ] name=ether2-local speed=1Gbps
/interface ethernet switch
set 0 switch-all-ports=no

The provider router on the WAN port says that I am leaking internal IP addresses, and I see internal IP addresses with the MAC address of my WAN port on the provider router.

I tried everything in my power including different bridge groups, complete factory reset …
What's wrong and how can I fix it?

Help gladly appreciated.

I guess your WAN port is a member of a bridge, or put as a slave to a master port.

Just take a look at your default configuration using the /export command

and check what you have set up and where.

Things to check:
if you have NAT configured,
if the WAN interface is not a port of some bridge/switch group,
if you have a firewall rule that drops invalid packets.

Thanks guys for your suggestions. I tried all of it …
even creating a separate bridge group with only the wan port in.

jul/17/2014 07:58:24 by RouterOS 6.15

  • if you have NAT configured, → YES
/ip firewall nat
...
add action=dst-nat chain=dstnat dst-address=x.x.185.53 dst-port=47120 \
    in-interface=ether1-gateway protocol=udp to-addresses=192.168.0.10 \
    to-ports=47120
add action=masquerade chain=srcnat comment="default NAT" out-interface=\
    ether1-gateway to-addresses=0.0.0.0
  • if the WAN interface is not a port of some bridge/switch group, → no
set [ find default-name=ether6 ] mac-address=00:0C:DE:AD:BE:BB name=\
    ether1-gateway speed=1Gbps
/interface ethernet switch
set 0 switch-all-ports=no
  • if you have a firewall rule that drops invalid packets. → YES
/ip firewall filter
add action=drop chain=input in-interface=ether1-gateway

It also happens on the factory reset, even after the command:

/interface ethernet switch
set 0 switch-all-ports=no


The only way a local IP does not overwrite the MAC of ether1 is when I activate:

/interface ethernet switch
set 0 switch-all-ports=yes

but then I see the MAC addresses of the LAN on the provider modem on the WAN port.

Have you found the problem? I have a similar problem: I have three BGP links and the BGP works. But the providers at Napafrica are saying that I have a MAC address leak. I have no bridge in place, I am using a CCR1036 router, and it seems that the three ports are showing each other's MAC address, which places our router in quarantine.

The same problem here. Have you solved it?

How is the IP obtained for the WAN interface?

Is fast-path enabled? It could leak MAC addresses.

Could you tell more about this?

Thanks!

The WAN port should not be in a bridge, nor a slave to any other port. Go to IP > Firewall, NAT. There should be 1 masquerade rule tied to the WAN port (usually ether1).

I would like to add that many times on the forums I've seen people post their configurations where their src-nat rule for going out on the Internet has some condition like "src-address=192.168.88.0/24" - because they don't want other internal networks to be able to access the Internet. The problem with this is that it doesn't stop the packets from being forwarded - it only prevents them from being NATted… in the end, it has 95% of the same effect - that being the other private networks can't use the Internet, but their packets still go out the WAN interface.

Make sure that the srcnat rule for your WAN will unconditionally do srcnat for any packet going in that direction. If you want to block some internal networks from the Internet, then use the filter table for that.
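The two points made in the last replies (one unconditional masquerade rule on the WAN port, and per-network Internet policy kept in the filter table rather than in NAT), written out as an added RouterOS example; this is not configuration posted by anyone in the thread. The interface name ether1-gateway is taken from the thread; the networks 192.168.88.0/24 (allowed out) and 10.10.0.0/24 (kept off the Internet) are assumptions.

```routeros
# Added example, not from the thread. Interface ether1-gateway is the WAN;
# 192.168.88.0/24 and 10.10.0.0/24 are assumed internal networks.

/ip firewall nat
# Weak (left disabled for comparison): NAT only one LAN. A packet from
# 10.10.0.0/24 is still forwarded out ether1-gateway, it just keeps its
# private source address, which is exactly what the upstream sees as a leak.
add action=masquerade chain=srcnat out-interface=ether1-gateway \
    src-address=192.168.88.0/24 disabled=yes comment="weak: conditional srcnat"
# Corrected: masquerade every packet that leaves through the WAN, no conditions.
add action=masquerade chain=srcnat out-interface=ether1-gateway \
    comment="default NAT"

/ip firewall filter
# Which networks may reach the Internet is decided here, in the forward chain,
# which runs before srcnat, so a dropped packet never reaches the WAN at all.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward in-interface=ether1-gateway connection-state=new action=drop \
    comment="no unsolicited inbound from WAN"
add chain=forward out-interface=ether1-gateway src-address=192.168.88.0/24 \
    action=accept comment="this LAN may use the Internet"
add chain=forward out-interface=ether1-gateway action=drop \
    comment="every other internal network stays off the WAN"

# Checks after applying:
# /interface bridge port print      -> ether1-gateway must not be listed
# /ip firewall nat print stats      -> the "default NAT" counters should grow
# /ip firewall filter print stats   -> the final forward drop counts 10.10.0.0/24 attempts
```

The order matters: the forward-chain rules see the packet with its original private source address and decide whether it is forwarded at all; only packets that survive that decision reach srcnat, where the single unconditional masquerade rule rewrites the source to the WAN address. Restricting the masquerade rule instead, as in the disabled "weak" rule, changes nothing about forwarding.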