LAN can go to WAN via PBR - but with public IP disabled

Hi, I wonder why the following works:

For example, we have a public subnet like 1.1.1.1/27.
I PBR via Mangle so that my LAN goes out via its own Routing-Mark/Table (“WAN-.5”) via 1.1.1.5; a NAT rule (SNAT) is created too. The IP (1.1.1.5) itself is DISABLED (under IP/Addresses).

But the LAN-clients can reach the internet via 1.1.1.5 (checked via myip.com). I am sure this was not possible under ROSv6?! By disabling the IP, everything else was disabled too.

Is this somehow an intended behaviour of ROSv7? It doesn't feel right tbh…

Hi,

Just magic? :)

Without full configuration it's hard to judge what happens.

A local IP address is only needed for packets to and from the Mikrotik itself, it is unnecessary for forwarded packets. And yes, ROSv6 behaves the same way.

For the config:

/ip address
add address=A.B.111.111/27 interface=VLAN887 network=A.B.111.96
add address=A.B.111.113/27 disabled=yes interface=VLAN887 network=A.B.111.96
add address=A.B.111.114/27 disabled=yes interface=VLAN887 network=A.B.111.96
add address=A.B.111.115/27 disabled=yes interface=VLAN887 network=A.B.111.96
add address=A.B.111.116/27 disabled=yes interface=VLAN887 network=A.B.111.96
add address=A.B.111.117/27 disabled=yes interface=VLAN887 network=A.B.111.96

/routing table
add disabled=no fib name=WAN-111
add disabled=no fib name=WAN-113
add disabled=no fib name=WAN-114
add disabled=no fib name=WAN-115
add disabled=no fib name=WAN-116
add disabled=no fib name=WAN-117

/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=no-mark dst-address-list=!reserved-IP-Range dst-address-type=!local in-interface-list=VLAN->WAN-111 new-routing-mark=WAN-111 passthrough=no
add action=mark-routing chain=prerouting connection-mark=no-mark dst-address-list=!reserved-IP-Range dst-address-type=!local in-interface-list=VLAN->WAN-113 new-routing-mark=WAN-113 passthrough=no
add action=mark-routing chain=prerouting connection-mark=no-mark dst-address-list=!reserved-IP-Range dst-address-type=!local in-interface-list=VLAN->WAN-114 new-routing-mark=WAN-114 passthrough=no
add action=mark-routing chain=prerouting connection-mark=no-mark dst-address-list=!reserved-IP-Range dst-address-type=!local in-interface-list=VLAN->WAN-115 new-routing-mark=WAN-115 passthrough=no
add action=mark-routing chain=prerouting connection-mark=no-mark dst-address-list=!reserved-IP-Range dst-address-type=!local in-interface-list=VLAN->WAN-116 new-routing-mark=WAN-116 passthrough=no
add action=mark-routing chain=prerouting connection-mark=no-mark dst-address-list=!reserved-IP-Range dst-address-type=!local in-interface-list=VLAN->WAN-117 new-routing-mark=WAN-117 passthrough=no

/ip firewall nat
add action=src-nat chain=srcnat routing-mark=WAN-111 to-addresses=A.B.111.111
add action=src-nat chain=srcnat routing-mark=WAN-113 to-addresses=A.B.111.113
add action=src-nat chain=srcnat routing-mark=WAN-114 to-addresses=A.B.111.114
add action=src-nat chain=srcnat routing-mark=WAN-115 to-addresses=A.B.111.115
add action=src-nat chain=srcnat routing-mark=WAN-116 to-addresses=A.B.111.116
add action=src-nat chain=srcnat routing-mark=WAN-117 to-addresses=A.B.111.117

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=A.B.111.97 pref-src=A.B.111.111 routing-table=WAN-111
add distance=1 dst-address=0.0.0.0/0 gateway=A.B.111.97 pref-src=A.B.111.113 routing-table=WAN-113
add distance=1 dst-address=0.0.0.0/0 gateway=A.B.111.97 pref-src=A.B.111.114 routing-table=WAN-114
add distance=1 dst-address=0.0.0.0/0 gateway=A.B.111.97 pref-src=A.B.111.115 routing-table=WAN-115
add distance=1 dst-address=0.0.0.0/0 gateway=A.B.111.97 pref-src=A.B.111.116 routing-table=WAN-116
add distance=1 dst-address=0.0.0.0/0 gateway=A.B.111.97 pref-src=A.B.111.117 routing-table=WAN-117

Why can the LAN-clients reach the internet via the DISABLED IPs .113 to .117?
I am quite sure this was not possible with ROSv6.

Can you check what SRC IP is seen on WAN side for these packets?

IMHO packets would be seen with the lowest active WAN IP.

Why?
For example:

If you change the SRC, it appears to be .113, even if .113 is disabled...

Assuming that VLAN887 is an ethernet interface, and not a point-to-point interface:

  • From your posted configuration, it's normal that packets sent by the clients in the VLANs to remote hosts in the internet will be able to be forwarded by your router (to the next hop A.B.111.97), while having the source addresses translated to one of those .113 to .117 addresses. This only depends on your source NAT rules. The rules are normal action=src-nat rules, and not action=masquerade ones, so it doesn't matter what IP addresses are configured under /ip address for VLAN887.

    One active A.B.111.111/27 assignment under /ip address is enough to have the dynamic connected route for A.B.111.96/27 needed for the A.B.111.97 lookup.

  • For packets in the other direction (for example response packets from the remote hosts) it depends on your provider:

    • If your provider is one of those that request that you register your static MAC address with them, then it might be possible that they don't need to use ARP and can just simply send everything destined for the .111-.117 range to your MAC address. Because ARP is not used, you don't need to assign the addresses to your VLAN887 interface.

      The response packets arriving at your router will be handled by connection tracking, that will undo the NAT-ing and restore the original IP address to be put in the dst-address field before routing lookup. Which means the presence of the .111-.117 addresses on your router is not necessary for the response packets to be correctly forwarded to the clients in your VLANs.

    • If your provider is one of those who routes all addresses in the A.B.111.112-A.B.111.117 range through A.B.111.111 (usually for configuration with "routed subnet" + "main IP") then they only need to use ARP for A.B.111.111. In that case your router having the A.B.111.111/27 entry configured on VLAN887 is also enough for it to work, because the router will be able to answer all the required ARP requests. Once the packets arrive at the router, it will be like described above with conntrack undoing the NAT-ing.

  • But if the provider requires working ARP responses for every single address in the A.B.111.111-A.B.111.117 range, then the response packets destined for A.B.111.112-A.B.111.117 will not be able to reach your router if you disable the /ip address entries like in the export. The clients in the VLANs are able to send out packets to the outside but will not get any response back. It appears that this is not the configuration used by your ISP, because the connections work normally as you said.

      Note: another way for it to work without the /ip address entries in this situation is to either have arp=proxy-arp on VLAN887 or published=yes ARP entries added for the addresses, and having routes to the address ranges in your main routing table. With that configuration the router will also reply to ARP requests for the A.B.111.112-A.B.111.117 addresses.

If instead of the above, your connection is a point-to-point connection then it's also normal that everything works, because it's a similar situation like the first case above, where all packets are routed to your router without ARP involved.
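The two mechanisms described in the answer above, as an added configuration example that is not part of the original thread: the action=src-nat rule that writes a fixed source address regardless of what is under /ip address, the action=masquerade form that would instead use an address the router actually has, published ARP entries for the return path when the ISP ARPs for every address individually, and two checks for what the next hop sees. VLAN887, the A.B.111.x addresses and the MAC placeholder are assumptions taken from the export, not values from the thread.

```routeros
# Added example, not from the thread. Placeholders: VLAN887, A.B.111.x and the
# MAC of VLAN887 (XX:XX:XX:XX:XX:XX), which you read from:
/interface vlan print detail where name=VLAN887

# 1. Outgoing direction. action=src-nat puts to-addresses into the packet as-is
#    and does not consult /ip address, so .113 need not be assigned or enabled.
/ip firewall nat
add chain=srcnat routing-mark=WAN-113 action=src-nat to-addresses=A.B.111.113 \
    comment="fixed source address, works even with .113 disabled"

#    action=masquerade (shown disabled) instead lets the routing facility pick
#    a source address that is configured on the router, so with .113 disabled
#    traffic would leave from the active A.B.111.111, not from .113.
add chain=srcnat routing-mark=WAN-113 out-interface=VLAN887 action=masquerade \
    disabled=yes comment="would source from an address that is actually assigned"

# 2. Return direction. Only needed when the ISP ARPs for each address separately.
#    A published entry makes the router answer ARP for .113 without assigning
#    the address under /ip address. Repeat for .114 to .117.
/ip arp
add interface=VLAN887 address=A.B.111.113 mac-address=XX:XX:XX:XX:XX:XX \
    published=yes comment="answer ARP for .113 on behalf of this router"

# 3. Checks. What the next hop A.B.111.97 actually sees as source address:
/tool sniffer quick interface=VLAN887 ip-address=A.B.111.113
#    and whether conntrack holds the reverse mapping for the client's flow
#    (reply-dst-address should be A.B.111.113 for a client behind WAN-113):
/ip firewall connection print detail where reply-dst-address~"A.B.111.113"
```

The sniffer is the quickest way to settle the "which SRC IP is seen on the WAN side" question asked earlier in the thread: if packets leave with .113 while .113 is disabled, the src-nat rule is doing exactly what the answer describes. The published ARP entry is only worth adding if the check shows outgoing packets but no replies, which is the "ISP ARPs for every address" case.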

Very interesting explanation @CGGXANNX !

If I remember correctly, the “pref-src” like pref-src=A.B.111.113 in the routes was responsible in ROSv6 for it not working with the disabled IPs. But I am not 100% sure. It seems there was some change from v6 to v7??

They are not point-to-point interfaces. VLAN887 is a transfer-VLAN to the ISP-Router, which is physically not in the same place as the main router.

You can even NAT to a specific IP address that is not assigned or bound to a specific interface, as long as the upstream routes that subnet back to you, so I think what you are experiencing is normal. Just my 0.002$