Assuming that VLAN887 is an ethernet interface, and not a point-to-point interface:
- From your posted configuration, it's normal that packets sent by the clients in the VLANs to remote hosts in the internet will be forwarded by your router (to the next hop `A.B.111.97`), while having their source addresses translated to one of those `.113` to `.117` addresses. This only depends on your source NAT rules. The rules are normal `action=src-nat` rules, and not `action=masquerade` ones, so it doesn't matter what IP addresses are configured under `/ip address` for `VLAN887`. One active `A.B.111.111/27` assignment under `/ip address` is enough to have the dynamic connected route for `A.B.111.96/27` needed for the `A.B.111.97` lookup.
For packets in the other direction (for example, response packets from the remote hosts), it depends on your provider:
- If your provider is one of those that require you to register your static MAC address with them, then it is possible that they don't need to use ARP and can simply send everything destined for the `.111`-`.117` range to your MAC address. Because ARP is not used, you don't need to assign the addresses to your `VLAN887` interface. The response packets arriving at your router will be handled by connection tracking, which will undo the NAT-ing and restore the original IP address in the `dst-address` field before the routing lookup. This means the presence of the `.111`-`.117` addresses on your router is not necessary for the response packets to be correctly forwarded to the clients in your VLANs.
- If your provider is one of those who route all addresses in the `A.B.111.112`-`A.B.111.117` range through `A.B.111.111` (usually for a configuration with "routed subnet" + "main IP"), then they only need to use ARP for `A.B.111.111`. In that case your router having the `A.B.111.111/27` entry configured on `VLAN887` is also enough for it to work, because the router will be able to answer all the required ARP requests. Once the packets arrive at the router, it will be like described above, with conntrack undoing the NAT-ing.
- But if the provider requires working ARP responses for every single address in the `A.B.111.111`-`A.B.111.117` range, then the response packets destined for `A.B.111.112`-`A.B.111.117` will not be able to reach your router if you disable the `/ip address` entries like in the export. The clients in the VLANs are able to send out packets to the outside but will not get any response back. It appears that this is not the configuration used by your ISP, because the connections work normally as you said.

  Note: another way for it to work without the `/ip address` entries in this situation is to either have `arp=proxy-arp` on `VLAN887` or `published=yes` ARP entries added for the addresses, and to have routes to the address ranges in your main routing table. With that configuration the router will also reply to ARP requests for the `A.B.111.112`-`A.B.111.117` addresses.
- If instead of the above your connection is a point-to-point connection, then it's also normal that everything works, because it is a similar situation to the first case above, where all packets are routed to your router without ARP involved.
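The setup the answer above describes, written out as an added RouterOS CLI example; it is not the poster's configuration and not the export from the thread. `VLAN887`, the `A.B.111.x` placeholders and the next hop `A.B.111.97` are taken from the thread; the LAN subnet `192.168.10.0/24`, the choice of `A.B.111.113` as the translated source, and the router MAC `AA:BB:CC:DD:EE:FF` are assumptions made for the example. The last part shows the `published=yes` ARP variant from the note, which is only needed in the third case (ISP ARPs for every address and the `/ip address` entries are disabled).

```routeros
# Added example, not the poster's config. Assumed values:
#   192.168.10.0/24   = LAN clients behind the router
#   A.B.111.113       = the src-nat address used for them
#   AA:BB:CC:DD:EE:FF = this router's own MAC on VLAN887

# One active address in the /27 creates the dynamic connected route for
# A.B.111.96/27, which is all the router needs to resolve the next hop.
/ip address add address=A.B.111.111/27 interface=VLAN887 comment="main IP"
/ip route add dst-address=0.0.0.0/0 gateway=A.B.111.97

# Outbound: a fixed src-nat rule, not masquerade. The translated source does
# not have to be an address that is configured on VLAN887.
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 \
    out-interface=VLAN887 action=src-nat to-addresses=A.B.111.113

# Inbound replies to A.B.111.113 are matched by connection tracking, which
# rewrites dst-address back to the 192.168.10.x client before the routing
# lookup. Nothing else is required as long as the frames reach this router.

# Only for the third case in the answer (ISP must get an ARP reply for each
# of .112-.117 and the /ip address entries stay disabled): publish static
# ARP entries that answer for those addresses with the router's MAC.
:for i from=112 to=117 do={
    /ip arp add address="A.B.111.$i" mac-address=AA:BB:CC:DD:EE:FF \
        interface=VLAN887 published=yes
}

# Checks:
/ip route print where dst-address=A.B.111.96/27    # connected route present?
/ip arp print where interface=VLAN887              # published entries listed?
# For an active client flow, reply-dst-address should show A.B.111.113:
/ip firewall connection print detail where src-address~"^192.168.10."
```

If the provider ARPs only for the main IP (second case), the `:for` loop is unnecessary; keeping `A.B.111.111/27` on `VLAN887` already lets the router answer the one ARP request that matters. The alternative the note mentions, `/interface vlan set VLAN887 arp=proxy-arp`, additionally depends on having routes for the addresses in the main table, so the published entries are the more self-contained choice.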