Hi all!
I have an RB4011 that I use as a home router for a fiber connection from my ISP. The fiber comes into an ONT owned by the ISP outside of my home (so I don’t know exactly what model it is, I’m afraid), and then a single ethernet line comes into my home that I have connected to ether1 on the router. I have configured the router for a fairly basic NAT and firewall with ether1 being the WAN port and all other ports being LAN ports; this was mostly done using the documentation from the wiki.
The problem I am having is that this particular ONT internally has a table of MAC addresses of devices on the other end of the ethernet connection, and this table only has room for 6-10 entries, and when it fills up the ONT starts misbehaving. The only way to clear the MAC address table is to call the ISP and ask their tech support to clear it. This should not be a problem because the only MAC address that the ONT should ever see should be that of the RB4011’s ether1 port. However, 1-3 times a year, something seems to happen and the ONT falls over and I have to call support and lo and behold the MAC address table on the ONT is full, so they clear it, and everything goes back to normal. The last time this happened I asked them if they could list me some of the MAC addresses in there, and much to my surprise the MAC addresses they listed were all devices on my LAN.
So here is my question: with a basic NAT configuration, how is it possible at all that MAC addresses from devices on my LAN ports are getting to the device on the other side of the WAN port ethernet connection at all? That sounds more like the RB4011 is behaving like a switch, which is not at all how it is configured to the best of my knowledge. Is this likely to be some sort of misconfiguration on my end? Is it possible this happens when the router has its power interrupted or some other such rare event, explaining why it only seems to happen so rarely?
Thanks in advance for any assistance.
> /interface/list/member/print
Columns: LIST, INTERFACE
# LIST INTERFACE
;;; defconf
0 LAN bridge
;;; defconf
1 WAN ether1
> /interface/bridge/print
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=2C:C8:1B:69:DD:FF protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=2C:C8:1B:69:DD:FF ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
> /interface/bridge/port/print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
;;; defconf
0 IH ether2 bridge yes 1 0x80 10 10 none
;;; defconf
1 IH ether3 bridge yes 1 0x80 10 10 none
;;; defconf
2 IH ether4 bridge yes 1 0x80 10 10 none
;;; defconf
3 H ether5 bridge yes 1 0x80 10 10 none
;;; defconf
4 IH ether6 bridge yes 1 0x80 10 10 none
;;; defconf
5 H ether7 bridge yes 1 0x80 10 10 none
;;; defconf
6 H ether8 bridge yes 1 0x80 10 10 none
;;; defconf
7 H ether9 bridge yes 1 0x80 10 10 none
;;; defconf
8 IH ether10 bridge yes 1 0x80 10 10 none
;;; defconf
9 I sfp-sfpplus1 bridge yes 1 0x80 10 10 none /ip/ad
> /ip/firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
> /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; Drop Invalid connections
chain=input action=drop connection-state=invalid log=no log-prefix=""
2 ;;; Allow Established, Related, and Untracked connections
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
3 ;;; Allow ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
4 ;;; Drop everything not coming from the LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
5 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
6 ;;; Drop Invalid connections
chain=forward action=drop connection-state=invalid log=no log-prefix=""
7 ;;; Allow Established, Related, and Untracked connections
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
8 ;;; Drop everything from the WAN that is not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
9 ;;; Drop connections to private IPs on the WAN
chain=forward action=drop dst-address-list=private-subnet out-interface-list=WAN log=no log-prefix=""
10 ;;; Drop connections from private IPs coming in from the WAN
chain=forward action=drop src-address-list=private-subnet in-interface-list=WAN log=no log-prefix=""
> /ip/firewall/address-list/print
Columns: LIST, ADDRESS, CREATION-TIME
# LIST ADDRESS CREATION-TIME
0 private-subnet 192.168.0.0/24 2021-08-24 22:39:04
1 private-subnet 172.16.0.0/12 2021-08-24 22:39:33
2 private-subnet 10.0.0.0/8 2021-08-24 22:40:39
3 private-subnet 127.0.0.0/8 2021-08-24 22:41:16
4 private-subnet 169.254.0.0/16 2021-08-24 22:41:44
5 private-subnet 0.0.0.0/8 2021-08-25 08:54:16
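As an added example (not from the original post and not MikroTik code): a small Python check that parses the columnar output of `/interface/list/member/print` and `/interface/bridge/port/print` as pasted above and reports any interface that is both a member of the WAN interface list and a bridge port. That is the kind of misconfiguration the question is about, since a WAN port that is also a bridge port would switch LAN frames (and their source MACs) straight out to the ONT. The sample outputs embedded below are constructed, modelled on the post's output; `parse_print` and `wan_ports_in_bridge` are my own names, and the parser assumes the standard one-row-per-line `Columns:` layout.

```python
"""Check RouterOS print output for a WAN port that is also a bridge port.

Added example, not from the forum post. Parses the columnar text that
`/interface/list/member/print` and `/interface/bridge/port/print` emit
and flags any interface present in both the WAN list and the bridge.
"""

# Constructed sample, modelled on the post's output (trimmed to a few rows).
LIST_MEMBERS = """\
Columns: LIST, INTERFACE
# LIST INTERFACE
;;; defconf
0 LAN bridge
;;; defconf
1 WAN ether1
"""

BRIDGE_PORTS = """\
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
;;; defconf
0 IH ether2 bridge yes 1 0x80 10 10 none
;;; defconf
1 H ether5 bridge yes 1 0x80 10 10 none
;;; defconf
2 I sfp-sfpplus1 bridge yes 1 0x80 10 10 none
"""

# Constructed "bad" variant: the WAN port has been added to the bridge.
BAD_BRIDGE_PORTS = BRIDGE_PORTS + "3 H ether1 bridge yes 1 0x80 10 10 none\n"


def parse_print(text):
    """Parse a 'Columns:'-style RouterOS print into a list of row dicts.

    Each row gets its index under '#', its flag letters under 'flags'
    (empty string when the row has none), the preceding ';;;' comment
    under 'comment', and one entry per named column. Rows are aligned by
    token count, so a row is either index + flags + columns or index +
    columns; wrapped long rows are not handled (assumption of this parser).
    """
    columns = None
    rows = []
    pending_comment = ""
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, the flag legend and the '#' header row.
        if not line or line.startswith("Flags:") or line.startswith("#"):
            continue
        if line.startswith("Columns:"):
            columns = [c.strip() for c in line[len("Columns:"):].split(",")]
            continue
        if line.startswith(";;;"):
            pending_comment = line[3:].strip()
            continue
        if columns is None:
            raise ValueError("data row before Columns: header")
        tokens = line.split()
        if len(tokens) == len(columns) + 2:
            index, flags, values = tokens[0], tokens[1], tokens[2:]
        elif len(tokens) == len(columns) + 1:
            index, flags, values = tokens[0], "", tokens[1:]
        else:
            raise ValueError(f"cannot align row with columns: {line!r}")
        row = {"#": int(index), "flags": flags, "comment": pending_comment}
        row.update(zip(columns, values))
        rows.append(row)
        pending_comment = ""
    return rows


def wan_ports_in_bridge(members_text, ports_text, wan_list="WAN"):
    """Return sorted interface names that are in the WAN list and also a
    bridge port. For a routed WAN this should be an empty list."""
    wan = {r["INTERFACE"] for r in parse_print(members_text)
           if r["LIST"] == wan_list}
    bridged = {r["INTERFACE"] for r in parse_print(ports_text)}
    return sorted(wan & bridged)


if __name__ == "__main__":
    print("good config:", wan_ports_in_bridge(LIST_MEMBERS, BRIDGE_PORTS))
    print("bad config: ", wan_ports_in_bridge(LIST_MEMBERS, BAD_BRIDGE_PORTS))
```

Paste the two real outputs into the two strings (or read them from files) and run it after any power event or config change; an empty result means ether1 is still a routed port. The parser targets only the columnar format shown in the post, so an export produced with `print terse` or via the API would need a different reader.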