Hello to all MikroTik people out there! I have two questions on the loopback topic.
The first one:
Is it mandatory to create a loopback on a MikroTik router? What if I don't want to do that?
What are the advantages and disadvantages?
The second:
In a preconfigured router, when I torch the Eth1 interface, which is the outgoing interface (the internet comes in through this interface), the destination was the IP address of the loopback interface. However, when I create a loopback on my router and torch Eth1, the destination is the IP address of my Eth1.
So please, can anyone explain to me why this happens and what it means, and which is right, my config or the other router's config?
Please specify what exactly you mean by loopback interface, and what IP you "see" or "set" on that interface.
It is a bridge interface with zero member ports. The interface will always be active and thus will function as a regular loopback interface.
What is the use case for such functionality? What does it allow users/devices to do or not do?
By the way, it reminds me of an existing default rule:
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
Not sure of its purpose outside of CAPsMAN, but rextended is capable of explaining it, as I see no need for it.
To the first question, I’d start from the fact that the popular name “loopback address” is technically wrong - it is a shortcut obfuscating the actual point.
The idea behind a "loopback address" is that this address is always active on the device. Addresses attached to a physical interface become inactive if the interface they are attached to goes down. So on bare Linux systems, long before bridges were implemented, people started attaching addresses they needed to stay active no matter what to a loopback interface, and that is where the shortcut "loopback address" comes from.
There is a “real” loopback interface on Mikrotik too, but it is not made visible in the RouterOS configuration. So when you want to configure an IP address that will not depend on a state of any physical interface, you have to create a bridge interface with no member ports and attach the address to it. So the “interface-state-independent” address exists, but it is not attached to a loopback interface as such.
It makes sense to use an “interface-state-independent” address in mesh topology networks with dynamic routing protocols, where you require path redundancy - if there is an outage on a link between nodes, the traffic gets routed via some other path instead. And you need that an outage of any link does not invalidate an IP address used by the dynamic routing protocols to talk to the router. If there are no alternative paths in your network, there is no point in using interface-state-independent addresses.
To the second question - the interface-state-independent address only exists in the L3 domain. So a neighbor router only knows how to send a packet to that address if it has a route to it. Even if the address fits into a subnet attached to some physical interface, MikroTik will not respond to ARP requests for that address, even if they come in through that physical interface.
What torch shows depends on the addresses in the packets, not on what address is attached to the interface. So the question is what traffic you were torching in the latter case and whether there were any NAT rules configured. I’d suppose there were NAT rules, so even packets sent from the interface-state-independent address got src-nated to the address attached to the WAN interface when routed out through that interface.
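The following RouterOS configuration is an added illustration of the two points made in the post above; it is not taken from the thread or from any MikroTik documentation. It builds the interface-state-independent address as a bridge with no member ports and then shows the kind of masquerade rule that would make torch on the WAN port display the WAN address instead of the loopback address. The interface names (lo0, ether1) and the addresses (10.255.0.1/32, 192.168.88.1) are assumptions chosen for the example.

```routeros
# Added example, not the poster's config. Names and addresses are assumed.

# 1. A bridge with no member ports never goes down, so an address on it
#    stays active whatever happens to the physical ports.
/interface bridge
add name=lo0 comment="no member ports: stays up, acts as loopback"

/ip address
add address=10.255.0.1/32 interface=lo0 comment="interface-state-independent address"

# 2. The address exists only at L3. The router will not answer ARP for
#    10.255.0.1 on any physical port, so a neighbour needs a route to it,
#    e.g. on the neighbour (192.168.88.1 assumed to be this router's
#    address on the shared link):
#    /ip route add dst-address=10.255.0.1/32 gateway=192.168.88.1

# 3. A typical WAN masquerade. srcnat is applied to locally originated
#    packets as well as forwarded ones, so a packet the router sources
#    from 10.255.0.1 and sends out ether1 leaves with ether1's address,
#    which is what torch on ether1 then shows.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="WAN NAT"

# If traffic from the loopback address must keep its source (for example
# routing-protocol peers reached over ether1), exempt it ahead of the
# masquerade rule:
add chain=srcnat src-address=10.255.0.1 action=accept place-before=0 \
    comment="do not NAT traffic sourced from the loopback address"

# Checks: confirm the address is active and watch what actually leaves ether1.
/ip address print where interface=lo0
/tool torch interface=ether1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0
```

With the masquerade rule alone, torch on ether1 shows the ether1 address for every outbound flow, including flows the router itself sources from 10.255.0.1; with the exemption rule in front of it, flows from 10.255.0.1 appear with that address instead. Which of the two configurations is "right" therefore depends on whether anything on the far side of ether1 must see the loopback address.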
Sweet explanation. I think I understood what you were saying, but with my limited experience I see no need for it in my lifetime.
What it didn't answer is what the purpose of the CAPsMAN default rule is, and whether it is just limited to CAPsMAN usage... it seems more generic in nature.
As I have already written to you at other times, 127.0.0.1 means "itself", that is, the loopback interface (localhost / 127.0.0.1/32)
always exists, is not deletable, and is used by the CPU for packets that are sent between internal services of the RouterBoard,
for example The Dude, RADIUS, User Manager, CAPsMAN on a wireless interface on the RouterBoard itself, WireGuard.
Blocking 127.0.0.1 is bullshit, because it is an address that cannot be forwarded, cannot be received, and cannot be sent,
but it is needed to make the services work properly.
Probably a better description exists in English, but for simplicity take this and hope that "someone" writes a better "guide".
Mr sindy, Mr anav, I'm very grateful. Thanks a lot for your time and response.
Thanks rextended, maybe this time the valuable information will stick!!
However, I have never used any loopback in any of my WireGuard configs or useful articles.
Please let me know where I can use it.
Mr rextended, also very many thanks to you, and for your time.
My sincere regards.
Really, your info is so helpful.
Maybe it helps to look at it from another perspective.
A loopback interface with 127.0.0.1 exists on every PC and is accessible from that machine only.
It is useful for pointing any software at your own PC, regardless of whether you change the IP of the actual interface.
Imagine a link to a local web server which points to http://127.0.0.1 and which works even when your DHCP issues a different LAN IP.
Also, if you switch between WiFi and LAN, or take the PC to another location and a different network, this link would always work.
Similarly, routers based on Linux, like MikroTik, have the same loopback interface and IP.
As on a PC, that interface/IP can only be useful when you access things within the router, either through CLI/Winbox/possibly plugins.
But note that that interface/IP is not switched/routed, so other networked devices cannot access it through the network.
So for CAPsMAN... the CAP (client) running on the same router can use this IP in its settings to always point at and connect to the local CAPsMAN (manager).
As both are running on the same router, this IP will always work, regardless of whether any other IPs change or their interfaces get disabled.
To take things further, when you create multiple VLANs on the router and assign it a different IP in each VLAN, you get to a point where the same router can be saved in Winbox as multiple IPs with the same password, and each IP is accessible only from a single VLAN.
This works, but when troubleshooting you need to think about which VLAN you are connecting from to select the proper IP that will get you connected to the router (unless routing between VLANs is allowed, but let's assume it is forbidden).
So instead you can create the loopback adapter and assign it the router management IP, which will be:
a) unique throughout the routable network
b) always on, regardless of the state of particular other router interfaces
c) routable and reachable through any interface on the router (so it survives any interface going down, as long as other interfaces are routable)
d) useful for any automation, management and similar purposes, as it is statically assigned.
This simplifies management, as each router now has a single (ideally routable) IP address to allow access to it through the network.
Now to take things further, this IP address can in a similar manner also be used for network automation, such as the use of dynamic routing protocols and advertisements, and is as such part of the setup instructions for those. If you want to know more on that, check OSPF or BGP.
Another note would be that recent firmware updates started adding an lo interface to the router configuration.
As a word of caution, I would stick to using that interface rather than creating an additional bridge without ports assigned, per some older instructions.
This would be due to the limit of a single bridge supporting hardware offloading (traffic switching for MikroTiks that have a CPU and a switch), though I have no real-life experience of whether using one or the other makes any difference to the functionality of dynamic routing protocols... so I advise you to check further on this if required.
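The post above describes a management address on the lo interface that is reachable from every VLAN and advertised by a dynamic routing protocol. The RouterOS v7 configuration below is an added example of that arrangement, not the poster's own configuration or MikroTik documentation. It assumes a firmware that exposes lo under /interface (as the post says recent versions do), and the address 10.255.0.1/32, the admin subnet 10.200.0.0/24, the transit network 10.0.12.0/30 and the OSPF instance and area names are all chosen for the example.

```routeros
# Added example, not the poster's config. Addresses and names are assumed.

# Management address on the built-in lo interface (stays up regardless of
# physical port state; no bridge consumed, so hardware offload is unaffected).
/ip address
add address=10.255.0.1/32 interface=lo comment="management loopback"

# OSPFv2: use the loopback as router-id, advertise the /32 passively
# (no hellos on lo, just the prefix), and run adjacencies on the transit link.
/routing ospf instance
add name=v2inst version=2 router-id=10.255.0.1
/routing ospf area
add name=backbone instance=v2inst area-id=0.0.0.0
/routing ospf interface-template
add area=backbone interfaces=lo passive=yes comment="advertise management /32"
add area=backbone networks=10.0.12.0/30 comment="adjacency on transit link"

# Only accept management on the loopback address, from the admin subnet,
# and drop management attempts aimed at any other router address. Placed
# after the defconf established/related and 127.0.0.1 rules, which stay.
/ip firewall filter
add chain=input dst-address=10.255.0.1 src-address=10.200.0.0/24 \
    protocol=tcp dst-port=8291,22 action=accept \
    comment="Winbox/SSH to management loopback from admin subnet"
add chain=input protocol=tcp dst-port=8291,22 action=drop \
    comment="no management on per-VLAN or WAN addresses"

# Checks: the /32 is active on lo, OSPF has a full neighbour, and a
# neighbouring router learned the /32 (run the last one on that neighbour).
/ip address print where interface=lo
/routing ospf neighbor print
/ip route print where dst-address=10.255.0.1/32
```

Once the /32 is in every neighbour's routing table, Winbox and SSH sessions target 10.255.0.1 from any VLAN or any path, so a single saved address works no matter which interface the admin happens to be behind, and an interface outage on one side of the router does not change where it is managed from. The drop rule is what turns the loopback from a convenience into a control: the per-VLAN addresses still exist for routing, but they no longer accept management connections.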