I have been trying to figure out the issue with using a bridge interface as a loopback port. My RB750G is configured as follows:
xxx.xxx.7.167/27
xxx.xxx.62.122/29
10.10.10.1/24
loopback xxx.xxx.54.1/28
I want to NAT the 10.10.10.0 network with the out interface being the 54.1/28 (loopback). Port 1 is connected via wireless and port 3 is a DSL line. The intent is to have a router which provides failover to the DSL if the wireless link fails. I have added default routes and increased the cost for the DSL line. Once I added the loopback I am unable to NAT. Is this possible with RouterOS? I do have IP firewall checked. Also srcnat is set to masquerade. I tried using the out port as the loopback but it does not work.
Does anybody know if you can NAT a bridge port which is acting as a non-physical port with an IP address? I can ping the port from the outside and ping the 53.1 interface from the inside, but I can't get to the public side of the network when I have the NAT rule set to use the loopback interface. Thanks in advance.
Try using an explicit src-nat action rather than masquerade. Masquerade is tied to interfaces, and you don’t want to NAT on the loopback interface itself, you just want to use its IP addresses when pushing out to the WAN.
Assuming four interfaces named ‘wireless’, ‘dsl’, ‘lan’ and ‘loopback’ with the following IP addresses:
wireless - 1.1.1.1/24
dsl - 2.2.2.1/24
lan - 10.10.10.1/24
loopback - 3.3.3.1/24
and assuming that you can reach 3.3.3.1 via the wireless and dsl interfaces, something like the below should work:
Fewi,
I tried it out but I am not seeing the bridge stats increase. I can ping out etc. I have 2 static routes with the wireless as my primary and DSL as my secondary with a cost of 5. Here are my NAT rules:
/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether1 src-address=10.10.10.0/24 to-addresses=xxx.xxx.54.1
add action=src-nat chain=srcnat comment="" disabled=no out-interface=ether2 src-address=10.10.10.0/24 to-addresses=xxx.xxx.54.1
I started a ping on my laptop, which is connected to port 3 of the 750G and has an IP address of 10.10.10.220. The ping goes out port 1, and if I disconnect the cable to port 1 (simulating a wireless outage) the DSL port does not pick up and continue. I get timeouts on my laptop until I plug the wireless cable back in. Strange problem...
Fewi,
Here is some more data. When I use the terminal in Winbox the 750G does what it is supposed to do, which is switch default routes to the backup. The problem lies with NAT. When the laptop is on port 3, which is the NAT'd port, and I disconnect port 1, the pings on port 3 from the laptop stop until the cable is plugged in. But the pings on the Winbox terminal keep going. Should I send a message to support?
Fewi,
More data. I had to log on to another 750 to add a simple queue and the address showed up as 54.1 in the log. So the NAT outbound is actually giving me the correct IP address. So now the remaining problem is the failover using static default routes.
Chupaka,
I added check-gateway=ping and the problem still occurs. When I disconnect port 1 while I have a ping going from my laptop it times out, but the routing table says port 1 is unreachable and port 2 is reachable. It also works when I have a terminal in Winbox doing a ping. I disabled the default route manually and the router performed as expected. There were no ping timeouts. I checked and the traceroutes showed the correct routes before and after. As another check I disabled the physical port via Winbox and it exhibited the same problem. I suspect from my QA background that when the port is physically disabled it is not signalling the upper layers to flush the route. It may have to do with the fact that I am using a loopback port via the bridge. Many thanks for jumping in and helping me. I did enter a support ticket.
Chupaka,
Port 1 is a wireless link and port 2 is a DSL. Port 3 is the NAT'd 10.10.10.0 network. The first step was to ensure the router acted correctly on a simple failover by unplugging the Ethernet cable. I thought it worked when only using the Winbox terminal, but when I actually plugged into the LAN on port 3 and ran the same test it failed. I plan on using BGP and I was actually testing BGP when this problem surfaced. I still think it is a bug that when the port is disabled the bridge port does not get notified to switch routes. Sorry that I didn't respond earlier last evening. I didn't check the forum last night. I did open a trouble ticket:
[Ticket#2010052066000043] RB750G Failover Static Routes using Loopback
Chupaka,
The customer has a /28 subnet. They want to have the 54.1 network available to the internet since they have various servers which they host. Currently they are using a /29 which is also NAT'd to the 10.10.10.x/24. They need more upload bandwidth than is available via DSL. I sold them 3 Mbps wireless internet connectivity and they wanted to keep the DSL as a backup. So I set up the 750G with port 1 as the wireless and port 2 as the DSL, added a bridge with an IP subnet of 54.1, and port 3 has the 10.10.10.0/24 network. My goal was that I would have routes to or from the 54.1 for primary and backup. The only way to have the 54.1/28 available was to add a bridge and add the 54.1 as its address. I used static default routes with the cost being higher on the DSL. I was going to use iBGP to notify the upstream that the DSL is the route to use for incoming requests to the 54.1 network. Do you have another idea to make this work? Also I have a number of port-forwarded ports that they are currently using. They are not an issue yet. I used the port map and netmap features of RouterOS. I believe in MikroTik and I want to stay with this router. Once I get this figured out I will be able to use the same concept for other clients.
Chupaka,
Yes, we own both ends. The DSL is routed to a different router but is on the same LAN as the wireless main router. Can you make any other suggestions on my network design instead of using a bridge and assigning it an IP subnet?
Chupaka,
I have Cisco 7200s as my main routers. They are configured correctly. Everything was routing correctly until I realized that the bridge interface which had the 54.1 subnet was not switching over to the backup route when the primary cable was removed. Do you have an opinion on whether I should have the bridge interface handling the 54.1 subnet? If I attached the subnet to an Ethernet interface and that interface becomes unavailable, then the subnet is not available via the secondary route. So is using the bridge interface the correct configuration?
Huh... I see - you don't have 'check-gateway' in your routes. Just add 'check-gateway=ping' - that should solve your problem. Without checking, the route will not become inactive.
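The following is an added example of the whole setup fewi described (a portless bridge used as a loopback, src-nat rather than masquerade, one rule per WAN interface) combined with Chupaka's check-gateway advice. It is not fewi's or Chupaka's config and not the original poster's; it uses fewi's placeholder interface names and addresses, and the two upstream gateway addresses (1.1.1.254 and 2.2.2.254) are assumptions made up for the example.

```routeros
# Portless bridge acting as a loopback; the public /24 lives here, not on a physical port,
# so it stays up when either WAN cable is pulled.
/interface bridge
add name=loopback

/ip address
add address=1.1.1.1/24 interface=wireless
add address=2.2.2.1/24 interface=dsl
add address=10.10.10.1/24 interface=lan
add address=3.3.3.1/24 interface=loopback

# Two default routes. distance decides preference; check-gateway=ping is what lets the
# primary route go inactive when the next hop stops answering (without it the route only
# goes inactive if the interface itself loses link, which a bridge never does).
# Gateway addresses are assumed for this example.
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.254 distance=1 check-gateway=ping comment="primary via wireless"
add dst-address=0.0.0.0/0 gateway=2.2.2.254 distance=5 check-gateway=ping comment="backup via DSL"

# src-nat (not masquerade) so the translated address is always the loopback address,
# whichever WAN the packet leaves on. One rule per out-interface; no rule matches the
# loopback itself because packets never leave through it.
/ip firewall nat
add chain=srcnat action=src-nat src-address=10.10.10.0/24 out-interface=wireless to-addresses=3.3.3.1
add chain=srcnat action=src-nat src-address=10.10.10.0/24 out-interface=dsl to-addresses=3.3.3.1
```

To verify the failover, watch `/ip route print` while the primary gateway is unreachable: the wireless route should lose its active flag and the DSL route should take over, and `/ip firewall connection print` should show LAN connections still translated to 3.3.3.1 on the new path. Because both rules translate to the same address, the translated address of an existing connection does not change at failover; only the outgoing interface does.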