Noncontinuous netmask

Hi

How to add a noncontinuous network mask? I have 6 interfaces - from 10.0.0.1/24 to 10.0.5.1/24 and each subnet has reserved some IPs for dhcp for unregistered users - IPs 248-254. I want to redirect such IPs to my captive portal. I know I can use 6 rules - 10.0.0.248/29 to 10.0.5.248/29, but I would like to use only one rule 10.0.0.248/255.255.0.248 (as I have used to do with Linux).

Mikrotik allows me to enter such mask but seems to not understand it:

[admin@MikroTik] > /ip firewall nat add chain=dstnat src-address=10.0.0.248/255.255.0.248 dst-port=80 protocol=tcp action=dst-nat to-addresses=89.219.226.6

[admin@MikroTik] > /ip firewall nat print
1 chain=dstnat src-address=10.0.0.248-10.0.255.255 protocol=tcp dst-port=80
action=dst-nat to-addresses=89.219.226.6 to-ports=0-65535

Thanks for any help.

An access list perhaps?

try :

/ip firewall address-list add list=net address=10.0.1.248/29
/ip firewall address-list add list=net address=10.0.2.248/29
/ip firewall address-list add list=net address=10.0.3.248/29
/ip firewall address-list add list=net address=10.0.4.248/29
/ip firewall address-list add list=net address=10.0.5.248/29

/ip firewall nat add chain=dstnat src-address-list=net dst-port=80 protocol=tcp action=dst-nat to-addresses=89.219.226.6

Yes, that is what I try to avoid. In Linux I just use 10.0.0.248/255.255.0.248. I see no reason that Mikrotik rejects/breaks such mask.

From RFC1812:

The classical IP addressing architecture used addresses and subnet
masks to discriminate the host number from the network prefix. With
network prefixes, it is sufficient to indicate the number of bits in
the prefix. Both representations are in common use. Architecturally
correct subnet masks are capable of being represented using the
prefix length description. They comprise that subset of all possible
bits patterns that have
o a contiguous string of ones at the more significant end,
o a contiguous string of zeros at the less significant end, and
o no intervening bits.


Routers SHOULD always treat a route as a network prefix, and SHOULD
reject configuration and routing information inconsistent with that
model.

Regards

Andrew

I don’t think that you have read my previous post. I don’t want to add a route with noncontinuous mask. I know that is incorrect. I want to use such mask ONLY for filtering purposes and in that case noncontinuous mask is nothing wrong. In filtering mask is used only to match the rule or not. It is only a match, it doesn’t create any subnet nor route.

Gregor

You should probably email support asking for a feature request as this is not part of their algorithm right now.

Gregor

I’d say that what you’re trying to do is still against the rules.

Architecturally correct subnet masks are capable of being represented using the prefix length description.

In your case, clearly they do not.

Whilst it’s possible to set non-contiguous subnet masks on some clients (but not all), and it is a neat trick, I’d not recommend its use anywhere. There are clearer ways of achieving the same thing.

Regards

Andrew

Against WHAT rules? It is ONLY a match. You can match packets based on their tcp flags, ports and so on. Address/mask matching is a simple bitwise operation resulting in “true” or “false”. Tell me what rules do you mean?
Who said that packet matching should be based only on a continuous mask?
And remember one very important thing: Mikrotik is Linux based - Linux allows noncontinuous mask in matching.

I would say that null interface on Mikrotik is also a trick. I can’t use network statement in bgp definition, I have to use tricks with redistribute connected. Mikrotik forces me to use tricks. Why this one trick is bad, while some others are good? :)

Gregor
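
The mask comparison argued over in this thread, as an added example (not code from any poster or from MikroTik): it checks the rule 10.0.0.248/255.255.0.248 as a bitwise match, counts how many extra source addresses the range shown by `nat print` would also redirect, and expands the mask into equivalent /29 prefixes for an address list. All function names are hypothetical; the addresses and the address-list command form are taken from the posts above.

```python
import ipaddress

def ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def is_contiguous(mask):
    """True if the mask is ones followed by zeros (expressible as /n)."""
    inv = ~ip(mask) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0

def mask_match(addr, base, mask):
    """Bitwise match as described in the thread: compare only masked bits."""
    return (ip(addr) & ip(mask)) == (ip(base) & ip(mask))

def range_match(addr, lo, hi):
    """Match against the start-end range that the print output shows."""
    return ip(lo) <= ip(addr) <= ip(hi)

def expand(base, mask):
    """Expand base/mask into the equivalent list of CIDR prefixes."""
    m = ip(mask)
    host_bits = 0  # trailing zero bits of the mask become the prefix's host part
    while host_bits < 32 and not (m >> host_bits) & 1:
        host_bits += 1
    free = [b for b in range(host_bits, 32) if not (m >> b) & 1]  # wildcard bits
    nets = []
    for combo in range(1 << len(free)):
        value = ip(base) & m
        for j, bit in enumerate(free):
            if (combo >> j) & 1:
                value |= 1 << bit
        nets.append(ipaddress.IPv4Network((value, 32 - host_bits)))
    return nets

def overmatch(lo, hi, base, mask):
    """Count addresses the range accepts but the mask would reject."""
    m, want = ip(mask), ip(base) & ip(mask)
    return sum(1 for a in range(ip(lo), ip(hi) + 1) if (a & m) != want)

BASE, MASK = "10.0.0.248", "255.255.0.248"   # rule from the first post
LO, HI = "10.0.0.248", "10.0.255.255"        # range shown by 'nat print'

if __name__ == "__main__":
    nets = expand(BASE, MASK)
    print(len(nets), "prefixes;", overmatch(LO, HI, BASE, MASK), "extra addresses in range")
    for n in nets[:6]:  # the six interface subnets 10.0.0.x to 10.0.5.x
        print(f"/ip firewall address-list add list=net address={n}")
```

The mask itself covers every third octet from 0 to 255, so the full expansion is wider than the six interface subnets; only the first six prefixes are emitted as address-list entries.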