pref src not honored in rOS7

Hello,
I have an RB5009 with a particular internet connection.
With my config, the clients connected to the MikroTik all have access to the internet without issues, but the MikroTik itself doesn’t.

here is the anonymised config

# may/06/2022 11:27:06 by RouterOS 7.2.2
# model = RB5009UG+S+
/ip address
add address=192.168.16.1/24 interface=br-lan network=192.168.16.0
add address=198.198.198.50 comment="interco private network" interface=ether1 network=198.198.198.51
add address=109.109.109.110 comment="ip pub 1" interface=ether1 network=109.109.109.110
add address=109.109.109.111 comment="ip pub 2" interface=ether1 network=109.109.109.111

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=198.198.198.51 pref-src=109.109.109.110 routing-table=main suppress-hw-offload=no

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.0.0/16 to-addresses=109.109.109.110/31

So as you can see, this is one of these /31 interconnections.
I can ping my gateway fine, and my 2 public IPs are pingable from the WAN.
My NAT is working fine and my clients are all accessing the internet without issue;
the problem is with the pref-src in the /ip route section
when I try to ping 1.1.1.1 from my RB3011

[root@5009] > ping 1.1.1.1
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 1.1.1.1                                                      timeout
    1 1.1.1.1                                                      timeout
    2 1.1.1.1                                                      timeout

And when I use the sniffer, I see that the wrong address is used as the src address, and my route setting (pref-src) is ignored

[root@5009] > tool/sniffer/quick ip-address=1.1.1.1
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE  TIME   NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS   DST-ADDRESS  PROTOCOL  SIZE  CPU
ether1     0.198    1  ->   DC:2C:6E:3C:E4:A9  F0:4A:02:F5:43:F4  198.198.198.50  1.1.1.1      ip:icmp     70    1
ether1     1.201    2  ->   DC:2C:6E:3C:E4:A9  F0:4A:02:F5:43:F4  198.198.198.50  1.1.1.1      ip:icmp     70    1
ether1     2.202    3  ->   DC:2C:6E:3C:E4:A9  F0:4A:02:F5:43:F4  198.198.198.50  1.1.1.1      ip:icmp     70    2
ether1     3.203    4  ->   DC:2C:6E:3C:E4:A9  F0:4A:02:F5:43:F4  198.198.198.50  1.1.1.1      ip:icmp     70    2
ether1     4.205    5  ->   DC:2C:6E:3C:E4:A9  F0:4A:02:F5:43:F4  198.198.198.50  1.1.1.1      ip:icmp     70    2

I did a similar config on an RB3011 on ROS6 at another place, and it was working perfectly.
Do you guys have any idea how I can change my source address on that router?
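The check done by eye in the post above (compare the sniffer's SRC-ADDRESS with the pref-src of the route that matches the destination), as an added Python example that is not part of the original post. The function names are hypothetical, and the sample input is the route export and two sniffer rows quoted in the post.

```python
import ipaddress
import re

# Sample input: the route export and two sniffer rows from the post above.
EXPORT = """/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=198.198.198.51 pref-src=109.109.109.110 routing-table=main suppress-hw-offload=no
"""
SNIFFER = """INTERFACE  TIME   NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS   DST-ADDRESS  PROTOCOL  SIZE  CPU
ether1     0.198    1  ->   DC:2C:6E:3C:E4:A9  F0:4A:02:F5:43:F4  198.198.198.50  1.1.1.1      ip:icmp     70    1
ether1     1.201    2  ->   DC:2C:6E:3C:E4:A9  F0:4A:02:F5:43:F4  198.198.198.50  1.1.1.1      ip:icmp     70    1
"""

def parse_routes(export):
    """Return key=value dicts for every 'add' line in the '/ip route' section."""
    routes, section = [], None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/ip route" and line.startswith("add "):
            routes.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return routes

def parse_sniffer(text):
    """Turn sniffer rows into dicts keyed by the header row's column names."""
    rows = [l.split() for l in text.splitlines() if l.strip()]
    return [dict(zip(rows[0], r)) for r in rows[1:] if len(r) == len(rows[0])]

def best_route(routes, dst, table="main"):
    """Longest-prefix match over the enabled routes of one routing table."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes
            if "dst-address" in r
            and r.get("routing-table", "main") == table
            and r.get("disabled", "no") == "no"
            and dst in ipaddress.ip_network(r["dst-address"], strict=False)]
    return max(hits, default=None,
               key=lambda r: ipaddress.ip_network(r["dst-address"], strict=False).prefixlen)

def pref_src_mismatches(export, sniffer):
    """List (num, seen_src, expected_src) for outbound packets that ignore pref-src."""
    routes, bad = parse_routes(export), []
    for p in parse_sniffer(sniffer):
        route = best_route(routes, p["DST-ADDRESS"]) if p["DIR"] == "->" else None
        # Only meaningful for router-originated traffic such as the ping above.
        if route and "pref-src" in route and p["SRC-ADDRESS"] != route["pref-src"]:
            bad.append((p["NUM"], p["SRC-ADDRESS"], route["pref-src"]))
    return bad

if __name__ == "__main__":
    for num, seen, expected in pref_src_mismatches(EXPORT, SNIFFER):
        print(f"packet {num}: source {seen}, route pref-src is {expected}")
```

Forwarded client traffic that has been through the src-nat rule carries the NAT address, not pref-src, so feed this only captures of traffic the router itself originates.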

I am no expert in these things but you may want to try using another table for the first item, and for the second item I don't get why you are using such a wide source address, when your LAN subnet is much smaller??

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=198.198.198.51 pref-src=109.109.109.110 routing-table=main suppress-hw-offload=no

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.0.0/16 to-addresses=109.109.109.110/31
(/ip address
add address=192.168.16.1/24 interface=br-lan network=192.168.16.0)

For the first item suggest
/routing table add name=usePref fib
/routing rule add src-address=109.109.109.110 action=lookup-only-in-table table=usePref
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=198.198.198.51 routing-table=usePref

Thanks anav, I will try that and update this post with the results.

I tried your exact addresses with CHR 7.2.3 and it works as expected (uses route’s pref-src as source).

I will never understand pref source sigh… no matter how many times you explain it LOL.

Just for example,
If on ether1 WAN you have 3 public IP addresses (ignoring why),
as long as no other specific settings are involved, the interface uses the IP with the lowest value.
If the 3 IPs are 2.255.255.1, 2.0.0.1 and 2.0.1.1, 2.0.0.1 is used because it has the lowest value.
With pref-src you can specify, when valid, which of the 3 IPs must be used.

Well that was easy!!!
https://www.youtube.com/watch?v=3YmMNpbFjp0

I wish Sob could be so clear! :stuck_out_tongue_winking_eye:
Seriously, is that the only time to use it (multiple IPs for one WAN).
Try one a little more complex, to make me think a tad harder.

I guess @anav is waiting for this one:

when router has one or more point-to-point interfaces and one doesn’t assign IP addresses to those interfaces, then when router needs to create and send a packet through that interface, it uses IP address of one of (randomly?) selected interfaces as source address (which might even be completely wrong for given scope, peer might use different route for that IP address). One can override that by setting pref-src on route config:

/ip route
add distance=1 dst-address=192.168.13.0/24 gateway=wg-if pref-src=192.168.42.1

Yes, that's a good start, what the heck is a point to point interface and furthermore one that doesn't get assigned IP addresses? I didn't know you were Greek!! :wink:

Hello, I’ve taken a look this morning, and my pref-src thing is still not working.
What's funny is I can connect to the public IP via SSH, but when inside the router I can’t ping outside since the router wants to use the bad address as src.
The issue might be because the IPs that I added are in /32.

If you want to take a look I can open SSH access, the public IPs are working.

I’d expect that IP you want to use as pref src has to be routable via interface used … In most trivial case this means that IP address belongs to same IP subnet as upstream gateway which means that /32 addresses are useless. And AFAIK SRC-NAT doesn’t apply when you manually set pref-src address.

I just went on another site where we have the same hardware and a similar config,
and on the other site, the pref-src is working.

I’m baffled

According to https://help.mikrotik.com/docs/display/ROS/How+Packets+Are+Routed#HowPacketsAreRouted-ConnectedRoutes, there were some changes:

The preferred source is not used anymore for connected routes. FIB chooses the source address based on the out-interface. This allows making setups that in ROS v6 and older were considered invalid. See examples for more details.

But it talks only about connected routes, where you couldn’t set pref-src anyway (except maybe with routing filters). Other manual routes shouldn’t be affected. But perhaps under some circumstances something may not work as intended, it’s possible, but so far what I tried worked.

Not to help your question but also help anav

I use pref-src with my loopback IP for most things. Consider my sites are as follows

Internet<–>10.0.0.1<–>10.0.1.1<–>10.0.2.1<–>10.0.3.1<–>Customer

In a normal scenario of customer tracerouting to internet, you’d see the IP respond on the interface pointing towards customer on each hop. I set my pref-src for as many routes as I can to be the loopback site IP, so when I traceroute through my network, no matter the interface it comes in/out of, it shows 10.0.x.1 - makes a nice clean traceroute. It's only really applicable for input/output data as forwarded data will already have its own src-address set, and there’s some advantage to it if you are load balancing to control which link it comes back in on, but other than that in a ‘router’ that mostly does just forwarding, you wouldn’t use it much.