Source address for Updates and NTP

Hi there

I have a RB750 setup as my home firewall/router, PPPoE to an ADSL modem in bridge mode. Firewall and NAT rules setup to my liking and everything is working well, except one thing - external connectivity from the RB750 itself.

I cannot seem to successfully connect to an external NTP server or the RouterOS updates. Running a packet sniff on the attempts I see the traffic leaving from the device with the source IP of the WAN service, which I’d imagine would be fine but it doesn’t get a response. I’ve tried a variety of firewall and srcNAT rules to get it working to no avail.

Is there a way to ensure the RouterOS system uses a particular internal IP as its source address for these connections so the existing firewall and nat rules should apply?

Thanks for any help.

Can you post your config, please?

Check “/ip firewall nat”. Ensure the masquerade covers the router. This does not.

/ip firewall nat
chain=srcnat action=masquerade src-address=192.168.0.0/24

This does.

/ip firewall nat
chain=srcnat action=masquerade out-interface=ether1

Change ether1 to the name of your WAN interface. In your case, it may be the name of the PPPoE interface.

Hi all,

Question is still open - Is there a way to ensure the RouterOS system uses a particular internal IP as its source address?

My addresses list looks like below:

/ip address
add address=192.168.88.254/24 comment=defconf interface=bridge network=192.168.88.0
add address=aa.bb.dd.243/29 interface=vlan762 network=aa.bb.dd.240
add address=aa.bb.dd.251/29 interface=vlan763 network=aa.bb.dd.248
add address=aa.bb.cc.77 interface=loopback0 network=aa.bb.cc.77
add address=aa.bb.cc.78 interface=loopback0 network=aa.bb.cc.78
add address=10.96.96.88/24 interface=vlan29 network=10.96.96.0
add address=aa.bb.cc.254/27 interface=vlan3802 network=aa.bb.cc.224
add address=aa.bb.cc.30/27 interface=vlan3801 network=aa.bb.cc.0
add address=aa.bb.cc.97/28 interface=vlan3000 network=aa.bb.cc.96
add address=10.255.88.1 interface=loopback1-kpilan network=10.255.88.1
add address=aa.bb.cc.190/28 interface=vlan3803 network=aa.bb.cc.176

I have BGP and OSPF configured. Dynamic default route, a couple of VRFs.

I need to use one of the loopback addresses for updates/NTP and other RouterOS originated connections.

I’m afraid the only method applicable along with dynamic routes is to use an ip firewall nat rule

chain=srcnat action=src-nat to-addresses=the.ip.you.want

To avoid src-nat’ing forwarded traffic, you are free to choose one of two methods:

  • add a packet mark to every packet in chain output of table mangle, and only src-nat packets with that packet mark
  • create an address-list holding all of Mikrotik’s own addresses, and only src-nat packets matching that list as src-address-list

Facepalm - Thank you sindy, that’s such an obvious idea that I am annoyed at myself for not thinking of it myself! This works perfectly. I assume most people with a reasonably complex network will have combinations of OSPF, BGP, Static Routes, and a bunch of routers with random IP addresses, as well, which makes this annoyingly complex, and you can’t just use a Loopback address like you can with Ciscos, for example. But your idea is obvious, and simple to implement!

Here is the quick guide for anyone reading along later:

  • Make sure you have an Address List of ‘do not nat these addresses’ - I assume you have that, or some other way of tagging packets or connections. That is up to you, but for me an Address List was the easiest.
    Note: OSPF and VRRP use multicast traffic! Make sure you have 224.0.0.0/4 as part of that list!
  • Create a Mangle rule
/ip firewall mangle add action=mark-packet chain=output src-address-list=nonat-dests dst-address-list=!nonat-dests log=yes new-packet-mark=nat-output passthrough=yes
  • Create a NAT rule to catch packets marked with that packet mark:
/ip firewall nat add action=src-nat chain=srcnat log=yes packet-mark=nat-output to-addresses=your.external.ip.addr

That’s it! Thanks for your idea, sindy, and I hope this snippet helps someone else.
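The address-list variant described above, written out as one RouterOS script (an added example, not posted in the thread): it fills the list from the router’s own /ip address entries, then installs the mangle and src-nat rules from the guide. The list and mark names follow the guide, your.external.ip.addr is a placeholder, and putting whole connected subnets (not just the router’s host addresses) in the list is this example’s choice.

```routeros
# Added example: fixed source address for router-originated traffic.
# Run once from a terminal or /system script; re-run after address changes,
# because entries taken from dynamic (e.g. PPPoE) addresses are not tracked.

# 1. Addresses that identify the router's own sources and that must never be
#    reached through src-nat when they are the destination.
/ip firewall address-list
add list=nonat-dests address=224.0.0.0/4 comment="multicast: OSPF hellos, VRRP"

# Every configured /ip address entry, prefix included, so router-originated
# traffic to directly connected subnets is left untouched as well.
:foreach i in=[/ip address find] do={
    :local addr [/ip address get $i address]
    :if ([:len [/ip firewall address-list find list=nonat-dests address=$addr]] = 0) do={
        /ip firewall address-list add list=nonat-dests address=$addr comment="router own"
    }
}

# 2. chain=output only sees packets the router itself generates, so forwarded
#    LAN traffic can never pick up this mark. passthrough=yes keeps later mangle
#    rules working on the same packet.
/ip firewall mangle
add chain=output src-address-list=nonat-dests dst-address-list=!nonat-dests action=mark-packet new-packet-mark=nat-output passthrough=yes comment="router-originated traffic to rewrite"

# 3. Rewrite only marked packets. srcnat stops at the first matching rule, so
#    move this rule above any masquerade rule, otherwise masquerade wins and the
#    source stays the WAN address (the symptom described at the top of the thread).
/ip firewall nat
add chain=srcnat packet-mark=nat-output action=src-nat to-addresses=your.external.ip.addr comment="router-originated traffic: fixed source address"
```

Check the result with /ip firewall nat print stats and a sniff on the WAN interface: the src-nat counter should increase when you trigger /system package update check-for-updates, while OSPF hellos to 224.0.0.5 keep their interface address.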

Hi there,

I’m not understanding this completely. I’m using a Mikrotik to support IPoE and have a public subnet which is used on other devices also to build networks. I can’t seem to use DNS resolving for updating and also I’m not able to ping 8.8.8.8 unless I use a ping with a source IP of my bridge. I do not use NAT.

I simply just want the Mikrotik to use an IP I state for upgrade, is this possible?

It depends on how you assigned IP address(es) to the router … could be there’s some mistake there. If you can post the complete config (you can obfuscate any public addresses, but obfuscate them so that it’s consistent throughout the whole config), we can have a look at it.

Hi,

My apologies for the late reply, I forgot to check my email during the holidays. I’ve managed to get it working by adding a route and using a source address on that route that I want to use. See the example below, for me this works fine. It’s only needed for the update:

/ip route
add comment="added for local resolv upgrading" distance=1 dst-address=8.8.4.4/32 gateway=145.54.63.5 pref-src=[source to use]
add distance=1 dst-address=8.8.8.8/32 gateway=145.54.63.5 pref-src=[source to use]
add comment="added for upgrading" distance=1 dst-address=159.148.147.204/32 gateway=145.54.63.5 pref-src=[source to use]

Thanks for your feedback!