SRC NAT to WAN IP without the IP existing on any interface?

Do WAN/Public IP addresses have to be assigned to any interface of the core or edge router?

Here is my topology
example.PNG
And here is my config:

[User@Gateway-CCR1009] > ip firewall nat export 

/ip firewall nat
add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.11.1.4 to-addresses=45.85.224.250
add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.1.0.0/22 to-addresses=45.85.224.226
add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.2.0.0/22 to-addresses=45.85.224.227
add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.6.0.0/22 to-addresses=45.85.224.230
add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.7.0.0/22 to-addresses=45.85.224.231
add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.9.0.0/22 to-addresses=45.85.224.232
add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.14.0.0/22 to-addresses=45.85.224.234
add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.13.0.0/22 to-addresses=45.85.224.233
add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.4.0.0/22 to-addresses=45.85.224.229
add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.3.0.0/22 to-addresses=45.85.224.228
add action=src-nat chain=srcnat out-interface=vlan70Fiber to-addresses=122.88.229.202

[User@Gateway-CCR1009] > ip route export 

/ip route
add distance=1 gateway=122.88.229.201

[User@Gateway-CCR1009] > ip address export 

/ip address
add address=122.88.229.202/30 interface=vlan70Fiber network=122.88.229.200
add address=10.255.255.12 interface=LoopBack network=10.211.115.12
add address=10.89.89.1/29 interface=ether3 network=10.89.89.0
add address=45.85.224.225/27 disabled=yes interface=vlan70Fiber network=45.85.224.224

So, my gateway is set to 122.88.229.201/30 (the ISP's router).
All is working fine.
If I set the following line (from the config above):

add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.13.0.0/22 to-addresses=45.85.224.240

Then the clients who have any private IP in the range of 10.13.0.0/22 will have their public IP shown as 45.85.224.240 if they check it via whatismyipaddress.com.

My questions: That public IP is not pingable (because it is not assigned to any interface on my core router, edge router or any specific client), so is this fine?
Could it cause any potential issues?
Do I have to assign it to any interface?
Is there any standard that I have to follow regarding this?

Thanks

Router doesn’t care, it will happily change address to anything you tell it to. And if /27 is routed to you, it will work fine.

Only you should add unreachable route to /27 on router, because otherwise new connections to any address in /27 would be bounced back to ISP (and then back to you, back to ISP, … until TTL expires). There’s no problem with responses to connections initiated from clients, because even though packets will originally go to public address, conntrack will know that they belong to existing connection and will change destination to client’s address.

This would not work if /27 wasn’t routed to you and instead the gateway (ISP’s router) would be in same /27, because ISP’s router would send ARP request, but without the address on your router, it would not get any response.
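
The bounce described in the reply above, as an added example that is not part of the original thread: a simplified Python model that follows one inbound packet between the ISP router and the customer router, with and without the unreachable route, and for a reply that matches a conntrack entry. The conntrack entry, the client address 10.13.0.10, the port numbers and the one-decrement-per-router TTL model are assumptions made for illustration.

```python
import ipaddress

# Values from the thread: the /27 routed to the customer and the src-nat address.
PUBLIC_BLOCK = ipaddress.ip_network("45.85.224.224/27")
NAT_IP = ipaddress.ip_address("45.85.224.240")

# Constructed conntrack entry: a client behind the src-nat rule has an
# outbound connection whose replies arrive on NAT_IP port 40001.
CONNTRACK = {(NAT_IP, 40001): "10.13.0.10"}

def customer_routes(with_unreachable):
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "to-isp")]  # default route
    if with_unreachable:
        routes.append((PUBLIC_BLOCK, "unreachable"))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    matching = [(net, action) for net, action in routes if dst in net]
    return max(matching, key=lambda r: r[0].prefixlen)[1]

def trace(dst, dport, ttl, with_unreachable, conntrack=None):
    """Follow one inbound packet from the ISP router; return (outcome, hops)."""
    dst = ipaddress.ip_address(dst)
    conntrack = conntrack or {}
    routes = customer_routes(with_unreachable)
    at, hops = "isp", 0
    while ttl > 0:
        ttl -= 1          # simplified: every router handling the packet decrements TTL
        hops += 1
        if at == "isp":   # ISP routes the whole /27 to the customer
            at = "customer"
            continue
        # Customer router: conntrack rewrites replies before the routing lookup.
        if (dst, dport) in conntrack:
            return "delivered:" + conntrack[(dst, dport)], hops
        if lookup(routes, dst) == "unreachable":
            return "unreachable", hops
        at = "isp"        # only the default route matched: back to the ISP
    return "ttl-expired", hops

if __name__ == "__main__":
    print(trace("45.85.224.240", 443, 64, with_unreachable=False))
    print(trace("45.85.224.240", 443, 64, with_unreachable=True))
    print(trace("45.85.224.240", 40001, 64, True, CONNTRACK))
```

Without the unreachable route, a single unsolicited packet is handled once per TTL unit across the two routers; with it, the packet stops at the customer router on its first arrival, while replies to existing connections are delivered either way.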

Thank you so much for the reply. You are a legend for public IP routing.
So now my config looks like this:

/ip route 
add distance=1 dst-address=45.85.224.224/27 type=unreachable

/ip route print
1229 A SU 45.85.224.224/27                                            1

Adding all of the Public IP addresses to the vlan70Fiber interface is fine too and will work well, right?
Any advantages/disadvantages to this approach that you can mention?

Small advantage is that you don’t need to add many addresses to router. Router wouldn’t mind, but you can save few minutes. So it’s really small advantage.

Disadvantage is that it may feel a little wrong or confusing to use addresses not assigned anywhere. It’s not difficult to get over it, but same can happen to someone else who gets to it after you. When addresses can be seen on router, it may be easier to understand. You also need to deal with bouncing packets (either using unreachable route, or firewall could do it too), which would not be needed if router was aware where they are (assigned to this router or routed somewhere else in your network). But to have such unreachable route is good idea anyway. Worst case is that it will be useless. But if you make some mistake, it will make sure that your and ISP’s router won’t play useless ping pong with packets.

If you want to add them to router, it may be better to use loopback interface (or empty bridge, because RouterOS doesn’t have loopback you can use). Not for technical reasons, but again to make it more obvious that it’s not a subnet tied to particular interface.

OK, thank you once again for the excellent and ‘to-the-point’ advice.
I have added the IP addresses to the vlan70 interface (the same interface that the other WAN IP is on) just to mitigate any future issues that you have mentioned.