Unicast Reverse Path Forwarding

Has anyone been able to configure Unicast Reverse Path Forwarding in RouterOS?

I did some tests with on-demand Firewall Filtering rule activation (rules added on PPP Connection), but the implementation is tricky and can’t cover all scenarios available in a PPP Authenticated Session environment (for example if a Framed-Route is dynamically assigned to a User via Radius and injected in the created PPP IF On-Demand).

The RPF feature is commonly used on Access Device Interfaces, basically to prevent User IP Spoofing. For this reason I think it is in the Top5 entry of Network Administrator RouterOS Wishlists! :)

I see some related requests in some old posts in this forum, but I can’t find specific replies on this topic.

In the Linux kernel uRPF has been supported “forever”, and can be turned on using a single command.
So this should theoretically be easy for MikroTik to implement.

echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Having this would enable simpler firewall configurations and higher performance for CPEs, since spoofed packets would be dropped before reaching the layer 3 firewall.

Any update regarding uRPF? I believe that since it is already part of the Linux kernel and is regarded as standard for advanced routers, it should be enabled in RouterOS as well.

http://wiki.mikrotik.com/wiki/Manual:IP/Settings

I’ve been trying it on 6.1 and I have found some problems:

  1. If I enable it, it seems it isn’t actually enforced until I reboot the router.

  2. This is not the best way to implement it. It should be controlled for each interface, instead of being an all or nothing parameter.

In a provider network you want to enable rp-filter on customer facing interfaces, and leave it disabled on your internal interfaces. Otherwise, depending on your configuration, routing asymmetries, etc., strict RPF will kill legitimate traffic.

So, please, change it and make it so that it can be enabled and configured as an interface specific parameter instead of a global setting.

Mikrotik please consider making uRPF configurable on a per-interface basis instead of globally only. Like Cisco and others have it. The current implementation breaks asymmetric routing. Thanks

Linux has a matcher in the iptables firewall that allows you to match on packets (not) adhering to the RP filter:

-m rpfilter [--invert] [--loose]

This should be added to RouterOS as well (as part of the firewall) so you can have full flexibility in what you do with the filter.
(apply it only to some interfaces, use it to block packets or to merely mark them for later action, logging, etc)

As it is now, the setting is useless because it works globally and you cannot even see what it is doing…

Hi everyone!
Any updates for uRPF on version 7.7 or in future versions?

Nothing has changed.
I would think adding the rpfilter matcher in the firewall would be less effort than adding Rose-storage, but hey…

rp-filter in Loose mode does not help?

The advantage of having the rpfilter matcher instead of enabling rpfilter in strict or loose mode is that you can control exactly what it should do, and you can log what it drops.
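Added example (not from any poster, and not RouterOS or kernel code): a small Python model of strict and loose uRPF over a constructed routing table, showing the asymmetric-routing drop described earlier in the thread, what loose mode does and does not catch, and what scoping the check to customer interfaces changes. All prefixes and interface names are made up.

```python
import ipaddress

# Constructed routing table for the example: (prefix, interface packets to that
# prefix leave through). Interface names and prefixes are made up for illustration.
ROUTES = [
    ("0.0.0.0/0", "wan1"),          # default route via upstream 1
    ("198.51.100.0/24", "wan2"),    # one remote prefix is best reached via upstream 2
    ("192.0.2.0/24", "cust1"),      # customer 1 access interface (e.g. a PPP session)
    ("203.0.113.0/24", "cust2"),    # customer 2 access interface
]

def best_route(routes, addr):
    """Longest-prefix match: interface the router would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(routes, src, in_iface, mode="strict", enabled_on=None):
    """Return True if a packet with source src arriving on in_iface passes uRPF.

    strict: the best route back to src must point out the interface it arrived on.
    loose:  any route to src suffices; a default route matches every source (as with
            Linux rp_filter=2), so loose mode then only stops sources with no route.
    enabled_on: interfaces the check applies to; None means global, all interfaces.
    """
    if enabled_on is not None and in_iface not in enabled_on:
        return True  # check not configured on this interface: packet is not inspected
    via = best_route(routes, src)
    if mode == "loose":
        return via is not None
    return via == in_iface

def demo():
    """Three cases from the thread; returns (spoofed, asymmetric_strict, asymmetric_scoped)."""
    # 1. cust2's address arriving on cust1: spoofing, strict mode drops it.
    spoofed = rpf_check(ROUTES, "203.0.113.7", "cust1", "strict")
    # 2. Legitimate packet from 198.51.100.0/24 enters via wan1 while our route back
    #    points to wan2: global strict uRPF drops real traffic (asymmetric routing).
    asymmetric_strict = rpf_check(ROUTES, "198.51.100.5", "wan1", "strict")
    # 3. Same packet with strict mode scoped to customer interfaces only: accepted,
    #    while the spoofed packet on cust1 would still be dropped.
    asymmetric_scoped = rpf_check(ROUTES, "198.51.100.5", "wan1", "strict",
                                  enabled_on={"cust1", "cust2"})
    return spoofed, asymmetric_strict, asymmetric_scoped
```

Running `demo()` returns `(False, False, True)`; note that the spoofed packet in case 1 passes in loose mode, since a route to 203.0.113.0/24 exists, which is why loose mode alone does not stop spoofing between customer interfaces.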