I’ve an x86 machine running RouterOS 5.20 which acts as a router for 3 networks. There are 5 IP addresses assigned to this router; let's assume they are:
I use Mikrotik’s HttpProxy as a transparent proxy for all networks. Something strange occurs when I get an error page (e.g. a timeout) from Mikrotik’s proxy from a computer in the network attached to the ether2 interface, for example (the same occurs in the other networks). Instead of showing the proxy’s IP as 192.0.2.1, it shows one from another network/interface, e.g. 203.0.113.49.
In the proxy case it’s just strange, causing no real trouble. But in other cases, like restricting access to some network only from a specific source, this RouterOS behavior is robbing me of my rest. I restrict the network on ether3 to be accessible only from the vlan IP range 198.51.100.0/29. When I try to access some resource in ether3’s network I have no success. This is because RouterOS is assuming the accesses are being made from IPs other than those in the range I allowed.
The worst (strangest) is what follows. I have a user named “local” which is used only by scripts that need to connect to the router itself via FTP, for instance. This user has no password and I restrict logins using it to 127.0.0.0/8. When my scripts try to log in to 127.0.0.1 via FTP using the “local” user I get an authentication failure. The log shows me the authentication attempt was made from an IP assigned to one of the interfaces, e.g. 203.0.113.46.
In NAT there are only two rules: an empty masquerade (only chain and action are set; I must allow the networks to communicate with each other, except those I filter as said before) and a dst-nat which redirects everything going to port 80 anywhere other than the router itself to Mikrotik's HttpProxy.
What is causing this very strange behavior in RouterOS? How can I fix it?
Thanks in advance, and sorry if my English writing skills are too poor for you.
So will I need to create one masquerade rule for each pair of networks I want to be able to communicate with each other?
It isn’t just network-to-Internet traffic here, but also network-to-network traffic. Creating one masquerade rule for each combination of networks (e.g. 192.0.2.1/29 and 192.0.2.9/29, 192.0.2.1/29 and 198.51.100.2/29…) would result in far too many rules.
What workaround do you suggest to solve this problem?
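An added configuration example (not from the thread or from MikroTik's documentation) showing what the follow-up question is circling around: a srcnat masquerade rule with no matchers applies to every packet leaving any interface, including network-to-network and router-originated traffic, so the source address gets rewritten to the outgoing interface's address. Instead of one masquerade rule per pair of networks, a single rule can be scoped so it only fires for traffic that is not destined to a local range. The network ranges are taken from the post (normalized to network form), the WAN interface name `ether1`, the `local` address-list name and the proxy port 8080 (RouterOS' default) are assumptions, and the filter rule reflects the ether3 restriction described in the question.

```routeros
# Assumed: all interior ranges from the post go into one address list.
# 127.0.0.0/8 is included so traffic the router sends to itself is never
# masqueraded either. Add any remaining local ranges (e.g. the 203.0.113.x
# network) the same way.
/ip firewall address-list
add list=local address=192.0.2.0/29    comment="ether2 network (from post)"
add list=local address=192.0.2.8/29    comment="second /29 (from post)"
add list=local address=198.51.100.0/29 comment="vlan network (from post)"
add list=local address=127.0.0.0/8     comment="loopback, router-to-self"

/ip firewall nat
# The rule described in the post: chain and action only. It matches
# everything leaving the router, so inter-network and router-to-self
# traffic is also source-NATed to the outgoing interface's address.
#add chain=srcnat action=masquerade

# Scoped replacement: masquerade only when the destination is NOT a
# local range. Network-to-network traffic keeps its real source address,
# so filter rules keyed on src-address see the true client.
add chain=srcnat action=masquerade dst-address-list=!local \
    comment="masquerade Internet-bound traffic only"

# Equivalent alternative if the Internet is reached through exactly one
# interface (ether1 is assumed here):
#add chain=srcnat action=masquerade out-interface=ether1

# Transparent proxy redirect as described in the post: port 80 traffic
# not addressed to the router itself goes to the web proxy.
add chain=dstnat protocol=tcp dst-port=80 dst-address-type=!local \
    action=redirect to-ports=8080 comment="transparent HttpProxy"

/ip firewall filter
# Restriction from the post: only the vlan range may reach ether3's
# network. This only works once srcnat no longer rewrites internal traffic.
add chain=forward out-interface=ether3 src-address=!198.51.100.0/29 \
    action=drop comment="ether3 reachable only from vlan range"
```

Check the effect with `/ip firewall connection print` while accessing an ether3 host from the vlan: the reply-dst address of the connection should now equal the client's real address rather than one of the router's own addresses. Because the 127.0.0.0/8 entry keeps router-originated loopback traffic out of the masquerade rule, the FTP login from the scripts can be re-tested afterwards as well.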