Community discussions

MikroTik App
 
alessiobravi
just joined
Topic Author
Posts: 3
Joined: Thu Nov 10, 2011 1:14 pm

Unicast Reverse Path Forwarding

Thu Nov 10, 2011 2:22 pm

Has anyone been able to configure Unicast Reverse Path Forwarding in RouterOS?

I did some tests with on-demand Firewall Filtering rule activation (rules added on PPP Connection), but the implementation is tricky and can't cover all scenarios available in a PPP Authenticated Session environment (for example if a Framed-Route is dynamically assigned to a User via Radius and injected in the created PPP IF On-Demand).

The RPF feature is commonly used on Access Device Interfaces, basically to prevent Users IP Spoofing. For this reason I think it is in the Top5 entry of Network Administrator RouterOS WhishLists! :)

I see some related requests on some old post in this forum, but I can't find specific replies on this topic.
 
nexos
just joined
Posts: 2
Joined: Fri Nov 11, 2011 8:10 pm

Re: Unicast Reverse Path Forwarding

Fri Nov 11, 2011 8:17 pm

In the linux kernel URPF has been supported "forever", and can be turned on using a single command.
So this should theoretically be easy for mikrotik to implement.
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Having this would enable simpler firewall configurations and higher performance for cpe's, since spoofed packets would be dropped before reaching layer 3 firewall.
 
petrik
newbie
Posts: 25
Joined: Tue Sep 26, 2006 9:37 pm

Re: Unicast Reverse Path Forwarding

Mon Jun 17, 2013 11:31 am

Any update regarding uRPF? I believe that since it is already part of the linux kernel and that it is regarded as standard for adavnced routers, it should be enabled in RourOS as well
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 6043
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Unicast Reverse Path Forwarding

Mon Jun 17, 2013 11:33 am

 
User avatar
Bergante
Member Candidate
Member Candidate
Posts: 140
Joined: Tue Feb 28, 2012 12:27 pm
Location: Bilbao, Spain

Re: Unicast Reverse Path Forwarding

Wed Jun 19, 2013 10:35 am

I've been trying it on 6.1 and I have found some problems:

1) If I enable it, it seems it isn't actually enforced until I reboot the router.

2) This is not the best way to implement it. It should be controlled for each interface, instead of being an all or nothing parameter.

In a provider network you want to enable rp-filter on customer facing interfaces, and leave it disabled on your internal interfaces. Otherwise, depending on your configurations, routing assymmetries, etc, strict rpf will kill legitimate traffic.

So, please, change it and make it so that it can be enabled and configured as an interface specific parameter instead of a global setting.
 
schadom
Member Candidate
Member Candidate
Posts: 152
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: Unicast Reverse Path Forwarding

Tue Jun 16, 2020 2:44 am

Mikrotik please consider making uRPF configurable on a per-interface basis instead of globally only. Like Cisco and others have it. The current implementation breaks asymmetric routing. Thanks
 
pe1chl
Forum Guru
Forum Guru
Posts: 6660
Joined: Mon Jun 08, 2015 12:09 pm

Re: Unicast Reverse Path Forwarding

Tue Jun 16, 2020 12:33 pm

Linux has a matcher in the iptables firewall that allows you to match on packets (not) adhering to the RP filter:
-m rpfilter [--invert] [--loose]
This should be added to RouterOS as well (as part of the firewall) so you can have full flexibility in what you do with the filter.
(apply it only to some interfaces, use it to block packets or to merely mark them for later action, logging, etc)

As it is now, the setting is useless because it works globally and you cannot even see what it is doing...

Who is online

Users browsing this forum: No registered users and 11 guests