ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

connecting firewall through routerboard keeping public ip address

Wed May 29, 2019 10:56 am

An existing firewall is directly connected to a DSL router with a /29 subnet public IP address.
I have to interpose a routerboard used as a load balancer/failover with two other DSL routers.
Is there a way to keep the public IP address coming from the original router?

Image
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: connecting firewall through routerboard keeping public ip address

Thu May 30, 2019 12:47 am

Proxy ARP is your friend. If dsl router is connected to RB's etherX and firewall to etherY, then set arp=proxy-arp for both and add:
/ip route
add dst-address=a.b.c.1/32 gateway=etherX
add dst-address=a.b.c.6/32 gateway=etherY
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: connecting firewall through routerboard keeping public ip address

Thu May 30, 2019 1:06 am

But, from the firewall's point of view, is it like the routerboard didn't exist?
I would have to set up PCC/load balancing as if the eth facing the firewall was the LAN and the other eths were the WANs.
Would any internet packet destined to a.b.c.6 hit the firewall?
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: connecting firewall through routerboard keeping public ip address

Thu May 30, 2019 1:53 am

Yes, for firewall (the device with a.b.c.6) it's like RB isn't there. But for RB it's regular routing, it sees the traffic and can do anything it wants with it.

I'm not sure that I understand what exactly you want to do with load balancing.
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: connecting firewall through routerboard keeping public ip address

Thu May 30, 2019 2:15 am

Nice to know...
With PCC I let the firewall (and thus the machines behind it) use all three DSL lines to achieve more bandwidth and failover, like I'm actually doing in a few systems (but without a firewall in the middle).

Honestly, I don't know if:

lan_machines----routerboard_pcc------three_wans
lan_machines---firewall---routerboard_pcc------three_wans

behave the same way with the PCC method.
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: connecting firewall through routerboard keeping public ip address

Thu May 30, 2019 3:58 am

It depends. If you'd have a firewall machine, but you'd let the original LAN addresses through (so RB would see them), it would be exactly the same. If the firewall machine already does srcnat, then RB sees only one source address and distribution over WANs is going to be slightly different.

One more thing you need to think about with this config is that public address a.b.c.6 can only work with one dsl router (most likely) and you'll need to srcnat it to something else for outgoing connections via the other dsl routers.

There's also the question of whether you really need a.b.c.6 directly on the firewall machine (there are some possible reasons), or if you could just put it on RB.
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: connecting firewall through routerboard keeping public ip address

Thu May 30, 2019 9:59 am

Yes, the firewall already does srcnat, so the routerboard would see all traffic coming only from the a.b.c.6 address.
Some incoming services hitting a.b.c.6 are dst-natted by the firewall to some LAN machines.
Maybe a VPN can be established from an internet client to a.b.c.6.
No need for incoming services on the other two routers (just used for bandwidth and failover); they are there, just doing nothing, included by the ISP in other paid service bundles.
I'm not the firewall manager; I was asked if it is possible to manage things this way without any firewall modification or loss of services.
That's why I would really need to keep a.b.c.6 on the firewall.
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: connecting firewall through routerboard keeping public ip address

Thu May 30, 2019 12:25 pm

I've tested it with a PC instead of firewall:

Image

I can ping 10.0.0.1 from 10.0.0.9 and vice-versa

PC arp table says 10.0.0.1 is B8:69:F4:BC:BB:32 (routerboard ether3)
Dsl router arp table says 10.0.0.9 is B8:69:F4:BC:BB:31 (routerboard ether2)

On the PC, the default gateway and DNS server are 10.0.0.1 (dsl router)

However, trying to ping any internet IP address, I get

Reply from 0.0.0.0: Destination net unreachable.

Trying to ping www.google.it I get

Pinging www.google.com [216.58.198.4] with 32 bytes of data:
Reply from 0.0.0.0: Destination net unreachable.


(domain name is resolved)

What's the problem?
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: connecting firewall through routerboard keeping public ip address

Thu May 30, 2019 3:13 pm

Problem is missing default route on RB. You can try:
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1
But question, are the other dsls supposed to be used for this firewall device, or are they for some other network not shown in diagram? Because unless you have some special deal with ISP, you won't be able to use a.b.c.6 with them anyway. If only original dsl would be enough for a.b.c.6, it would be easier to simply bridge the two ports. Although if that was the case, it would be easiest to just not involve RB at all, so maybe I'm getting wrong idea.
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: connecting firewall through routerboard keeping public ip address

Thu May 30, 2019 3:43 pm

Problem is missing default route on RB. You can try:
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1
Already tried; the 10.0.0.1 gateway is "unreachable". Also tried gateway=ether2, same issue.

About the other dsls, I want to tie them together with the working one to achieve more bandwidth and failover, like already done (i.e. https://mum.mikrotik.com/presentations/US12/steve.pdf).
I haven't yet tried an existing firewall cascaded with such a configured routerboard.
Doing tests with a single PC as the LAN device to a three-WAN RB works great.

Not sure if PC----natting firewall------pcc_routerboard---three_dsls could work the same.
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: connecting firewall through routerboard keeping public ip address

Thu May 30, 2019 6:25 pm

Ok, I see it. I normally use this when there are more addresses, e.g. provider has x.x.x.1/24 on their router, I'm allowed to use x.x.x.2-10/24, but I don't want them all on router, and for some reason I can't connect all devices directly to provider's router. With proxy ARP, I can route some of x.x.x.2-10 further to internal network. But I always keep at least one on router connected to ISP. In your case there's none and there's some problem with that. I'll take a look at it later.
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: connecting firewall through routerboard keeping public ip address

Fri May 31, 2019 2:04 am

So the router won't send an ARP request if it doesn't have an IP address on the interface. One way it could be solved is to remove this route:
/ip route
add dst-address=10.0.0.1/32 gateway=ether2
and instead add point to point address:
/ip address
add address=x.x.x.x/32 interface=ether2 network=10.0.0.1
It will create a dynamic route, will send ARP for 10.0.0.1, and the address can be used as gateway. But I'm not completely sure about x.x.x.x. It can be any unique address (I used 10.10.10.10) and it will be fine for RB. The problem is, I can't guarantee that the other router won't complain when it sees an ARP request from an address that doesn't belong to the subnet on the interface. My testing router (also RouterOS) has no problem with that, but some other possibly could.
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: connecting firewall through routerboard keeping public ip address

Mon Jun 03, 2019 9:41 am

OK, it works: connections from the firewall to the internet are OK. I haven't yet checked in the real environment if a.b.c.6 (firewall public IP) is reachable transparently from the internet; I'll keep you updated...
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: connecting firewall through routerboard keeping public ip address

Mon Jun 17, 2019 4:53 pm

Unfortunately on the real test it fails:

ether1 facing dsl router
ether2 facing firewall

/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp
/ip address
add address=10.10.10.10 interface=ether1 network=<dslrouter_ip_address>
/ip route
add distance=1 dst-address=<firewall_ip_address>/32 gateway=ether2


when firewall (a routerboard in this case) pings internet devices, it gets back:

SEQ HOST SIZE TTL TIME STATUS
0 10.10.10.10 84 64 0ms net unreachable


Any possible solution?
Thanks
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: connecting firewall through routerboard keeping public ip address

Tue Jun 18, 2019 4:43 pm

Noob question... Is a different approach possible, something like double routing/NAT inside the same RB?

Image
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: connecting firewall through routerboard keeping public ip address

Thu Jun 20, 2019 2:37 am

Short answer: no

Long answer: Maybe with loop hack (IPIP tunnel from router back to router), but you don't want that. My head hurts every time I think about it. And you'd still have problems with same addresses being both local and remote at the same time, router doesn't like that.

About the previous post, check what exactly is failing:
a) Does ARP succeed on firewall, i.e. does it get MAC address for gateway? It should be MAC address of router's ether2.
b) Does ARP succeed on router? Try to ping gateway (it's ok if it doesn't work) and check "/ip arp" if MAC address of gateway is there.
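The two checks Sob lists (a: the firewall resolves its gateway to the RB's ether2 MAC; b: the RB itself has an entry for the ISP router on its uplink) are the kind of thing worth scripting when the same cascade is deployed more than once. The following is an added example written for this page, not code from the thread or from MikroTik: it parses constructed text in the shape of RouterOS `/ip arp print` output and reports which side of the ARP exchange is broken. All addresses, MACs and both tables are constructed; the MAC expected for the RB's ether2 is a constructed placeholder.

```python
"""Added example (not from the thread, not MikroTik code): automates the two
ARP checks suggested above by parsing text in the shape of RouterOS
'/ip arp print' output.  Check (a) runs against the firewall's table and
expects its gateway to resolve to the RB's ether2 MAC; check (b) runs against
the RB's table and expects the ISP router to have been learned on the uplink
interface.  Every address, MAC and table below is constructed; entries that
never got a MAC (incomplete ARP) do not match the pattern and count as unresolved."""
import re

ARP_LINE = re.compile(
    r"^\s*\d+\s+(?P<flags>[A-Z]*)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(?P<iface>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed: what the firewall should show after the RB's proxy-arp answered for 10.0.0.1.
FIREWALL_ARP = """\
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 10.0.0.1        02:00:00:00:00:02 ether1
"""

# Constructed: the RB's own table, firewall on ether2, ISP router on ether1.
RB_ARP = """\
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 10.0.0.9        02:00:00:00:00:09 ether2
 1 DC 10.0.0.1        02:00:00:00:00:01 ether1
"""


def parse_arp_table(text):
    """Map IP -> (MAC, interface) for every complete entry in the printout."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m["ip"]] = (m["mac"].upper(), m["iface"])
    return table


def check_firewall_side(fw_table, gateway_ip, rb_ether2_mac):
    """Check (a): does the firewall resolve its gateway to the RB's ether2?"""
    entry = fw_table.get(gateway_ip)
    if entry is None:
        return "fail: firewall has no ARP entry for its gateway (proxy-arp on RB not answering)"
    if entry[0] != rb_ether2_mac.upper():
        return f"fail: gateway resolves to {entry[0]}, not the RB's ether2 (another device is answering)"
    return "ok"


def check_router_side(rb_table, isp_router_ip, uplink_iface):
    """Check (b): has the RB itself resolved the ISP router on the uplink?"""
    entry = rb_table.get(isp_router_ip)
    if entry is None:
        return "fail: RB has no ARP entry for the ISP router (never sent a request; no address on uplink?)"
    if entry[1] != uplink_iface:
        return f"fail: ISP router learned on {entry[1]}, expected {uplink_iface}"
    return "ok"


def run_checks(fw_text=FIREWALL_ARP, rb_text=RB_ARP):
    """Run both checks for the constructed topology and return their results."""
    a = check_firewall_side(parse_arp_table(fw_text), "10.0.0.1", "02:00:00:00:00:02")
    b = check_router_side(parse_arp_table(rb_text), "10.0.0.1", "ether1")
    return a, b


if __name__ == "__main__":
    for name, result in zip(("check a", "check b"), run_checks()):
        print(name, result)
```

A gateway that resolves to some MAC other than the RB's ether2 is worth a second look even when connectivity works, since it means another device on that segment is answering ARP for the address.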
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: connecting firewall through routerboard keeping public ip address

Fri Jun 21, 2019 10:24 am

Thank you for patience,

The ARP table of the firewall (actually a RB) sees both <ISP router ip address> and 10.10.10.10 with the MT ether2 MAC address.
The ARP table of the MT sees <firewall ip address> with <firewall mac address> on ether2 and <ISP router ip address> with <ISP router mac address> on ether1.

If I ping <ISP router ip address> from the firewall I get replies.

If I hard-disconnect ether1 facing the ISP router while pinging, the firewall gets "net unreachable" from 10.10.10.10.

Anyway, no access to the internet.
 
ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Re: connecting firewall through routerboard keeping public ip address

Fri Jun 21, 2019 11:06 am

In the meanwhile, I got it working with two separate routerboards, each dst-natted from the in-interface to the address of the router behind it.

Image

It works totally transparently, but the goal is to use, if possible, a single routerboard in the middle...
