connecting firewall through routerboard keeping public ip address

Posted: Wed May 29, 2019 10:56 am
by ik3umt
An existing firewall is directly connected to a DSL router with a /29 subnet public IP address.
I have to interpose a routerboard used as a loadbalancer/failover with two other DSL routers.
Is there a way to keep the public IP address coming from the original router?

Image

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu May 30, 2019 12:47 am
by Sob
Proxy ARP is your friend. If dsl router is connected to RB's etherX and firewall to etherY, then set arp=proxy-arp for both and add:
/ip route
add dst-address=a.b.c.1/32 gateway=etherX
add dst-address=a.b.c.6/32 gateway=etherY

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu May 30, 2019 1:06 am
by ik3umt
But, from the firewall's point of view, is it like the routerboard didn't exist?
I would have to set up PCC/loadbalancing as if the eth facing the firewall was the LAN and the other eths were the WANs.
Would any internet packet destined to a.b.c.6 hit the firewall?

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu May 30, 2019 1:53 am
by Sob
Yes, for firewall (the device with a.b.c.6) it's like RB isn't there. But for RB it's regular routing, it sees the traffic and can do anything it wants with it.

I'm not sure that I understand what exactly you want to do with load balancing.

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu May 30, 2019 2:15 am
by ik3umt
Nice to know....
With PCC I let the firewall (and thus the machines behind it) use all three DSL lines to achieve more bandwidth and failover, like I'm actually doing in a few systems (but without a firewall in the middle).

Honestly, I don't know if:

lan_machines----routerboard_pcc------three_wans
lan_machines---firewall---routerboard_pcc------three_wans

behave the same way about pcc method.

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu May 30, 2019 3:58 am
by Sob
It depends. If you'd have a firewall machine, but you'd let the original LAN addresses through (so RB would see them), it would be exactly the same. If the firewall machine already does srcnat, then RB sees only one source address and distribution over WANs is going to be slightly different.

One more thing you need to think about with this config is that public address a.b.c.6 can only work with one dsl router (most likely) and you'll need to srcnat it to something else for outgoing connections via the other dsl routers.

There's also the question of whether you really need a.b.c.6 directly on the firewall machine (there are some possible reasons), or if you could just put it on RB.

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu May 30, 2019 9:59 am
by ik3umt
Yes, the firewall already does srcnat, so the routerboard would see all traffic coming only from the a.b.c.6 address.
Some incoming services hitting a.b.c.6 are dst-natted by the firewall to some LAN machines.
Maybe a VPN can be established from an internet client to a.b.c.6.
No need for incoming services on the other two routers (just used for bandwidth and failover); they are there, just doing nothing, included by the ISP in other paid service bundles.
I'm not the firewall manager; I was asked if it is possible to manage things this way without any firewall modification and loss of services.
That's why I would really need to keep a.b.c.6 on the firewall.

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu May 30, 2019 12:25 pm
by ik3umt
I've tested it with a PC instead of the firewall:

Image

I can ping 10.0.0.1 from 10.0.0.9 and vice versa.

The PC ARP table says 10.0.0.1 is B8:69:F4:BC:BB:32 (routerboard ether3).
The DSL router ARP table says 10.0.0.9 is B8:69:F4:BC:BB:31 (routerboard ether2).

On the PC, the default gateway and DNS server is 10.0.0.1 (DSL router).

However, trying to ping any internet IP address, I get

Reply from 0.0.0.0: Destination net unreachable.

Trying to ping www.google.it, I get

Pinging www.google.com [216.58.198.4] with 32 bytes of data:
Reply from 0.0.0.0: Destination net unreachable.
(the domain name is resolved)

What's the problem?

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu May 30, 2019 3:13 pm
by Sob
The problem is the missing default route on RB. You can try:
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1
But a question: are the other DSLs supposed to be used for this firewall device, or are they for some other network not shown in the diagram? Because unless you have some special deal with the ISP, you won't be able to use a.b.c.6 with them anyway. If only the original DSL would be enough for a.b.c.6, it would be easier to simply bridge the two ports. Although if that was the case, it would be easiest to just not involve RB at all, so maybe I'm getting the wrong idea.

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu May 30, 2019 3:43 pm
by ik3umt
Problem is missing default route on RB. You can try:
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1
Already tried; the 10.0.0.1 gateway is "unreachable". Also tried gateway=ether2, same issue.

About the other DSLs, I want to tie them together with the working one to achieve more bandwidth and failover, like already done (i.e. https://mum.mikrotik.com/presentations/US12/steve.pdf).
I haven't yet tried an existing firewall cascaded with such a configured routerboard.
Doing tests with a single PC as the LAN device to a three-WAN RB works great.

Not sure if PC----natting firewall------pcc_routerboard---three_dsls could work the same.

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu May 30, 2019 6:25 pm
by Sob
Ok, I see it. I normally use this when there are more addresses, e.g. the provider has x.x.x.1/24 on their router, I'm allowed to use x.x.x.2-10/24, but I don't want them all on the router, and for some reason I can't connect all devices directly to the provider's router. With proxy ARP, I can route some of x.x.x.2-10 further to the internal network. But I always keep at least one on the router connected to the ISP. In your case there's none and there's some problem with that. I'll take a look at it later.

Re: connecting firewall through routerboard keeping public ip address

Posted: Fri May 31, 2019 2:04 am
by Sob
So the router won't send an ARP request if it doesn't have an IP address on the interface. One way it could be solved is to remove this route:
/ip route
add dst-address=10.0.0.1/32 gateway=ether2
and instead add point to point address:
/ip address
add address=x.x.x.x/32 interface=ether2 network=10.0.0.1
It will create a dynamic route, will send ARP for 10.0.0.1, and the address can be used as gateway. But I'm not completely sure about x.x.x.x. It can be any unique address (I used 10.10.10.10) and it will be fine for RB. The problem is, I can't guarantee that the other router won't complain when it sees an ARP request from an address that doesn't belong to the subnet on the interface. My testing router (also RouterOS) has no problem with that, but some others possibly could.
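The configuration Sob's posts converge on (proxy-arp on both ports, a /32 route for the firewall's public address, the point-to-point helper address toward the ISP router, and the default route via the ISP router) can be generated and sanity-checked before it is pasted into the RB. This is an added example, not code from the thread or from MikroTik; the public block 203.0.113.0/29 and the interface names are constructed placeholders, and the helper address is assumed to be outside the public subnet, as Sob's post requires.

```python
import ipaddress


def proxy_arp_config(public_net, isp_gw, fw_addr, wan_if="ether1", lan_if="ether2",
                     p2p_addr="10.10.10.10"):
    """Return RouterOS command lines that pass one public /32 (the firewall)
    through a RouterBOARD sitting between the ISP router and the firewall.

    Checks before emitting anything:
      - ISP gateway and firewall address both lie inside the public subnet
        and are neither the network nor the broadcast address
      - the two addresses differ
      - the point-to-point helper address (Sob's x.x.x.x) is NOT inside the
        public subnet, so it cannot collide with an address the ISP assigned
    """
    net = ipaddress.ip_network(public_net, strict=True)
    gw = ipaddress.ip_address(isp_gw)
    fw = ipaddress.ip_address(fw_addr)
    p2p = ipaddress.ip_address(p2p_addr)
    for name, addr in (("ISP gateway", gw), ("firewall", fw)):
        if addr not in net:
            raise ValueError(f"{name} {addr} is not inside {net}")
        if addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{name} {addr} is the network or broadcast address")
    if gw == fw:
        raise ValueError("ISP gateway and firewall address must differ")
    if p2p in net:
        raise ValueError(f"point-to-point address {p2p} collides with {net}")
    return [
        "/interface ethernet",
        f"set [ find default-name={wan_if} ] arp=proxy-arp",
        f"set [ find default-name={lan_if} ] arp=proxy-arp",
        "/ip address",
        # helper /32 so the RB will ARP for the ISP router without owning a public IP
        f"add address={p2p}/32 interface={wan_if} network={gw}",
        "/ip route",
        # public /32 of the firewall is reachable on the LAN-side port
        f"add dst-address={fw}/32 gateway={lan_if}",
        # default route via the ISP router, resolved through the helper address
        f"add dst-address=0.0.0.0/0 gateway={gw}",
    ]


if __name__ == "__main__":
    # constructed sample: a.b.c.0/29 with the ISP router on .1 and the firewall on .6
    print("\n".join(proxy_arp_config("203.0.113.0/29", "203.0.113.1", "203.0.113.6")))
```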

Re: connecting firewall through routerboard keeping public ip address

Posted: Mon Jun 03, 2019 9:41 am
by ik3umt
Ok, it works; connections from the firewall to the internet are ok. I haven't yet checked in the real environment if a.b.c.6 (firewall public IP) is reachable transparently from the internet. I'll keep you updated...

Re: connecting firewall through routerboard keeping public ip address

Posted: Mon Jun 17, 2019 4:53 pm
by ik3umt
Unfortunately, on the real test it fails:

ether1 facing dsl router
ether2 facing firewall

/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp
/ip address
add address=10.10.10.10 interface=ether1 network=<dslrouter_ip_address>
/ip route
add distance=1 dst-address=<firewall_ip_address>/32 gateway=ether2


When the firewall (a routerboard in this case) pings internet devices, it gets back:

SEQ HOST SIZE TTL TIME STATUS
0 10.10.10.10 84 64 0ms net unreachable

Any possible solution?
Thanks

Re: connecting firewall through routerboard keeping public ip address

Posted: Tue Jun 18, 2019 4:43 pm
by ik3umt
Noob question.... Is a different approach possible, something like a double routing/NAT inside the same RB?

Image

Re: connecting firewall through routerboard keeping public ip address

Posted: Thu Jun 20, 2019 2:37 am
by Sob
Short answer: no

Long answer: Maybe with a loop hack (IPIP tunnel from the router back to the router), but you don't want that. My head hurts every time I think about it. And you'd still have problems with the same addresses being both local and remote at the same time; the router doesn't like that.

About the previous post, check what exactly is failing:
a) Does ARP succeed on the firewall, i.e. does it get a MAC address for the gateway? It should be the MAC address of the router's ether2.
b) Does ARP succeed on the router? Try to ping the gateway (it's ok if it doesn't work) and check "/ip arp" to see if the MAC address of the gateway is there.

Re: connecting firewall through routerboard keeping public ip address

Posted: Fri Jun 21, 2019 10:24 am
by ik3umt
Thank you for your patience.

The ARP table of the firewall (actually a RB) sees both <ISP router ip address> and 10.10.10.10 with the MT ether2 MAC address.
The ARP table of the MT sees <firewall ip address> with <firewall mac address> on ether2 and <ISP router ip address> with <ISP router mac address> on ether1.

If I ping <ISP router ip address> from the firewall I get replies.

If I hard-disconnect ether1 facing the ISP router while pinging, the firewall gets "net unreachable" from 10.10.10.10.

Anyway, no access to the internet.

Re: connecting firewall through routerboard keeping public ip address

Posted: Fri Jun 21, 2019 11:06 am
by ik3umt
In the meanwhile, I got it working with two separate routerboards, each dst-natted from the in-interface to the address of the router behind it.

Image

It works totally transparently, but the goal is to use, if possible, a single routerboard in the middle....