Allow IP spoofing in internal network
In our MikroTik network we installed a security appliance called Darktrace. It observes the network using promiscuous mode. One of the features of it is that it is able to break TCP connections that it classifies as malicious by sending RST packets with spoofed source and destination IP. And for that it uses a separate interface.
From the perspective of hosts talking to each other it looks as if the other side initiated a reset. That effectively breaks the connection.
However, in our network spoofed packets are discarded before reaching their destination.
We experimented with setting ip rp-filter to none but that did not change anything. Spoofed RST packets are still not reaching targets.
We are able to easily identify RST packets that are coming from Darktrace, since they have a specific string in the payload.
After containing the endpoint in such a way that every connection should be subject to a reset, the only RST packets that reach it are RST packets sent when the endpoint tries to access … Darktrace, because it’s the only moment where there is no source IP spoofing. Darktrace effectively works in its own name. No source IP cheating. And that is the only moment where the host is effectively blocked, seeing "reset by peer" upon connecting. All the other connections look like they are blocked for a few seconds, but then in the end they are allowed and working fine.
We observed that using packet capture on the endpoint.
Long story short - how to fully enable IP spoofing on a MikroTik network? Preferably enable it only for a specific list of IPs.
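The post relies on an endpoint packet capture to see which RST segments actually arrive, and on a distinctive payload string to tell the appliance's injected resets apart from real ones. The following script is an added example, not code from the poster or from Darktrace or MikroTik: it parses a classic libpcap capture with only the standard library, picks out TCP segments with the RST flag set, and reports those whose payload contains the marker, so that the result of a containment test can be checked without eyeballing the capture. The marker string `EXAMPLE-RST-MARKER`, the addresses, and the embedded capture are all constructed for the example; the real payload string is not given on the page and must be substituted.

```python
"""List TCP RST segments in a pcap that carry an identifying payload marker."""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# Placeholder: the appliance's real payload string is not known here.
MARKER = b"EXAMPLE-RST-MARKER"


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from an in-memory classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp_frame(frame: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src_ip, dst_ip, tcp_flags, payload) for Ethernet/IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    return src, dst, tcp[13], tcp[data_off:]


def find_marked_rsts(pcap: bytes, marker: bytes = MARKER) -> List[Dict[str, object]]:
    """Return one record per RST segment whose payload contains the marker."""
    hits = []
    for frame in iter_pcap_frames(pcap):
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src, dst, flags, payload = parsed
        if flags & 0x04 and marker in payload:  # 0x04 is the RST bit
            hits.append({"src": src, "dst": dst, "payload_len": len(payload)})
    return hits


# --- constructed sample capture (checksums left zero; the parser ignores them) ---
def _ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def build_tcp_frame(src: str, dst: str, flags: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for testing the parser."""
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, 5 << 4, flags, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian classic pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.7", 0x18, b"hello"),  # PSH+ACK data segment
    build_tcp_frame("10.0.0.7", "10.0.0.5", 0x14, MARKER),    # RST+ACK carrying the marker
    build_tcp_frame("10.0.0.7", "10.0.0.5", 0x04, b""),       # plain RST without marker
])

if __name__ == "__main__":
    for hit in find_marked_rsts(SAMPLE_PCAP):
        print(hit)
```

To use it on a real capture, read the file into `bytes` and call `find_marked_rsts` with the appliance's actual marker; a capture taken on the contained host that yields no hits for connections other than those to the appliance itself confirms the behaviour described in the post, while hits with a source address belonging to the remote peer show the injected resets getting through.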