Guscht
Member Candidate
Topic Author
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

when to use "pref-src"?

Sun Apr 24, 2022 8:43 pm

Hi,

I have read a lot about the pref-src (preferred source) field under IP -> Routes.
But what are the reasons I should set it? I still don't know.

My only thinkable use-case was which IP should NAT -> SNAT -> Masquerading use (in a multi-WAN-IP scenario)? But this does exactly NOT use the pref-src.

The MT-Wiki says:
Which of the local IP addresses to use for locally originated packets that are sent via this route. Value of this property has no effect on forwarded packets. If value of this property is set to IP address that is not local address of this router then the route will be inactive. If pref-src value is not set, then for locally originated packets that are sent using this route router will choose one of local addresses attached to the output interface that match destination prefix of the route (an example).

Is this only for things in the output chain? What does "locally originated" mean? Locally in the LAN? Locally in the router?
What's with SNAT? Is this considered "locally originated"? It's both, forwarded but locally manipulated...


For V7 an even more confusing statement is added:
The preferred source is not used anymore for connected routes. FIB chooses the source address based on the out-interface. This allows making setups that in ROS v6 and older were considered invalid.
Why is it not used anymore? Why was it used under V6 (even here we can leave this field blank).
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: when to use "pref-src"?

Sun Apr 24, 2022 9:03 pm

One example where it's useful is site to site tunnel using plain IPSec. Let's say you have local router with LAN 192.168.88.0/24 and WAN 1.2.3.4, and remote router with LAN 192.168.99.0/24 and WAN 2.3.4.5. You create tunnel between 192.168.88.0/24 and 192.168.99.0/24, but problem is that IPSec doesn't have interfaces, packets seem to use WAN as incoming and outgoing interface. If 192.168.88.x tries to connect to 192.168.99.y, there's no problem. But if router itself tries to connect to 192.168.99.y, it will use 1.2.3.4 as source, because it's on outgoing interface. And it won't work, because there's no IPSec policy for this traffic. So one solution would be to add it, but there could be problems if WAN addresses are dynamic, or maybe you just don't want to. Other solution is to add route to 192.168.99.0/24 (in current RouterOS it doesn't matter where it points to) with pref-src=192.168.88.1 (router's LAN address), and router will choose 192.168.88.1 when it sends something to 192.168.99.x.

As for the rest, locally originated = sent by router itself. And I don't know about the v7 change. Connected route is for directly reachable devices, e.g. when you add address 192.168.88.1/24, it creates connected route for 192.168.88.0/24. But AFAIK you can't set pref-src for that anyway, except maybe with routing filters. What exactly this change does, I'm not sure. Some examples of what was invalid in v6 and can be done in v7 would be nice. I guess it could be something for enterprisey stuff, related to BGP and such, I don't know much about that.
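An added example, not part of the original post and not RouterOS code: a small Python model of the source-address choice described above, checking router-originated traffic to the remote LAN against the 192.168.88.0/24 to 192.168.99.0/24 policy with and without the pref-src route. The interface names, the host 192.168.99.10 and the one-address-per-interface simplification are assumptions.

```python
import ipaddress as ip

# Constructed model of the setup in the post (addresses are the post's own;
# interface names "wan"/"lan" and one address per interface are assumptions).
LOCAL_ADDRS = {"wan": ip.ip_address("1.2.3.4"), "lan": ip.ip_address("192.168.88.1")}
# IPsec policy selectors: (source subnet, destination subnet).
POLICIES = [(ip.ip_network("192.168.88.0/24"), ip.ip_network("192.168.99.0/24"))]


def active(route):
    # Per the wiki text quoted in the thread: a pref-src that is not a
    # local address of the router makes the route inactive.
    pref = route.get("pref_src")
    return pref is None or pref in LOCAL_ADDRS.values()


def local_source(routes, dst):
    """Source address for a packet the router itself sends to dst."""
    dst_ip = ip.ip_address(dst)
    hits = [r for r in routes if active(r) and dst_ip in r["dst"]]
    if not hits:
        raise LookupError("no active route to " + dst)
    route = max(hits, key=lambda r: r["dst"].prefixlen)  # longest prefix wins
    if route.get("pref_src") is not None:
        return route["pref_src"]
    return LOCAL_ADDRS[route["out_if"]]  # fall back to the out-interface address


def matches_policy(src, dst):
    """True if (src, dst) falls inside an IPsec policy selector pair."""
    dst_ip = ip.ip_address(dst)
    return any(src in s and dst_ip in d for s, d in POLICIES)


DEFAULT = {"dst": ip.ip_network("0.0.0.0/0"), "out_if": "wan"}
FIX = {"dst": ip.ip_network("192.168.99.0/24"), "out_if": "wan",
       "pref_src": ip.ip_address("192.168.88.1")}


def demo(dst="192.168.99.10"):
    result = {}
    for name, table in (("default only", [DEFAULT]), ("with pref-src", [DEFAULT, FIX])):
        src = local_source(table, dst)
        result[name] = (str(src), matches_policy(src, dst))
    return result


if __name__ == "__main__":
    for name, (src, ok) in demo().items():
        print(f"{name}: source={src} matches IPsec policy={ok}")
```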
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: when to use "pref-src"?

Sun Apr 24, 2022 11:22 pm

Then with multiple VPN tunnels on one WAN (ECMP), locally generated traffic can be given the src-address of the shared IP address. However, how to control which of the tunnels is going to be used?

The tunnel IP entry point all are the same and the routing mark selects which tunnel will be used for that specific connection. I am using the fetch here and if I want to make a selection then I have to set a routing mark. Preferred Source is not anymore in v7 and is replaced by Routing Tables.

Routing Rules could be used, this by only using the src-address and setting the lookup only in table for Table TunnelOne.
The src-address used is the IP address of the tunnel's entry point. Using that IP address also avoids using the NAT, this because my VPN provider is natting on their side and they know the way back to the tunnel exit on my side, as long as I use their provided IP address.

If you put an IP address like 192.168.88.1 as source address in the same tunnel then you never receive an answer back. The VPN provider does not know behind which tunnel 192.168.88.1 sits.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: when to use "pref-src"?

Mon Apr 25, 2022 12:17 am

Preferred source for manual routes still exists in v7 and works. And of course you need to use something that makes sense for your setup. If it's someone else's VPN and they don't know about your LAN, then using an address from there is not a good choice. But if it's your VPN and the other side knows about your LAN, it may be a good choice. It always depends on what you want to achieve.
