But the upstream firewall is seeing lots of martian source packets (rp_filter strict)
I have this setup with a Mikrotik router.
Code:
/system/routerboard/print
routerboard: yes
model: CCR1036-8G-2S+
serial-number: 4466022F4CCF
firmware-type: tilegx
factory-firmware: 3.10
current-firmware: 7.2.3
upgrade-firmware: 7.2.3
Code:
/interface vlan
add interface=sfp-sfpplus1 name=v128 vlan-id=128
/interface list
add name=WAN
add name=CUST
add name=GUEST
/interface list member
add interface=sfp-sfpplus2 list=CUST
add interface=ether6 list=GUEST
add interface=v128 list=WAN
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface-list=CUST out-interface-list=WAN
add action=accept chain=forward in-interface-list=GUEST out-interface-list=WAN
add action=drop chain=forward log=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip address
add address=192.168.213.1/24 interface=ether6 network=192.168.213.0
add address=172.16.31.1/24 interface=sfp-sfpplus2 network=172.16.31.0
add address=xxx.xxx.xxx.xxx/25 interface=v128 network=xxx.xxx.xxx.xxx
On our firewall, we are seeing lots of martian source packets.
From non-mikrotik firewall:
Code:
May 30 15:36:06 firewall-1 kernel: [12077613.285312] IPv4: martian source xxx.xxx.xxx.xxx from 192.168.212.158, on dev eth1.128
I have many mikrotiks with this setup - but they are all failing at the same rates - and they have identical nat rules with interface-lists and VLAN.
Picture for easier explanation:
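An added example, not part of the original post: a triage script for the upstream firewall's kernel log that counts martian-source events per device and source address and checks each source against the inside subnets from the `/ip address` section above. Only the first sample line comes from the post; the others are constructed, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Inside subnets taken from the /ip address section of the post.
INSIDE_NETS = {
    "GUEST (ether6)": ipaddress.ip_network("192.168.213.0/24"),
    "CUST (sfp-sfpplus2)": ipaddress.ip_network("172.16.31.0/24"),
}

# Matches the kernel message shown in the post. The destination may be
# redacted (xxx.xxx.xxx.xxx), so it is captured as an opaque token.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\S+) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}), on dev (?P<dev>\S+)"
)

def classify(src):
    """Return the label of the inside subnet containing src, or 'unlisted'."""
    addr = ipaddress.ip_address(src)
    for label, net in INSIDE_NETS.items():
        if addr in net:
            return label
    return "unlisted"

def summarize(lines):
    """Count martian-source events per (device, source, subnet label)."""
    counts = Counter()
    for line in lines:
        m = MARTIAN_RE.search(line)
        if not m:
            continue  # not a martian-source message
        try:
            label = classify(m["src"])
        except ValueError:  # damaged line, e.g. an octet above 255
            continue
        counts[(m["dev"], m["src"], label)] += 1
    return counts

SAMPLE = [  # line 1 is from the post; lines 2-5 are constructed
    "May 30 15:36:06 firewall-1 kernel: [12077613.285312] IPv4: martian source xxx.xxx.xxx.xxx from 192.168.212.158, on dev eth1.128",
    "May 30 15:36:07 firewall-1 kernel: [12077614.101] IPv4: martian source xxx.xxx.xxx.xxx from 192.168.213.40, on dev eth1.128",
    "May 30 15:36:09 firewall-1 kernel: [12077616.552] IPv4: martian source xxx.xxx.xxx.xxx from 192.168.213.40, on dev eth1.128",
    "May 30 15:36:11 firewall-1 kernel: [12077618.004] IPv4: martian source xxx.xxx.xxx.xxx from 172.16.31.9, on dev eth1.128",
    "May 30 15:36:12 firewall-1 sshd[411]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for (dev, src, label), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {dev:10s} {src:16s} {label}")
```

A source reported as `unlisted` is a private address that matches neither subnet configured on this router, so it is worth checking which of the other routers it belongs to.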