I would like to do some rp filter checking on a single interface.
RouterOS providers the RP Filter seting in IP settings, but it is global for the entire router.
Linux iptables provides the "rpfilter" matcher that can be applied in the raw or mangle prerouting chain,
to do per-packet RP Filter matches that can be tied to an input interface, a source address range, etc
and then used to mark or drop the packet.
I have not found how it is configurable in RouterOS. Is it available, and if so, how?
Re: rpfilter matcher available?
I think, a good start would be per-interface RPFilter settings (it's kernel feature, without using iptables)
Re: rpfilter matcher available?
In my situation it would be an advantage to have a separate iptables rule for the RP filter, as I can see
the match count on the rule, do logging, and place the rule at an appropriate place in the chain after
other rules that drop part of the traffic (e.g. RFC1918 addresses).
the match count on the rule, do logging, and place the rule at an appropriate place in the chain after
other rules that drop part of the traffic (e.g. RFC1918 addresses).
Re: rpfilter matcher available?
Have you seen that topic?
viewtopic.php?f=2&t=114664
viewtopic.php?f=2&t=114664
Re: rpfilter matcher available?
I have read it but that doesn't cover my needs.
I do not have a performance issue. This feature is required only on the "customer facing" interface which is WiFi so very slow.
I want to do a couple of checks to make sure the source address is valid, and one of them is if the packet would be routed
out to the same interface. I cannot use blackhole in case it isn't, it is possible it would be routed elsewhere.
What I require is just: iptables -t raw -A PREROUTING -i ether5 -m rpfilter --invert -j log_drop
(where that log_drop will do rate-limited logging and drops the packet)
It should not be difficult to implement, there are already many similar matchers that can be selected.
I do not have a performance issue. This feature is required only on the "customer facing" interface which is WiFi so very slow.
I want to do a couple of checks to make sure the source address is valid, and one of them is if the packet would be routed
out to the same interface. I cannot use blackhole in case it isn't, it is possible it would be routed elsewhere.
What I require is just: iptables -t raw -A PREROUTING -i ether5 -m rpfilter --invert -j log_drop
(where that log_drop will do rate-limited logging and drops the packet)
It should not be difficult to implement, there are already many similar matchers that can be selected.
Re: rpfilter matcher available?
What you require is the uRPF setting to be configured per-interface. The kernel supports this, but Mikrotik does not yet expose this that I am aware of. You do not want to do this as you are describing.
You would set client-facing interfaces to strict and the rest to loose. Well, once this support is added.
You would set client-facing interfaces to strict and the rest to loose. Well, once this support is added.
Re: rpfilter matcher available?
No, I would prefer the rpfilter matcher over per-interface RP filter setting, because it allows me to monitor
the situation before doing a hard cutoff, keep statistics and logging, make exceptions, etc.
the situation before doing a hard cutoff, keep statistics and logging, make exceptions, etc.