Looking for a way to forward broadcast UDP packets between interfaces of a router.
1. As stated in Proxy-ARP feature article (http://www.mikrotik.com/testdocs/ros/2.9/ip/address.php)

routers do not forward broadcasts by default

Is there a place in RoutersOS where I can change this "default"?
2. Where the broadcast address specified in the "/ip addresses" (picture in manualhttp://wiki.mikrotik.com/wiki/Manual:IP) is used?

Are you routing between the interfaces, or bridging?

Broadcasts (and some multicasts) generally only concern layer-2 issues (ARP packets for instance) and do not need to go beyond the nearest router. However, they should transition any bridged interfaces, and layer-2 transparent tunnels, unless they are filtered out.

What are you trying to accomplish, or what is the concern?

ive used the dst-nat function to forward broadcasts / turn them into unicast. Not sure if that helps solve your issue or not, but you can nat them to whatever you want.

Are you routing between the interfaces, or bridging?

Routing.

Broadcasts (and some multicasts) generally only concern layer-2 issues (ARP packets for instance) and do not need to go beyond the nearest router. However, they should transition any bridged interfaces, and layer-2 transparent tunnels, unless they are filtered out.

At least one of L3 (IP protocol) may be broadcasted. I mean UDP broadcast packets.

What are you trying to accomplish, or what is the concern?

Subnetting.
Something like this: network 192.168.0.0/24 divide onto the smaller segments like 192.168.0.0/28. It seems to me that IP routing fits better than bridging in my case. I am going to make tight filtering between subnets, so L3 fits better my needs, but unfortunately it cuts off UDP broadcast packets, ruining work of some applications. To be exact I'd like that broadcast packets I specified for all interfaces (i.e. 192.168.0.255) pass into all 4 interfaces.

And it is just interesting to have some more knowledge on device I have and why to introduce setting which is nowhere used.

Thank you.

ive used the dst-nat function to forward broadcasts / turn them into unicast. Not sure if that helps solve your issue or not, but you can nat them to whatever you want.

It might help.
1. Can you please specify sample command?
2. Will such packets pass through IP filters?
Thank you.

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=wan1 dst-address-type=broadcast dst-port=5678 protocol=udp to-addresses=10.40.1.31

This will take the cdp packets and redirect them to 10.40.1.31, which happens to be a broadcast address in your case.

My guess is that you wont get what you want in the end ... there is a reason broadcasts should only be isolated to that subnet : ) The other end probably cant transmit back, etc.

To clarify a bit, even though UDP broadcast packets are layer-3 packets, they are usually concerned with layer-2 information. For instance, an ARP packet requests information about what layer-2 address goes with a particular layer-3 address, and such a request would be useless beyond the router for ARP's purposes. OSPF packets are similar, and OSPF instances know how to re-multicast only the relevant information on other subnets.

While there are other applications that could use broadcast or multicast packets (video distribution for instance), they really shouldn't expect to work across a router boundary, and should provide a unicast option if they really need to cross a router boundary. Some routers can be configured to forward broadcast and/or multicast packets, but the bandwidth requirements, and potential for abuse, will quickly explode, which is why they don't "by default". One of the big (generally considered to be an) advantage of routers is that they stop broadcast storms from getting beyond the network they originated in; and keep other information (like ARP) limited to the network they are relevant to.

If you are worried about forwarding broadcast on general principles, you probably don't need to worry about it. If you have a specific reason you need to forward broadcasts, you can try the posted suggestions. I don't think routeros can be directly (as in click here and its done) configured to forward broadcasts, but I haven't needed it so I haven't explicitly looked for it.

My guess is that you wont get what you want in the end

Thank you for a rule, but this really don't get me what I want.

To clarify a bit, even though UDP broadcast packets are layer-3 packets, they are usually concerned with layer-2 information. For instance, an ARP packet requests information about what layer-2 address goes with a particular layer-3 address, and such a request would be useless beyond the router for ARP's purposes. OSPF packets are similar, and OSPF instances know how to re-multicast only the relevant information on other subnets.

I can't agree with you, for example look at netbios' UDP broacast packets on ports 137 and 138 or any broadcast chat programs: they have nothing to do with L2.

I don't think routeros can be directly (as in click here and its done) configured to forward broadcasts, but I haven't needed it so I haven't explicitly looked for it.

I thought this device was designed to solve the problems quickly, exactly like "click here and its done".

It looks like I have no other choice to forward UDP broadcasts than switch router into bridge mode. So this will rise bunch of questions like:
1. Is there a way to assign IPs on per-eth-port basis? It looks like DHCP-server can be assigned to a bridge as a whole thus giving all clients IPs from the same pool.
2. Whether IP packets will visit IP chains?
3. Is there a way to stop broadcast ARPs from some of the ports of a bridge to be answered by router's MAC (like proxy-arp)?
4. Whether OpenVPN server will work bridged with eth ports?

netbios can work across routers that do not forward broadcasts:

http://articles.techrepublic.com.com/51 ... 34239.html

In particular, from the referenced URL:

This is effective within a local network but is ineffective across routers, which do not forward broadcast packets. This means that the broadcast NetBIOS name resolution method does not work across routers. It can only be used for computers within the same IP subnet. Another problem with broadcast resolution is that it takes time from every computer. Finally, broadcast resolution requires that the packet be transmitted to every computer on a subnet. This can effectively eliminate the usefulness of a switch, which is designed to prevent computers from seeing traffic that is not destined for them. Since a broadcast is by definition destined for every computer on the subnet, it must be broadcast to every computer. As the amount of broadcast traffic increases, the switches tend to behave more like hubs—passing on every packet to every connected computer. The tendency to broadcast is one of the reasons that NetBIOS is not well liked in networking circles.

Note that that is not a mikrotik website, and they do not say "mikrotik routers", but just "routers".

It would be nice if there were a one-click enable broadcast forwarding button for those who feel they need it, but I think you will find it is not at the top of most people's wishlists, if its even on their wishlist at all.

You can assign more than one IP address to a bridge, or an ethernet, but unless you set up static leases, the dhcp server won't know what particular subnet it should hand to a client. And note that you would have the same problem if the router were forwarding broadcast packets. The DHCP request would appear in all the subnets that the broadcasts are being forwarded to, and whichever dhcp server was fastest in responding is the one the client will probably accept a response from. You could hope that this would be the "local" dhcp server, but there would be no guarantee.

You can use ip chains with the bridge; on the filters tab, you can do layer-2 firewall stuff (such as blocking ARP packets), for layer-3 firewalling between bridge ports you have to go into the bridge settings and check "use IP firewall". (in winbox, in bridge, on the bridge tab, there is a settings button). and then configure the IP firewall as normal.

Run the openVPN on the bridge, rather than on the individual ports. You can try running the DHCP server on the individual ports instead of on the bridge, but I suspect you won't get what you want.

Chat programs (at least ones that work across the internet) usually work by sending the chat packet to a central server, which then sends individual unicast packets to every client. There might be chat programs that can optimize if they see multiple clients in the same subnet, or were only intended to work in a broadcast domain.

It sounds like you are wanting clients on different ports to be in different subnets, but you otherwise want them to act like they are bridged together. Is there some reason they can't all just be in the same subnet?

Put another way, by using bridge, and assigning multiple IP addresses from different subnets to it, you are effectively doing the same thing as forwarding broadcast packets, if you add firewall rules to block packets originating from the "wrong subnets" from transiting the bridge.

I apologize if any of this sounds confrontational, I don't mean for it to.

netbios can work across routers that do not forward broadcasts:

Of course it works. But to allow NetBIOS's browse service to work (I mean browse network computers) you have to introduce WINS server on a dedicated PC and configure your clients to use it instead of broadcasts. That's not interesting.

It would be nice if there were a one-click enable broadcast forwarding button for those who feel they need it, but I think you will find it is not at the top of most people's wishlists, if its even on their wishlist at all.

Thanks for an answer on my 1st question in this topic.

You can assign more than one IP address to a bridge, or an ethernet, but unless you set up static leases, the dhcp server won't know what particular subnet it should hand to a client. And note that you would have the same problem if the router were forwarding broadcast packets. The DHCP request would appear in all the subnets that the broadcasts are being forwarded to, and whichever dhcp server was fastest in responding is the one the client will probably accept a response from. You could hope that this would be the "local" dhcp server, but there would be no guarantee.

Yeah, I know theory on how DHCP works. But just imagine that I disable UDP packets 67/68 to pass through bridge and installed its own DHCP on each of the segments with its 5 non-overlapping IP pools. It looks like everything will work smooth, won't it? And now imagine I moved all these 5 DHCP servers inside bridge, just before rule which drops UDP packets 67/68: that's would be great: just now I saved on buying 5 DHCP servers.

Just interesting why there is no option to tie DHCP server to a particular interface of a bridge. I understand that this might be technically not simple due to linux kernel architecture, but why there is no option in DHCP server software to process requests on a packet mark, for example?

You can use ip chains with the bridge; on the filters tab, you can do layer-2 firewall stuff (such as blocking ARP packets), for layer-3 firewalling between bridge ports you have to go into the bridge settings and check "use IP firewall". (in winbox, in bridge, on the bridge tab, there is a settings button). and then configure the IP firewall as normal.

Going to follow this way.

Run the openVPN on the bridge, rather than on the individual ports.

Going to follow this way.

You can try running the DHCP server on the individual ports instead of on the bridge, but I suspect you won't get what you want.

Is not working.

It sounds like you are wanting clients on different ports to be in different subnets, but you otherwise want them to act like they are bridged together. Is there some reason they can't all just be in the same subnet?

As I stated before: for tight filtering between segments.

Put another way, by using bridge, and assigning multiple IP addresses from different subnets to it, you are effectively doing the same thing as forwarding broadcast packets, if you add firewall rules to block packets originating from the "wrong subnets" from transiting the bridge.

Switched to bridged mode, now writing bunches of filters.

Thanks all of you for hints.

I have found easiest way to do this:

1. Download all packages for your routeros version.
2. Extract and install on your router package named "Multicast".
3. Enable PIM and IGMP Proxy for all ports (interfaces).

As a test case: create Quake3 server on a computer form Subnet A and try to connect server from Subnet B without specifying the IP address. UDP broadcast server discovery must work.

Anyway this works for me

Hey people! Did anybody try to do, what I say in previous message? Does it work for you?
I just want to get your feedback.

I want to try that! Will test thankyou!

Borizo - your question is basically similar to:
I have a lot of nails, and so I want to buy a screwdriver to install them. Is phillips head or flat head better for driving nails?

One of the primary reasons to create a subnet is blocking broadcasts between the networks.
If you need two groups of computers to see each others' broadcasts, then your design should be to place them into the same broadcast domain.

If you want name resolution on your hosts between the subnets, then you need to use a layer3-aware naming service (such as DNS) to do the job.
If you want a layer2 broadcast naming service, then use layer2.
Don't eliminate layer2 only to bend layer3 into a Frankenstein's monstrosity that acts exactly like layer2 because you don't want to implement proper layer3 solutions.

There are some interesting exceptions - centralized DHCP servers, for instance, but these are usually a "many-to-one" type of application.

As has been mentioned in this thread earlier: multicast is the way to get the best of both worlds, but your application must support multicast.

As has been mentioned in this thread earlier: multicast is the way to get the best of both worlds, but your application must support multicast.

Thank you for your opinion after 3 years after closing subject. 3 years ago I resolved my configuration, what I marked in the topic with:

Switched to bridged mode, now writing bunches of filters.

Actually four and half years...