Make a static NAT with firewall using openvswitch

Hey, I want to create a static NAT with a firewall using openvswitch.

If something is missing, please ask in a comment. I can get you every piece of information you want. I appreciate every bit of help I can get.

My Setup
Mikrotik Routerboard (OpenWrt installed and the package openvswitch)
ovs-bridge over ports 2-5; port 1 is the management interface.
I've connected a laptop via port 2 and another laptop via port 3.

The Task
I want to use the SDN as a router. The laptop on port 2 uses as default gateway and the laptop on port 3 uses as default gateway. The goal is to add match-action rules so that the communication between port 3 and port 2 works.

What I have to do
Add match-action rules with the following characteristics:

  • The router autonomously responds to ARP requests for the IP addresses
  • There must be matches for the destination IP address that decrement the TTL and determine the corresponding output port.
  • Source and destination MAC addresses need to be changed because the SDN switch now operates at Layer 3.
  • The end devices do not specify the MAC address of the destination but rather that of the next hop (default gateway). Invent corresponding MAC addresses for the data plane ports of the switch based on its default MAC address.

What I tried
I need MAC addresses for the SDN, so let's take these:

  • MAC address for 00:11:22:33:44:55
  • MAC address for 00:11:22:33:44:66

The NAT rules:

I added the following rule:

ovs-ofctl add-flow ovs-br "arp,arp_tpa=,arp_op=1,actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:00:11:22:33:44:55,mod_dl_dst:NXM_OF_ETH_SRC[],move:NXM_OF_ARP_TPA[]->NXM_OF_ARP_SPA[],move:NXM_OF_ARP_SHA[]->NXM_OF_ARP_THA[],load:0x2->NXM_OF_ARP_OP[],load:00:11:22:33:44:55->NXM_OF_ARP_SHA[],load:0x0a0401fe->NXM_OF_ARP_SPA[],output:in_port"

This is the rule for

This rule's parameters are defined as:

  • arp_tpa=: Filters ARP packets with the destination IP address.
  • arp_op=1: Filters ARP Requests.
  • move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[]: Moves the source MAC address to the destination MAC address.
  • mod_dl_src:00:11:22:33:44:55: Sets the source MAC address of the reply.
  • mod_dl_dst:NXM_OF_ETH_SRC[]: Sets the destination MAC address of the reply to the source MAC address of the request.
  • move:NXM_OF_ARP_TPA[]->NXM_OF_ARP_SPA[]: Moves the target IP address to the source IP address.
  • move:NXM_OF_ARP_SHA[]->NXM_OF_ARP_THA[]: Moves the source MAC address to the target MAC address.
  • load:0x2->NXM_OF_ARP_OP[]: Sets the ARP operation field to Reply (2).
  • load:00:11:22:33:44:55->NXM_OF_ARP_SHA[]: Sets the source MAC address in the ARP packet.
  • load:0x0a0401fe->NXM_OF_ARP_SPA[]: Sets the source IP address in the ARP packet.
  • output:in_port: Sends the reply back to the input port of the ARP request.

When I try to add this rule I get the error:

ovs-ofctl: invalid mac address NXM_OF_ETH_SRC[]

So I need the correct rules for a working NAT. I don't know how to write the correct rules.

IP forwarding rules:
If the NAT rules work, then I need to define the forwarding rules because of my own MACs.
Rule for port 3 to port 2:

ovs-ofctl add-flow ovs-br0 "ip,nw_src=,nw_dst=,actions=dec_ttl,mod_dl_src=00:11:22:33:44:66,mod_dl_dst=00:11:22:33:44:55,output:2"

Rule for port 2 to port 3:

ovs-ofctl add-flow ovs-br0 "ip,nw_src=,nw_dst=,actions=dec_ttl,mod_dl_src=00:11:22:33:44:55,mod_dl_dst=00:11:22:33:44:66,output:3"

Now drop every packet with TTL = 0:

ovs-ofctl add-flow ovs-br0 "ip,nw_ttl=0,actions=drop"

ubus call system board

        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:4",
        "model": "MikroTik RouterBOARD 750Gr3",
        "board_name": "mikrotik,routerboard-750gr3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
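The error in the question comes from `mod_dl_dst:NXM_OF_ETH_SRC[]`: `mod_dl_dst` accepts only a literal MAC, and the preceding `move` into `NXM_OF_ETH_DST[]` has already set the Ethernet destination. As an added example that is not part of the question or of any reply, this POSIX shell script emits corrected flows for the ARP responder and the two routed directions, with explicit priorities and the integer encodings that `load:` requires. The subnets and laptop MACs are constructed placeholders; the switch MACs and 0x0a0401fe (10.4.1.254) are the question's own values.

```shell
#!/bin/sh
# Added example (not the poster's code): emits ovs-ofctl commands for a two-port L3
# "router" on an OVS bridge. Subnets and host MACs are constructed placeholders;
# 00:11:22:33:44:55/66 and 0x0a0401fe (10.4.1.254) are taken from the question.
BR=ovs-br0

ip_hex() {
    # 10.4.1.254 -> 0x0a0401fe, the integer form `load:` needs for NXM_OF_ARP_SPA
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '0x%02x%02x%02x%02x' "$1" "$2" "$3" "$4"
}

mac_hex() {
    # 00:11:22:33:44:55 -> 0x001122334455, the integer form `load:` needs for NXM_NX_ARP_SHA
    printf '0x%s' "$(printf '%s' "$1" | tr -d ':')"
}

arp_responder_flow() {
    # $1 gateway IP, $2 gateway MAC: answer ARP requests for $1 with $2, out the ingress port.
    # The move from ETH_SRC already sets the Ethernet destination; mod_dl_dst only accepts
    # a literal MAC (hence "invalid mac address NXM_OF_ETH_SRC[]"). SPA is copied to TPA
    # before it is overwritten, and ARP_SHA/THA are NXM_NX_* fields, not NXM_OF_*.
    printf '%s' "priority=200,arp,arp_op=1,arp_tpa=$1,actions="
    printf '%s' "move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:$2,"
    printf '%s' "load:0x2->NXM_OF_ARP_OP[],move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],"
    printf '%s' "move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],load:$(mac_hex "$2")->NXM_NX_ARP_SHA[],"
    printf '%s\n' "load:$(ip_hex "$1")->NXM_OF_ARP_SPA[],output:in_port"
}

route_flow() {
    # $1 ingress gateway MAC, $2 destination subnet, $3 egress gateway MAC, $4 next-hop
    # host MAC, $5 egress port. Only frames sent to the gateway MAC are routed; dec_ttl
    # itself handles TTL<=1 (sent to the controller, dropped when none is configured).
    printf '%s\n' "priority=100,ip,dl_dst=$1,nw_dst=$2,actions=dec_ttl,mod_dl_src:$3,mod_dl_dst:$4,output:$5"
}

emit_flows() {
    # Constructed topology: port 2 = 10.4.1.0/24 (gw .254), port 3 = 10.4.2.0/24 (gw .254)
    arp_responder_flow 10.4.1.254 00:11:22:33:44:55
    arp_responder_flow 10.4.2.254 00:11:22:33:44:66
    route_flow 00:11:22:33:44:55 10.4.2.0/24 00:11:22:33:44:66 aa:bb:cc:00:00:03 3
    route_flow 00:11:22:33:44:66 10.4.1.0/24 00:11:22:33:44:55 aa:bb:cc:00:00:02 2
    printf '%s\n' "priority=0,actions=drop"   # explicit default: everything else is dropped
}

# Print the commands; pipe this script's output into sh on the router to apply them.
emit_flows | while IFS= read -r flow; do
    printf 'ovs-ofctl add-flow %s "%s"\n' "$BR" "$flow"
done
```

Because the ARP and IP flows match disjoint traffic, the priorities only matter relative to the catch-all drop; `ovs-ofctl dump-flows ovs-br0` afterwards shows the packet counters per flow, which is the quickest check that each direction is hit.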

Please provide output of

ubus call system board

No problem, I have added it to the question. It's at the end of it.

The package you claim to have installed is not provided by
Can you elaborate?

I made a typo. It's openvswitch.

DSA ports are not the real ports OVS expects; namely, you don't get all packets once the DSA quickpath is set up. Even with your config getting packets to the CPU, your whole OVS switch will be degraded by the gigabit connection between the SoC CPU and the switch ASIC.