I have a setup with two WAN connections. Each subnet has its own WAN interface. The PPPoE-TelekomDSL WAN interface is a PPPoE connection from the central RB750GL router. It is the WAN interface for the Telekom subnet.
The second WAN interface is a gateway router (192.168.0.240) doing its own PPPoE connection. The gateway router is located in the second subnet and is not directly connected to the central router. Both subnets can go online over their own WAN connection.
Now I want to analyze my firewall setup on the MikroTik PPPoE connection. Thus I do an nmap scan from the subnet 192.168.0.0/24 to the WAN IP of the PPPoE-TelekomDSL connection. That works, but the packets go the direct way from the RB750GL to the PPPoE connection. I'd like to have them leave via gateway 192.168.0.240 and then enter my home net via the Telekom ISP, so that I can simulate the normal way of attacking.
In my opinion the dynamic route is the problem, as it tells the packets to go the short way?!
Sorry if my previous post showed up. I deleted it, because I realized after reading through your post a couple more times that it was not the solution you needed.
You run into a bit of a tricky situation here, in that I assume you don't want to divert ALL your traffic from the Telekom subnet out the second ISP. I would suggest that you create the necessary rules to divert only the IP address of the computer you are using for nmap out the second ISP, and enable the rules only when needed. Let's assume that 192.168.128.100 is your testing computer and 10.10.10.10 is your public IP. You might give this a try:
The first command creates the mangle rule that catches any traffic coming from your test computer which is destined for the public IP address, and then adds a routing mark. The second command creates the entry in the routing table which matches a destination of the public IP and the routing mark. This should send your testing traffic out the second ISP.
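The two commands the reply describes, written out here as an added example in RouterOS v6 CLI syntax (these are not the poster's own commands, which do not appear on the page). It assumes the test host 192.168.128.100, the public IP 10.10.10.10 and the routing-mark name table_PenetrationTesting from the reply, and the second-ISP gateway 192.168.0.240 from the question; the rules are created disabled so they only take effect while a test is running.

```routeros
# Added example (RouterOS v6 syntax), not the original poster's commands.
# Assumed values: test host 192.168.128.100, public IP 10.10.10.10,
# second-ISP gateway 192.168.0.240, routing mark "table_PenetrationTesting".

# 1. Mark traffic from the test host to the public IP so it is looked up in
#    its own routing table. prerouting sees forwarded LAN traffic;
#    passthrough=no stops further mangle processing for the matched packet.
/ip firewall mangle
add chain=prerouting src-address=192.168.128.100 dst-address=10.10.10.10 \
    action=mark-routing new-routing-mark=table_PenetrationTesting passthrough=no \
    comment="pentest: divert to second ISP" disabled=yes

# 2. Route for the marked traffic via the second gateway (only the one /32).
/ip route
add dst-address=10.10.10.10/32 gateway=192.168.0.240 \
    routing-mark=table_PenetrationTesting \
    comment="pentest: divert to second ISP" disabled=yes

# Enable both rules for a test run, then disable them again afterwards.
/ip firewall mangle enable [find comment="pentest: divert to second ISP"]
/ip route enable [find comment="pentest: divert to second ISP"]
# ... run nmap from 192.168.128.100 against 10.10.10.10 ...
/ip firewall mangle disable [find comment="pentest: divert to second ISP"]
/ip route disable [find comment="pentest: divert to second ISP"]

# Checks: the mangle packet counter must increase during the scan, and the
# marked route must show the second gateway as reachable.
/ip firewall mangle print stats where comment="pentest: divert to second ISP"
/ip route print detail where routing-mark=table_PenetrationTesting
```

Two caveats a practitioner should keep in mind with this setup. First, 10.10.10.10 is an address the RB750GL itself holds on the PPPoE interface, so a LAN packet addressed to it is delivered to the router locally (input chain) instead of being forwarded; a routing mark does not change which addresses are local, so the packet never reaches the second gateway. Second, in RouterOS v6 a lookup in a marked table that finds no matching route falls back to the main table rather than failing, so removing the marked route does not by itself produce an unreachable result. To actually exercise the WAN-facing firewall from outside, run the scan from a host whose default path already leaves through 192.168.0.240, or from a host on the Internet.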
So the mangle rules work properly; I see the increasing counter. But still there is only one hop to the destination IP. The route is added in the correct table.
Now if I disable the route, the result is still the same. It seems to me like the routing doesn't work…
But if I set the routing mark for these packets, then only the 'table_PenetrationTesting' routing table is valid for them. So having no route in this table must lead to an unreachable error?!
All other tables are ignored in that case I think…
0 A S dst-address=x.x.x.x/32 gateway=192.168.0.240
gateway-status=192.168.0.240 reachable via ether2_homenet distance=1
scope=30 target-scope=10 routing-mark=table_PenetrationTesting
Lately I have thought about that problem again. It must be a kind of privilege problem. Because the PPPoE connection creates a DAC route, this DAC route is always preferred, as my target IP can be reached over it (the target IP is the externally visible IP of the PPPoE connection).
Even routing marks get ignored, I think. This would explain why the target IP responds to pings even if the routing table from the routing mark has no entry…