Access PPPoE ip address over subnet

inquiery · October 28, 2014, 1:20am

Why does everything I post gets deleted?

Am I just to dumb to get the right to have a question here?
I’m trying to reach PPPoE clientes on a routerboard, throught a subnet on that same routerboard. I have DHCP server on the routerboard, once I connect my PC to it I can access the routerboard. I can see pppoe clientes connected, but the routeboard just don’t masquerade my traffic to the pppoe addresses. I have added my subnet to NAT rules, with masquerade and it won’t work. It works to access every other subnet on the routerboard, but not for pppoe clientes.
How can I do that?

jacekes · October 28, 2014, 8:27am

I guess you’re not being clear enough.
You are connected to the same router as the PPPoE clients?
Why are you trying to masquerade your traffic when it can simply just be routed?
Do the PPPoE clients have any firewall? Are the IP addresses of PPPoE clients properly visible in the status of PPPoE connections?

If I’m being wrong anywhere, please attach a schematic of the network connections.

inquiery · October 28, 2014, 1:17pm

Hi.
Yes, I am connected to the same router as the PPPoE clients, it’s a CRS125-24G.
I wasn’t trying to masquerade the traffic, not at first. But for some reason, if I don’t add that rule on NAT, my PC won’t get routed to any other network. My PC is connected to a port that is part of a switch configuration, porta 7-24 are switched, isolated, and I added cpu port also, so the switch traffic can be processed by RouterOS. PPPoE clientes are on port 20, and my PC on port 24. My PC have no direct access to port 20 as the switch are configured with ports isolated, so it must be routed by RouterOS.
The PPPoE clientes have no firewall, I can ping them from inside winbox or terminal, they respond normaly. But my PC can’t ping them, even tho it can ping other devices connected to the same ports in the switch.
The PPPoE clientes have their IP visible on routeros (PPP → Active Connections).

I drew a simples schematic on Paint. On the schematic, my PC gets routed to the “Test notebook” that is on another network, and to the “Other device”, that is also on a different network.

jacekes · October 28, 2014, 2:46pm

Post the output of /ip route print and /ip firewall nat print
Can the PPPoE clients access internet or WAN through the CRS?
From what you’ve written by now, it should all work properly.

inquiery · October 28, 2014, 3:45pm

The 10.254.0.0/24 is from a pool used for a DHCP server (my PC gets IP from that DHCP).
The 192.168.12.0/24 and 192.168.13.0/24 are PPPoE pool.
I also copied the result of “ip firewall mangle”, where I mark routing from addresses lists that are created dynamically. I use user-manager routeros package, for radius server, and I created users with limitations that add them to specific address list, so I can route each user to a different gateway at my choice.

The PPPoE clients can access internet normaly.

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade src-address=10.254.0.0/24 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=192.168.12.0/24 log=no log-prefix="" 

 2    chain=srcnat action=masquerade src-address=192.168.13.0/24 log=no log-prefix="" 

[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Mark traffic for "addrlist-g1" address list with "routing-g1" routing mark
      chain=prerouting action=mark-routing new-routing-mark=routing-g1 passthrough=yes 
      src-address-list=addrlist-g1 log=no log-prefix="" 

 1    ;;; Mark traffic for "addrlist-g2" address list with "routing-g2" routing mark
      chain=prerouting action=mark-routing new-routing-mark=routing-g2 passthrough=yes 
      src-address-list=addrlist-g2 log=no log-prefix="" 

[admin@MikroTik] /ip route> pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.1.1               1 (this one is for "routing-g1" routing table)
 1 A S  0.0.0.0/0                          192.168.201.254           1 (this one is for "routing-g2 routing table)
 2 A S  0.0.0.0/0                          192.168.1.1               1
 3 ADC  10.254.0.0/24      10.254.0.1      ether7                    0
 4 ADC  192.168.1.0/24     192.168.1.13    wlan1                     0
 5 ADC  192.168.12.251/32  10.10.1.1       <pppoe-xxxxxxxx...        0
 6 ADC  192.168.12.254/32  10.10.1.1       <pppoe-xxxxxxxx...        0
 7 ADC  192.168.20.0/24    192.168.20.3    ether7                    0
 8 ADC  192.168.88.0/24    192.168.88.1    bridge1                   0
 9 ADC  192.168.100.0/24   192.168.100.3   ether7                    0
10 ADC  192.168.201.0/24   192.168.201.3   ether4                    0
11 ADC  192.168.254.1/32   192.168.254.1   Internal Bridge           0

[admin@MikroTik] /ppp active> pr
Flags: R - radius 
 #   NAME         SERVICE CALLER-ID         ADDRESS         UPTIME   ENCODING                                         
 0 R xxxxxxxxxxxx pppoe   xx:xx:xx:xx:xx:xx 192.168.12.254  1h12m36s                                                  
 1 R xxxxxxxxxxx  pppoe   xx:xx:xx:xx:xx:xx 192.168.12.251  30m22s

ether7 is the master-port for the switch created between ports 7-24.

[admin@MikroTik] /interface> pr
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0     ether1                              ether            1500  1588       4064 D4:CA:6D:FA:49:08
 1  RS ether2                              ether            1500  1588       4064 D4:CA:6D:FA:49:09
 2     ether3                              ether            1500  1588       4064 D4:CA:6D:FA:49:0A
 3  R  ether4                              ether            1500  1588       4064 D4:CA:6D:FA:49:0B
 4     ether5                              ether            1500  1588       4064 D4:CA:6D:FA:49:0C
 5     ether6                              ether            1500  1588       4064 D4:CA:6D:FA:49:0D
 6  R  ;;; MASTER - Full access 7-24
       ether7                              ether            1500  1588       4064 D4:CA:6D:FA:49:0E
 7   S ;;; SLAVE - Full access 7-24
       ether8                              ether            1500  1588       4064 D4:CA:6D:FA:49:0F
 8   S ;;; SLAVE - Isolated
       ether9                              ether            1500  1588       4064 D4:CA:6D:FA:49:10
 9   S ;;; SLAVE - Isolated
       ether10                             ether            1500  1588       4064 D4:CA:6D:FA:49:11
10   S ;;; SLAVE - Isolated
       ether11                             ether            1500  1588       4064 D4:CA:6D:FA:49:12
11   S ;;; SLAVE - Isolated
       ether12                             ether            1500  1588       4064 D4:CA:6D:FA:49:13
12   S ;;; SLAVE - Isolated
       ether13                             ether            1500  1588       4064 D4:CA:6D:FA:49:14
13   S ;;; SLAVE - Isolated
       ether14                             ether            1500  1588       4064 D4:CA:6D:FA:49:15
14   S ;;; SLAVE - Isolated
       ether15                             ether            1500  1588       4064 D4:CA:6D:FA:49:16
15   S ;;; SLAVE - Isolated
       ether16                             ether            1500  1588       4064 D4:CA:6D:FA:49:17
16   S ;;; SLAVE - Isolated
       ether17                             ether            1500  1588       4064 D4:CA:6D:FA:49:18
17   S ;;; SLAVE - Isolated
       ether18                             ether            1500  1588       4064 D4:CA:6D:FA:49:19
18   S ;;; SLAVE - Isolated
       ether19                             ether            1500  1588       4064 D4:CA:6D:FA:49:1A
19   S ;;; SLAVE - Isolated
       ether20                             ether            1500  1588       4064 D4:CA:6D:FA:49:1B
20   S ;;; SLAVE - Isolated
       ether21                             ether            1500  1588       4064 D4:CA:6D:FA:49:1C
21   S ;;; SLAVE - Isolated
       ether22                             ether            1500  1588       4064 D4:CA:6D:FA:49:1D
22   S ;;; SLAVE - Isolated
       ether23                             ether            1500  1588       4064 D4:CA:6D:FA:49:1E
23  RS ;;; SLAVE - Isolated
       ether24                             ether            1500  1588       4064 D4:CA:6D:FA:49:1F
24     sfp1                                ether            1500  1588       4064 D4:CA:6D:FA:49:20
25  R  wlan1                               wlan             1500  2290            D4:CA:6D:FA:49:21
26 DR  <pppoe-xxxxxxxxxxx>                 pppoe-in         1480
27 DR  <pppoe-xxxxxxxxxxxx>                pppoe-in         1480
28  R  Internal Bridge                     bridge           1500 65535            00:00:00:00:00:00
29  R  bridge1                             bridge           1500  1588            D4:CA:6D:FA:49:09

inquiery · October 30, 2014, 7:13pm

Well, I figured out why I was not being routed properly to other PPPoE addresses.
Turns out it was my 2 mangle rules

/ip firewall mangle add chain=prerouting scr-address-list=addrlist-g1 action=mark-routing new-routing-mark=routing-g1
/ip firewall mangle add chain=prerouting scr-address-list=addrlist-g2 action=mark-routing new-routing-mark=routing-g2

I just added

/ip firewall mangle add chain=prerouting dst-address=192.168.12.0/24 action=accept

at the top of those two and I can now reach (be routed to) every pppoe cliente on the 192.168.12.0/24 subnet.