config help request: reaching KMS servers through a particular interface

bajzaadmin · March 7, 2018, 12:29pm

Hey there!

I have a 2011UiAS routerboard, that serves as my gateway.

I want to add an interface, that would only be used for Microsoft KMS server authentication of the LAN clients (since the bandwidth of the service is abysma otherwisel) !
The interface would have its own static DNS and IP settings and would serve as our connection to a particular telco.

In pseudo code, here is what I am thinking:

IF PACKET FROM LAN INTERFACE WANTS TO REACH “KMS SERVER IP ADDRESS AND PORT” THAN ROUTE TO INTERFACE X.
LET KMS SERVER REACH CLIENTS ON LAN INTERFACE SO THE TCP SESSION CAN FINISH, AND CLIENTS CAN AUTHENTICATE ON DEMAND.

Can you guys help me out with a valid config?

Thanks in advance!

Kind regards,
IBR

Sob · March 7, 2018, 2:43pm

It’s simple policy routing. Connect the second interface and add route to KMS server (or just default one) in another routing table. Mark routing for packets to KMS to use this alternative route. And you’re probably done (unless some firewall rules need adjusting, e.g. if you had some interface based ones which would not allow to use the other interface).

bajzaadmin · March 8, 2018, 3:16pm

Hey there, thanks for the reply!

You assume that I am savvy enough to translate what you said into config.

I'll link my cfg export as well as most of the details; could you help me with an actual config pretty please?

Thanks in advance!

Kind regards,
IBR

Target telco router uses a public port with statis public IP addresses available, there is no NAT going on here.

I wish to use ethernet 3 as "to-KMS interface":
Static address: 195.199.158.84 / 29 (already set but disabled)
Gateway: 195.199.158.86
It uses its own DNS servers #These servers should only be used on this interface:
195.199.255.57
195.199.255.58
195.199.255.4

KMS server:
IP: 195.199.255.195
port: 1688

\

Here is my cfg export, I hid some of the details, but they are not related to firewall settings.

mar/12/2018 10:48:51 by RouterOS 6.41

software id = 5IAZ-WMI5

model = 2011UiAS

...
/ip pool
add name=dhcp_pool_1 ranges=192.168.249.1-192.168.251.254
/ip dhcp-server
add address-pool=dhcp_pool_1 disabled=no interface=ether5 lease-time=2d10m
name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.248.1/22 comment=LAN interface=ether5 network=
192.168.248.0
add address=192.168.3.1 comment=_To_sec_contractor_LAN interface=ether10
network=255.255.255.0
add address=195.199.158.84 comment=Sulinet interface=ether3 network=
255.255.255.248
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.248.0/22 dns-server=193.110.57.4,8.8.8.8 gateway=
192.168.248.1
...
/ip firewall mangle
add action=mark-routing chain=prerouting comment="routing mark for KMS"
dst-address=195.199.255.195 dst-port=1688 new-routing-mark=wan2KMS
passthrough=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT WAN1-hez" out-interface=
ether1 src-address=192.168.248.0/22
add action=masquerade chain=srcnat comment="NAT KMS-hez" dst-address=
195.199.255.195 out-interface=ether3
/ip route
add comment="KMS on ether3" distance=1 dst-address=195.199.255.195/32
gateway=195.199.158.86 routing-mark=wan2KMS
add distance=1 dst-address=192.168.3.0/24 gateway=ether10
....

Sob · March 8, 2018, 11:58pm

Actually, it can be even simpler, if all traffic to KMS server address can use second WAN:

/ip address
add address=195.199.158.84/29 interface=ether3
/ip route
add dst-address=195.199.255.195/32 gateway=195.199.158.86

If you’d want to only send specific port there, it can be done like this:

/ip address
add address=195.199.158.84/29 interface=ether3
/ip route
add dst-address=0.0.0.0/0 gateway=195.199.158.86 routing-mark=wan2
/ip firewall mangle
add chain=prerouting dst-address=195.199.255.195 protocol=tcp dst-port=1688 \
    action=mark-routing new-routing-mark=wan2

In both cases, you’ll most likely need masquerade on ether3.

bajzaadmin · March 12, 2018, 9:53am

Actually, it can be even simpler, if all traffic to KMS server address can use second WAN:
/ip address
add address=195.199.158.84/29 interface=ether3
/ip route
add dst-address=195.199.255.195/32 gateway=195.199.158.86
If you’d want to only send specific port there, it can be done like this:
/ip address
add address=195.199.158.84/29 interface=ether3
/ip route
add dst-address=0.0.0.0/0 gateway=195.199.158.86 routing-mark=wan2
/ip firewall mangle
add chain=prerouting dst-address=195.199.255.195 protocol=tcp dst-port=1688 \
    action=mark-routing new-routing-mark=wan2
In both cases, you’ll most likely need masquerade on ether3.

Hey there matey, thanks again!

I’ve configured what you’ve suggested, but the route seems to be “unreachable”.
Can you take a look at my cfg again? I’ve updated my previous post with the recent changes, and ommited irrelevant lines.

Thanks in advance!

Sob · March 12, 2018, 5:51pm

Change the address to:

/ip address
add address=195.199.158.84/29 interface=ether3

bajzaadmin · March 13, 2018, 8:24am

Many kisses on your forehead bröder, it works like a charm now !!

I must wonder, why on earth have I given a network mask when a network id was asked..

Anyhow, case is closed, KUDOS to you!