Have VLAN IP But Can't Get Traffic Going

I posted in another thread about getting a VLAN35 from Bell internet going.
Well I have achieved success and can pull an IP from Bell BUT cannot get any internet traffic rolling.
I’m posting a few pics that will hopefully answer some obvious questions anyway.

  1. I was using the one masquerade default rule to cover off both WANs I have, cable and FibreOP. This was done by stating both VLANBELL and Cable were on the WAN Interface List and then in the Masquerade rule stating the OUT-INTERFACE LIST as WAN. Just in case this was not good enough I used the OUT-INTERFACE tab and put each WAN as a separate masquerade rule.

  2. I also created two ROUTES, one for each WAN, first was vlanbell with distance of 1 and ping gateway, second was cable with distance of 2.
    I did notice that the router tends to create its own routes anyway and I hope it knows to follow my failover routing attempt.

  3. For DNS the only funky thing I did was add google 8.8.8.8 as a DNS server.

  4. You will note Cable is down on the jpegs as I can only have one ISP running on my test setup. You should know that my cable setup provides internet traffic without any issue. That is what is burning me at the moment because I treat both the same in most respects??

  5. The compact rsc file is provided but if you need verbose on something specific, I can provide that/those sections…

  6. This is not IPTV; there is no requirement for any VLAN traffic on the LAN. Thus there is no connection on the LAN to the VLAN. My current router (Zyxel) has no such connection, but perhaps the MikroTik does???

compactnotyet.rsc (5.76 KB)
notyet44.jpg
notyet11.jpg
notyet33.jpg
notyet2.JPG

Hey Anav,

Let’s try and cut some fat off first.
Those routes are confusing to look at, can you first remove the “add default route” option if you are specifying your own? I haven’t pulled off your RSC file yet but will do (shortly) to see how you are connecting on the WANS but if they are DHCP client or PPP clients then there is an option to not add default routes.
That will then the box out a bit for you and make things easier to pick through from your routing perspectives.

You’re absolutely on the money with how your failover should work, distance 1 with check gateway and second route as distance 2.

DNS, absolute bugbear of mine, why use Google? Not that it makes any difference in your issues, but why? Is Google’s genuinely the fastest to respond to you? I generally use my ISP for mine as they are the fastest to respond, 2ms compared to 11ms from Google! <<Yeah, bugbear and not of any importance to your situation.

Point number 6 didn’t mean a lot to me when reading it, so you are saying that you don’t need to deliver the VLAN onto the LAN? It is purely there because that’s how the provider needs you to configure?

Hi Steve,
No worries, I am not stuck on Google, I just added it in case DNS was an issue for some reason. I do occasionally use OpenDNS Home just because it tends to help clean up traffic, if only a little, and I can’t see any objection to using them, or should I??

Okay, sorry, you’re right, I should clean up my comments, I can see how they may add confusion. For me it was clarity, LOL, as I wanted to make sure I knew which rule stemmed from the default rule for copy and paste reasons (you know which setup worked and copy that to the other LAN or route, so to speak).

I don’t use PPP or anything like that. Everything is straight ethernet, DHCP etc… including the current router.
Zyxel router - WAN is set to static client with settings 0.0.0.0 and netmask 0.0.0.0 and vlan35 is attached to this WAN
MIKROTIK router - couldn’t find how to set static client LAN to WAN interface like the above, so I basically just added the WAN interface, then attached VLAN35 to it and managed to pull an IP.

For item 6, just to state the VLAN internet connection has no value past the router. None of the pcs, devices or LAN traffic have any association with vlan35. It is basically used by the router to a. gain an IP and b. to access the BELL internet which runs on VLAN35.

OK,
I kind of meant to get rid of the router-generated default routes. As you are creating your own then you don’t need them and they may be working against you. I think looking at your RSC file you have a dhcp-client on both an ether and a vlan; edit those dhcp-clients and select no to add default route. That should clean your routes table up a little.

Traffic won’t start going through it simultaneously as you have the setup as master-failover. If you temporarily disable the main gateway the ip route table should change your bell route to black and start working.

Hi Steve, okay I will try and clean up the routes situation and see what happens.

Also try with rp-filter=loose or no in /ip settings

Update Steve..

Actions taken.

  1. Attempted to remove Default Routes created by Router from IP/Routes page. First I unchecked the USE DEFAULT route in IP DHCP Clients for both WANs. On the IP Route page, VLANBell default route was deleted without issue. Was unable to delete EASTLINK created default route as the connection was live. I thus unplugged the Eastlink WAN connection; the default route stayed. I thus had to remove Eastlink as a DHCP client, rebooted the router and then reinstalled EASTLINK as a DHCP client. This effectively got rid of that lingering default route in IP route page.

The two routes I had created using the Mangle rule, are still at the top.
I then plugged the Eastlink WAN interface back in. The router pulled an IP and it created a route entry in the Table under my created one, both turned black and the one created adopted the distance=2 entry. I think this is working properly and no sign of the extra default route anymore.

Good news right!! WRONG… no traffic on the LAN. Just like my VLANbell connection.
Stumped me. I tried rebooting the router, I rebooted the PC, disabled and enabled adapter settings, no dice to get any traffic going.

  2. Faced with an interface that easily pulled an IP but yielded no traffic (plain jane vanilla DHCP cable connection) I decided to (modify) try and add the route/mangle mark routing trick that I did for email traffic, - to the routes I created for the two WAN interfaces..

[new]
IP Mangle rule
prerouting
source - 0.0.0.0
In-Interface List - LAN
Action: mark routing
name: Lan_2_Wan

[modify]
IP route rule 1
destination 0.0.0.0
Gateway eastlink
distance 1
ping gateway - yes
marking - Lan_2_Wan
IP route rule 2
destination - 0.0.0.0
Gateway vlanbell
distance=2
marking - Lan_2_Wan

Results: Still no joy, no traffic on Eastlink. back to square zero LOL

++++++++++++++++++++++++++++++++++
CZFan, thanks for the input. Why do you suppose strict RP filtering may be an impediment to LAN to WAN and WAN to LAN traffic??
I will try that tonight.

“Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. If using asymmetric routing or other complicated routing or VRRP, then loose mode is recommended.”

thanks CZFan also watching videos from Greg S, which may provide some clues.
What is interesting is that when I run a PC diagnosis on the network the problem is stated as not being able to resolve DNS.
This makes me think that disabling remote DNS is perhaps an error.

  1. Should I
    a. make the gateway for each LAN, 192.168.0.1 and 192.168.2.1 respectively, the DNS address
    b. turn on remote DNS entries, something about caching being faster as well.

(from my compact config currently have
/ip dns
set servers=8.8.8.8
/ip dns static
add address=192.168.0.1 name=router.lan )

  2. Also noted is the masquerade rule I have
    ( ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade"
    out-interface=Eastlink
    add action=masquerade chain=srcnat out-interface=vlanbell )

would it be better NOT to state the out-interface??
and instead
add action=masquerade chain=srcnat comment="Homelan"
source address 192.168.0.0/24, destination address 0.0.0.0/0
add action=masquerade chain=srcnat comment="DMZlan"
source address 192.168.2.0/24, destination address 0.0.0.0/0

Start from the router and work backwards.

from Router / Terminal, can you ping 8.8.8.8? Can you ping www.google.com? Traceroute?

Once you have internet there, then go to workstations behind router

Under IP>DNS check “Allow Remote Requests”. Without this checked your devices cannot use the router for DNS. Just be sure that your firewall rule blocks DNS requests from the internet.
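The DNS and NAT points above, written out as RouterOS CLI, as an added example that is not from any post in this thread. It assumes the default “WAN” and “LAN” interface lists the poster already uses, and it keeps the poster’s 8.8.8.8 forwarder. Two caveats worth showing in config rather than words: allow-remote-requests=yes makes the router answer DNS for anyone who can reach it, so the drop rule must sit on the WAN side; and a raw prerouting drop of port 53 that is not limited to the WAN list also drops the LAN clients’ queries to the router itself, which looks exactly like “cannot resolve DNS” on a PC.

```routeros
# Added example, not the thread's own config. Interface lists WAN and LAN are assumed to exist.

# 1. Let LAN clients use the router as resolver. The router forwards to 8.8.8.8 (poster's choice).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8

# 2. Refuse DNS that arrives on an uplink, so the router is not an open resolver.
#    Limit the match to in-interface-list=WAN; a bare dst-port=53 drop in raw/prerouting
#    would also discard the LAN clients' queries to the router.
/ip firewall raw
add chain=prerouting action=drop protocol=udp dst-port=53 in-interface-list=WAN comment="no DNS from internet"
add chain=prerouting action=drop protocol=tcp dst-port=53 in-interface-list=WAN comment="no DNS from internet"

# 3. One masquerade rule keyed on the outgoing interface list covers both uplinks.
#    Masquerading by source subnet with no out-interface (the alternative floated later in the
#    thread) would also rewrite Homelan<->DMZlan traffic, hiding the real client address from
#    the DMZ hosts and from your own logs, so the interface-list form is preferable.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade both WANs"

# Check: queries from a LAN host should be answered, queries to the WAN address should time out.
/ip dns cache print
```

Rules are evaluated top to bottom and `add` appends, so check `/ip firewall raw print` afterwards to confirm nothing earlier in the chain accepts port 53 from WAN.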

Hi 2 frogs I checked allow remote requests with no luck. Yes I have RAW prerouting rules to drop tcp/udp 53.

I also tried every possible combination of every rule with no luck. Couldn’t ping 8.8.8.8 at all. I was always able to ping 192.168.0.1 and 192.168.2.1 with no issues.

I am back to square 1 as am locked out of winbox and have to reset to defaults.
May have to take a couple of weeks off, a most frustrating outcome due to very incomplete documentation.

Another thing I see is your routes. Instead of using the interface name, use the gateway ip given under dhcp-client status.

Okay, I reset to defaults and created my two WANs and two LANs from scratch, adding the extra WAN and LAN first and then modifying the default WAN and LAN.
The good news is that I got the Cable network to come up right away with the initial default settings. IP acquired, internet access successful.
I then started to change the default settings to see where things would break.

  1. Created static routes
    (destination 0.0.0.0/0, gateway vlanbell, distance 1, ping gateway)
    (destination 0.0.0.0/0, gateway EASTLINK, distance 2)

At this point I noted that even though I put in static routes, the Cable connection I had seemed to create its own route anyway. (HINT).
By the way 2 frogs, if one sets up a static route rule for a dynamic IP address, putting in the GATEWAY and Destination as I have makes way more sense than, after the fact, every time there is an IP change having to go back and change the ISP IP address.

  2. I checked the default DNS settings and yes, allow remote requests was checked off and left it as default (but added my raw prerouting drop rules for tcp/udp 53)

  3. Since I had good internet and my static routes were not being used I figured the issue was… IP DHCP client settings…
    I confirmed that USE PEER DNS, NTP were checked off as per default (as in checkmark in the box).
    Also, USE Default Route was checked off.

******* As soon as I Unchecked use Default Route and Use peer DNS, I lost my ability to get to the internet from my PC.
What is particularly frustrating is I had to leave before I could sort out which of the two is the real issue.
I suspect its the Default Route.

WHERE IS THE DEFAULT ROUTE RULE PROGRAMMED. I want to see what is so fricken special about this route rule that works whereas the static route I create do not work.

The default route can be found in IP>Routes. In one of your screenshots you posted originally, the default route is the third one down. It has a flag of “DS”. The “D” = Dynamic, and is what is created when use default route is checked. You might note on that screenshot and on that default route you marked out the gateway IP. The interface name that is beside the IP you marked out gets filled in automatically.

Again if you set your default route as:
0.0.0.0/0 gateway=(IP address) the route will work.

Hi Two frogs, the point is that I do not want to use the default route from the router.
I want to create either one or two static route(s) and UNCHECK use default route under the DHCP client selection.
BUT my static route of
destination: 0.0.0.0/0
Gateway: Eastlink
is not working :(
I am suspecting that using the Interface name under gateway is not the right move??

My plan was as follows
destination: 0.0.0.0/0
Gateway: vlanbell
Distance: 1
Ping gateway: yes

destination: 0.0.0.0/0
Gateway: Eastlink
Distance: 2

Plain and simple.
+++++++++++++++++++++++++++++++


Again, you have to use gateway ip in your static routes!!!

Edit: I see quotes are not working properly…

Your routes should be like:

destination: 0.0.0.0/0
Gateway: 1.2.3.4
Distance: 1
Ping gateway: yes

destination: 0.0.0.0/0
Gateway: 5.6.7.8
Distance: 2

Being the devil’s advocate.
Then why does the router let me choose the Interface??
If an IP is dynamic from the ISP, will that number not change? making my routing rule void??
Are you saying the ISP never changes its gateway address??

What irks me is that there is an expectation that I would know the gateway before actually connecting to the network.

If you are concerned with the above, then rather use dynamic default routes by enabling “Add default route” on DHCP / PPPoE clients; you can still specify the “Distance” if needed, also in client settings.
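Both ways of building the failover discussed in this thread, as an added RouterOS example that is not from any post here. Interface names vlanbell and Eastlink are the ones the poster uses; the two gateway addresses are placeholders that must be replaced by the values shown under Status in `/ip dhcp-client print detail`. It also shows why “Gateway: Eastlink” does not work: naming an interface as the gateway is only meaningful on a point-to-point link such as PPP or a tunnel. On an Ethernet or VLAN uplink the router has no next-hop address to ARP for, so the route looks fine in the table but packets for the internet never reach the ISP router. Variant B is the last post’s suggestion and is what to use when the ISP gateway may change; apply one variant, not both.

```routeros
# Added example, not the thread's own config. vlanbell = primary uplink, Eastlink = backup.
# 203.0.113.1 and 198.51.100.1 are placeholder gateway addresses.

# Variant A: static default routes with explicit next-hop IPs (2frogs' advice).
# The DHCP clients must then not install their own default routes, or the table gets two per WAN.
/ip dhcp-client
set [find interface=vlanbell] add-default-route=no
set [find interface=Eastlink] add-default-route=no
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping comment="primary via vlanbell (placeholder gw)"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 comment="backup via Eastlink (placeholder gw)"

# Variant B: let the DHCP clients add the default routes and only set their distance.
# A changed ISP gateway is then picked up on the next lease without editing any route.
/ip dhcp-client
set [find interface=vlanbell] add-default-route=yes default-route-distance=1
set [find interface=Eastlink] add-default-route=yes default-route-distance=2

# With two uplinks, strict reverse-path filtering (CZFan's point) drops replies that come back
# on the backup WAN while the best route to the sender points out the primary. Use loose.
/ip settings
set rp-filter=loose

# Checks: only the distance-1 route should be active (flag A); then test from the router before the LAN.
/ip route print where dst-address=0.0.0.0/0
/ping 8.8.8.8 count=3
/tool traceroute www.google.com
```

To watch the failover, disable the primary DHCP client for a moment and re-run the `/ip route print`; the distance-2 route should turn active and the ping should still succeed. In Variant B you cannot attach check-gateway to the dynamic route, so loss of the primary is detected only when the interface goes down, not when the link stays up but the ISP stops forwarding.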