Inbound and outbound connections on the same gateway

Hello!

I posted a similar question in another thread, mixed with a UDP OpenVPN tunnel in an OpenWRT box, and got no answers. It is my fault for having mixed various potential problems together.

So, I am testing a simplified setup and asking for help.

This is the setup:

WAN --PPPoE–>RB3011---->LAN1---->router2---->LAN2

I have a double NAT in LAN2, but it is working for regular Internet clients connected to LAN2.

My problem is: When I try to connect one port of the RB3011 to LAN2 (that RB3011 port configured as a DHCP client), to access the Internet from the RB3011 through router2, it doesn't work. That RB3011 port gets a LAN2 IP address, but it can't access the Internet.

If that had worked, the path would be:

RB3011 ----> router2 ---->RB3011 ----> WAN

Is that possible?

Thanks!

I don't understand the explanation.
What device brand is router 2?

How can a port on the RB3011 get an IP address from Router1?
Don't you mean you want a device on router 1 (a PC or something) to be able to be attached to router 2's LAN?
Further, you want to be able to access the Internet from that device while connected to LAN2.

There are probably many ways to accomplish what you want,
but try to explain your user needs without any mention of network ports etc., the use case…

Router 2 is a TP-Link WR1043ND, with the OpenWRT firmware.


How can a port on the RB3011 get an IP address from Router1?

There is no Router1, only the RB3011 and Router2. A port on the RB3011 gets an IP address from Router2 by configuring it as a DHCP client.


Don't you mean you want a device on router 1 (a PC or something) to be able to be attached to router 2's LAN?

No, I want a device on the RB3011 to be able to access the Internet, passing all traffic through Router2.


Further, you want to be able to access the Internet from that device while connected to LAN2.

It is already working, a computer connected to LAN2 is able to access the Internet.


There are probably many ways to accomplish what you want,
but try to explain your user needs without any mention of network ports etc., the use case…

Ok.
The objective is to have some computers in my network connecting to the Internet only through an OpenVPN tunnel, while having other computers connect without passing through the VPN.

My VPN service (AirVPN) only provides access using OpenVPN with certificate authentication, and MikroTik RouterOS does not support it.

My plan is to use the TP-Link WR1043ND with the OpenWRT firmware only to establish the OpenVPN connection. So I will route to the WR1043ND only the traffic I want to go through the VPN.


Apart from the computers, I will only have 3 network devices: fiber modem, RB3011 and WR1043ND.

The RB3011 establishes a WAN PPPoE connection through the fiber modem. All my computers are connected to the RB3011. The WR1043ND will only be connected to the RB3011, one inbound and one outbound connection. Please see below how I am planning it:

Until now, I only managed to have the following configuration working:




Thank you!

If all traffic from the second computer is to go via the WR1043 either put a few ports in a separate bridge on the RB3011, or change the existing bridge to be vlan-aware and use VLANs. No need for any DHCP, NAT, etc. as those few ports are effectively operating as an unmanaged switch.

If some of the traffic from the second computer is to go via the WR1043 it is effectively a dual-WAN setup, but with mangle rules marking traffic to go via the WR1043 (and VPN) rather than the more usual load-sharing or failover setups - you just have to decide how to identify the traffic to be marked, it could be by destination address and/or TCP/UDP port(s) for example. You can eliminate the double NAT if this “second WAN” on the RB3011 has a static address from the WR1043, and a static route is added on the WR1043.

Excellent description and diagrams, thank you!
Concur with TDW: two separate bridges or VLANs (I prefer a single bridge and VLANs).

I am trying something like your second suggestion, with mangle rules marking traffic to go via the WR1043, based on the source IP address.

The above figure is a simplification of my network, as I have tens of devices connected to different LANs. I have separate LANs for:
LAN1 - wireless network
LAN2 - desktops and printer
LAN3 - CCTV
LAN4 - IOTs
Please, see the figure below:

I would like to choose some devices of different LANs to have all traffic through the VPN, using mangle rules.

The problem is that I don’t know how to configure the connection between the RB3011 and the WR1043.

I tried the following steps:

1- Create a new LAN5 in the RB3011 (port 10), similar to the LAN1-LAN4, to be the WR1043 “WAN”;
2- Connect the WR1043 to that LAN5 to access the Internet;
[here, if I connect a computer directly to the WR1043 LAN it works as expected, connecting to the Internet through the VPN]
3- Configure a DHCP client on the RB3011 (port 3) and connect it to the WR1043.
Here is the problem! The RB3011 port 3 gets a valid IP address from the WR1043 DHCP server, and the RB3011 can ping the WR1043, but it cannot ping the Internet.

A computer connected to the WR1043 can access the Internet, but the RB3011 connected to the WR1043 as a client cannot.

I am testing the Internet connection from the RB3011 using the ping tool, choosing the port 3 (the configured DHCP client) as Interface.

To keep the requirement clear, would this be correct?

(1) I wish to use an existing router I have, that does OpenVPN, but behind the RB3011.
(2) I wish to be able to direct various devices on different VLANs to use the OpenVPN connection.

Assumptions
The other router has to be in router mode to access its OpenVPN functions
It is not possible to put all devices that require VPN into the same VLAN on the RB3011

How to direct those devices to the OpenVPN router and then out to the Internet needs to be solved.

Thank you very much, it is correct and much more clear.

To direct the traffic of some devices to the OpenVPN router I am using some mangle rules, and it seems there is no problem here:

/ip firewall mangle  
add chain=prerouting connection-mark=no-mark dst-address-type=!local src-address=10.0.1.190 action=mark-connection new-connection-mark=AIRVPN_conn passthrough=yes
add chain=prerouting connection-mark=AIRVPN_conn action=mark-routing new-routing-mark=to_AIRVPN

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_AIRVPN

The problem is that when the traffic goes from the RB3011 through the OpenVPN router, I have no Internet access.

If I connect a computer direct to the OpenVPN router, I can access the Internet.

The problem I am having is figuring out how to direct certain VLAN IPs, devices on different VLANs, to get routed through the OpenVPN router, but not all the time.

Can you confirm that those IP addresses ONLY require VPN access through the OpenVPN, or are they expecting to have normal activity through the RB otherwise?

a. locked in IP for no other purpose that VPN or
b. multi-use…

Those devices only require VPN access through the OpenVPN. All traffic to the Internet from these IP addresses will go through the OpenVPN, all the time.

Edit: Apart from the Internet connection through the OpenVPN, those devices must communicate with other hosts in my network, like file server, printer, etc.

Okay got it,
Fixed list of IPs from various vlans for any internet traffic require to be routed through the OPEN VPN router, otherwise normal LAN to LAN traffic.
As described to me in general.
(1) Create another route, other than the default route which identifies a pathway to all destinations via the IP address of the OpenVPN router.
(2) Mangle traffic in pre-routing such that traffic not intended for local subnets from those IPs is captured/marked
(3) Associate such traffic with the new route.

I did all those steps and it doesn't work. Please see below the commands that I used:

Step 0a - create on the ether10 of the RB3011 a LAN 5 to provide Internet access to the WR1043.

/ip address
add address=10.0.5.1/24 interface=ether10 network=10.0.5.0

/ip pool
add name=lan5_dhcp_pool ranges=10.0.5.210-10.0.5.250
/ip dhcp-server
network add address=10.0.5.0/24 gateway=10.0.5.1 dns-server=8.8.8.8 comment="LAN 5"
add name=lan5_dhcp_server interface=ether10 address-pool=lan5_dhcp_pool disabled=no 

/ip firewall
address-list add list=vpn_address_list address=10.0.5.0/24
filter add action=accept chain=forward src-address-list=vpn_address_list out-interface-list=WAN comment="Allow LAN 5 access to Internet"

Step 0b - connect the ether3 of the RB3011 to the WR1043 LAN - it is the entry point to the OpenVPN tunnel.

/ip address
add address=10.1.0.2/24 interface=ether3 network=10.1.0.0

Step 1 - Create another route, other than the default route which identifies a pathway to all destinations via the IP address of the OpenVPN router.

/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 distance=2 pref-src=10.1.0.2

Step 2 - Mangle traffic in pre-routing such that traffic not intended for local subnets from those IPs is captured/marked

/ip firewall mangle  
add chain=prerouting connection-mark=no-mark dst-address-type=!local src-address=10.0.1.228 action=mark-connection new-connection-mark=AIRVPN_conn passthrough=yes
add chain=prerouting connection-mark=AIRVPN_conn action=mark-routing new-routing-mark=to_AIRVPN

Step 3 - Associate such traffic with the new route.

/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 distance=1 pref-src=10.1.0.2 routing-mark=to_AIRVPN

Same situation: if I connect the laptop directly to the WR1043 it works.

But if I connect the laptop to the RB3011 (getting the IP 10.0.1.228), it doesn't access the Internet.

Listing partial rules never helps me
/export hide-sensitive file=anynameyouwish

Not positive but likely your firewall rules get in the way.

Yes, probably, it is a mess…

# dec/08/2020 17:51:32 by RouterOS 6.47.8
# software id = 03Q9-KY1R
#
# model = RouterBOARD 3011UiAS
# serial number = 7810087375DE
/interface lte
set [ find ] name=lte1
/interface pppoe-client
add disabled=no interface=ether1 keepalive-timeout=disabled name=\
    pppoe-telecom_dados user=XXXXXXXXXXXX
/interface ethernet switch
set 0 mirror-source=ether1 mirror-target=ether5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=CCTV
add name=DMZ
add name=WLAN
add name=AIRVPN_OUT
add name=AIRVPN_IN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add address=10.0.77.2 address-prefix-length=32 name=rodpp split-include=\
    10.0.0.0/16 static-dns=10.0.2.1 system-dns=no
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add name=ike2 pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=wlan_dhcp_pool ranges=10.0.1.201-10.0.1.250
add name=lan_dhcp_pool ranges=10.0.2.201-10.0.2.250
add name=cctv_dhcp_pool ranges=10.0.3.201-10.0.3.250
add name=dmz_dhcp_pool ranges=10.0.4.201-10.0.4.250
add name=ike2-pool ranges=10.0.77.2-10.0.77.254
add name=lan5_dhcp_pool ranges=10.0.5.210-10.0.5.250
/ip dhcp-server
add address-pool=wlan_dhcp_pool disabled=no interface=ether6 name=\
    wlan_dhcp_server
add address-pool=lan_dhcp_pool disabled=no interface=ether7 name=\
    lan_dhcp_server
add address-pool=cctv_dhcp_pool disabled=no interface=ether8 name=\
    cctv_dhcp_server
add address-pool=dmz_dhcp_pool disabled=no interface=ether9 name=\
    dmz_dhcp_server
add address-pool=lan5_dhcp_pool disabled=no interface=ether10 name=\
    lan5_dhcp_server
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether7 list=LAN
add interface=pppoe-telecom_dados list=WAN
add interface=ether6 list=WLAN
add interface=ether8 list=CCTV
add interface=ether9 list=DMZ
add interface=lte1 list=WAN
/ip address
add address=10.0.1.1/24 interface=ether6 network=10.0.1.0
add address=10.0.2.1/24 interface=ether7 network=10.0.2.0
add address=10.0.3.1/24 interface=ether8 network=10.0.3.0
add address=10.0.4.1/24 interface=ether9 network=10.0.4.0
add address=10.0.5.1/24 interface=ether10 network=10.0.5.0
add address=10.1.0.2/24 interface=ether3 network=10.1.0.0
/ip dhcp-client
add add-default-route=no disabled=no interface=lte1
/ip dhcp-server network
add address=10.0.1.0/24 comment=WLAN dns-server=10.0.4.2 gateway=10.0.1.1
add address=10.0.2.0/24 comment=LAN dns-server=10.0.4.2 gateway=10.0.2.1
add address=10.0.3.0/24 comment=CCTV dns-server=10.0.4.2 gateway=10.0.3.1
add address=10.0.4.0/24 comment=DMZ dns-server=8.8.8.8 gateway=10.0.4.1
add address=10.0.5.0/24 comment="LAN 5" dns-server=8.8.8.8 gateway=10.0.5.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set servers=10.0.4.2
/ip firewall address-list
add address=10.0.2.0/24 list=lan_address_list
add address=10.0.1.0/24 list=wlan_address_list
add address=10.0.3.0/24 list=cctv_address_list
add address=10.0.4.0/24 list=dmz_address_list
add address=10.0.2.120 list=nvr_lan_address_list
add address=10.0.3.120 list=nvr_cctv_address_list
add address=10.0.3.190 list=gosat_pro_address_list
add address=10.0.2.100 list=rodrigo_desktopl_address_list
add address=10.0.2.10 list=linux_server_address_list
add address=10.0.2.20 list=printer_address_list
add address=10.0.4.2 list=pi-hole_address_list
add address=10.0.5.0/24 list=vpn_address_list
/ip firewall filter
add action=drop chain=output comment="Test Failover - TelecomDados OFF" \
    disabled=yes dst-address=8.8.8.8 out-interface=pppoe-telecom_dados
add action=drop chain=output comment="Test Failover - 4G OFF" disabled=yes \
    dst-address=8.8.8.8 out-interface=lte1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input comment="Allow DNS queries for all, except WAN" \
    dst-port=53 in-interface-list=!WAN protocol=tcp
add action=accept chain=input comment="Allow DNS queries for all, except WAN" \
    dst-port=53 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment=\
    "Allow DHCP queries for all, except WAN" dst-port=67 in-interface-list=\
    !WAN protocol=udp
add action=accept chain=input comment="Accept input from LAN" \
    src-address-list=lan_address_list
add action=accept chain=input comment="Accept input from WLAN" disabled=yes \
    in-interface-list=WLAN
add chain=input comment="ipsec policy matcher" in-interface=\
    pppoe-telecom_dados ipsec-policy=in,ipsec
add action=accept chain=input comment=VPN dst-port=500,4500 protocol=udp
add action=drop chain=input comment="DROP ALL INPUT" log-prefix="[INPUT] "
add action=drop chain=forward comment="Disable WAN" disabled=yes \
    out-interface-list=WAN
add action=drop chain=forward comment="Disable TelecomDados" disabled=yes \
    out-interface=pppoe-telecom_dados
add action=drop chain=forward comment="Disable 4G" disabled=yes \
    out-interface=lte1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow LAN 5 access to Internet" \
    out-interface-list=WAN src-address-list=vpn_address_list
add action=accept chain=forward comment=\
    "Allow the test computer forward to everywhere" src-address=10.0.1.228
add action=accept chain=forward comment=\
    "#####Begin Pi-hole#### - Allow access to TCP port 53 on Pi-hole " \
    dst-address-list=pi-hole_address_list dst-port=53 protocol=tcp
add action=accept chain=forward comment=\
    "Allow access to UDP port 53 on Pi-hole " dst-address-list=\
    pi-hole_address_list dst-port=53 protocol=udp
add action=accept chain=forward comment="Allow Desktop access Pi-hole Admin" \
    dst-address-list=pi-hole_address_list dst-port=80 protocol=tcp \
    src-address-list=rodrigo_desktopl_address_list
add action=accept chain=forward comment=\
    "Allow Rodrigo's Desktop access Pi-Hole SSH" dst-address-list=\
    pi-hole_address_list dst-port=22 protocol=tcp src-address-list=\
    rodrigo_desktopl_address_list
add action=accept chain=forward comment="Allow external DNS access from DMZ" \
    dst-port=53 protocol=udp src-address-list=dmz_address_list
add action=drop chain=forward comment=\
    "Only allow Pi-hole access external TCP DNS" dst-port=53 protocol=tcp \
    src-address=!10.0.4.2
add action=drop chain=forward comment=\
    "Only allow Pi-hole access external UDP DNS" dst-port=53 protocol=udp \
    src-address=!10.0.4.2
add action=drop chain=forward comment=\
    "#####End Pi-hole#### - Drop to Pi-hole" dst-address=10.0.4.2
add action=accept chain=forward comment=\
    "#####Begin CCTV#### - Allow Desktop access CCTV" dst-address-list=\
    cctv_address_list src-address-list=rodrigo_desktopl_address_list
add action=accept chain=forward comment="Access NTP server" dst-address=\
    201.49.148.135 dst-port=123 protocol=udp src-address-list=\
    nvr_lan_address_list
add action=accept chain=forward comment="Access NTP server" dst-address=\
    201.49.148.135 dst-port=123 protocol=udp src-address-list=\
    nvr_cctv_address_list
add action=accept chain=forward comment="Allow NVR(lan) access CCTV" \
    dst-address-list=cctv_address_list src-address-list=nvr_lan_address_list
add action=accept chain=forward comment="Allow CCTV access NVR(lan) " \
    dst-address-list=nvr_lan_address_list src-address-list=cctv_address_list
add action=drop chain=forward comment="Drop (LAN) NVR forward" \
    src-address-list=nvr_lan_address_list
add action=accept chain=forward comment=\
    "GoSat Pro (CCTV network) forward only to WAN" out-interface-list=WAN \
    src-address-list=gosat_pro_address_list
add action=drop chain=forward comment="Drop from CCTV" src-address-list=\
    cctv_address_list
add action=drop chain=forward comment="#####End CCTV#### - Drop to CCTV" \
    dst-address-list=cctv_address_list
add action=accept chain=forward comment="Allow LAN forward to all except DMZ" \
    dst-address-list=!dmz_address_list src-address-list=lan_address_list
add action=accept chain=forward comment=\
    "Allow WLAN forward to all except DMZ" dst-address-list=!dmz_address_list \
    src-address-list=wlan_address_list
add action=accept chain=forward comment="Internet access for DMZ" \
    in-interface-list=DMZ out-interface-list=WAN
add action=accept chain=forward comment="Internet access for WLAN " disabled=\
    yes in-interface-list=WLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow WLAN access NVR" disabled=yes \
    dst-address-list=nvr_lan_address_list in-interface-list=WLAN
add action=accept chain=forward comment="Allow WLAN access printer" disabled=\
    yes dst-address-list=printer_address_list in-interface-list=WLAN
add action=accept chain=forward comment="Allow WLAN access Linux Server" \
    disabled=yes dst-address-list=linux_server_address_list \
    in-interface-list=WLAN
add action=accept chain=forward comment="Allow WLAN access Plex Server" \
    disabled=yes dst-address-list=linux_server_address_list dst-port=\
    32469,32400 protocol=tcp src-address-list=wlan_address_list
add action=accept chain=forward comment="Allow WLAN access Plex Server" \
    disabled=yes dst-address-list=linux_server_address_list dst-port=\
    1900,32414,32413,32412,32410,5353 protocol=udp src-address-list=\
    wlan_address_list
add action=accept chain=forward comment="Allow NAT forward from WAN " \
    connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL FORWARD" log=yes log-prefix=\
    "[FORWARD] "
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=AIRVPN_conn passthrough=yes \
    src-address=10.0.1.228
add action=mark-routing chain=prerouting connection-mark=AIRVPN_conn \
    new-routing-mark=to_AIRVPN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NVR NAT" dst-port=18000 log=yes \
    log-prefix="[NVR] " protocol=tcp to-addresses=10.0.2.120 to-ports=18000
/ip ipsec identity
add auth-method=digital-signature certificate=server1 generate-policy=\
    port-strict match-by=certificate mode-config=rodpp peer=ike2 \
    policy-template-group=ike2-policies remote-certificate=rw-rodpp
add auth-method=digital-signature certificate=server1 generate-policy=\
    port-strict mode-config=ike2-conf peer=ike2 policy-template-group=\
    ike2-policies
/ip ipsec policy
add dst-address=10.0.77.0/24 group=ike2-policies proposal=ike2 src-address=\
    0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=10.1.0.1 pref-src=10.1.0.2 routing-mark=to_AIRVPN
add distance=1 gateway=pppoe-telecom_dados
add distance=2 gateway=10.1.0.1 pref-src=10.1.0.2
add distance=30 gateway=192.168.0.1
/lcd
set backlight-timeout=never default-screen=stats touch-screen=disabled
/lcd screen
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
/system clock
set time-zone-name=America/Sao_Paulo
/system logging
add disabled=yes topics=ipsec,!debug
add disabled=yes prefix="[DHCP]" topics=dhcp
/system scheduler
add interval=5s name=failover on-event=failover policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=failover owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_------------------- header -------------------\r\
    \n# Script by Tomas Kirnak, version 1.0.7\r\
    \n# If you use this script, or edit and\r\
    \n# re-use it, please keep the header intact.\r\
    \n#\r\
    \n# For more information and details about\r\
    \n# this script please visit the wiki page at\r\
    \n# http://wiki.mikrotik.com/wiki/Failover_Scripting\r\
    \n# ------------------- header -------------------\r\
    \n\r\
    \n\r\
    \n\r\
    \n# ------------- start editing here -------------\r\
    \n# Edit the variables below to suit your needs\r\
    \n\r\
    \n# Please fill the WAN interface names\r\
    \n:local InterfaceISP1 pppoe-telecom_dados\r\
    \n:local InterfaceISP2 lte1\r\
    \n\r\
    \n# Please fill the gateway IPs (or interface names in case of PPP)\r\
    \n:local GatewayISP1 pppoe-telecom_dados\r\
    \n:local GatewayISP2 192.168.0.1\r\
    \n\r\
    \n# Please fill the ping check host - currently: resolver1.opendns.com\r\
    \n:local PingTarget 8.8.8.8\r\
    \n\r\
    \n# Please fill how many ping failures are allowed before fail-over happen\
    ds\r\
    \n:local FailTreshold 3\r\
    \n\r\
    \n# Define the distance increase of a route when it fails\r\
    \n:local DistanceIncrease 2\r\
    \n\r\
    \n# Editing the script after this point may break it\r\
    \n# -------------- stop editing here --------------\r\
    \n\r\
    \n\r\
    \n\r\
    \n# Declare the global variables\r\
    \n:global PingFailCountISP1\r\
    \n:global PingFailCountISP2\r\
    \n\r\
    \n# This inicializes the PingFailCount variables, in case this is the 1st \
    time the script has ran\r\
    \n:if ([:typeof \$PingFailCountISP1] = \"nothing\") do={:set PingFailCount\
    ISP1 0}\r\
    \n:if ([:typeof \$PingFailCountISP2] = \"nothing\") do={:set PingFailCount\
    ISP2 0}\r\
    \n\r\
    \n# This variable will be used to keep results of individual ping attempts\
    \r\
    \n:local PingResult\r\
    \n\r\
    \n\r\
    \n\r\
    \n# Check ISP1\r\
    \n:set PingResult [ping \$PingTarget count=1 interface=\$InterfaceISP1]\r\
    \n:put \$PingResult\r\
    \n\r\
    \n:if (\$PingResult = 0) do={\r\
    \n\t:if (\$PingFailCountISP1 < (\$FailTreshold+2)) do={\r\
    \n\t\t:set PingFailCountISP1 (\$PingFailCountISP1 + 1)\r\
    \n\t\t\r\
    \n\t\t:if (\$PingFailCountISP1 = \$FailTreshold) do={\r\
    \n\t\t\t:log warning \"ISP1 has a problem en route to \$PingTarget - incre\
    asing distance of routes.\"\r\
    \n\t\t\t:foreach i in=[/ip route find gateway=\$GatewayISP1 && static] do=\
    \\\r\
    \n\t\t\t\t{/ip route set \$i distance=([/ip route get \$i distance] + \$Di\
    stanceIncrease)}\r\
    \n\t\t\t:log warning \"Route distance increase finished.\"\r\
    \n                                               /system script run beep_s\
    ound_bt_\r\
    \n                                               /system script run beep_s\
    ound_cl\r\
    \n\t\t}\r\
    \n\t}\r\
    \n                #/system script run beep_sound_nil\r\
    \n}\r\
    \n:if (\$PingResult = 1) do={\r\
    \n\t:if (\$PingFailCountISP1 > 0) do={\r\
    \n\t\t:set PingFailCountISP1 (\$PingFailCountISP1 - 1)\r\
    \n\t\t\r\
    \n\t\t:if (\$PingFailCountISP1 = (\$FailTreshold -1)) do={\r\
    \n\t\t\t:log warning \"ISP1 can reach \$PingTarget again - bringing back o\
    riginal distance of routes.\"\r\
    \n\t\t\t:foreach i in=[/ip route find gateway=\$GatewayISP1 && static] do=\
    \\\r\
    \n\t\t\t\t{/ip route set \$i distance=([/ip route get \$i distance] - \$Di\
    stanceIncrease)}\r\
    \n\t\t\t:log warning \"Route distance decrease finished.\"\r\
    \n                                                /system script run beep_\
    sound_cfm\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n\r\
    \n# Check ISP2\r\
    \n:set PingResult [ping \$PingTarget count=1 interface=\$InterfaceISP2]\r\
    \n:put \$PingResult\r\
    \n\r\
    \n:if (\$PingResult = 0) do={\r\
    \n\t:if (\$PingFailCountISP2 < (\$FailTreshold+2)) do={\r\
    \n\t\t:set PingFailCountISP2 (\$PingFailCountISP2 + 1)\r\
    \n\t\t\r\
    \n\t\t:if (\$PingFailCountISP2 = \$FailTreshold) do={\r\
    \n\t\t\t:log warning \"ISP2 has a problem en route to \$PingTarget - incre\
    asing distance of routes.\"\r\
    \n\t\t\t:foreach i in=[/ip route find gateway=\$GatewayISP2 && static] do=\
    \\\r\
    \n\t\t\t\t{/ip route set \$i distance=([/ip route get \$i distance] + \$Di\
    stanceIncrease)}\r\
    \n\t\t\t:log warning \"Route distance increase finished.\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n:if (\$PingResult = 1) do={\r\
    \n\t:if (\$PingFailCountISP2 > 0) do={\r\
    \n\t\t:set PingFailCountISP2 (\$PingFailCountISP2 - 1)\r\
    \n\t\t\r\
    \n\t\t:if (\$PingFailCountISP2 = (\$FailTreshold -1)) do={\r\
    \n\t\t\t:log warning \"ISP2 can reach \$PingTarget again - bringing back o\
    riginal distance of routes.\"\r\
    \n\t\t\t:foreach i in=[/ip route find gateway=\$GatewayISP2 && static] do=\
    \\\r\
    \n\t\t\t\t{/ip route set \$i distance=([/ip route get \$i distance] - \$Di\
    stanceIncrease)}\r\
    \n\t\t\t:log warning \"Route distance decrease finished.\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}"
add dont-require-permissions=no name=beep_sound_sos owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Morse SOS\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;"
add dont-require-permissions=no name=beep_sound_nil owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Morse NIL - NOTHING HEARD \r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;"
add dont-require-permissions=no name=beep_sound_cl owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Morse CL - CLOSING\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;"
add dont-require-permissions=no name=beep_sound_cfm owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Morse CFM - I ACKNOWLEDGE\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n"
add dont-require-permissions=no name=beep_sound_bt_ owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Morse BT\\ - BREAK\r\
    \n:delay 300ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=50ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=800 length=150ms;\r\
    \n:delay 200ms;\r\
    \n:delay 300ms;"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
set port=lte1 receive-enabled=yes

Thank you very much!

Hmm, don't tell me you're trying to VPN over an LTE cellular network, LOL. Might as well use a soup can with a string to communicate.

(1) Why do you have this rule…
"Allow DHCP queries for all, except WAN" dst-port=67 in-interface-list=!WAN protocol=udp

(2) DNS is done through the router (aka via the input chain) or the DHCP settings - gateway definitions, and not per individual IP or subnet on the forward chain,
??? add action=accept chain=forward comment="Allow external DNS access from DMZ" dst-port=53 protocol=udp src-address-list=dmz_address_list ???

(3) In fact, I don't understand all these DNS Pi-hole references in the firewall rules.

(4) What is the purpose of these rules? They don't seem to do anything, which is never a good sign.
add action=drop chain=forward comment="Drop from CCTV" src-address-list=cctv_address_list
add action=drop chain=forward comment="#####End CCTV#### - Drop to CCTV" dst-address-list=cctv_address_list

(5) NTP again is a service for the input chain, not forward chain rules.

(6) I don't get the mangle rule unless you are simply testing one computer…
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local new-connection-mark=AIRVPN_conn passthrough=yes src-address=10.0.1.228 ???


The source address should be the source address list of all the IPs that require access to the VPN, not a single IP.
Further, you could do it with only one config entry, marking routing in this case, because we are mangling internal traffic, not traffic going through a WAN.
add chain=prerouting action=mark-routing new-routing-mark=to_AIRVPN dst-address-type=!local src-address-list=ovpn_users

(7) IP route rule… The LAN IP address of the VPN router is??? I don't see it???
/ip route
add distance=1 gateway=10.1.0.1 pref-src=10.1.0.2 routing-mark=to_AIRVPN
add distance=1 gateway=pppoe-telecom_dados
add distance=2 gateway=10.1.0.1 pref-src=10.1.0.2
add distance=30 gateway=192.168.0.1

Just need to know what the correct normal route is!
add distance=1 gateway=10.1.0.1 ??
There is no alternate ISP, and I'm not sure what 192.168.0.1 has to do with anything,
but for the VPN this should do it…
add distance=2 gateway=10.0.5.1 routing-mark=to_AIRVPN

hehehe… no, no. It is only a redundancy, for the rare occasions when the fiber goes down. But I contracted a second fiber link, to be installed in the next few days.


(1) Why do you have this rule…
"Allow DHCP queries for all, except WAN" dst-port=67 in-interface-list=!WAN protocol=udp

If I remember correctly, it was because some time ago my log was showing DHCP queries from WAN. But it doesn’t make sense. I’ll delete it.


(2) DNS is done through the router (aka via the input chain) or the DHCP settings - gateway definitions, and not per individual IP or subnet on the forward chain,
??? add action=accept chain=forward comment="Allow external DNS access from DMZ" dst-port=53 protocol=udp src-address-list=dmz_address_list ???

It is because I configured a Raspberry Pi with Pi-hole to be my DNS server, not the RB3011, and my intention was to block all DNS queries from other hosts to external DNS servers (like 8.8.8.8), except the DMZ. So, this rule is to allow hosts in the DMZ to make queries to external DNS servers.


(3) In fact, I don't understand all these DNS Pi-hole references in the firewall rules.

These rules are to allow some restricted LANs to forward queries to the Pi-hole, located in another LAN, and to allow some hosts to access the Pi-hole administration interface.


(4) What is the purpose of these rules??>> They don't seem to do anything, which is never a good sign.
add action=drop chain=forward comment="Drop from CCTV" src-address-list=cctv_address_list
add action=drop chain=forward comment="#####End CCTV#### - Drop to CCTV" dst-address-list=cctv_address_list

These rules are to block the CCTV cameras from accessing any other LAN or the WAN, and to block any host from accessing the cameras too. They only have to transmit to the NVR, and it is in the same LAN.


(5) NTP again is a service for the input chain, not forward chain rules.

But those NTP rules are to allow the CCTV equipment to access external NTP servers, not the RB3011.


(6) I don't get the mangle rule unless you are simply testing one computer…
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local new-connection-mark=AIRVPN_conn passthrough=yes src-address=10.0.1.228 ???
The source address should be the source address list of all the IPs that require access to the VPN, not a single IP.

Yes, I’m only testing with one computer at this moment. It is a laptop that I can connect to the RB3011 or the WR1043 to perform the tests.


Further, you could do it with only one config entry, marking routing in this case, because we are mangling internal traffic, not traffic going through a WAN.
add chain=prerouting action=mark-routing new-routing-mark=to_AIRVPN dst-address-type=!local src-address-list=ovpn_users

Yes, understood. I deleted those two rules and created the following:

/ip firewall
address-list add address=10.0.1.228 list=ovpn_users
mangle add chain=prerouting action=mark-routing new-routing-mark=to_AIRVPN dst-address-type=!local src-address-list=ovpn_users



(7) IP route rule… The LAN IP address of the VPN router is??? I don't see it???

The LAN IP address of the VPN router is 10.1.0.1, and the IP address of the ether3 port of the RB3011 that connects to it is 10.1.0.2.
It only appears in the gateway field below.


/ip route
add distance=1 gateway=10.1.0.1 pref-src=10.1.0.2 routing-mark=to_AIRVPN
add distance=1 gateway=pppoe-telecom_dados
add distance=2 gateway=10.1.0.1 pref-src=10.1.0.2
add distance=30 gateway=192.168.0.1

Just need to know what the correct normal route is!
add distance=1 gateway=10.1.0.1 ??

That is the LAN IP of the VPN router. My intention was to send the traffic from the laptop to the “VPN router LAN”. Then that traffic should enter the OpenVPN tunnel inside the VPN router.


There is no alternate ISP, and I'm not sure what 192.168.0.1 has to do with anything

It is my LTE modem; there is a script that decreases the “distance” of that route when the fiber goes down, and increases the PPPoE route distance.


but for the VPN this should do it…
add distance=2 gateway=10.0.5.1 routing-mark=to_AIRVPN

But the IP 10.0.5.1 is where the VPN router gets the Internet from the RB3011.
Shouldn't it be 10.1.0.1 (the LAN IP of the VPN router)?


The complete path should be:

10.0.1.228 (laptop) ==> 10.0.1.1(RB3011) ==> 10.1.0.2(RB3011) ==> 10.1.0.1(WR1043)==>OpenVPN tunnel==>10.0.5.246(WR1043)==>10.0.5.1(RB3011)==>PPPoE==>WAN

I appreciate your help!

Maybe an image can help me explain the IP addresses better:
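To make the addressing and the two-arm path concrete, here is an added example in Python that is not part of either poster's configuration: a small model of the RB3011's mangle rule and routing table exactly as posted, traced across both passes through the router (cleartext from the laptop, then the encrypted outer packet from the WR1043's WAN arm). The subnet masks, the AirVPN server address and the contents of the ovpn_users list are assumptions, marked in the code. It also runs the check a practitioner would want on the posted routes: with the PPPoE route gone, the distance=2 default via 10.1.0.1 is preferred over the LTE route at distance 30, so the VPN router's own encrypted traffic is routed back to the VPN router.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the addressing posted in the thread. Subnet masks, the
# AirVPN server address and the ovpn_users membership are assumptions.
LOCAL_NETS = [ip_network(n) for n in ("10.0.1.0/24", "10.1.0.0/24", "10.0.5.0/24")]
OVPN_USERS = {"10.0.1.228"}          # /ip firewall address-list list=ovpn_users
AIRVPN_SERVER = "203.0.113.10"       # assumed; a TEST-NET-3 documentation address
VPN_ROUTER_WAN_ARM = "10.0.5.246"    # WR1043 WAN-side address from the posted path

# /ip route as posted: (dst, gateway, distance, routing-mark)
ROUTES = [
    ("0.0.0.0/0", "10.1.0.1", 1, "to_AIRVPN"),
    ("0.0.0.0/0", "pppoe-telecom_dados", 1, None),
    ("0.0.0.0/0", "10.1.0.1", 2, None),
    ("0.0.0.0/0", "192.168.0.1", 30, None),
]


def is_local(addr):
    """RouterOS dst-address-type=local, approximated as 'inside a connected subnet'."""
    return any(ip_address(addr) in n for n in LOCAL_NETS)


def mark_routing(src, dst):
    """The single mangle rule: mark-routing to_AIRVPN for ovpn_users towards non-local dst."""
    if src in OVPN_USERS and not is_local(dst):
        return "to_AIRVPN"
    return None


def next_hop(dst, mark=None, active=None):
    """Lowest-distance route in the marked table, falling back to main when the
    marked table has nothing usable. `active` is the set of gateways currently
    reachable; a PPPoE interface that is down is simply absent from it."""
    if is_local(dst):
        return "connected"
    if active is None:
        active = {gw for _, gw, _, _ in ROUTES}
    for table in ([mark] if mark else []) + [None]:
        candidates = sorted((d, gw) for _, gw, d, m in ROUTES if m == table and gw in active)
        if candidates:
            return candidates[0][1]
    return None


def rb3011_forward(src, dst, active=None):
    """One pass of a packet through the RB3011: mangle first, then route lookup."""
    return next_hop(dst, mark_routing(src, dst), active)


def trace_vpn_path(client, dst, active=None):
    """Hops of a client packet to an Internet destination. If the RB3011 hands it to
    the VPN router, the WR1043 encapsulates it and the outer packet (sourced from its
    WAN arm) crosses the RB3011 a second time; a second hand-off to 10.1.0.1 is a loop."""
    hops = []
    gw = rb3011_forward(client, dst, active)
    hops.append(("RB3011", client, dst, gw))
    if gw != "10.1.0.1":
        return hops
    gw2 = rb3011_forward(VPN_ROUTER_WAN_ARM, AIRVPN_SERVER, active)
    hops.append(("RB3011", VPN_ROUTER_WAN_ARM, AIRVPN_SERVER, gw2))
    if gw2 == "10.1.0.1":
        hops.append(("LOOP", VPN_ROUTER_WAN_ARM, AIRVPN_SERVER, gw2))
    return hops


if __name__ == "__main__":
    for hop in trace_vpn_path("10.0.1.228", "8.8.8.8"):
        print(hop)
    print(trace_vpn_path("10.0.1.77", "8.8.8.8", active={"10.1.0.1", "192.168.0.1"}))
```

With every gateway up, the laptop's packet goes to 10.1.0.1 and the WR1043's encrypted outer packet goes out the PPPoE, matching the path written out in the post. The loop only appears in the failover scenario, because the outer packet's source (10.0.5.246) is not in ovpn_users and so falls into the main table, where the distance=2 route via 10.1.0.1 now wins.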

Well, that seems to be the problem for me.
Why does the VPN router have two LAN IPs or two WAN IPs?

It should only have one: requests come from the LAN to the single LAN IP (routed there by the mangle rules and route created) into the VPN router,
they get encrypted, not sure what you are doing there, and go out the same LAN but encrypted and go out to the Internet…

I don't see why you have a different IP structure…
Obviously I may have to learn something new here LOL


As for these rules.
(4) What is the purpose of these rules??>> They don't seem to do anything, which is never a good sign.
add action=drop chain=forward comment="Drop from CCTV" src-address-list=cctv_address_list
add action=drop chain=forward comment="#####End CCTV#### - Drop to CCTV" dst-address-list=cctv_address_list

Anything you add as a user that is a BLOCK rule is not necessary, because you have a BLOCK ALL ELSE rule at the end.
So if you didn't specifically allow traffic, it will be dropped!!!

From the VPN router's point of view, there is one LAN IP and one WAN IP.
I see the VPN router as a black box intended to be put between the computer and the Internet connection. With it, all communications go through the VPN tunnel. Something like this:

Suppose the computer is in the USA and the AirVPN server is in Japan. Without the “black box” I'll be browsing the Internet with an American IP. With the black box I'll be browsing with a Japanese IP address.

Probably it is possible to use only one connection between the RB3011 and the VPN router, but I don't know how.
In reality, I don't know how to do it with two cables either, like I'm trying, but to me it is a more logical way.


As for these rules.
(4) What is the purpose of these rules??>> They don't seem to do anything, which is never a good sign.
add action=drop chain=forward comment="Drop from CCTV" src-address-list=cctv_address_list
add action=drop chain=forward comment="#####End CCTV#### - Drop to CCTV" dst-address-list=cctv_address_list

Anything you add as a user that is a BLOCK rule is not necessary, because you have a BLOCK ALL ELSE rule at the end.
So if you didn't specifically allow traffic, it will be dropped!!!

The problem here is that I can allow some hosts/LANs to have broad access in the network before that rule. For example, I want communications from my desktop to be forwarded to all LANs, but I don't want it to access the cameras directly. That exception could be included in the “accept all forward from my desktop” rule, but in this case I must remember to put that exception in every “broad” rule created.
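The rule-ordering point made above is the one that decides whether the CCTV isolation actually holds, so here is an added example (not from either poster's configuration) in Python: a first-match model of a RouterOS forward chain, run twice with the same rules in different order. Only the address-list names and rule comments come from the thread; the subnets, the Pi-hole address and the desktop address are constructed assumptions, marked in the code. The model also carries the Pi-hole-only DNS policy and the DMZ exception discussed earlier in the thread, since they are subject to the same ordering.

```python
from ipaddress import ip_address, ip_network

# Constructed address lists. Names follow the posted config; contents are assumed.
ADDRESS_LISTS = {
    "cctv_address_list": ["10.0.3.0/24"],  # assumed camera + NVR subnet
    "dmz_address_list": ["10.0.4.0/24"],   # assumed DMZ subnet
    "pihole": ["10.0.2.10/32"],            # assumed Pi-hole address
    "desktop": ["10.0.1.50/32"],           # assumed admin desktop
}


def in_list(addr, spec):
    """Match addr against an address list; a leading '!' negates, as in RouterOS."""
    negate = spec.startswith("!")
    hit = any(ip_address(addr) in ip_network(n) for n in ADDRESS_LISTS[spec.lstrip("!")])
    return hit != negate


def matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("action", "comment"):
            continue
        if key == "src-address-list" and not in_list(pkt["src"], want):
            return False
        if key == "dst-address-list" and not in_list(pkt["dst"], want):
            return False
        if key in ("protocol", "dst-port") and pkt.get(key) != want:
            return False
    return True


def evaluate(chain, pkt):
    """First matching rule decides. RouterOS accepts a packet that reaches the end
    of a chain unmatched, which is why the posted config ends in a drop-all rule."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "implicit default"


NTP_FOR_CCTV = [{"action": "accept", "comment": "CCTV to external NTP",
                 "protocol": "udp", "dst-port": 123, "src-address-list": "cctv_address_list"}]
CCTV_DROPS = [{"action": "drop", "comment": "Drop from CCTV", "src-address-list": "cctv_address_list"},
              {"action": "drop", "comment": "Drop to CCTV", "dst-address-list": "cctv_address_list"}]
DNS_POLICY = [{"action": "accept", "comment": "LAN to Pi-hole",
               "protocol": "udp", "dst-port": 53, "dst-address-list": "pihole"},
              {"action": "accept", "comment": "Allow external DNS access from DMZ",
               "protocol": "udp", "dst-port": 53, "src-address-list": "dmz_address_list"},
              {"action": "drop", "comment": "Block DNS bypass of Pi-hole",
               "protocol": "udp", "dst-port": 53}]
BROAD_ALLOW = [{"action": "accept", "comment": "Desktop may reach every LAN",
                "src-address-list": "desktop"}]
DROP_ALL = [{"action": "drop", "comment": "Drop all else"}]

# The poster's intent: CCTV drops ahead of any broad accept. The second chain has
# the same rules with the drops after the broad accept.
DROPS_FIRST = NTP_FOR_CCTV + CCTV_DROPS + DNS_POLICY + BROAD_ALLOW + DROP_ALL
DROPS_LAST = NTP_FOR_CCTV + DNS_POLICY + BROAD_ALLOW + CCTV_DROPS + DROP_ALL


def verdict(chain, src, dst, protocol=None, dst_port=None):
    """Convenience wrapper: the action the chain takes on a constructed packet."""
    pkt = {"src": src, "dst": dst, "protocol": protocol, "dst-port": dst_port}
    return evaluate(chain, pkt)[0]


if __name__ == "__main__":
    for name, chain in (("drops first", DROPS_FIRST), ("drops last", DROPS_LAST)):
        print(name, "desktop -> camera RTSP:", verdict(chain, "10.0.1.50", "10.0.3.20", "tcp", 554))
```

With the drops first, the desktop keeps its broad access to every other LAN but cannot reach a camera; with the drops after the broad accept, the same packet is accepted by the desktop rule and the CCTV drop is never consulted. The same ordering decides whether a camera may query the Pi-hole, since the DNS accept sits in front of the CCTV drop in the second chain.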

No worries on the FW rules, I was sure it was something like that but was too tired to look too deeply last night LOL. I believe you!!!

As for the VPN router,
I understand you wanted to set up a LAN IP/WAN IP for incoming traffic from the rest of the LANs into the secondary router, and then you wanted to create a WAN IP for the router to go out to the Internet etc.

My problem is that I don't think this is a legitimate approach, and you should only have one traffic stream in and out of the secondary router.
However, I am usually wrong on these tricky requirements, so don't take my word for it, as it's a feeling, not a certainty.