LAN access issue with public IP range through PPPOE connection

Hello, I have a weird issue with Mikrotik router, and I can’t find a solution for it.

To connect to the INTERNET, I have a PPPoE connection established which provides me a single local address and gateway.
This PPPoE connection also has a public IP range /29.
So I have manually set the range in the Address list and also 2 rules in the input and forward chain so this IP range is accepted and forwarded.

This is working fine: on a server connected to the LAN I set a secondary IP address matching one IP of the public range, and everything is working fine: the computer(s) are properly seen on the Internet at the matching IP(s), and I can access them from the outside (WAN) without trouble.

However, if I try to access an IP in this public range from the LAN, it doesn’t work: all the packets are lost.
I am completely puzzled. For instance, PING from the LAN to an IP in this range gives me no answer at all (all packets are lost), but PING from the Winbox terminal is OK, I get the answer.

I’m running out of ideas on this, and also I’m not a network specialist. What is needed to properly route/forward the LAN traffic toward the IP range?

Anyone having an idea?

Good question. I have never had PPPoE, but many here use it successfully.
I imagine you use the PPPoE client settings to establish your internet, and then you have a PPPoE server section and maybe that’s where you dish out IPs to devices further down the line.

https://help.mikrotik.com/docs/display/ROS/PPPoE

Yes, I have a PPPoE client with username and password, but no PPPoE server set.
I have just set the /29 range in the address list with the bridge interface, and that’s all that was needed to make them available on the LAN.

Not enough information. To get useful advice, post the text export of your current configuration, following the hint in my automatic signature below.

Here it is.
Quick notes:

  • the LAN range is on 192.168.5.0/24
  • I have edited the public range to xxx.yyy.zzz.176/29 thus it’s 176 to 183 (176 network, 177-181 available public IP, 182 gateway, 183 broadcast)
  • ppp.oe.local.ip is the public IP provided by the PPPoE ISP, which is not in the public range; pppoe.remote.ip is the remote address
  • There is load balancing between 2 ISPs: one available through PPPoE (pppoe-OVH), and one available on port eth2 (eth2BTF) connected to another router (with a DHCP-attributed IP);
    however, the second ISP is very recent, and the problem occurred before having this other ISP.

So before someone tells me that it’s because of the load balancing: the problem existed before it was set up.


# dec/28/2021 14:59:42 by RouterOS 6.49.2
# software id = UMPL-TUUI
#
# model = RouterBOARD 3011UiAS
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1OVH speed=100Mbps
set [ find default-name=ether2 ] name=eth2BTF speed=100Mbps
set [ find default-name=ether3 ] name=eth3 speed=100Mbps
set [ find default-name=ether5 ] name=eth5_LAN speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth1OVH name=pppoe-OVH \
    password=xxxxxxx use-peer-dns=yes user=xxxxxxxxxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.5.100-192.168.5.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=eth5_LAN
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=eth1OVH list=WAN
add interface=pppoe-OVH list=WAN
add interface=eth2BTF list=WAN
add interface=eth3 list=WAN
/ip address
add address=192.168.5.1/24 interface=bridge network=192.168.5.0
add address=xxx.yyy.zzz.182/29 interface=bridge network=xxx.yyy.zzz.176
/ip arp
add address=192.168.5.248 interface=bridge mac-address=F4:6D:04:05:BD:A0
add address=192.168.5.249 interface=bridge mac-address=00:08:54:36:7B:CE
add address=192.168.5.250 interface=bridge mac-address=68:05:CA:24:61:94
/ip dhcp-client
add comment=defconf interface=eth1OVH
add disabled=no interface=eth2BTF
/ip dhcp-server lease
add address=192.168.5.248 mac-address=F4:6D:04:05:BD:A0 server=defconf
add address=192.168.5.250 client-id=1:68:5:ca:24:61:94 mac-address=\
    68:05:CA:24:61:94 server=defconf
add address=192.168.5.244 client-id=1:0:11:32:b0:ee:58 mac-address=\
    00:11:32:B0:EE:58 server=defconf
add address=192.168.5.242 client-id=\
    ff:54:a5:99:af:0:1:0:1:29:5b:6f:bb:0:23:54:a5:99:af mac-address=\
    00:23:54:A5:99:AF server=defconf
add address=192.168.5.241 client-id=\
    ff:85:9b:79:28:0:1:0:1:25:13:db:9a:0:21:85:9b:79:28 mac-address=\
    00:21:85:9B:79:28 server=defconf
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,77.88.8.8
/ip dns static
add address=192.168.8.1 name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=Connected
add address=192.168.5.0/24 list=Connected
add address=ppp.oe.local.ip  list=Connected
add address=192.168.5.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow Firewall access from LAN subnet" \
    src-address=192.168.5.0/24
add action=drop chain=input comment=\
    "Drop all attempt to FTP,SSH,Winbox from outside" dst-port=\
    8291,8728,21,22,161 protocol=tcp
add action=accept chain=input dst-port=3104 log=yes log-prefix=RDP_ACC \
    protocol=tcp
add action=accept chain=input dst-port=3105 log=yes log-prefix=RDP_ACC \
    protocol=tcp
add action=accept chain=input dst-port=31500-31600 log=yes log-prefix=RDP_ACC \
    protocol=tcp
add action=drop chain=input dst-address=xxx.yyy.zzz.182 dst-port=22 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-address=xxx.yyy.zzz.182 dst-port=23 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="accept OVH Bloc /29" dst-address=\
    xxx.yyy.zzz.176/29 in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=DROP1
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=DROP2
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Forward packets to public server" \
    dst-address=xxx.yyy.zzz.176/29 in-interface=all-ppp
add action=accept chain=forward comment="Forward SVN port to TIGROU" \
    connection-state=new dst-address=192.168.5.244 in-interface=all-ppp port=\
    3690 protocol=tcp
add action=accept chain=forward connection-state=new disabled=yes \
    in-interface=bridge out-interface=pppoe-OVH
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=DROP3
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=DROP4
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Connected \
    src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    pppoe-OVH new-connection-mark=OVH->ROS passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    eth2BTF new-connection-mark=BOUY->ROS passthrough=no
add action=mark-routing chain=output connection-mark=OVH->ROS \
    new-routing-mark=OVH_Route passthrough=no
add action=mark-routing chain=output connection-mark=BOUY->ROS \
    new-routing-mark=BOUY_Route passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=pppoe-OVH new-connection-mark=OVH->LANs
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=eth2BTF new-connection-mark=BOUY->LANs
add action=mark-routing chain=prerouting connection-mark=OVH->LANs \
    new-routing-mark=OVH_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=BOUY->LANs \
    new-routing-mark=BOUY_Route src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!Connected dst-address-type=!local new-connection-mark=\
    LAN->WAN src-address-list=LAN
add action=mark-routing chain=prerouting comment="Load Balancing here" \
    connection-mark=LAN->WAN new-routing-mark=OVH_Route passthrough=yes \
    src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
    new-connection-mark=Sticky_OVH routing-mark=OVH_Route
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
    new-connection-mark=Sticky_BOUY routing-mark=BOUY_Route
add action=mark-routing chain=prerouting connection-mark=Sticky_OVH \
    new-routing-mark=OVH_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_BOUY \
    new-routing-mark=BOUY_Route src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth2BTF
add action=masquerade chain=srcnat out-interface=pppoe-OVH
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat dst-address=xxx.yyy.zzz.176/29
/ip route
add distance=1 gateway=pppoe.remote.ip routing-mark=OVH_Route
add distance=1 gateway=192.168.1.254 routing-mark=BOUY_Route
add distance=1 gateway=pppoe.remote.ip
add distance=2 gateway=192.168.1.254
add distance=1 dst-address=xxx.yyy.zzz.176/29 gateway=pppoe-OVH
/ip service
set telnet disabled=yes
set ssh disabled=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=eth5_LAN type=internal
add interface=pppoe-OVH type=external
/system clock
set time-zone-name=Europe/Paris
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=pppoe-OVH name=LB1 on-event=":log warning \"LB Debug: OVH Overlo\
    aded, switching to BOUYGUES\";\r\
    \n/ip firewall mangle set [find comment=\"Load Balancing here\"] new-routi\
    ng-mark=BOUY_Route" threshold=350288000 traffic=received
add interface=pppoe-OVH name=LB2 on-event=":log warning \"LB Debug: switching \
    back to OVH as it is less emcumbered now\";\r\
    \n/ip firewall mangle set [find comment=\"Load Balancing here\"] new-routi\
    ng-mark=OVH_Route" threshold=100288000 traffic=received trigger=below

The mangle rules added to implement the load distribution actually do break it, but as you say the problem existed before these rules were put into place, it means fixing them will not be enough. In particular, the xxx.yyy.zzz.176/29 is not added to the address-list Connected, so packets from 192.168.5.x to xxx.yyy.zzz.176/29 are not ignored by the rule assigning connection-mark LAN->WAN, so after the translation by the next rule to connection-mark Sticky_OVH, routing-mark OVH_Route is assigned also to packets from 192.168.5.x to xxx.yyy.zzz.176/29 and thus they are sent via the PPPoE interface rather than to the bridge (the distance has lower priority than the routing table name and the prefix). To fix this, it is enough to add xxx.yyy.zzz.176/29 to address-list Connected. Do that before proceeding.

The concept is such that the /29 network is completely hosted on your device, not related in any way to the PPPoE, except that the ISP routes everything towards that /29 to you via the PPPoE. So the route distance=1 dst-address=xxx.yyy.zzz.176/29 gateway=pppoe-OVH is totally useless, it gets overridden by the one added automatically as you’ve attached xxx.yyy.zzz.182/29 to bridge - distance=0 dst-address=xxx.yyy.zzz.176/29 gateway=bridge. But it is only useless, not harmful.

If I get you right, the server has both an address from 192.168.5.0/24 and an address from xxx.yyy.zzz.176/29 on the same interface. So the only explanation I can imagine now is that the server sends its responses from the private IP although the requests come to the public one, but it sounds highly unlikely to me.

So under /interface bridge port, set hw=no at both Ethernet interfaces to which the server and the test LAN client are connected, open a command line window, make it as wide as your screen allows, run /tool sniffer quick ip-protocol=icmp ip-address=xxx.yyy.zzz.17t (the public address of the server) in that window, and start pinging from the PC in 192.168.5.0/24 to see how far the request (and, eventually, the response) actually gets and what it looks like at each interface.

If everything was perfect, you should see only the requests to pass through the router, and the responses to bypass the routing engine as the server has an address in the 192.168.5.0/24 so it can send the responses directly:
etherX … → … 192.168.5.n xxx.yyy.zzz.17t … ip:icmp
bridge … → … 192.168.5.n xxx.yyy.zzz.17t … ip:icmp
bridge … ← … 192.168.5.n xxx.yyy.zzz.17t … ip:icmp
etherY … ← … 192.168.5.n xxx.yyy.zzz.17t … ip:icmp
etherY … → … xxx.yyy.zzz.17t 192.168.5.n … ip:icmp
etherX … ← … xxx.yyy.zzz.17t 192.168.5.n … ip:icmp

But as it doesn’t work, you’ll see something different. If it doesn’t help you find the problem, post the outcome here.
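To make the mangle explanation above concrete, here is an added example (not from the thread or from RouterOS) that models the prerouting decision and the subsequent route lookup for a LAN-to-/29 ping, before and after the /29 is added to address-list Connected. The public block is the constructed placeholder 203.0.113.176/29 standing in for xxx.yyy.zzz.176/29; the dst-address-type=!local condition and the Sticky_* marks are not modelled.

```python
# Added example: minimal model of the prerouting mangle chain from the export
# and of RouterOS route selection (routing-mark table first, then longest prefix).
import ipaddress

PUBLIC_29 = ipaddress.ip_network("203.0.113.176/29")  # placeholder for xxx.yyy.zzz.176/29
LAN_24 = ipaddress.ip_network("192.168.5.0/24")

# Routing tables as in the export: the marked table only holds a default route
# via the PPPoE link; the main table also holds the connected /29 on the bridge.
ROUTES = {
    "OVH_Route": [(ipaddress.ip_network("0.0.0.0/0"), "pppoe-OVH")],
    "main": [
        (ipaddress.ip_network("0.0.0.0/0"), "pppoe-OVH"),
        (PUBLIC_29, "bridge"),
        (LAN_24, "bridge"),
    ],
}

def mangle(src, dst, connected):
    """Routing mark assigned by the prerouting chain, or None.
    Rule 1: accept (stop) if src and dst are both in Connected.
    Rule 2: a new LAN connection whose dst is NOT in Connected gets
            connection-mark LAN->WAN and then routing-mark OVH_Route."""
    src_conn = any(src in n for n in connected)
    dst_conn = any(dst in n for n in connected)
    if src_conn and dst_conn:
        return None
    if src in LAN_24 and not dst_conn:
        return "OVH_Route"
    return None

def lookup(dst, mark):
    """Longest-prefix match inside the table selected by the routing mark."""
    table = ROUTES[mark or "main"]
    best = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def egress(src, dst, connected):
    """Interface a packet src->dst leaves on, given the Connected address-list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return lookup(d, mangle(s, d, connected))

# Connected as exported (private ranges only) versus with the /29 added.
CONNECTED_BEFORE = [LAN_24, ipaddress.ip_network("192.168.1.0/24")]
CONNECTED_AFTER = CONNECTED_BEFORE + [PUBLIC_29]

if __name__ == "__main__":
    print(egress("192.168.5.50", "203.0.113.177", CONNECTED_BEFORE))  # pppoe-OVH
    print(egress("192.168.5.50", "203.0.113.177", CONNECTED_AFTER))   # bridge
    print(egress("192.168.5.50", "8.8.8.8", CONNECTED_AFTER))         # pppoe-OVH
```

The first call reproduces the symptom (the ping leaves via PPPoE although the destination is directly connected); the second shows the fix, with Internet-bound traffic still policy-routed.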

To fix this, it is enough to add xxx.yyy.zzz.176/29 to address-list Connected.

This fixed the issue. Thank you very much.

Over my head by a mile (or two, sobs), glad you got it sorted though!