Hello everyone.
First of all, I’m a noob at networking. I’m an electrician and I’ve been forced to take care of the company network because our technician recently got corona, so I’m sorry if I can’t understand you perfectly or I make a mistake trying to explain my case.
Recently in my workplace we changed to Movistar Fusión Empresas (I’m from Spain). Before that, we worked with an ONT + Mikrotik (RB750GL) and a static IP. Now the internet provider installed a new ONT, a Teldat and a Switch and changed the Static IP (for example: 54.87.19.52). The structure stays as follows: ONT - Teldat - Switch Movistar - Mikrotik - Local network. When I plug in the MikroTik to the switch we don’t have connection. I’ve tried to factory reset the device (we have backups saved), changing the vlan 3/6 to 20/21 (data and VoIP) and trying several ports, but I cannot make it work.
Mikrotik’s configuration:
WAN 192.168.100.0
LAN 192.168.10.0
Again, I’m sorry if I missed any crucial information. I didn’t study networking, I just have to deal with my boss decisions.
Since no one familiar with Movistar’s habits seems to wander around, let me ask you a question, because to debug a blackbox is not easy even for a network specialist, leaving aside regular users.
Should the static public IP be used to access some server in your premises remotely (web server, VPN connection, anything where you set up the public IP of your connection to a web browser or anything else on a remote PC or mobile)?
You should have put VLAN 20 at the ethernet port connected to the switch and the PPPoE connects to VLAN 20. If the Teldat/switch is in bridge mode then you can use PPPoE, and if not, you let the stuff from Movistar do the work.
I assume that VOIP is handled by the Teldat/Movistar switch itself.
Yes, we have a VPN for some employees and an Exchange server too. We have outsourced DNS and we will change it to the new public IP after we get connection.
configure one of the VPN clients to connect to the new public IP (rather than to the domain name if set like that),
open a command line window to the Mikrotik (ssh, [Terminal] button in Winbox/WebFig) and make it as wide as your screen allows
run /tool sniffer quick interface=ether1 in that window (if you know the IP address of the client, add ip-address=ip.of.that.client to the command)
let the client (which must not be on your LAN) attempt to connect
You should see either the IP packets carrying the VPN initial request trying to reach your device, or ARP packets trying to determine some IP address, or nothing at all.
If only ARP requests are coming, you should see the VLAN ID which is used for internet connection (I don’t expect VoIP traffic to be arriving spontaneously, except if you have a specifically configured PBX). If nothing is coming at all, the forwarding of traffic which arrives at the public IP further to the private WAN IP of the Mikrotik is not configured on the Movistar gear.
So post the result of this test and your configuration export in anonymized text form, following the hint in my automatic signature right below.
I am familiar with the configuration. The problem is that the Movistar fiber uses VLANs after the ONT. If your previous configuration is as you said (ONT<->Mikrotik) the configuration of the Mikrotik is using VLANs and it gets the public IP directly. If you now have new hardware interconnections, the Teldat removes the VLAN tags, gets the IP and does NAT. The configuration for the Mikrotik has to be different unless you remove Teldat+Switch Movistar.
If the “Switch Movistar” (I don’t know what this is) is just a switch, you might have a working configuration by setting up ONT<->Mikrotik<->Switch using the same ethernet (probably 1) that was used before.
I don’t think the Teldat is in bridge mode. When I plug a laptop directly into the Movistar’s switch I get the address 192.168.1.X, so it must be in router mode.
So what happens if you attach a DHCP client directly (no /interface vlan in between) to Mikrotik’s ether1 rather than a fixed address? Does it get a dynamic one too?
First of all, thank you all for your help.
Sadly I can’t try your solutions until tomorrow (I have my own work as electrician and the company doesn’t stop until 22:00). The only moment I can touch the network without being yelled at is at lunch break. Tomorrow I’ll tell you, every idea is welcomed.
Clarification: while the new configuration is fixed, Movistar kept the old ONT still running so we don’t lose functionality. When everyone stops working I go to the communications room, plug the Mikrotik to the Teldat and the new ONT, and try to solve the puzzle.
My guess would be that if you disconnect/unplug the Teldat router and connect straight away the ONT to port 1 of the Mikrotik (which is how I guess things were installed before), things will work:
mikrotik will get the public IP address
internet will work
if you plug the switch to any of the remaining ports of the mikrotik, all the network will work.
This is assuming that before the connection was as you reported, and that the Movistar person only changed a standard consumer fiber by an enterprise fiber, no extra config.
I did what you said: I connected the Mikrotik directly to the new ONT, but nothing changed. Probably the Teldat has some new configuration and Movistar disabled the ONT so I’m forced to use the Teldat.
You were quite aggressive with the obfuscation, can you double-check in the original data that in the “741.258.963.159: who has 741.258.963.159”, both addresses are really the same? I would expect their last byte to differ, which would mean that it is the modem/router (the gateway) asking for the translation of the IP address of your WAN to its MAC address so that it could deliver the actual packet to it. Can you confirm?
Second, to speed things up, is that address the new public one or it is one of (10.x.x.x, 172.16-31.x.x, 192.168.x.x, 100.64-127.x.x)?
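An added example, not written by anyone in this thread, that shows in Python what the sniffer step from the earlier post and the address-range question above are looking for: it decodes an ARP frame the way /tool sniffer would show it, reports the 802.1Q VLAN ID if the frame is tagged (or that it is untagged), and classifies the sender and target addresses against the ranges listed above (10.x.x.x, 172.16-31.x.x, 192.168.x.x, 100.64-127.x.x). The frames and addresses are constructed for the example (RFC 5737 documentation addresses and a made-up MAC), not captured from the poster's network.

```python
"""Decode an ARP frame (optionally 802.1Q tagged) and classify its IPv4 addresses."""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806

# The non-public ranges named in the thread; anything else is treated as public.
NON_PUBLIC_RANGES = {
    "10.0.0.0/8": "RFC1918 private",
    "172.16.0.0/12": "RFC1918 private",
    "192.168.0.0/16": "RFC1918 private",
    "100.64.0.0/10": "CGNAT shared address space",
}


def classify_ipv4(addr):
    """Return which listed range an address falls into, or 'public'."""
    ip = ipaddress.IPv4Address(addr)
    for cidr, label in NON_PUBLIC_RANGES.items():
        if ip in ipaddress.ip_network(cidr):
            return label
    return "public"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_request(sender_mac, sender_ip, target_ip, vlan_id=None):
    """Build a constructed 'who has target_ip' ARP request, tagged if vlan_id is given."""
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, 0x0800, 6, 4, 1,                       # Ethernet/IPv4, request
        mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed,
    )
    header = b"\xff" * 6 + mac_bytes(sender_mac)  # broadcast dst, sender src
    if vlan_id is None:
        return header + struct.pack("!H", ETHERTYPE_ARP) + arp
    # 802.1Q tag: TPID 0x8100, then TCI whose low 12 bits carry the VLAN ID
    return header + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_ARP) + arp


def parse_arp_frame(frame):
    """Return VLAN ID (None if untagged), ARP operation and both IPv4 addresses."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF
        offset = 18
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame: ethertype 0x%04x" % ethertype)
    _htype, _ptype, _hlen, _plen, oper, _sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[offset:offset + 28])
    sender_ip = str(ipaddress.IPv4Address(spa))
    target_ip = str(ipaddress.IPv4Address(tpa))
    return {
        "vlan_id": vlan_id,
        "operation": {1: "request", 2: "reply"}.get(oper, "other"),
        "sender_ip": sender_ip,
        "sender_class": classify_ipv4(sender_ip),
        "target_ip": target_ip,
        "target_class": classify_ipv4(target_ip),
    }


def interpret(frame, my_wan_ip):
    """State the conclusion the thread draws from one sniffed ARP request."""
    info = parse_arp_frame(frame)
    if info["operation"] != "request" or info["target_ip"] != my_wan_ip:
        return "unrelated ARP traffic"
    where = "untagged" if info["vlan_id"] is None else "VLAN %d" % info["vlan_id"]
    return ("gateway %s (%s) asks for WAN address %s (%s) %s: "
            "assign that address to the uplink %s so the router answers the ARP"
            % (info["sender_ip"], info["sender_class"], my_wan_ip,
               info["target_class"], where, where))


if __name__ == "__main__":
    # Constructed sample: a gateway on VLAN 20 asking for the router's WAN address.
    sample = build_arp_request("02:00:00:00:00:01", "192.0.2.1", "192.0.2.2", vlan_id=20)
    print(parse_arp_frame(sample))
    print(interpret(sample, "192.0.2.2"))
```

If the decoded frame is tagged, the VLAN ID is the one the uplink interface (or an /interface vlan on it) has to carry; if it is untagged, the address goes on the physical port itself, which is the case the sniff output in this thread points to.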
Sorry for the aggressiveness. Yes, the last byte differs, my mistake.
The address begins with 217.x.x.x. The technician told me that I must change the MikroTik’s WAN to that address so their firewall works. I think it’s a GRE tunnel inside the Teldat.
I doubt that you are forced to use the Movistar router, their fiber is quite standard through Spain. But without knowing the current configuration of your router it is difficult to know what is failing/missing. I expected that the Mikrotik had the right config to work without the router, but it doesn’t look so.
Movistar uses vlans for its configuration, so adding something like the following to a default config of mikrotik, (removing ether1 from the WAN list and the dhcp-client on it is not even needed) should be close to enough to make it work without the teldat router, ethernet cable from ether1 straight to the ONT ether.
Note the passwords are the same for every customer, they authenticate using the fiber circuit.
On the other hand, a default Mikrotik configuration should work “through” the teldat router straight out of the box. ( any teldat ethernet port to ether1)
If you have an export of the whole config it might be simpler to start with either a VLAN configuration that works without the Teldat router or a NATted dhcp-client configuration that works through the Teldat router, and then add the specifics of your mikrotik configuration on top of it (VPN, etc).
We will learn that in the next round. To get there, you have to assign the 217.x.x.x address to the uplink interface of the Mikrotik directly*) (no VLAN, because no VLAN is indicated in the sniff output for the ARP packets), so that the Mikrotik would respond to the ARP and get some IP packet. And from there, we will see whether it is a GRE one or a direct UDP one, attempting to establish the VPN connection. But as it is a public IP, my guess is that it will be direct IP and you’ll have the public IP directly on the Mikrotik itself, making some things easier.
I intentionally ignore the VoIP part for now.
What would make the whole process faster would be if you could use some other Mikrotik (a hAP lite for €20 would be sufficient) to allow debugging the new setup outside lunch time. A virtualized CHR for € 0,- would do as well but I guess it might be even further outside your scope.
*) before doing that, I’d strongly recommend to post the export of your configuration - even though Movistar mentions their firewall, I’d prefer to verify that there are decent firewall rules in your 'Tik.
The configuration doesn’t seem to fit to the description you gave before, especially because I can see no traces of this device itself acting as a VPN server. But that’s for later.
Can you tell me the RouterOS version there? It seems to me it is way outdated (older than 6.41). Also the Winbox port open for access via WAN (so to anyone in the internet) along with a historical version of RouterOS makes me cry. The router may easily have been squatted in by some malware years ago.
But I mainly ask about the version as I’d like to suggest a script which would modify the firewall so that it would still work in the old configuration but at the same time with the new one depending on where it would be connected, but if the RouterOS is too old, it might not support some things. We may come back to the security issues later, but they need to be addressed.
It also has the vlan3 (VoIP) configuration and a pptp vpn definition.
Now, unless your Movistar connection is fairly strange, your router should work straight away without the teldat, connected ONT<->ether1, and offer internet in ether2…ether5.