Multiply VLAN, dual WAN

Hi all

After hours of reading forum threads I didn’t find a solution that works. I hope one of you can help.

I have the attached network (see diagram)

I have two internet connections behind a pfSense firewall. One of these connections is protected with a captive portal. So the goal is that VL_LAN on eth2 can only connect to the internet after logging in, and VL_LANE on eth3 has direct internet access.

So, if I don’t use mangle rules, I can connect to the internet either over LANE on eth3 or over LAN on eth1 (pfSense firewall), depending on which default gateway is in first position or activated. But if I try to build some routing rules, it doesn’t work, though I think it should work with the following settings:

Mangle:
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=prerouting action=mark-routing new-routing-mark=RM_LANE passthrough=yes
   src-address=172.20.0.0/16 dst-address=!192.168.2.0/24 in-interface=VL_LANE

 1 chain=prerouting action=mark-routing new-routing-mark=RM_LAN passthrough=yes
   src-address=192.168.2.0/24 dst-address=!172.20.0.0/16 in-interface=VL_LAN
[admin@MikroTik] /ip firewall mangle>

Route with routing mark:
[admin@MikroTik] /ip route> export

aug/09/2012 09:01:26 by RouterOS 5.19

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.1.1 routing-mark=RM_LANE scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=RM_LAN scope=30 target-scope=10
[admin@MikroTik] /ip route>

Routes:
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY          DISTANCE
 0 S    0.0.0.0/0                          172.16.1.1              1
 1 S    0.0.0.0/0                          192.168.1.1             1
 2 ADC  172.20.0.0/16      172.20.0.1      BR_LANE                 0
 3 ADC  192.168.2.0/24     192.168.2.1     BR_LAN                  0
 4 ADC  192.168.5.0/24     192.168.5.1     BR_Data                 0
 5 ADC  192.168.10.0/24    192.168.10.25   Administration          0
[admin@MikroTik] /ip route>

NAT:
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=LAN

1 chain=srcnat action=masquerade out-interface=LANE
[admin@MikroTik] /ip firewall nat>

I mark the corresponding network traffic and try to route it with the corresponding routing mark to the right gateway, but from both networks I cannot connect to the internet.

Who can help?
Thanks
Dani
Network.jpg

Try defining the mangle rule either with source IPs or in-interfaces - don’t see why you need both in this application. Also set passthrough=no since we should be using one mangle rule at most. The simpler it reads the easier it is to find the issue…

I found my fault. I forgot to set the subnet mask on the interfaces LAN and LANE :confused:

[admin@MikroTik] /ip address> print
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; added by setup
     192.168.10.25/24   192.168.10.0    Administration
 1   ;;; LAN without Internet Access (Portal pfSense)
     192.168.2.1/24     192.168.2.0     VL_LAN
 2   ;;; LAN with Internet Access
     172.20.0.1/16      172.20.0.0      VL_LANE
 3   ;;; LAN including Data, Storage, Peripherals
     192.168.5.1/24     192.168.5.0     VL_Data
 4   ;;; WAN Port with Internet Access
     172.16.1.2/16      172.16.0.0      LANE
 5   ;;; WAN Port without Internet Access (pfSense)
     192.168.1.2/24     192.168.1.0     LAN
[admin@MikroTik] /ip address>

But the problem with the captive portal is that if anybody logs in, internet access is open for all (NAT rule).

I’ve no idea at the moment how to solve this problem.

Thanks for your help, CelticComms
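The following is an added example, not configuration posted by Dani or CelticComms, that pulls the whole thread together: the policy-routing setup from the first post (one mark per VLAN, one default route per mark, simplified as CelticComms suggests), the prefix lengths that were missing in the address list, and a fix for the "one login opens the internet for everyone" problem from the last post. That last problem is a consequence of rule 0 in the posted NAT table: masquerading toward pfSense rewrites every VL_LAN client to 192.168.1.2, so the captive portal, which authorises by client IP, sees a single client. The example therefore routes toward pfSense without NAT and only masquerades on the direct uplink. It assumes RouterOS 5.x syntax as used in the thread, the interface names and addresses from the posts, and that pfSense gets a static route for 192.168.2.0/24 via 192.168.1.2 on its LAN interface with captive-portal MAC filtering disabled (the router's MAC is all pfSense would ever see). The address-list name LOCAL_NETS and the fail-closed unreachable route are this example's additions.

```routeros
# Added example (not from the original posts). Assumed: RouterOS 5.x,
# interface/address names as in the thread, pfSense at 192.168.1.1
# running the captive portal, direct uplink gateway at 172.16.1.1.

# 1. Addresses WITH prefix lengths (the missing masks were the first bug:
#    without them no gateway was reachable and neither default route went active).
/ip address
add address=192.168.2.1/24 interface=VL_LAN  comment="LAN, internet only via pfSense portal"
add address=172.20.0.1/16  interface=VL_LANE comment="LANE, direct internet"
add address=192.168.5.1/24 interface=VL_Data comment="Data, Storage, Peripherals"
add address=192.168.1.2/24 interface=LAN     comment="uplink to pfSense"
add address=172.16.1.2/16  interface=LANE    comment="uplink with direct internet"

# 2. Local networks that must never be policy-routed out of a WAN port.
#    (LOCAL_NETS is an assumed name.)
/ip firewall address-list
add list=LOCAL_NETS address=192.168.2.0/24
add list=LOCAL_NETS address=172.20.0.0/16
add list=LOCAL_NETS address=192.168.5.0/24
add list=LOCAL_NETS address=192.168.10.0/24

# 3. One mangle rule per VLAN, matched on in-interface only, passthrough=no,
#    as suggested in the reply above. Only traffic leaving the local networks
#    gets a routing mark; inter-VLAN traffic stays in the main table.
/ip firewall mangle
add chain=prerouting in-interface=VL_LAN  dst-address-list=!LOCAL_NETS \
    action=mark-routing new-routing-mark=RM_LAN  passthrough=no
add chain=prerouting in-interface=VL_LANE dst-address-list=!LOCAL_NETS \
    action=mark-routing new-routing-mark=RM_LANE passthrough=no

# 4. One default route per mark, plus an unmarked default for the router itself.
#    The distance=2 unreachable route in RM_LAN is the fail-closed part: if the
#    pfSense gateway stops answering, VL_LAN must NOT fall through to the main
#    table and reach the internet via 172.16.1.1 without ever seeing the portal.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=RM_LAN  distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 routing-mark=RM_LAN type=unreachable   distance=2
add dst-address=0.0.0.0/0 gateway=172.16.1.1  routing-mark=RM_LANE distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=172.16.1.1  distance=1

# 5. NAT only on the direct uplink. No masquerade toward pfSense: the portal
#    authorises per source address, and rule 0 of the posted NAT table collapsed
#    every VL_LAN client into 192.168.1.2, so one login opened the door for all.
#    pfSense must instead have a static route 192.168.2.0/24 -> 192.168.1.2.
/ip firewall nat
add chain=srcnat out-interface=LANE action=masquerade

# 6. Checks: both marked routes should show the A flag, and the mangle
#    counters should climb only for the VLAN whose client you are testing from.
/ip route print where routing-mark=RM_LAN
/ip route print where routing-mark=RM_LANE
/ip firewall mangle print stats
```

After applying this, a second VL_LAN client should again be redirected to the portal login page even while the first client is logged in, because pfSense now sees 192.168.2.x addresses rather than one shared 192.168.1.2. If pfSense's captive portal still cannot see individual clients, the thing to check is the missing static route on the pfSense side, not the MikroTik mangle rules.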