N lans and N wans (ADSL)

Hi,

I have N LANs and N WANs (ADSL). I want every LAN to go out through its own WAN.
So LAN1 goes out through WAN1, LAN2 through WAN2, … LANN through WANN.
I did this with these lines (based on the http://aacable.wordpress.com/2011/10/27/mikrotik-policy-routing-based-on-client-ip-address/ example):

/ip address
add address=192.168.N.254/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.10.N.254/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1

/ip firewall address-list
add address=192.168.N.0/24 disabled=no list=WANN_LIST

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wanN_user passthrough=no src-address-list=WANN_LIST

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.N.254 routing-mark=wanN_user scope=30 target-scope=10

/ip firewall nat add action=masquerade chain=srcnat disabled=no

But there are two problems.

First problem:
What about PPTP server?
I want a client coming from WANx to connect successfully with PPTP. I tried this, without success, with these lines:

/ ip dns 
allow-remote-requests=yes

/ ip firewall service-port 
set gre disabled=no 
set pptp disabled=no 

/ ip pool 
add name="pptp" ranges=172.16.0.200-172.16.0.229 

/ ppp profile 
add name="pptp-in" local-address=192.168.1.1 remote-address=pptp use-encryption=required \
   only-one=yes change-tcp-mss=yes dns-server=192.168.1.254

/ interface pptp-server server 
set enabled=yes max-mtu=1460 max-mru=1460 authentication=chap,mschap1,mschap2 \
default-profile=pptp-in 

/ ppp secret 
add name="user-1" service=pptp password="******" profile=pptp-in
add name="user-2" service=pptp password="******" profile=pptp-in

Second problem:
I don't know how to set up the MikroTik firewall for communication between LANx and LANy.



Could you help me?

v.

add address=10.10.N.254/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1

makes no sense … :smiley:
… I assume it was network=10.10.N.0 broadcast=10.10.N.255

anyway:

for problem 1
if you mean that the client has to see the right networks, use PPTP profiles to add dial-in users to a specific address list for the network/networks they should use, then mark their traffic accordingly to get the right routing
if you mean that the response to the client creating the tunnel goes out the wrong way, in the mangle table you should mark connections incoming on an interface and use that mark to mark routing in the output chain

/ ip firewall service-port
set gre disabled=no

I think it should raise an error, but maybe it is only useless... anyway I don't understand what it is supposed to achieve

for problem 2
for the firewall, one or two forward rules with action "accept" should be sufficient, based on two address-lists or on the interfaces they come in and go out
for routing, add some rules to evaluate your internal and VPN traffic only in the main table.
I normally have something like this:

/ip route rule
add dst-address=192.168.0.0/16 table=main
add dst-address=172.16.0.0/12 table=main
add dst-address=10.0.0.0/8 table=main

without routing rules, you will need to add your known networks to every routing table


dt
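As an added example (not part of dtoffo's reply or the original post), here is what "mark connections incoming on an interface and use that mark to mark routing in the output chain" looks like as a complete mangle set for N=2. Interface names WAN1/WAN2, the address lists WAN1_LIST/WAN2_LIST and the routing-marks wan1_user/wan2_user follow the thread; the connection-mark names wan1_conn/wan2_conn and the modem addresses 10.10.n.1 are assumptions. Syntax is RouterOS v6.

```routeros
# Added example: make every connection that arrives on a WAN leave through
# that same WAN, including connections the router itself terminates (PPTP
# TCP/1723 and GRE). Names wan1_conn/wan2_conn and gateways 10.10.n.1 are
# assumed; the rest follows the thread's naming. RouterOS v6 syntax.

/ip firewall mangle
# 1. Remember which WAN a new inbound connection arrived on.
#    chain=input:      connections terminated on the router (PPTP server, GRE)
#    chain=prerouting: dst-nat'ed connections forwarded to LAN hosts
add chain=input in-interface=WAN1 connection-state=new \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=input in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting in-interface=WAN1 connection-state=new \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes

# 2. Replies generated by the router itself follow the connection-mark.
add chain=output connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=wan1_user passthrough=no
add chain=output connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=wan2_user passthrough=no

# 3. Replies forwarded from LAN hosts for connections that came in on a WAN
#    follow the mark too. These must sit ABOVE the per-LAN rules in step 4,
#    otherwise the "LANn -> WANn" policy wins and the reply leaves the wrong WAN.
add chain=prerouting connection-mark=wan1_conn in-interface=!WAN1 \
    action=mark-routing new-routing-mark=wan1_user passthrough=no
add chain=prerouting connection-mark=wan2_conn in-interface=!WAN2 \
    action=mark-routing new-routing-mark=wan2_user passthrough=no

# 4. The per-LAN policy from the first post stays below.
add chain=prerouting src-address-list=WAN1_LIST \
    action=mark-routing new-routing-mark=wan1_user passthrough=no
add chain=prerouting src-address-list=WAN2_LIST \
    action=mark-routing new-routing-mark=wan2_user passthrough=no

# Each routing-mark needs its own default route. The gateway must be the ADSL
# modem's address on that WAN subnet (assumed 10.10.n.1 here), not the
# router's own 10.10.n.254.
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.1.1 routing-mark=wan1_user distance=1
add dst-address=0.0.0.0/0 gateway=10.10.2.1 routing-mark=wan2_user distance=1
```

Rule order matters in mangle: check with `/ip firewall mangle print stats` that the connection-mark rules in step 1 are counting hits for an incoming PPTP session before looking anywhere else. The GRE part of PPTP is tracked by the pptp helper enabled under /ip firewall service-port, so it inherits the same connection-mark as the TCP/1723 control connection.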

Hi dtoffo :smiley:,

yes! This is my :confused: copy&paste error. The correct address is:

add address=10.10.n.254/24 network=10.10.n.0 broadcast=10.10.n.255 interface=WANn

where “n” is the WAN id.

Problem 1. Trivially, the GRE service port is on. :slight_smile:
The user connects successfully and gets the correct IP. The tunnel is established.
The user can ping every firewall interface (10.10.n.254 and 192.168.n.254) but no clients in LANn (the clients can be pinged from the MikroTik firewall terminal).
Note that ARP is enabled on the LANn interfaces.
I suppose that's a mangle error (mine). If I disable the mangle routing marks, everything works.
But how do I mark correctly without losing the n-WAN balancing?

Problem 2 resolution: I think your position is correct, but could you be more verbose? Could you use my notation? For example, if x and y are two LANs, what are your route rules? I think the masquerade flow has precedence and a packet from x to y goes through WANx and not through LANy.
So my question can be made explicit as: "How do I set up the correct rules if I want LANx and LANy to communicate, with LANx going to the internet via WANx and LANy going to the internet via WANy?"


Thanks for your effort.
v.

problem 1 and 2
for both of them, you need to force your firewall to resolve addresses in the main table, because VPN links are added only to the main routing table.
so I would add:

# for pptp clients: I used the best match of a network address for the pool you used... in rules you will use networks, not ranges
/ip route rule add action=lookup-only-in-table dst-address=172.16.0.192/26 table=main
# for local subnets:
/ip route rule add action=lookup-only-in-table dst-address=192.168.N.0/24 table=main

as long as you don’t have the same addresses in more than one local network, this will work.

another hint on problem 1:

/ ppp profile
add name="pptp-in" local-address=192.168.1.1 remote-address=pptp use-encryption=required \
   only-one=yes change-tcp-mss=yes dns-server=192.168.1.254

honestly, I think that in the ppp profile the local address should be in the same network as the pool you give to clients, but maybe if you are using only PPTP it can work, given the assumptions the protocol makes (I think your clients will have "use default route", right?).

d
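Putting dtoffo's two answers to problem 2 together, as an added example that is not part of the posts above: the route rules that keep LANx<->LANy and PPTP traffic in the main table, the forward rule that permits it, and the NAT change that stops the original catch-all masquerade from rewriting LAN-to-LAN packets. Written for N=2 with the thread's names (Local, WAN1, WAN2, 192.168.n.0/24, pool 172.16.0.200-229); the address-list name LAN_ALL and the /26 that covers the pool are assumptions. RouterOS v6 syntax.

```routeros
# Added example: internal traffic (LAN<->LAN, LAN<->PPTP) resolved in main,
# accepted in forward, and excluded from masquerade. N=2; LAN_ALL is an
# assumed list name; 172.16.0.192/26 is the smallest prefix containing the
# thread's PPTP pool 172.16.0.200-172.16.0.229. RouterOS v6 syntax.

/ip firewall address-list
add list=LAN_ALL address=192.168.1.0/24
add list=LAN_ALL address=192.168.2.0/24
add list=LAN_ALL address=172.16.0.192/26

# An explicit route rule takes precedence over the packet's routing-mark, so a
# packet from LAN1 marked wan1_user but addressed to LAN2 or to a PPTP client
# is still looked up in main, where the connected and PPTP routes live.
/ip route rule
add dst-address=192.168.1.0/24  action=lookup-only-in-table table=main
add dst-address=192.168.2.0/24  action=lookup-only-in-table table=main
add dst-address=172.16.0.192/26 action=lookup-only-in-table table=main

# Equivalent alternative without route rules: never mark internal traffic.
# This rule must sit ABOVE the src-address-list mark-routing rules; action=accept
# in mangle stops further mangle processing for the packet.
/ip firewall mangle
add chain=prerouting dst-address-list=LAN_ALL action=accept \
    comment="internal traffic: leave unmarked, main table"

# Firewall: allow LANx <-> LANy and PPTP <-> LAN. Place before any drop rule.
/ip firewall filter
add chain=forward src-address-list=LAN_ALL dst-address-list=LAN_ALL action=accept

# NAT: the first post's masquerade rule has no out-interface, so LAN1 -> LAN2
# packets would be source-NATed to the router's own LAN2 address and the LAN2
# host would see every LAN1 client as 192.168.2.254. Restrict it to the WANs.
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
```

With either the route rules or the mangle accept in place, `/ip route print where routing-mark=wan1_user` should still show only the default route, and a traceroute from a LAN1 host to a LAN2 host should take one hop through the router rather than leaving via WAN1. On RouterOS v7 the route rules live under /routing rule instead of /ip route rule and each routing-mark must first be created under /routing table.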