Newbie routing question

RouterOS Beginner Basics
1

Hello guys at Mikrotik,

Let;s try another approach to see if I get an answer :frowning:.

I have setup PCC routing load balancing on my mikrotik using:

http://aacable.wordpress.com/2011/07/27/mikrotik-dual-wan-load-balancing-using-pcc-method-complete-script-by-zaib/

I’ve setup a pptp connection to my office VPN I can connect just fine, I created a routing rule like this:

[admin@MikroTik] > /ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.0.1               1
 1   S  0.0.0.0/0                          192.168.169.1             1
 8 A S  0.0.0.0/0                          192.168.0.1               1
 9   S  0.0.0.0/0                          192.168.169.1             2
10 A S   10.10.10.0/24                      pptp-out1                 1
11 ADC  10.10.10.200/32    10.10.10.206    pptp-out1                 0
12 ADC  192.168.0.0/24     192.168.0.254   ETB                       0
13 ADC  192.168.5.0/24     192.168.5.254   LAN                       0

I also have a NAT rule fot machines behind MK that look like this:

[admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=ETB 

 1 I chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=UNE 

 2   ;;; NAT TO VPN
     chain=srcnat action=masquerade out-interface=pptp-out1

When I enable route number 10 I can ping from mikrotik terminal to IPs behind the VPN what doesn’t happen when I turn it off.

I’m just network student so I’m no expert on routing issues, so any help or correction to what I’m doing here will be greatly appreciated.


Thanks

2

You need to have an accept rule at the top of your mangle PCC rules for LAN to LAN traffic. Right now my guess is that your traffic is running through the PCC and going out the wrong route.

3

Hey cbrown,

Thank you for taking the time to answer; I found a useful page on hidemyass.com (http://wiki.hidemyass.com/Mikrotik_Router_PPTP_and_L2TP_Setup) although it cleared some of black holes I had configuring it and following routing form my LAN could ping and connect to services on the VPN network now this morning I tried it didn’t work, just like that :frowning:

According to that wiki I had to add a Route, a Mangle Rule and NAT Rule, I have them like this:

Addresses:

[admin@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                            
 0   192.168.5.254/24   192.168.5.0     LAN                                                                  
 1   192.168.0.254/24   192.168.0.0     ETB                                                                  
 2   192.168.169.254/24 192.168.169.0   UNE                                                                  
 3 D 10.10.10.209/32    10.10.10.200    pptp-out1

Routes

[admin@MikroTik] > /ip route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.0.1               1
 1 A S  0.0.0.0/0                          192.168.169.1             1
 2 A S  ;;; HTTP
        0.0.0.0/0                          192.168.169.1             2
 3 A S  ;;; SSL
        0.0.0.0/0                          192.168.169.1             2
 4 A S  ;;; SMTP
        0.0.0.0/0                          192.168.169.1             1
 5 A S  ;;; IMAP
        0.0.0.0/0                          192.168.0.1               1
 6 X S  ;;; P2P
        0.0.0.0/0                          192.168.0.1               1
 7 X S  ;;; UnKNWON
        0.0.0.0/0                          192.168.0.1               1
                                           UNE               
 8 A S  0.0.0.0/0                          192.168.0.1               1
 9   S  0.0.0.0/0                          192.168.169.1             2
10 A S  ;;; MUNDO VPN
        10.10.10.0/24                                    pptp-out1         
11 ADC  10.10.10.200/32    10.10.10.209    pptp-out1                 0
12 ADC  192.168.0.0/24     192.168.0.254   ETB                       0
13 ADC  192.168.5.0/24     192.168.5.254   LAN                       0
14 ADC  192.168.169.0/24   192.168.169.254 UNE                       0

Mangle Rules

[admin@MikroTik] > /ip firewall mangle print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=mark-connection new-connection-mark=ETB_conn 
     passthrough=yes in-interface=ETB 

 1   chain=input action=mark-connection new-connection-mark=UNE_conn 
     passthrough=yes in-interface=UNE 

 2   chain=output action=mark-routing new-routing-mark=to_ETB passthrough=yes 
     connection-mark=ETB_conn 

 3   chain=output action=mark-routing new-routing-mark=to_UNE passthrough=yes 
     connection-mark=UNE_conn 

 4   chain=prerouting action=accept dst-address=192.168.0.0/24 in-interface=LA>

 5   chain=prerouting action=accept dst-address=192.168.169.0/24 
     in-interface=LAN 

 6   chain=prerouting action=mark-connection new-connection-mark=ETB_conn 
     passthrough=yes dst-address-type=!local in-interface=LAN 
     per-connection-classifier=both-addresses-and-ports:2/0 

 7   chain=prerouting action=mark-connection new-connection-mark=UNE_conn 
     passthrough=yes dst-address-type=!local in-interface=LAN 
     per-connection-classifier=both-addresses-and-ports:2/1 

 8   chain=prerouting action=mark-routing new-routing-mark=to_ETB 
     passthrough=yes in-interface=LAN connection-mark=ETB_conn 

 9   chain=prerouting action=mark-routing new-routing-mark=to_UNE 
     passthrough=yes in-interface=LAN connection-mark=UNE_conn 

10   ;;; MUNDO PPTP VPN
     chain=prerouting action=mark-routing new-routing-mark=PAYMUNDO VPN 
     passthrough=yes in-interface=LAN

NAT Rules

[admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=ETB 

 1   chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=UNE 

 2   ;;; NAT TO MUNDO VPN
     chain=srcnat action=masquerade out-interface=pptp-out1 connection-limit=100,32 limit=1,5 
     connection-type=pptp

I don’t really know how to diagnose this as I now can’t ping from any internal machine to any host on the 10.10.10.0/24 network except fropm Mikrotik itself.

I might have something there on my configuration that’s wrong, now I’m new to mikrotik way of doing things I know some Linux and Cisco but the Mikrotik has my head spinning. I know this would be an advanced topic for a n00b like me but Mikrotik as I said on another post is the only solution I’ve gotten to work with my two WANs in tandem, eventhough SSL continues to be broken but tha’s topic for another day.

Thank you for your invaluable help.

Cheers.