Hello Guys,
I have a PPTP server set up using a pool that is part of the same local subnet. The local interface for the PPTP server is set in proxy-arp mode in order to have ARP traversal for the PPTP clients.
The above setup works fine in a normal environment with only one up-link.
In my case I have a setup with two up-links connected to a 6.32.2 router. The up-links are connected via two separate interfaces. In order to be able to route traffic through both up-links I use routing marks. I mark traffic originating from specific local addresses with different routing marks, and then the proper routing is set in the routing table for each mark.
The problem is that as long as mangle is used to set a routing mark, PPTP clients stop seeing local IP addresses within 10.10.10.0/24 behind the RouterBOARD.
The moment I disable the mangle routing-marking for 10.10.10.0/24 I can see those addresses again.
Proxy-arp debugging from a machine on ether1.vlan10 (part of bridge1, which is in proxy-arp mode) shows that in both cases, with or without mangle, the router is properly responding to ARP requests for IP addresses that belong to PPTP clients.
Here is a little bit more detailed setup:
[admin@lax-gw1] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=AAA.AA.AA.2/30 network=AAA.AA.AA.0 interface=ether5 actual-interface=ether5
2 address=BBB.BB.BB.2/30 network=BBB.BB.BB.0 interface=ether6 actual-interface=ether6
1 address=10.10.10.254/24 network=10.10.10.0 interface=bridge1 actual-interface=bridge1
1 address=192.168.100.254/24 network=192.168.100.0 interface=bridge1 actual-interface=bridge1
[admin@lax-gw1] > /ip route print detail where dst-address="0.0.0.0/0"
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 S dst-address=0.0.0.0/0 pref-src=BBB.BB.BB.2 gateway=BBB.BB.BB.1 gateway-status=BBB.BB.BB.1 reachable via ether6 distance=1 scope=30 target-scope=10 routing-mark=private
1 A S dst-address=0.0.0.0/0 pref-src=AAA.AA.AA.2 gateway=AAA.AA.AA.1 gateway-status=AAA.AA.AA.1 reachable via ether5 distance=1 scope=30 target-scope=10 routing-mark=home
3 A S dst-address=0.0.0.0/0 gateway=AAA.AA.AA.1 gateway-status=AAA.AA.AA.1 reachable via ether5 distance=1 scope=30 target-scope=10
[admin@lax-gw1] > /ip route print detail where dst-address="10.10.10.0/24"
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=10.10.10.0/24 pref-src=10.10.10.254 gateway=bridge1 gateway-status=bridge1 reachable distance=1 scope=10 target-scope=10 routing-mark=private
1 A S dst-address=10.10.10.0/24 pref-src=10.10.10.254 gateway=bridge1 gateway-status=bridge1 reachable distance=1 scope=10 target-scope=10 routing-mark=home
2 ADC dst-address=10.10.10.0/24 pref-src=10.10.10.254 gateway=bridge1 gateway-status=bridge1 reachable distance=0 scope=10
[admin@lax-gw1] > /ip route print detail where dst-address="192.168.100.0/24"
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=192.168.100.0/24 pref-src=192.168.100.254 gateway=bridge2 gateway-status=bridge2 reachable distance=1 scope=10 target-scope=10 routing-mark=private
1 A S dst-address=192.168.100.0/24 pref-src=192.168.100.254 gateway=bridge2 gateway-status=bridge2 reachable distance=1 scope=10 target-scope=10 routing-mark=home
2 ADC dst-address=192.168.100.0/24 pref-src=192.168.100.254 gateway=bridge2 gateway-status=bridge2 reachable distance=0 scope=10
[admin@lax-gw1] > /interface bridge print detail
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 actual-mtu=1500 l2mtu=9010 arp=proxy-arp mac-address=00:F1:F3:19:E4:95 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
1 R name="bridge2" mtu=1500 actual-mtu=1500 l2mtu=9010 arp=enabled mac-address=00:F1:F3:19:E4:97 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
[admin@lax-gw1] > /interface bridge port print detail
Flags: X - disabled, I - inactive, D - dynamic
0 interface=ether1.vlan10 bridge=bridge1 priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
1 interface=ether2.vlan10 bridge=bridge1 priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
2 interface=ether3.vlan11 bridge=bridge2 priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
3 interface=ether4.vlan11 bridge=bridge2 priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no
[admin@lax-gw1] > /ip firewall mangle print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=private passthrough=yes src-address=192.168.100.0/24 log=no log-prefix=""
1 chain=prerouting action=mark-routing new-routing-mark=home passthrough=yes src-address=10.10.10.0/24 log=no log-prefix=""
[admin@lax-gw1] > /ppp profile print detail
Flags: * - default
0 * name="default" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes address-list=""
1 name="vpn-servers" local-address=10.10.10.254 remote-address=pool1 remote-ipv6-prefix-pool=*0 bridge=bridge1 use-ipv6=yes use-mpls=default use-compression=default use-encryption=required only-one=default change-tcp-mss=default address-list="" dns-server=10.10.10.254
[admin@lax-gw1] > /ip pool print detail
0 name="pool1" ranges=10.10.10.128-10.10.10.199
[admin@lax-gw1] > /interface pptp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: vpn-servers
[admin@lax-gw1] > /ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=AAA.AA.AA.2 src-address=10.10.10.0/24 out-interface=ether5 log=no log-prefix=""
1 chain=srcnat action=src-nat to-addresses=BBB.BB.BB.2 src-address=192.168.100.0/24 out-interface=ether6 log=no log-prefix=""
Any thoughts?
~Cheers~