Hi
I have a relatively simple and small (one router) network setup. Please see the following (rudimentary) network layout:

[Jeandre@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R Ethernet1-UCom ether 1500 1600
1 R Ethernet2-Network ether 1500 1598 2030
2 R Ethernet3-Telkom ether 1500 1598 2030
3 X ether4 ether 1500 1598 2030
4 X ether5 ether 1500 1598 2030
5 R Jeandre-Network-WiFi wlan 1500 2290
6 R Jeandre-Network-Bridge bridge 1500 1598
7 X Telkom-ADSL pppoe-out
8 Jeandre-Remote-VPN pptp-in
9 Jeandre-CPT-VPN pptp-in
10 R EoIP-Jeandre-CPT-VPN eoip-tunnel 1500 65535
11 R Jeandre-Desktop-Loopback bridge 1500 65535
12 R Jeandre-NAS-Loopback bridge 1500 65535
13 R Jeandre-Server-Loopback bridge 1500 65535
14 R Telkom-Router-Loopback bridge 1500 65535
15 R Pierre-Desktop-Loopback bridge 1500 65535
16 Chanelle-VPN pptp-in
17 X Jeandre-OpenWeb pppoe-out
18 Jeandre-Phone-VPN pptp-in
19 R Jeandre-iPhone-Loopback bridge 1500 65535
20 R ;;; WebAfrica
Pierre-ADSL pppoe-out 1480
21 Pierre-VPN pptp-in
22 R ;;; RSA-Web
Jeandre-ADSL pppoe-out 1480
[Jeandre@MikroTik] > interface pppoe-client print
Flags: X - disabled, R - running
2 R ;;; WebAfrica
name="Pierre-ADSL" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="x" password="x" profile=default service-name=""
ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2
3 R ;;; RSA-Web
name="Jeandre-ADSL" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="x" password="x" profile=default
service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2
[Jeandre@MikroTik] >
[Jeandre@MikroTik] > interface bridge print
Flags: X - disabled, R - running
0 R name="Jeandre-Network-Bridge" mtu=1500 l2mtu=1598 arp=enabled mac-address=00:0C:42:D5:09:0A protocol-mode=none priority=0x8000 auto-mac=no admin-mac=00:0C:42:D5:09:0A
max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
1 R name="Jeandre-Desktop-Loopback" mtu=1500 l2mtu=65535 arp=proxy-arp mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
2 R name="Jeandre-NAS-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
3 R name="Jeandre-Server-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
4 R name="Telkom-Router-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
5 R name="Pierre-Desktop-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
6 R name="Jeandre-iPhone-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
[Jeandre@MikroTik] >
[Jeandre@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 Ethernet2-Network Jeandre-Network-Bridge 0x80 10 none
1 Jeandre-Network-WiFi Jeandre-Network-Bridge 0x80 10 none
2 EoIP-Jeandre-CPT-VPN Jeandre-Network-Bridge 0x80 10 none
[Jeandre@MikroTik] >
[Jeandre@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 172.16.180.100/24 172.16.180.0 Ethernet1-UCom
1 192.168.0.1/24 192.168.0.0 Jeandre-Network-Bridge
2 192.168.1.2/24 192.168.1.0 Ethernet3-Telkom
3 192.168.2.3/32 192.168.2.3 Telkom-Router-Loopback
4 192.168.2.10/32 192.168.2.10 Jeandre-Desktop-Loopback
5 192.168.2.50/32 192.168.2.50 Pierre-Desktop-Loopback
6 192.168.2.40/32 192.168.2.40 Jeandre-Server-Loopback
7 192.168.2.45/32 192.168.2.45 Jeandre-NAS-Loopback
8 192.168.2.20/32 192.168.2.20 Jeandre-iPhone-Loopback
9 D xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx Pierre-ADSL
10 D xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx Jeandre-ADSL
[Jeandre@MikroTik] >
[Jeandre@MikroTik] > ip dns print
servers: 8.8.8.8,168.210.2.2
allow-remote-requests: yes
max-udp-packet-size: 512
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 62KiB
[Jeandre@MikroTik] >
[Jeandre@MikroTik] > ip dhcp-server print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 Jeandre-Network Jeandre-Network-Bridge Jeandre-Network 3d
[Jeandre@MikroTik] >
[Jeandre@MikroTik] > ip dhcp-server lease print detail
Flags: X - disabled, R - radius, D - dynamic, B - blocked
0 ;;; Jeandre-Desktop
address=192.168.0.10 mac-address=BC:AE:C5:CF:02:31 client-id="1:bc:ae:c5:cf:2:31" address-list="Jeandre" server=Jeandre-Network status=bound expires-after=2d20h52m22s last-seen=1h5m9s
active-address=192.168.0.10 active-mac-address=BC:AE:C5:CF:02:31 active-client-id="1:bc:ae:c5:cf:2:31" active-server=Jeandre-Network host-name="Jeandre-Desktop"
1 ;;; Jeandre-Printer
address=192.168.0.5 mac-address=98:4B:E1:3B:4F:A7 client-id="1:98:4b:e1:3b:4f:a7" address-list="Jeandre" server=Jeandre-Network status=bound expires-after=2d20h49m17s last-seen=14h31m59s
active-address=192.168.0.5 active-mac-address=98:4B:E1:3B:4F:A7 active-client-id="1:98:4b:e1:3b:4f:a7" active-server=Jeandre-Network host-name="Jeandre-Printer"
2 ;;; Jeandre-Network-Server
address=192.168.0.40 mac-address=00:1D:7D:AC:47:06 address-list="Jeandre" server=Jeandre-Network always-broadcast=yes status=bound expires-after=2d20h51m47s last-seen=1d5h39m24s
active-address=192.168.0.40 active-mac-address=00:1D:7D:AC:47:06 active-client-id="1:0:1d:7d:ac:47:6" active-server=Jeandre-Network host-name="hyper-v-server"
3 ;;; Jeandre-NAS
address=192.168.0.45 mac-address=00:10:75:07:45:8D client-id="1:0:10:75:7:45:8d" address-list="Jeandre" server=Jeandre-Network status=bound expires-after=2d20h51m52s last-seen=15h29m24s
active-address=192.168.0.45 active-mac-address=00:10:75:07:45:8D active-client-id="1:0:10:75:7:45:8d" active-server=Jeandre-Network host-name="Jeandre-NAS"
4 ;;; Pierre-iPad
address=192.168.0.65 mac-address=40:30:04:81:16:74 address-list="Pierre" server=Jeandre-Network always-broadcast=yes status=bound expires-after=2d23h51m45s last-seen=8m15s
active-address=192.168.0.65 active-mac-address=40:30:04:81:16:74 active-client-id="1:40:30:4:81:16:74" active-server=Jeandre-Network host-name="Pierres-iPad"
5 ;;; Jeandre-PS3
address=192.168.0.30 mac-address=00:24:8D:D2:93:5F client-id="1:0:24:8d:d2:93:5f" address-list="Jeandre" server=Jeandre-Network last-seen=1d2h40m23s
6 ;;; Pierre-Desktop
address=192.168.0.50 mac-address=00:80:77:15:13:20 client-id="1:0:80:77:15:13:20" address-list="Pierre" server=Jeandre-Network status=bound expires-after=2d20h51m17s last-seen=2h54m29s
active-address=192.168.0.50 active-mac-address=00:80:77:15:13:20 active-client-id="1:0:80:77:15:13:20" active-server=Jeandre-Network host-name="snorbaard-i5"
7 ;;; Jeandre-Phone
address=192.168.0.15 mac-address=50:CC:F8:28:82:2B address-list="Jeandre" server=Jeandre-Network always-broadcast=yes status=bound expires-after=2d20h52m58s last-seen=3h7m2s
active-address=192.168.0.15 active-mac-address=50:CC:F8:28:82:2B active-client-id="1:50:cc:f8:28:82:2b" active-server=Jeandre-Network
8 ;;; Jeandre-Desktop Wifi (EnGenius)
address=192.168.0.11 mac-address=00:02:6F:4F:74:AD address-list="UCom-Global" server=Jeandre-Network last-seen=never
9 ;;; Pierre-PS3
address=192.168.0.70 mac-address=FC:0F:E6:71:51:B1 client-id="1:fc:f:e6:71:51:b1" address-list="Pierre" server=Jeandre-Network last-seen=9w4d10h33m40s
10 ;;; Pierre-Netbook WiFi
address=192.168.0.61 mac-address=00:1D:92:C7:B2:D5 client-id="1:0:1d:92:c7:b2:d5" address-list="Pierre" server=Jeandre-Network last-seen=1w1d3h52m48s
11 ;;; Pierre-Netbook Ethernet
address=192.168.0.60 mac-address=00:1D:92:5A:9C:33 client-id="1:0:1d:92:5a:9c:33" address-list="Pierre" server=Jeandre-Network last-seen=1w1d1h6m18s
12 ;;; Pierre-iPhone
address=192.168.0.55 mac-address=14:8F:C6:4E:DB:E9 client-id="1:14:8f:c6:4e:db:e9" address-list="Pierre" server=Jeandre-Network last-seen=6w7m31s
13 ;;; Jeandre-Download-Server
address=192.168.0.35 mac-address=00:00:58:11:84:3E address-list="Jeandre" server=Jeandre-Network last-seen=8w12h35m35s
14 ;;; Pierre-phone-xperia
address=192.168.0.56 mac-address=00:23:45:39:CD:F5 address-list="Pierre" server=Jeandre-Network last-seen=1w5d40m47s
15 X ;;; Jeandre-Laptop - Wifi
address=192.168.0.98 mac-address=00:26:C6:00:8F:54 address-list="Jeandre" server=Jeandre-Network last-seen=3w23h27m35s
16 X ;;; Jeandre-Laptop - EtherNet
address=192.168.0.99 mac-address=18:A9:05:93:85:DF address-list="Jeandre" server=Jeandre-Network last-seen=never
17 ;;; Jeandre-Laptop - Wifi
address=192.168.0.20 mac-address=00:24:D7:9E:64:9C address-list="Jeandre" server=Jeandre-Network status=bound expires-after=2d21h37m50s last-seen=2h22m6s active-address=192.168.0.20
active-mac-address=00:24:D7:9E:64:9C active-client-id="1:0:24:d7:9e:64:9c" active-server=Jeandre-Network host-name="Jeandre-Laptop"
18 ;;; Jeandre-Laptop - EtherNet
address=192.168.0.21 mac-address=F0:DE:F1:72:F9:6C address-list="Jeandre" server=Jeandre-Network last-seen=1w2d2h8m27s
19 D address=192.168.0.97 mac-address=00:00:5A:11:84:3E client-id="1:0:0:5a:11:84:3e" server=Jeandre-Network status=bound expires-after=2d20h51m47s last-seen=1d5h39m26s active-address=192.168.0.97
active-mac-address=00:00:5A:11:84:3E active-client-id="1:0:0:5a:11:84:3e" active-server=Jeandre-Network host-name="hyper-v-server"
[Jeandre@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=Jeandre-ADSL
1 chain=srcnat action=masquerade out-interface=Pierre-ADSL
2 chain=srcnat action=masquerade out-interface=Ethernet3-Telkom
3 chain=srcnat action=masquerade out-interface=Ethernet1-UCom
5 chain=srcnat action=src-nat to-addresses=192.168.2.10 src-address=192.168.0.10 dst-address=192.168.2.0/24
6 chain=srcnat action=src-nat to-addresses=192.168.2.20 src-address=192.168.0.20 dst-address=192.168.2.0/24
7 chain=srcnat action=src-nat to-addresses=192.168.2.40 src-address=192.168.0.40 dst-address=192.168.2.0/24
8 chain=srcnat action=src-nat to-addresses=192.168.2.45 src-address=192.168.0.45 dst-address=192.168.2.0/24
9 chain=srcnat action=src-nat to-addresses=192.168.2.50 src-address=192.168.0.50 dst-address=192.168.2.0/24
10 chain=srcnat action=src-nat to-addresses=192.168.2.3 src-address=192.168.1.1 dst-address=192.168.2.0/24
11 chain=dstnat action=dst-nat to-addresses=192.168.0.10 src-address=192.168.2.0/24 dst-address=192.168.2.10
12 chain=dstnat action=dst-nat to-addresses=192.168.0.20 src-address=192.168.2.0/24 dst-address=192.168.2.20
13 chain=dstnat action=dst-nat to-addresses=192.168.0.45 src-address=192.168.2.0/24 dst-address=192.168.2.45
14 chain=dstnat action=dst-nat to-addresses=192.168.0.40 src-address=192.168.2.0/24 dst-address=192.168.2.40
15 chain=dstnat action=dst-nat to-addresses=192.168.1.1 src-address=192.168.2.0/24 dst-address=192.168.2.3
16 chain=dstnat action=dst-nat to-addresses=192.168.0.50 src-address=192.168.2.0/24 dst-address=192.168.2.50
17 X chain=dstnat action=dst-nat to-addresses=192.168.0.10 to-ports=8080 protocol=tcp in-interface=Jeandre-OpenWeb dst-port=80
[Jeandre@MikroTik] >
[Jeandre@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Jeandre VPN
chain=input action=mark-connection new-connection-mark=Jeandre-VPN passthrough=yes protocol=tcp in-interface=Jeandre-ADSL dst-port=1723
1 ;;; Jeandre VPN
chain=output action=mark-routing new-routing-mark=Jeandre passthrough=no connection-mark=Jeandre-VPN
2 ;;; Pierre VPN
chain=input action=mark-connection new-connection-mark=Pierre-VPN passthrough=yes protocol=tcp in-interface=Pierre-ADSL dst-port=1723
3 ;;; Pierre VPN
chain=output action=mark-routing new-routing-mark=Pierre passthrough=no connection-mark=Pierre-VPN
4 ;;; Pierre packet marks for queue
chain=prerouting action=mark-packet new-packet-mark=pierre-in passthrough=yes in-interface=Pierre-ADSL
5 ;;; Pierre packet marks for queue
chain=postrouting action=mark-packet new-packet-mark=pierre-out passthrough=yes out-interface=Pierre-ADSL
6 ;;; Pierre Traffic route through WebAfrica (ADSL)
chain=prerouting action=mark-routing new-routing-mark=Pierre passthrough=no src-address-list=Pierre
7 ;;; Jeandre packet marks for queue
chain=prerouting action=mark-packet new-packet-mark=jeandre-in passthrough=yes in-interface=Jeandre-ADSL
8 ;;; Jeandre packet marks for queue
chain=postrouting action=mark-packet new-packet-mark=jeandre-out passthrough=yes out-interface=Jeandre-ADSL
9 ;;; Jeandre Traffic route through RSA-Web (ADSL)
chain=prerouting action=mark-routing new-routing-mark=Jeandre passthrough=no src-address-list=Jeandre
[Jeandre@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 Router 192.168.0.1
1 Router 192.168.1.2
2 Router 172.16.180.100
3 Local 192.168.0.0/24
4 Local 192.168.1.0/24
5 Local 172.16.0.0/16
7 Internal 192.168.0.0/24
8 Internal 192.168.1.0/24
9 Local 192.168.2.0/24
10 Local 192.168.3.0/24
11 Jeandre 192.168.4.2
1060 D Jeandre 192.168.0.10 >
1061 D Jeandre 192.168.0.5 >
1062 D Jeandre 192.168.0.40 >
1063 D Jeandre 192.168.0.45 >
1064 D Pierre 192.168.0.65 >
1065 D Pierre 192.168.0.50 >
1066 D Jeandre 192.168.0.15 >
1067 D Jeandre 192.168.0.20 >
[Jeandre@MikroTik] >
As shown in the layout, my local network is on one subnet (192.168.0.0/24). There are three user groups: myself (Jeandre), Pierre, and default. All the nodes on the network share the same subnet but are differentiated by address lists (dynamically assigned via a predefined DHCP static lease for that node).
The main objective here is to route all Jeandre traffic through Jeandre-ADSL, Pierre traffic through Pierre-ADSL and other traffic (which would most likely be guests connecting via the wifi interface and will only be temporary) through Ethernet1-UCom. The ‘X’-ADSL interfaces are pppoe clients dialed through Ethernet3-Telkom, which has a standard ADSL router connected to it (and has been placed in bridge mode). The Ethernet1-UCom interface is an actual UTP cable leading to a switch of my secondary ISP. This (Ethernet1-UCom) interface has a static IP and network assigned to it.
I have made the UCom interface the default route, as this account is an uncapped account. The other 2 (ADSL) accounts are capped accounts.
I would like any incoming connection on any of the various interfaces to follow out of that same interface. That is, say a pptp client dials a connection to dyndnsname1.org; the connection should be established and should ‘route’ back out of Jeandre-ADSL (as dyndnsname1.org is linked to the Jeandre-ADSL public IP address). However, it seems that the connection is ‘made’ but cannot be established. I am presuming what happens is that the incoming tcp/1723 connection hits the route and wants to travel out of the default route instead of the incoming interface. I therefore had to set up some mangle rules that detect this incoming tcp/1723 connection and place it on the Jeandre routing table.
This is where I seem to be struggling. I don’t know if my approach to this whole problem/setup is correct. I decided to go with mangle rules detecting the source address of each packet and then placing it on one of the two routing tables, Jeandre or Pierre, and obviously default/non-address-list packets on main. Then specifying three global/default routes, one with prerequisite routing mark Jeandre, one with prerequisite routing mark Pierre and one with no prerequisite. However, I am starting to think this whole approach is incorrect. I am experiencing more and more problems with this approach, but don’t know of any other way to set up the network so that it follows the layout (above). Simple things like port forwarding don’t seem to work either. Or at least not when incoming on one of the ADSL interfaces. It seems as if a packet that has been forwarded/dst-nat'ed to an internal IP (based on the dst port) reaches that node, but any packets returning from that connection seem as if they want to follow the default route, and therefore it doesn’t work.
I have reached the point where I am even considering placing each user group on a separate subnet and running some form of WINS server for the NetBIOS and Windows network discovery (as this was the main reason why all nodes were to be on the same subnet).
If anyone can please help me with this I would greatly appreciate it. I have sat for days with this problem but am afraid I am looking at it from the wrong point of view. Sometimes a second set of eyes is all that’s needed.
Thanks so much.
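One way to make the return traffic of any inbound connection (the PPTP server on tcp/1723 as well as dst-nat port forwards) leave via the interface it arrived on, as an added RouterOS v6 example that is not the poster's configuration: interface names, routing marks and rule numbers are taken from the post, while the connection-mark names (in-Jeandre-ADSL, in-Pierre-ADSL) are assumed here.

```routeros
# Added example (not from the post): connection-mark inbound WAN connections,
# then route their replies by that mark. RouterOS v6 syntax (routing-mark on
# routes). Connection-mark names are chosen here; everything else is the poster's.
/ip firewall mangle
# 1. Tag every NEW connection arriving on a WAN interface. prerouting runs before
#    dst-nat, so port-forwarded connections are tagged too (the existing
#    chain=input rules only see packets addressed to the router itself).
add chain=prerouting connection-state=new in-interface=Jeandre-ADSL \
    action=mark-connection new-connection-mark=in-Jeandre-ADSL passthrough=yes
add chain=prerouting connection-state=new in-interface=Pierre-ADSL \
    action=mark-connection new-connection-mark=in-Pierre-ADSL passthrough=yes
# 2a. Replies generated by the router itself (e.g. the PPTP server on tcp/1723)
#     use the routing table of the interface the connection came in on.
add chain=output connection-mark=in-Jeandre-ADSL \
    action=mark-routing new-routing-mark=Jeandre passthrough=no
add chain=output connection-mark=in-Pierre-ADSL \
    action=mark-routing new-routing-mark=Pierre passthrough=no
# 2b. Replies from LAN hosts behind a dst-nat rule (port forwards). These must
#     sit ABOVE the existing src-address-list rules (6 and 9): those use
#     passthrough=no and would otherwise push a Pierre host's reply to a
#     connection that arrived on Jeandre-ADSL out through Pierre-ADSL.
add chain=prerouting in-interface=Jeandre-Network-Bridge \
    connection-mark=in-Jeandre-ADSL \
    action=mark-routing new-routing-mark=Jeandre passthrough=no
add chain=prerouting in-interface=Jeandre-Network-Bridge \
    connection-mark=in-Pierre-ADSL \
    action=mark-routing new-routing-mark=Pierre passthrough=no
# 3. One default route per routing table; the unmarked default stays on
#    Ethernet1-UCom as in the post (pppoe clients have add-default-route=no).
/ip route
add dst-address=0.0.0.0/0 gateway=Jeandre-ADSL routing-mark=Jeandre
add dst-address=0.0.0.0/0 gateway=Pierre-ADSL routing-mark=Pierre
```

With these in place the existing tcp/1723-specific rules (mangle 0 to 3) are covered and can be removed. To confirm a connection was tagged, use `/ip firewall connection print where connection-mark=in-Jeandre-ADSL` while a client is connected.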