Routing Help

Hi Everyone

I am looking for some help in where I’ve gone wrong in my configuration.

What I want is for all traffic from ether1_desktops to go down the ether9_virgin interface, and for interfaces ether2_servers and ether3_server2 to go down zen_pppoe. Currently the traffic from ether2 and ether3 is doing what I want it to do. However, I cannot get the traffic from ether1 to go through ether9. I have been searching through this forum and through the Wiki but haven't found any solutions that have worked yet.

See below for the configuration of the firewall and routes.

/ip route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          ether9_virgin             1
 1 A S  0.0.0.0/0                          zen_pppoe                 1
 2 ADC  51.148.72.22/32    51.148.140.134  zen_pppoe                 0
 3 ADC  172.28.0.0/24      172.28.0.1      ether1_desktop            0
 4 ADC  172.28.1.0/24      172.28.1.1      servers                   0
 5 ADC  172.28.2.0/24      172.28.2.1      servers                   0
 6 ADC  192.168.0.0/24     192.168.0.23    ether9_virgin             0

/ip route rule print
Flags: X - disabled, I - inactive 
 0   routing-mark=virgin action=lookup table=virgin

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=ether9_virgin log=no log-prefix="" 
 1    chain=srcnat action=masquerade out-interface=zen_pppoe log=no log-prefix="" 
 2    chain=dstnat action=dst-nat to-addresses=172.28.2.247 to-ports=25 protocol=tcp in-interface=zen_pppoe dst-port=25 log=yes log-prefix="SMTP" 
 3    chain=dstnat action=dst-nat to-addresses=172.28.2.247 to-ports=993 protocol=tcp in-interface=zen_pppoe dst-port=993 log=no log-prefix="" 
 4    chain=dstnat action=dst-nat to-addresses=172.28.2.247 to-ports=143 protocol=tcp in-interface=zen_pppoe dst-port=143 log=yes log-prefix="IMAP" 
 5    chain=dstnat action=dst-nat to-addresses=172.28.2.247 to-ports=110 protocol=tcp in-interface=zen_pppoe dst-port=110 log=no log-prefix="" 
 6    chain=dstnat action=dst-nat to-addresses=172.28.2.247 to-ports=587 protocol=tcp in-interface=zen_pppoe dst-port=587 log=no log-prefix=""
 7    chain=dstnat action=dst-nat to-addresses=172.28.2.247 to-ports=8443 protocol=tcp in-interface=zen_pppoe dst-port=8443 log=no log-prefix=""

/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=mark-connection new-connection-mark=virgin passthrough=yes connection-mark=no-mark in-interface=ether9_virgin log=no log-prefix="" 

 1    chain=prerouting action=mark-connection new-connection-mark=virgin passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=ether1_desktop log=no 
      log-prefix="" 

 2    chain=prerouting action=mark-routing new-routing-mark=virgin passthrough=yes dst-address-type=!local connection-mark=virgin in-interface=ether1_desktop log=no 
      log-prefix="" 

 3    chain=output action=mark-routing new-routing-mark=virgin passthrough=yes connection-mark=virgin log=no log-prefix=""

If any other config output is required, please ask.

Thanks for your help in advance

You have configured ether9 (the interface name) as the gateway value for the first default route, but that doesn’t work well with Mikrotik with point-to-multipoint connections, so use the IP address of the other router as the gateway value there.

If that doesn’t help, use /export hide-sensitive instead of print to export the complete configuration.

Hi Sindy

Thanks for your reply. Here's the full config export.

# may/12/2018 10:43:37 by RouterOS 6.42.1
# software id = Y57B-87EQ
#
# model = 2011iL
# serial number = 75B406547C00
/interface bridge
add arp=proxy-arp fast-forward=no name=servers
/interface ethernet
set [ find default-name=ether1 ] name=ether1_desktop
set [ find default-name=ether2 ] name=ether2_servers
set [ find default-name=ether3 ] name=ether3_server2
set [ find default-name=ether8 ] name=ether8_zen
set [ find default-name=ether9 ] name=ether9_virgin
set [ find default-name=ether10 ] name=ether10_ee
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,blowfish lifetime=0s pfs-group=\
    none
/ip pool
add name=dhcp_pool0 ranges=172.28.0.50-172.28.0.75
add name=vpn ranges=172.28.3.10-172.28.3.15
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 disabled=no interface=ether1_desktop \
    lease-time=1h name=dhcp1
/ppp profile
add change-tcp-mss=yes name=zen_profile use-compression=no use-encryption=no \
    use-mpls=no
set *FFFFFFFE bridge=servers dns-server=8.8.8.8,8.8.4.4 local-address=\
    172.28.100.1 remote-address=vpn
/interface pppoe-client
add disabled=no interface=ether8_zen max-mru=1492 max-mtu=1492 mrru=1600 \
    name=zen_pppoe profile=zen_profile use-peer-dns=yes user=zen345764@zen
/system logging action
set 3 remote=172.28.1.246 remote-port=5140 src-address=172.28.1.1
/interface bridge port
add bridge=servers interface=ether2_servers
add bridge=servers interface=ether3_server2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface detect-internet
set detect-interface-list=dynamic internet-interface-list=dynamic \
    lan-interface-list=dynamic wan-interface-list=dynamic
/interface l2tp-server server
set enabled=yes keepalive-timeout=disabled
/ip address
add address=172.28.1.1/24 interface=ether2_servers network=172.28.1.0
add address=172.28.0.1/24 interface=ether1_desktop network=172.28.0.0
add address=172.28.2.1/24 interface=ether3_server2 network=172.28.2.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=ether9_virgin use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=172.28.0.0/24 dns-server=172.28.1.253,8.8.8.8 domain=\
    alfstech.internal gateway=172.28.0.1 netmask=24 ntp-server=172.28.1.253
/ip dns
set cache-size=20480KiB servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=114.67.64.15 list=blocklist
add address=196.52.43.112 list=blocklist
add address=177.67.82.96 list=blocklist
add address=172.28.1.253 list=servers
add address=95.111.109.119 list=blocklist
add address=220.137.18.29 list=blocklist
add address=172.28.1.246 list=servers
/ip firewall filter
add action=drop chain=input log=yes log-prefix="DROP CONNECTION" \
    src-address-list=blocklist
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward dst-address=172.28.2.247 dst-port=25 log=yes \
    protocol=tcp
add action=accept chain=forward dst-address=172.28.2.247 dst-port=110 \
    protocol=tcp
add action=accept chain=forward dst-address=172.28.2.247 dst-port=143 \
    protocol=tcp
add action=accept chain=forward dst-address=172.28.2.247 dst-port=993 \
    protocol=tcp
add action=accept chain=forward dst-address=172.28.2.247 dst-port=587 \
    protocol=tcp
add action=accept chain=forward dst-address=172.28.2.247 dst-port=8443 \
    protocol=tcp
add action=accept chain=forward dst-address=172.28.1.246 dst-port=5140 \
    protocol=udp
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether9_virgin new-connection-mark=virgin passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=ether1_desktop new-connection-mark=\
    virgin passthrough=yes
add action=mark-routing chain=prerouting connection-mark=virgin \
    dst-address-type=!local in-interface=ether1_desktop new-routing-mark=\
    virgin passthrough=yes
add action=mark-routing chain=output connection-mark=virgin new-routing-mark=\
    virgin passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether9_virgin
add action=masquerade chain=srcnat out-interface=zen_pppoe
add action=dst-nat chain=dstnat dst-port=25 in-interface=zen_pppoe log=yes \
    log-prefix=SMTP protocol=tcp to-addresses=172.28.2.247 to-ports=25
add action=dst-nat chain=dstnat dst-port=993 in-interface=zen_pppoe protocol=\
    tcp to-addresses=172.28.2.247 to-ports=993
add action=dst-nat chain=dstnat dst-port=143 in-interface=zen_pppoe log=yes \
    log-prefix=IMAP protocol=tcp to-addresses=172.28.2.247 to-ports=143
add action=dst-nat chain=dstnat dst-port=110 in-interface=zen_pppoe protocol=\
    tcp to-addresses=172.28.2.247 to-ports=110
add action=dst-nat chain=dstnat dst-port=587 in-interface=zen_pppoe protocol=\
    tcp to-addresses=172.28.2.247 to-ports=587
add action=dst-nat chain=dstnat dst-port=8443 in-interface=zen_pppoe \
    protocol=tcp to-addresses=172.28.2.247 to-ports=8443
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=\
    aes-256,aes-192,aes-128,3des,blowfish exchange-mode=main-l2tp \
    generate-policy=port-override
/ip route
add distance=2 gateway=ether9_virgin routing-mark=virgin
add check-gateway=ping distance=1 gateway=zen_pppoe
/ip route rule
add routing-mark=virgin table=virgin
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8000
set ssh address=172.28.100.0/24,172.28.1.0/24,172.28.0.0/24 port=2222
set winbox address=172.28.3.0/24,172.28.1.0/24
/ip upnp
set show-dummy-rule=no
/ipv6 nd prefix
add interface=zen_pppoe prefix=2a02:8011:d000:19e::/64
/ppp secret
add disabled=yes name=test
add name=alfie
/radius
add address=172.28.1.253 service=login
/system clock
set time-zone-name=Europe/London
/system identity
set name=router.alfstech.internal
/system logging
set 3 action=memory
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning
/system routerboard settings
set silent-boot=no
/system script
add name=wol-vmware owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/tool wol interface=ether1_svr mac=18:a9:05:50:79:f4"
/tool bandwidth-server
set authenticate=no enabled=no
/user aaa
set default-group=full use-radius=yes

As I’ve said before - you cannot use an interface name as a route’s gateway unless that interface connects the router to a point-to-point link. This is not the case for ether9_virgin. So you have to use the IP address provided by the DHCP server as the gateway of the default route in routing table virgin.

If that address doesn’t change with each DHCP lease renewal, it is enough to change the settings of the /ip dhcp-client attached to interface=ether9_virgin to add-default-route=yes default-route-distance=9 and renew the lease. Then, copy the IP address of the gateway from the default route with distance=9 and use it in the route with routing-mark=virgin. After that, you can revert the /ip dhcp-client settings to add-default-route=no.

If Virgin assigns you addresses from different subnets and thus changes the gateway IP address, you’ll need to attach a script to the dhcp client, which will fetch the address from the default routing table and update the route with routing-mark=virgin on each address assignment and/or renewal.

Other than that, the distance=2 in the default route with routing-mark=virgin is useless but not harmful.
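A DHCP-client script that implements the "attach a script to the dhcp client" step from the post above, as an added example that is not part of the thread or of any MikroTik documentation. Rather than copying the gateway out of a temporary distance=9 default route, it reads the gateway from the dhcp-client script variable `$"gateway-address"` and rewrites the default route in table virgin on every bind or renewal, so the route never carries the interface name as its gateway. It assumes RouterOS 6 dhcp-client script variables (`$bound`, `$"gateway-address"`) and is attached with `/ip dhcp-client set [find interface=ether9_virgin] script=...`; the comment text and log messages are my own.

```routeros
# Added example: dhcp-client script for ether9_virgin (not from the thread).
# Keeps the 0.0.0.0/0 route in routing table "virgin" pointing at the IP
# gateway Virgin hands out, instead of the interface name, which does not
# work on a multipoint interface. The existing
# "add distance=2 gateway=ether9_virgin routing-mark=virgin" route should be
# removed first so this script owns the marked default route.
:local table "virgin"
:local gw $"gateway-address"
:local found [/ip route find routing-mark=$table dst-address=0.0.0.0/0]

:if ($bound = 1) do={
    :if ([:len $found] = 0) do={
        # first lease: create the marked default route via the DHCP gateway
        /ip route add dst-address=0.0.0.0/0 gateway=$gw routing-mark=$table \
            distance=1 comment="virgin default route (managed by dhcp script)"
        :log info ("virgin: added default route via " . $gw)
    } else={
        # renewal or new lease: point the route at the (possibly new) gateway
        # and make sure it is enabled again after an earlier lease loss
        /ip route set $found gateway=$gw disabled=no
        :log info ("virgin: default route now via " . $gw)
    }
} else={
    # lease lost: disable the route rather than leave a stale gateway;
    # the action=lookup route rule then lets marked traffic fall back to
    # the main table (zen_pppoe) until the next bind
    :if ([:len $found] > 0) do={
        /ip route set $found disabled=yes
        :log warning "virgin: DHCP lease lost, marked default route disabled"
    }
}
```

After attaching the script, release and renew the lease on ether9_virgin and confirm with /ip route print that the routing-mark=virgin route now shows an IP address, not ether9_virgin, in the GATEWAY column.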

Thanks Sindy.

Following the steps in your post I have been able to get the routing working.

Please note that once all traffic from ether1_desktops has gone down the ether9_virgin interface, it will no longer be a virgin :laughing: