Hi
I have 2 PPPoE connections on the router; on the other side I should connect the PPTP VPN to the office for CRM.
This is my routing table configuration:
0 A S dst-address=94.183.75.219/32 gateway=pppoe-out-2
gateway-status=pppoe-out-2 reachable distance=1 scope=30 target-scope=10
routing-mark=VpnShatel
1 A S dst-address=0.0.0.0/0 gateway=pppoe-out-1
gateway-status=pppoe-out-1 reachable distance=1 scope=30 target-scope=10
2 A S dst-address=10.103.65.197/32 gateway=pptp-out-shatel gateway-status=pptp-out-office reachable
distance=1 scope=30 target-scope=10
3 ADC dst-address=94.183.74.1/32 pref-src=31.56.190.71
gateway=pppoe-out-2,pppoe-out-1
gateway-status=pppoe-out-2 reachable,pppoe-out1 reachable
distance=0 scope=10
4 ADC dst-address=94.183.75.253/32 pref-src=172.16.3.7 gateway=pptp-out-office
gateway-status=pptp-out-office reachable distance=0 scope=10
5 A S dst-address=172.16.1.0/24 gateway=pptp-out-office gateway-status=pptp-out-office reachable
distance=1 scope=30 target-scope=10
6 ADC dst-address=172.20.1.0/24 pref-src=172.20.1.1 gateway=wlan gateway-status=wlan reachable distance=>
scope=10
7 ADC dst-address=192.168.1.1/32 pref-src=192.168.1.5 gateway=ether1-Net1
gateway-status=ether1-Net1 reachable distance=0 scope=10
8 ADC dst-address=192.168.2.1/32 pref-src=192.168.2.10 gateway=ether2-Net2
gateway-status=ether2-Net2 reachable distance=0 scope=10
9 A S dst-address=192.168.11.0/24 gateway=pptp-out-office gateway-status=pptp-out-office reachable
distance=1 scope=30 target-scope=10
And this is my NAT print:
0 chain=srcnat action=masquerade src-address=172.20.1.0/24 out-interface=pppoe-out-1
log=no log-prefix=""
1 XI chain=srcnat action=masquerade src-address=172.20.1.0/24 out-interface=pppoe-out-2
log=no log-prefix=""
2 chain=srcnat action=masquerade dst-address=192.168.1.1 log=no log-prefix=""
3 chain=srcnat action=masquerade dst-address=192.168.11.0/24 log=no log-prefix=""
4 chain=srcnat action=masquerade dst-address=172.16.1.0/24 log=no log-prefix=""
5 chain=srcnat action=masquerade dst-address=10.103.65.197 log=no log-prefix=""
So I marked the VPN packets in the mangle and put them on this routing table for connecting to the VPN side on route 0.
So I have internet on PPPoE 1 and CRM on PPPoE 2,
but I have ping to 8.8.8.8 or the internet on the router, but I do not have ping on the system; on the other side I can open the web page.
So I want, when I ping, to get the true route,
and I have some problems;
for example I can't use Winbox to connect to the office.
Please post an export, e.g. "/ip firewall export", and paste the results in here.
Here is an excellent article on how to set up dual WAN that may also assist: https://aacable.wordpress.com/2013/12/06/mikrotik-dual-wan-pppoe-client-pcc-with-pppoe-server/
Farshad, have you thought of creating a GRE tunnel destined to each PPPoE IP and wrapping those tunnels with IPsec? You can then use routing to control how traffic paths.
If I’m understanding it correctly you have a main site with 2 PPPoE connections and you want a second site to be able to access it over either PPPoE connection. Correct?
idlemind:
Farshad, have you thought of creating a GRE tunnel destined to each PPPoE IP and wrapping those tunnels with IPsec? You can then use routing to control how traffic paths.
If I’m understanding it correctly you have a main site with 2 PPPoE connections and you want a second site to be able to access it over either PPPoE connection. Correct?
I have a PPTP VPN to the office. Yes, I want PPTP to use PPPoE2 and the other side to use the internet on PPPoE1. Now I have internet and I have the CRM user, but for example I have a big problem: I don't have ping to 192.168.11.11, or I can't use Winbox to connect to the other site, and other problems.
/ip firewall filter
add action=add-dst-to-address-list address-list=telentlist \
address-list-timeout=0s chain=input dst-port=2323 protocol=tcp
add action=add-dst-to-address-list address-list=ping \
address-list-timeout=1h chain=input in-interface=\
pppoe-out-2410105004-33445979 protocol=icmp
add action=reject chain=input disabled=yes in-interface=\
pppoe-out-2410105004-33445979 protocol=icmp reject-with=\
icmp-admin-prohibited
/ip firewall mangle
add action=mark-connection chain=input comment=In-Ner1 in-interface=\
pppoe-out-2410105004-33445979 new-connection-mark=InNet1 \
passthrough=no
add action=mark-routing chain=output comment=Out-Net1 \
new-routing-mark=OutNet1 out-interface=\
pppoe-out-2410105004-33445979 passthrough=no
add action=mark-connection chain=input comment=In-Net2 in-interface=\
pppoe-out-2410105589-33470232 new-connection-mark=InNet2 \
passthrough=no
add action=mark-connection chain=output comment=Out-Net2 \
new-connection-mark=OutNet2 out-interface=\
pppoe-out-2410105589-33470232 passthrough=no
add action=mark-connection chain=input comment=In-Shatel \
in-interface=pptp-out-shatel new-connection-mark=Shatel \
passthrough=no
add action=mark-routing chain=output comment=Out-Shatel \
new-routing-mark=Shatel out-interface=pptp-out-shatel \
passthrough=no
add action=mark-routing chain=prerouting connection-mark=Shatel \
new-routing-mark=VpnShatel passthrough=yes
add action=mark-connection chain=prerouting disabled=yes \
dst-address-type=!local in-interface=wlan new-connection-mark=\
Net1 passthrough=yes per-connection-classifier=src-port:2/0
add action=mark-connection chain=prerouting disabled=yes \
dst-address-type=!local in-interface=wlan new-connection-mark=\
Net2 passthrough=yes per-connection-classifier=src-port:2/1
add action=mark-routing chain=prerouting connection-mark=Net1 \
disabled=yes in-interface=wlan new-routing-mark=Net1 passthrough=\
no
add action=mark-routing chain=prerouting connection-mark=Net2 \
disabled=yes in-interface=wlan new-routing-mark=Net2 passthrough=\
no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=\
pppoe-out-2410105004-33445979 src-address=172.20.1.0/24
add action=masquerade chain=srcnat out-interface=\
pppoe-out-2410105589-33470232 src-address=172.20.1.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.1
add action=masquerade chain=srcnat dst-address=192.168.2.1
add action=masquerade chain=srcnat dst-address=192.168.11.0/24
add action=masquerade chain=srcnat dst-address=172.16.1.0/24
add action=masquerade chain=srcnat dst-address=10.103.65.197
Hi Farshad,
If you use connection-marks to identify traffic FROM a specific WAN to allow the response to then return through the correct WAN, then passthrough=yes is required.
So for just Winbox and VPN you would say:
/ip firewall mangle
add action=mark-connection chain=input comment=In-Ner1 in-interface=\
    pppoe-out-2410105004-33445979 new-connection-mark=InNet1 \
    passthrough=yes
add action=mark-connection chain=input comment=In-Net2 in-interface=\
    pppoe-out-2410105589-33470232 new-connection-mark=InNet2 \
    passthrough=yes
add action=mark-routing chain=output comment=Out-Net1 \
    connection-mark=InNet1 new-routing-mark=OutNet1 passthrough=no
add action=mark-routing chain=output comment=Out-Net2 \
    connection-mark=InNet2 new-routing-mark=OutNet2 passthrough=no
Any site to site VPN should create its own route and will forward back over the establishing tunnel - this assumes this device is the VPN server, not the client.
In terms of your load balancing please refer to AACABLE's excellent example.
Likewise, if you have dst-nat rules you will need prerouting rules to identify the reply traffic from your hosts and mark its return path.
scampbell:
Hi Farshad,
If you use connection-marks to identify traffic FROM a specific WAN to allow the response to then return through the correct WAN, then passthrough=yes is required.
So for just Winbox and VPN you would say:
/ip firewall mangle
add action=mark-connection chain=input comment=In-Ner1 in-interface=\
    pppoe-out-2410105004-33445979 new-connection-mark=InNet1 \
    passthrough=yes
add action=mark-connection chain=input comment=In-Net2 in-interface=\
    pppoe-out-2410105589-33470232 new-connection-mark=InNet2 \
    passthrough=yes
add action=mark-routing chain=output comment=Out-Net1 \
    connection-mark=InNet1 new-routing-mark=OutNet1 passthrough=no
add action=mark-routing chain=output comment=Out-Net2 \
    connection-mark=InNet2 new-routing-mark=OutNet2 passthrough=no
Any site to site VPN should create its own route and will forward back over the establishing tunnel - this assumes this device is the VPN server, not the client.
In terms of your load balancing please refer to AACABLE's excellent example.
Likewise, if you have dst-nat rules you will need prerouting rules to identify the reply traffic from your hosts and mark its return path.
If you saw my routing table, you can see I marked the VPN traffic, but my question is why I don't have ping to 8.8.8.8 but have internet on the system.
The example was so Winbox could be accessed via either WAN.
Note also a Remote VPN can connect via either WAN (subject to firewall rules) and then any VPN traffic will automatically flow over the correct WAN.
If you are doing a site to site VPN that's another issue that will require routes or IPsec.
But first you must get your connection-mark and mark-routing working so replies from the router always go back on the WAN they were received on.
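A worked version of the return-path setup scampbell describes above (router replies, and replies from dst-nat'ed LAN hosts, leaving on the WAN they arrived on), added here as an example; it is not from the thread or from any poster. It assumes the uplink names pppoe-out-1 and pppoe-out-2 and the LAN 172.20.1.0/24 on wlan from the route print, and RouterOS v6 syntax.

```routeros
# Added example, not from the thread. Assumed: uplinks pppoe-out-1 and
# pppoe-out-2, LAN 172.20.1.0/24 behind interface wlan, RouterOS v6.

/ip firewall mangle
# 1. Remember which WAN each inbound connection arrived on. prerouting runs
#    before both input and forward, so one rule per WAN covers traffic to
#    the router itself (Winbox, PPTP control, ICMP) and dst-nat'ed traffic
#    to LAN hosts. Only the first packet is marked; passthrough=yes lets
#    later rules still see it.
add chain=prerouting in-interface=pppoe-out-1 connection-state=new \
    action=mark-connection new-connection-mark=InNet1 passthrough=yes
add chain=prerouting in-interface=pppoe-out-2 connection-state=new \
    action=mark-connection new-connection-mark=InNet2 passthrough=yes
# 2. Replies the router generates: pick the routing table from the
#    connection-mark (out-interface is not yet known before routing).
add chain=output connection-mark=InNet1 \
    action=mark-routing new-routing-mark=OutNet1 passthrough=no
add chain=output connection-mark=InNet2 \
    action=mark-routing new-routing-mark=OutNet2 passthrough=no
# 3. Replies from LAN hosts to dst-nat'ed connections: same mapping, but
#    the packet enters from the LAN, so it is routed in prerouting.
add chain=prerouting in-interface=wlan connection-mark=InNet1 \
    action=mark-routing new-routing-mark=OutNet1 passthrough=no
add chain=prerouting in-interface=wlan connection-mark=InNet2 \
    action=mark-routing new-routing-mark=OutNet2 passthrough=no

/ip route
# One default route per marked table. If that PPPoE link drops, the
# interface goes down, the route becomes inactive and marked packets
# fall back to the main table.
add dst-address=0.0.0.0/0 gateway=pppoe-out-1 routing-mark=OutNet1
add dst-address=0.0.0.0/0 gateway=pppoe-out-2 routing-mark=OutNet2
# Main table: unmarked traffic (LAN internet, router-originated pings)
# uses pppoe-out-1, with pppoe-out-2 as backup at a higher distance.
add dst-address=0.0.0.0/0 gateway=pppoe-out-1 distance=1
add dst-address=0.0.0.0/0 gateway=pppoe-out-2 distance=2

/ip firewall nat
add chain=srcnat out-interface=pppoe-out-1 action=masquerade
add chain=srcnat out-interface=pppoe-out-2 action=masquerade

# Verify: the tracked connection carries the mark, and the marked table
# has an active route.
# /ip firewall connection print where connection-mark=InNet2
# /ip route print where routing-mark=OutNet2
```

The OP's existing Out-Net1/Out-Net2 rules match on out-interface in the output chain instead of connection-mark, which is why a reply that arrived on pppoe-out-2 can still be routed out pppoe-out-1 by the main table.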