simple routing question. please...

I want to set up a very simple VPN concentrator.

Router1 setup.

PPtP server
local IP 10.0.0.1/24
Ip-pool 10.0.0.5~10.0.0.254

Interface
ether1 222.222.222.1
ether2 222.222.222.2
eoip 10.0.0.2

Route
destination=0.0.0.0/0 gateway=222.222.222.254
destination=10.0.0.0/24 gateway=eoip


Router2

Interface
ether1 111.111.111.1
ether2 111.111.111.2
eoip 10.0.0.3

Route
destination=0.0.0.0/0 gateway=111.111.111.254
destination=10.0.0.0/24 gateway=eoip

Now I want to route all traffic from the PPTP tunnel to EoIP at router1, and router2 to redirect traffic from router1 through EoIP.

What do I need to do?

If I correctly understand what you are doing, you are actually distributing the 10.0.0.0/24 address space between two routers. You can’t simply say “destination=10.0.0.0/24 gateway=eoip” on each router because each router also has local addresses of its own within that range.

I think this is a start towards what you are trying to do. It doesn’t require you to create explicit routes. I’ve found the “proxy-arp” specification to be absolutely necessary to get this to work correctly.

On router 2:

/ppp secret add name="tunneluser" service=pptp password="mypassword" profile=default \
   local-address=10.0.0.5 remote-address=10.0.0.1
/interface pptp-server add name="pptp-from-router1" user="tunneluser" mtu=1460 mru=1460 \
   client-address="222.222.222.2"
/interface pptp-server server set enabled=yes
/interface eoip add name="tunnel-to-router1" mtu=1500 l2mtu=65535 mac-address=00:00:5E:80:02:01 \
   arp=proxy-arp remote-address=222.222.222.2 tunnel-id=1 
/interface bridge add name="virtual_lan" mtu=1500 l2mtu=1522 arp=proxy-arp
/interface bridge port add interface=tunnel-to-router1 bridge=virtual_lan
/interface bridge port add interface=physical-lan-interface(s) bridge=virtual_lan

Don’t forget to apply “ip address” to the bridge as a whole instead of the physical lan interface.

On router 1:

/interface pptp-client add name="pptp-to-router2" max-mtu=1460 max-mru=1460 mrru=disabled \
   connect-to=111.111.111.2 user="tunneluser" password="mypassword" profile=default-encryption 
/interface eoip add name="tunnel-to-router2" mtu=1500 l2mtu=65535 mac-address=00:00:5E:80:01:01 \
   arp=proxy-arp remote-address=111.111.111.2 tunnel-id=1

I hope I have understood your goal correctly.

Thanks for the reply.

What exactly I want to achieve is the scenario below.

  1. user access to ether2@router1 via PPTP.
  2. router1 redirect all traffic of user to tunnel between router1&router2(eoip,pptp or any tunneling protocol)
  3. router2 handle user traffic to out stream.

I want this setup because the user wants to hide their IP behind router2's public IP.
Surely the user can use router1's public IP to hide their own, but some services at router2's location do not allow access from the router1 location (CHINA) IP range.

The question is how to redirect all traffic from user@router1 to router2.

Jin Lee

You say “redirect all traffic from user@router1 to router2” but you never specify the target of this traffic.

I assumed the user on router1 wanted to access LAN devices on router2. But now it sounds like you want the user to appear to be originating from router2, as if he were physically a LAN device on router2, and his traffic is destined for the WAN (Internet). Is this the capability you want?

“But now it sounds like you want the user to appear to be originating from router2, as if he were physically a LAN device on router2, and his traffic is destined for the WAN (Internet). Is this the capability you want?”

I'm not an Englishman so I can’t understand what you ask..
But if you ask "does the user want to use internet service via WAN@router2?" then yes.

original user’s internet connection from China local ISP,
router1 internet connection also from China local ISP,
router2 internet connection also from Korea ISP,
user want using internet behind Korean Public IP.

JIN LEE

OK, then same configuration as above, with the following refinement: simply configure User’s PPTP connection as having an IP address of 10.0.0.1 and a gateway of 10.0.0.3. Any non-local address reference from User will travel to gateway on Router 2, then to WAN internet from that point.

On router 1:
Create a bridge interface.
Create your EOIP tunnel to the public IP of router 2.
Add the user PPTP interface to the bridge interface.
Add the EOIP tunnel to the bridge interface.

On router 2:
Create a bridge interface.
Create the EOIP tunnel to the public IP of router 1.
Add the EOIP tunnel to the bridge interface.
Add your IP address/dhcp server to the bridge interface.
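
The bridge steps above written out as RouterOS commands, as an added example that is not part of the original posts. The interface, pool and profile names, the DHCP setup and the final NAT rule are assumptions; RouterOS attaches PPP sessions to a bridge through the profile's bridge= setting (BCP), which the PPTP client must also support.

```routeros
# Added example; interface, pool and profile names are hypothetical.
# User accounts (/ppp secret) are assumed to exist already.

# --- Router 1 (PPTP server, public 222.222.222.2) ---
/interface bridge add name=vpn-bridge
/interface eoip add name=eoip-to-r2 remote-address=111.111.111.2 tunnel-id=1
/interface bridge port add bridge=vpn-bridge interface=eoip-to-r2
# PPTP sessions are dynamic interfaces, so they join the bridge through the
# PPP profile (BCP) rather than through a static bridge port entry.
/ppp profile add name=bridged-pptp bridge=vpn-bridge
/interface pptp-server server set enabled=yes default-profile=bridged-pptp

# --- Router 2 (exit point, public 111.111.111.2) ---
/interface bridge add name=vpn-bridge
/interface eoip add name=eoip-to-r1 remote-address=222.222.222.2 tunnel-id=1
/interface bridge port add bridge=vpn-bridge interface=eoip-to-r1
# The gateway address and DHCP server live on the bridge, not on a member port.
/ip address add address=10.0.0.3/24 interface=vpn-bridge
/ip pool add name=vpn-pool ranges=10.0.0.5-10.0.0.254
/ip dhcp-server add name=vpn-dhcp interface=vpn-bridge address-pool=vpn-pool disabled=no
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.3
# Assumption, not part of the steps above: 10.0.0.0/24 is private space, so
# router 2 source-NATs it on its WAN port (assumed here to be ether2, the
# port listed with 111.111.111.2 in the first post).
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 out-interface=ether2 action=masquerade
```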

Thanks for the reply.
Actually I can’t fully understand what you guys are suggesting to me.
This is my configuration for the 2 routers.
When I access router1 via a PPTP client, it can ping 10.0.0.1, 10.0.0.2, 10.0.0.3, 222.222.222.1, 222.222.222.1, 111.111.111.2 but can’t ping 111.111.111.254.
So the PPTP client cannot reach outside of Router2.




Router1

/interface bridge
add name=lan
/interface ethernet
set 0 name=ether1
set 1 name=ether2
/interface eoip
add arp=proxy-arp comment="" disabled=no l2mtu=65535 mac-address=02:8A:A1:22:63:9B mtu=1500 name=eoip-tunnel1 remote-address=111.111.111.2 tunnel-id=111
/ip pool
add name=pptp ranges=10.0.0.5-10.0.254.254
/ppp profile
add change-tcp-mss=default comment="" dns-server=10.0.0.1 local-address=10.0.0.1 name=profile1-ppp remote-address=pptp
/interface bridge port
add bridge=lan comment="" disabled=no interface=ether1
add bridge=lan comment="" disabled=no interface=eoip-tunnel1
/interface pptp-server server
set authentication=chap default-profile=profile1-ppp enabled=yes keepalive-timeout=60 max-mru=1460 max-mtu=1460
/ip address
add address=222.222.222.1/24 disabled=no interface=ether1
add address=10.0.0.2/16 disabled=no interface=eoip-tunnel1
add address=222.222.222.2/24 disabled=no interface=ether2
add address=10.0.0.1/16 disabled=no interface=lan
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no dst-address-list=!local in-interface=ether1 new-connection-mark=test_conn passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type="" new-connection-mark=test_conn passthrough=yes per-connection-classifier=src-address:1/0 src-address=10.0.0.5-10.0.254.254
add action=mark-routing chain=prerouting comment="" connection-mark=test_conn disabled=no new-routing-mark=to_test passthrough=yes src-address=10.0.0.5-10.0.254.254
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.0.0.5-10.0.254.254
/ip firewall service-port
set pptp disabled=no
/ip route
# I made the next route to redirect all traffic from PPTP clients to router2, but I’m not sure about the gateway address
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.3 routing-mark=to_test
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=222.222.222.254


Router 2

/interface bridge
add name=lan
/interface ethernet
set 0 name=ether1
set 1 name=ether2
/interface eoip
add arp=proxy-arp comment="" disabled=no l2mtu=65535 mac-address=02:FE:9A:BA:2F:BB mtu=1500 name=eoip-tunnel1 remote-address=222.222.222.2 tunnel-id=111
/interface bridge port
add bridge=lan interface=ether1
add bridge=lan interface=eoip-tunnel1
/ip address
add address=111.111.111.2/29 disabled=no interface=ether1
add address=10.0.0.3/16 disabled=no interface=eoip-tunnel1
/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=111.111.111.254