The saga of FIber ONT connectivity with Mikrotik (non pppoee variant).
So if I put I use default route or put it in myself, the setup is basically
/ip route
dest-address=0.0.0.0/0 gatewayIP1 check-gateway ping distance=1 (primary Fiber OP)
dest-address=0.0.0.0./0 gatewayIP2 distance=2 (secondary cable)
dest-address= emailserver address gatewayIP2 distance=1
(1) In IP address, I get an IP address of the router (call this VLANIP but with a /22 at the end), and a network which looks like the destination address below but without the /22
(2) In IP Route, DAC, I get the destination address which includes the /22, reachable and preferred source I get VLANIP ( this time without any /22 ending )
(3) IN DHCP Client,
a. Global View: I get VLANIP address with /22 ending and it states bound.
b. DHCP (after clicking on VLAN entry) use peer DNS (Y) and use peer NTP (y)
c. Status: VLANIP with /22 ending / GatewayIP1 / DHCP server of Fiber ISP / primary and secondary DNS are indicated
With the above SETUP
A. WHO is my IP comes up with the correct WANIP from VLAN Bell Fiber
B. My email send no longer works
C. My VOIP goes offline
When I CHANGE THE SETUP and use the DST address provided In DAC such that my IP route becomes
dest-address=actual ISP DESTINATION IP, GatewayIP2, gateway-ping distance=1
A. Who is my IP reverts to the backup ISP the CABLE eastlink one.
B. My email send then works
C. My VOIP comes back online
WHAT THE F over???
I am looking for that sweet middle ground where my primary ISP is actually available but I have full functionality for the rest of the router.
ofer, this is Bell Fiber Op East Coast, its not the crappy FIBE everywhere else in Ontario where you need pPPOE.
Also, its internet ONLY, no TV and that runs strictly on VLAN35, no other VLANS.
Case in point, I have been using my zyxel USG40W for years with only VLAN35 setup and no other vlans.
I am trying to replace the zyxel router with the HEX unit and thus far have reached only frustration.
I am not sure if it means anything but right now my list of dns servers (dynamic) lists
the first two from Cable and then the two from Bell.
I use a similar setup tagging the WAN port and then using a DHCP client on the tag
But it would be helpful to have some configuration details of your specific setup.
Hi Ofer, thanks not sure what you mean about tagging the WAN?
I have ether1 WAN BELL INTERNET for my ethernet
I have associated with ether 1, my VLANBELL with vlanID 35 (interface is WAN BELL INTERNET)
Both have ARP enabled but probably not required on the ETHERNET BELL entry.
On the VLAN is the only spot I noted that there was a checkbox for Service TAG? That is not checked.
When I did check it, my winbox IP ADDRESS entry for BELL disappeared so I figured it best NOT to check this box.
Right now, I have the VLAN bound, reachable and seemingly working with the destination address provided by the DAC route entry
in my manually created Route rule. It is clear though that the Mikrotik is not using this connection as primary as WHO is my IP comes up with
my Cable wanip. Furthermore my email send and VOIP box (nothing fancy just an IP on my LAN and it works) work properly.
If I try to use destination address 0.0.0.0/0 and correct IPgateway, the mikrotik finally chooses the VLAN connection for internet
who is my IP shows my Bell WANIP, but my email send does not work and my VOIP modem goes offline.
I will post later the relevant details…
Can you post your WAN, VLAN rules and IP routes (using fictitious actual IPs of course).
I’ll modify my existing configuration to match what you’ve told me because my configuration is much bigger and contains several VPNs and Bridges
I use the WAN port as bridge for other reasons.
Okay what is different off the top of my head is that
you associate the sfp interface to a bridge and not just a standard ethernet type interface entry.
I have WANBELL as my ether1 and associate the VLAN to the this interface.
I am assuming that if you didnt use a bridge it would be more like my setup.
Your sfp1 is equivalent to my ether1
So you would have
sfp1 - ethernet - nothing special arp?
associated vlan35 interface=sfp1 arp?
The only other difference is that you have peer NTP and peer set to NO, whereas mine are set to YES
my goal is to force all users to use respective gateway for DNS (192.168.0.1 or 192.168.2.1 for example) and thus decided by the router depending which gateway is being used.
(the Bell dns servers for the majority of time and if that isp is down switch to Cable DNS providers both sets are dynamic).
So is the solution not to define ether 1 as an ethernet interface as you seemed to have avoided with the SFP1?
Simply assign it to a bridge with no properties or did you miss adding the actual interface definition of sfp1 to your post??
i do have a question as to the purpose of this… authoritative=after-2sec-delay (ip dhcp server line).
I have an additional dhcp server as I use PXE for my Raspberry Pi boot it straight from the network and my PXE boot image is located on NFS
I don’t use the ISP DNS servers instead I use OpenDNS
if ARP is not defined on the interface to no then the default is yes so I have ARP enabled on my interfaces but it doesn’t show on the configuration export (I double checked that it’s enabled)
the interface definition of sfp1 doesn’t make a difference because I only interact with it using the VLANs
OFW
Find below to log captures of smtp traffic, the first shows a successful attempt when Cable (ether5) is the primary WAN.
Lots of back and forth and success.
The second jpg is when Bell Fiber is primary (vlan) and I am unable to send email. You can see the aborted attempt.
For some reason it appears the issue is that the router is strill trying to use bell routing when it should be using the eastlink routing as I made a specific route for email traffic.
which you can confirm in the above rules (above your last post) or below.
Not up to date for current wanips but you get the idea of the rules.
/ip route
add check-gateway=ping comment=“BELL FibreOp” distance=1 gateway=142.68.200.1
add comment=“EASTLINK Cable” distance=2 gateway=24.138.16.1
add comment=“EMAIL Eastlink” distance=1 dst-address=24.220.0.20/32 gateway=
24.138.16.1
Yes i have tried mucking about with source nat, using masquerade for both wans vlanbell and ether5 as well as ether1 and ether5,
and finally I even tried scrnat (vice masquerade) where action=srcnat with out-interface being vlanbell and to-adddresses being the public IP assigned to me fo Fiber
Nothing works… router ignores my email routing when connected to the VLAN bell.
By the way what does blue text colour mean in ip route ???
By the post where you posted config, unless you specify DNS settings manually on the clients, I will be surprised if anything internet related works.
In this config, you force / redirect clients to use local DNS, which is not a problem but your firewall rules does not seem to allow any DNS responses back to the router, so I can’t see how it does name resolutions for the clients.
Also change rp-filter=strict to rp-filter=loose for your asymmetric routing
Thanks CZFAN I read that somewhere on one of the MUM archive presentations and was wondering if it applied to me.
How do I let the dns returns work…
I understand your logic but why does it work for when CABLE is primary - because the DNS is already pointing in the right direction both ways??
Also one chap said one shoujld never use masquerade and stated one should use
action=snat, out-interface=applicable_wan_etherport to-addresses=actual public IP of that etherport
Is this true or
b. two masquerade rules (one for each wan connection)
All right I tried everything to get this to work and my EFFING email still will not work with VLAN as primary router.
Okay let me describe the settings so all is clear.
IP Filter is LOOSE
IP DNS servers 8.8.4.4 and 208.67.222.222 (dynamic servers show up for Cable connection) - allow remote requests YES.
VLANbell peer dns, peer ntp and default route ALL NO!
Cable peer dns YES, peer ntp and default route NO.
My IP route listing… You should note I even put the email route to the Cable email server IP as the SHORTEST DISTANCE ROUTE of 1.
The Router should be using the VLAN cable connection as it recursively checks if Google is up and a secondary check for Open DNS in case google is down (distance =2,3 respectively)
Otherwise it will use the Cable route, distance=10
However as you can see, the damn stupid router keeps trying to connect and NAT through the vlan bell when I send my email send request smtp.eastlink.ca
My NAT rules are below…
/ip firewall nat
add action=masquerade chain=srcnat comment=“SCR_NAT for LAN Users”
ipsec-policy=out,none out-interface=Eastlink
add action=masquerade chain=srcnat comment=“SCR_NAT for LAN Users”
out-interface=vlanbell
I suspect that there is already a route in the cache via Bell vlan from downloading e-mail
add pop.eastlink.ca or mail.eastlink.ca (Whichever you use for e-mail download) to use the same route as smtp.eastlink.ca, restart router and test, then the route in cache will be via eastlink
Or, definitely not recommended way, disable route caching on router
As I mentioned earlier to you, you should really configure the client to use authentication, then you can send and receive from any network
CZfan, I dont think my ISP uses authentication for PCs. They have it setup for mobile devices though. I am wondering if I can cheat and pretent my PC is a mobile device LOL…
As for the email issue it is now fixed on one of my HEX units but not the other -most strange as nothing is radically different??
Will have to do a close side by side…
Filter loose (strict was wrong and may have been contributing)
Remove mark routing entry on email route (probably a key factor)
now using google,opendns for bell fiber primary
still using cable peer DNS
Had an old IP DNS static entry for default network 192.168.88.1 (may have been a contributing factor)
Made sure email route had shortest distance and made all other routes higher (may or may not make a difference)
I accepted CZFANs response earlier as the solving answer, more out of pity than anything else. I would hope it would perk up his spirits.
Seriously, I think that (filter from strict to loose) was a major factor in solving the issue. I also on of my hexes had the wrong email IP server address in the mix.
Finally I used recursive route, tres cool by the way, but ensured that the email route was the shortest distance route regardless, probably not required but makes me feel better LOL.
I am also a bit more patient with letting the router search for awhile and then grab a fiber IP… its often not instantaneous.
Finally the VOIP problems I investigated, OMG, I never had done a wireshark where you trap some sip data and then follow the UDP stream. Yes newbie me had no clue to the layers of information embedded in traffic, rather mind boggling. In any case the result is the sip on the for my case is probably not needed as the obihai modem seems to know to include public IP on traffic before it hits he layer 7 mikrotik sip services going out of the router. I only turned off sip media for the moment and when I get braver will turn off sip altogether, but if its working with it on, why change it. I also created a dstnat rule for the SIP IP to reach my modem private IP so that whatever happens with WAN changes the sip server will always get to my modem. The problem stemmed from me jumping back and forth frequently between cable and fiber ISPs and the voip modem didnt like that for some reason.
In any case up and running now with consistency and a working router. Next challenge is cap AC and vlans…
