[SOLVED] destination net unreachable

I configured the router and managed the bandwidth with a load-balancing method, and I have some problems.
I can't open the modem IP, and when the PPTP VPN is connected to the network, although I have routes for the PPTP VPN, I can't open the office portal or ping the portal. Both of them show "destination net unreachable".

Address:

#   ADDRESS            NETWORK         INTERFACE                                
 0   172.20.1.1/24      172.20.1.0      wlan                                     
 1   ;;; Tplink
     192.168.1.5/32     192.168.1.5     ether1-ADSL1                             
 2   ;;; Zyxel
     192.168.2.10/32    192.168.2.10    ether2-ADSL2                             
 3 D 31.56.171.117/32   94.183.74.1     pppoe-out2-2410105589-33470232           
 4 D 172.16.3.7/32      94.183.75.253   pptp-out-shatel                          
 5 D 172.30.38.80/32    94.183.74.1     pppoe-out1-2410100431-33444113

Nat:

Flags: X - disabled, I - invalid, D - dynamic 
 0 XI  chain=srcnat action=masquerade out-interface=pppoe-out1-2410100431-334441>
      log=no log-prefix="" 

 1 XI  chain=srcnat action=masquerade out-interface=pppoe-out2-2410105589-334702>
      log=no log-prefix="" 

 2    chain=srcnat action=masquerade src-address=172.20.1.0/24 log=no 
      log-prefix="" 

 3 XI  chain=srcnat action=masquerade to-addresses=172.16.20.1 
      dst-address=192.168.1.1 log=no log-prefix="" 

 4 XI  chain=srcnat action=masquerade dst-address=192.168.2.1 log=no log-prefix=>

 5    chain=srcnat action=masquerade dst-address=192.168.11.0/24 log=no 
      log-prefix="" 

 6    chain=srcnat action=masquerade dst-address=172.16.1.0/24 log=no 
      log-prefix="" 

 7    chain=srcnat action=masquerade dst-address=10.103.65.197 log=no 
      log-prefix=""

Mangle:

Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=accept src-address-list=Wlan dst-address-list=Wlan
      log=no log-prefix="" 

 1    chain=forward action=mark-connection new-connection-mark=ISP1_conn 
      passthrough=no in-interface=pppoe-out1-2410100431-33444113 
      packet-mark=no-mark log=no log-prefix="" 

 2    chain=forward action=mark-connection new-connection-mark=ISP2_conn 
      passthrough=no in-interface=pppoe-out2-2410105589-33470232 
      packet-mark=no-mark log=no log-prefix="" 

 3    chain=prerouting action=mark-connection new-connection-mark=ISP1_conn 
      passthrough=yes in-interface=pppoe-out1-2410100431-33444113 
      packet-mark=no-mark log=no log-prefix="" 

 4    chain=prerouting action=mark-connection new-connection-mark=ISP2_conn 
      passthrough=yes in-interface=pppoe-out2-2410105589-33470232 
      packet-mark=no-mark log=no log-prefix="" 

 5    chain=prerouting action=jump jump-target=polic
      packet-mark=no-mark log=no log-prefix="" 

 6    chain=prerouting action=mark-routing new-routi
      passthrough=yes src-address-list=Wlan connecti
      log-prefix="" 

 7    chain=prerouting action=mark-routing new-routi
      passthrough=yes src-address-list=Wlan connecti
      log-prefix="" 

 8    chain=output action=mark-routing new-routing-m
      passthrough=yes connection-mark=ISP1_conn log=

 9    chain=output action=mark-routing new-routing-m
      passthrough=yes connection-mark=ISP2_conn log=

10    chain=policy_routing action=mark-connection ne
      passthrough=yes dst-address-type=!local 
      per-connection-classifier=both-addresses:2/0 l

11    chain=policy_routing action=mark-connection ne
      passthrough=yes dst-address-type=!local 
      per-connection-classifier=both-addresses:2/1 l

list ip

Flags: X - disabled, D - dynamic 
 #   LIST                               ADDRESS                                                 CREATION-TIME        TIMEOUT             
 0   Wlan                               172.20.1.0/24                                           may/07/2017 07:16:36
 1   modem                              192.168.1.1                                             may/07/2017 07:59:29
 2   modem2                             192.168.2.1                                             may/07/2017 07:59:37

Ip route

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=pppoe-out1-2410100431-33444113 gateway-status=pppoe-out1-2410100431-33444113 reachable 
        check-gateway=arp distance=1 scope=30 target-scope=10 routing-mark=ISP1_Traffic 

 1 A S  dst-address=0.0.0.0/0 gateway=pppoe-out2-2410105589-33470232 gateway-status=pppoe-out2-2410105589-33470232 reachable 
        check-gateway=arp distance=1 scope=30 target-scope=10 routing-mark=ISP2_Traffic 

 2 A S  dst-address=0.0.0.0/0 gateway=pppoe-out2-2410105589-33470232 gateway-status=pppoe-out2-2410105589-33470232 reachable 
        check-gateway=arp distance=2 scope=30 target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=pppoe-out1-2410100431-33444113 gateway-status=pppoe-out1-2410100431-33444113 reachable 
        check-gateway=arp distance=3 scope=30 target-scope=10 

 4 A S  dst-address=10.103.65.197/32 gateway=pptp-out-shatel gateway-status=pptp-out-shatel reachable distance=1 scope=30 target-scope=1>

 5 ADC  dst-address=94.183.74.1/32 pref-src=31.56.171.117 gateway=pppoe-out2-2410105589-33470232,pppoe-out1-2410100431-33444113 
        gateway-status=pppoe-out2-2410105589-33470232 reachable,pppoe-out1-2410100431-33444113 reachable distance=0 scope=10 

 6 ADC  dst-address=94.183.75.253/32 pref-src=172.16.3.7 gateway=pptp-out-shatel gateway-status=pptp-out-shatel reachable distance=0 
        scope=10 

 7 A S  dst-address=172.16.1.0/24 gateway=pptp-out-shatel gateway-status=pptp-out-shatel reachable distance=1 scope=30 target-scope=10 

 8 ADC  dst-address=172.20.1.0/24 pref-src=172.20.1.1 gateway=wlan gateway-status=wlan reachable distance=0 scope=10 

 9 ADC  dst-address=192.168.1.5/32 pref-src=192.168.1.5 gateway=ether1-ADSL1 gateway-status=ether1-ADSL1 reachable distance=0 scope=10 

10 ADC  dst-address=192.168.2.10/32 pref-src=192.168.2.10 gateway=ether2-ADSL2 gateway-status=ether2-ADSL2 reachable distance=0 scope=10 

11 A S  dst-address=192.168.11.0/24 gateway=pptp-out-shatel gateway-status=pptp-out-shatel reachable distance=1 scope=30 target-scope=10

Are you sure on the /32 addresses on the dsl-facing interfaces?
Then create srcnat rules for accessing the dsl-modems with to-address= and dst-address=

I’m almost sure that both networks are /24

-Chris

Did you mean:

Flags: X - disabled, I - invalid, D - dynamic 
 0   address=172.20.1.1/24 network=172.20.1.0 interface=wlan actual-interface=wlan 

 1   ;;; Tplink
     address=192.168.1.5/24 network=192.168.1.0 interface=ether1-ADSL1 actual-interface=ether1-ADSL1 

 2   ;;; Zyxel
     address=192.168.2.10/24 network=192.168.2.0 interface=ether2-ADSL2 actual-interface=ether2-ADSL2 

 3 D address=172.30.38.80/32 network=94.183.74.1 interface=pppoe-out1-2410100431-33444113 actual-interface=pppoe-out1-2410100431-33444113 

 4 D address=31.56.169.171/32 network=94.183.74.1 interface=pppoe-out2-2410105589-33470232 
     actual-interface=pppoe-out2-2410105589-33470232 

 5 D address=172.16.3.7/32 network=94.183.75.253 interface=pptp-out-shatel actual-interface=pptp-out-shatel

and NAT:

 0 XI  chain=srcnat action=masquerade out-interface=pppoe-out1-2410100431-33444113 log=no log-prefix="" 

 1 XI  chain=srcnat action=masquerade out-interface=pppoe-out2-2410105589-33470232 log=no log-prefix="" 

 2    chain=srcnat action=masquerade src-address=172.20.1.0/24 log=no log-prefix="" 

 3    chain=srcnat action=masquerade to-addresses=172.16.20.1 dst-address=192.168.1.1 log=no log-prefix="" 

 4    chain=srcnat action=masquerade dst-address=192.168.2.1 log=no log-prefix="" 

 5    chain=srcnat action=masquerade dst-address=192.168.11.0/24 log=no log-prefix="" 

 6    chain=srcnat action=masquerade dst-address=172.16.1.0/24 log=no log-prefix="" 

 7    chain=srcnat action=masquerade dst-address=10.103.65.197 log=no log-prefix=""

Almost :)

I must admit that the vast amount of your (loosely defined) masq rules confuses me a lot.

To get it working, add those rules and put them at the very top:

/ip firewall nat
# src-nat LAN traffic to each modem subnet to the router's own address on that port
add chain=srcnat action=src-nat to-addresses=192.168.1.5 src-address=172.20.1.0/24 dst-address=192.168.1.0/24 out-interface=ether1-ADSL1
add chain=srcnat action=src-nat to-addresses=192.168.2.10 src-address=172.20.1.0/24 dst-address=192.168.2.0/24 out-interface=ether2-ADSL2

The (one) issue is that your DSL modems don’t have a clue where 172.20.1.0/24 should be routed to - so they send it out to their default gateway.

Then, add another set of static routes, because you are mangling connections and routing (they get marked before a routing decision is made). They hit the router, get a mark and are sent out based on the routing mark.

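/ip route
# routing-mark must name the routing marks the marked default routes use
# (ISP1_Traffic / ISP2_Traffic in the route table above), not the connection marks
add dst-address=192.168.1.0/24 gateway=ether1-ADSL1 routing-mark=ISP1_Traffic
add dst-address=192.168.1.0/24 gateway=ether1-ADSL1 routing-mark=ISP2_Traffic
add dst-address=192.168.2.0/24 gateway=ether2-ADSL2 routing-mark=ISP1_Traffic
add dst-address=192.168.2.0/24 gateway=ether2-ADSL2 routing-mark=ISP2_Traffic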

I’ve seen this a couple of times now and it was the root of the trouble in 99.995%.

-Chris
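
Added example, not part of the thread: a small Python model of the route lookup described in the last reply, showing why a packet carrying a routing mark misses the connected modem subnet until that subnet is also present in the marked table. Assumptions: interface names are abbreviated, the routing-mark names ISP1_Traffic and ISP2_Traffic are taken from the route table posted above, and the lookup order (marked table first, then main) is a simplified model of the router's behaviour.

```python
import ipaddress

def lookup(tables, dst, routing_mark=None):
    """Return the gateway for dst: longest-prefix match in the table named
    by the routing mark, then in 'main' if that table has no match
    (assumed model of the lookup order, see lead-in)."""
    addr = ipaddress.ip_address(dst)
    for name in ([routing_mark] if routing_mark else []) + ["main"]:
        matches = [(ipaddress.ip_network(p), gw) for p, gw in tables.get(name, [])
                   if addr in ipaddress.ip_network(p)]
        if matches:
            return max(matches, key=lambda m: m[0].prefixlen)[1]
    return None

def build_tables(with_fix):
    """Route tables modelled on the thread, with /24 on the modem-facing ports."""
    tables = {
        "main": [("0.0.0.0/0", "pppoe-out2"),
                 ("172.20.1.0/24", "wlan"),
                 ("192.168.1.0/24", "ether1-ADSL1"),
                 ("192.168.2.0/24", "ether2-ADSL2")],
        # Marked tables initially hold only a default route each.
        "ISP1_Traffic": [("0.0.0.0/0", "pppoe-out1")],
        "ISP2_Traffic": [("0.0.0.0/0", "pppoe-out2")],
    }
    if with_fix:
        # The extra static routes: modem subnets added to every marked table.
        for mark in ("ISP1_Traffic", "ISP2_Traffic"):
            tables[mark] += [("192.168.1.0/24", "ether1-ADSL1"),
                             ("192.168.2.0/24", "ether2-ADSL2")]
    return tables

if __name__ == "__main__":
    for fix in (False, True):
        t = build_tables(fix)
        for mark in (None, "ISP1_Traffic", "ISP2_Traffic"):
            print(f"fix={fix} mark={mark}: 192.168.1.1 via",
                  lookup(t, "192.168.1.1", mark))
```

Without the extra routes, marked traffic for 192.168.1.1 follows the marked default route out a PPPoE link; with them, it leaves through ether1-ADSL1 regardless of which mark the classifier assigned.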