Hi, I’m some kind of beginner to mikrotik and what I need if someone can help me is this:
I have 3 WAN access to CCR and have setup 4 pppoe servers for users. I have marked routing and masquerade it so i can have each pppoe server on separate wan and have them switch if any of WAN interfaces fale to respond to ping. The question and problem I have is now when they are marked, clients cant access some IP on separate LAN ports ( IP of connected devices on those ports ) on CCR.
For example I use Splynx radius server ( on LAN10 via ProxMox - IP 192.168.250.2, and Splynx IP 192.168.250.101) and it authorize it and all but clients cant access user portal now. If I remove marking and masquerade it works but not now.
Here is print from all things I have done,
INTERFACE
/interface bridge
add arp=proxy-arp comment="Bridge-portovi ether5" mtu=1508 name=bridge1-pppoe
/interface ethernet
set [ find default-name=ether1 ] comment=Speedtouch name=ether1-gateway1
set [ find default-name=ether2 ] comment=Speedtouch242 name=ether2-gateway2
set [ find default-name=ether3 ] comment=Speedtouch name=ether3-gateway3
set [ find default-name=ether5 ] comment=Bazna mtu=1518
set [ find default-name=ether9 ] comment=Komp
set [ find default-name=ether10 ] comment=ProxMox
/interface bridge port
add bridge=bridge1-pppoe interface=ether5
add bridge=bridge1-pppoe disabled=yes interface=ether10
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
/interface pppoe-server server
add authentication=pap,chap default-profile=profile-cetvrti-gateway disabled=\
no interface=bridge1-pppoe keepalive-timeout=30 max-mru=1500 max-mtu=1500 \
mrru=1600 one-session-per-host=yes service-name=MR-pppoe-4
add authentication=pap,chap default-profile=profile-treci-gateway disabled=no \
interface=bridge1-pppoe keepalive-timeout=30 max-mru=1500 max-mtu=1500 \
mrru=1600 one-session-per-host=yes service-name=MR-pppoe-3
add authentication=pap,chap default-profile=profile-drugi-gateway disabled=no \
interface=bridge1-pppoe keepalive-timeout=30 max-mru=1500 max-mtu=1500 \
mrru=1600 one-session-per-host=yes service-name=MR-pppoe-2
add authentication=pap,chap default-profile=profile-prvi-gateway disabled=no \
interface=bridge1-pppoe keepalive-timeout=30 max-mru=1500 max-mtu=1500 \
mrru=1600 one-session-per-host=yes service-name=MR-pppoe
NAT
# feb/03/2017 13:30:17 by RouterOS 6.36.4
# software id = QC1B-9WU7
#
/ip firewall address-list
add address=192.168.167.10-192.168.167.254 list=Gateway1-lista
add address=192.168.168.10-192.168.168.254 list=Gateway2-lista
add address=192.168.169.10-192.168.169.254 list=Gateway3-lista
add address=192.168.170.10-192.168.170.254 list=Gateway4-lista
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=forward connection-state=related
add action=accept chain=forward connection-state=established
add action=accept chain=input disabled=yes dst-port=161-162 protocol=udp
add action=drop chain=forward connection-state=invalid
add action=jump chain=forward comment="jump na provjeru virusa" jump-target=\
virus
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 \
protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 log-prefix=\
"VIRUS LAG" protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 log-prefix=\
"VIRUS LAG" protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 log-prefix=\
"VIRUS LAG" protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 log-prefix=\
"VIRUS LAG" protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 log-prefix=\
"VIRUS LAG" protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 log-prefix=\
"VIRUS LAG" protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 log-prefix=\
"VIRUS LAG" protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 \
log-prefix="VIRUS LAG" protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 log-prefix="VIRUS LAG" \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 log-prefix="VIRUS LAG" \
protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 log-prefix=\
"VIRUS LAG" protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=\
tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 \
log-prefix="VIRUS LAG" protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 log-prefix=\
"VIRUS LAG" protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 log-prefix=\
"VIRUS LAG" protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 \
log-prefix="VIRUS LAG" protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Markacija ruta za gateway4" \
new-routing-mark=wan4-korisnici passthrough=yes src-address-list=\
Gateway4-lista
add action=mark-routing chain=prerouting comment="Markacija ruta za gateway3" \
new-routing-mark=wan3-korisnici passthrough=yes src-address-list=\
Gateway3-lista
add action=mark-routing chain=prerouting comment="Markacija ruta za gateway2" \
new-routing-mark=wan2-korisnici passthrough=yes src-address-list=\
Gateway2-lista
add action=mark-routing chain=prerouting comment="Markacija ruta za gateway1" \
new-routing-mark=wan1-korisnici passthrough=yes src-address-list=\
Gateway1-lista
/ip firewall nat
add action=masquerade chain=srcnat comment=LanWAN out-interface=ADSL2 \
src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="Proxmox net" out-interface=ADSL2 \
src-address=192.168.250.0/24
add action=dst-nat chain=dstnat comment=winboxWAN dst-port=8080 protocol=tcp \
to-addresses=192.168.1.2 to-ports=8080
add action=dst-nat chain=dstnat comment=apiWAN dst-port=8728 protocol=tcp \
to-addresses=192.168.1.2 to-ports=8728
add action=dst-nat chain=dstnat comment=snmpWAN dst-port=161 protocol=udp \
to-ports=161
add action=dst-nat chain=dstnat dst-port=8291 protocol=tcp to-addresses=\
192.168.1.2 to-ports=8291
add action=masquerade chain=srcnat comment="Maskarada ADSL1" out-interface=\
ether1-gateway1 src-address=192.168.167.0/24
add action=masquerade chain=srcnat out-interface=ether1-gateway1 src-address=\
192.168.168.0/24
add action=masquerade chain=srcnat out-interface=ether1-gateway1 src-address=\
192.168.169.0/24
add action=masquerade chain=srcnat out-interface=ether1-gateway1 src-address=\
192.168.170.0/24
add action=masquerade chain=srcnat comment="Maskarada ADSL2" out-interface=\
ADSL2 src-address=192.168.167.0/24
add action=masquerade chain=srcnat out-interface=ADSL2 src-address=\
192.168.168.0/24
add action=masquerade chain=srcnat out-interface=ADSL2 src-address=\
192.168.169.0/24
add action=masquerade chain=srcnat out-interface=ADSL2 src-address=\
192.168.170.0/24
add action=masquerade chain=srcnat comment="Maskarada ADSL3" out-interface=\
ether3-gateway3 src-address=192.168.167.0/24
add action=masquerade chain=srcnat out-interface=ether3-gateway3 src-address=\
192.168.168.0/24
add action=masquerade chain=srcnat out-interface=ether3-gateway3 src-address=\
192.168.169.0/24
add action=masquerade chain=srcnat out-interface=ether3-gateway3 src-address=\
192.168.170.0/24
add action=dst-nat chain=dstnat comment=ProxmoxSSH dst-address=10.222.122.100 \
dst-port=22 in-interface=pptp-out1 protocol=tcp to-addresses=\
192.168.250.2 to-ports=22
add action=dst-nat chain=dstnat comment=ProxmoxWEB dst-address=10.222.122.100 \
dst-port=8006 in-interface=pptp-out1 protocol=tcp to-addresses=\
192.168.250.2 to-ports=8006
add action=dst-nat chain=dstnat comment=SplynxWAN dst-port=8007 protocol=tcp \
to-addresses=192.168.250.101 to-ports=80
add action=dst-nat chain=dstnat comment=SplynxSSH dst-port=8008 protocol=tcp \
to-addresses=192.168.250.101 to-ports=22
add action=dst-nat chain=dstnat comment=RouteSplynx disabled=yes dst-address=\
192.168.250.101 dst-port=80 log=yes protocol=tcp routing-mark=\
wan2-korisnici to-addresses=192.168.250.101 to-ports=80
and ROUTE
/ip route
add check-gateway=ping comment="Geatway ADSL2" distance=1 gateway=ADSL2 \
routing-mark=wan4-korisnici
add check-gateway=ping comment="Geatway ADSL3" distance=1 gateway=192.168.2.1 \
routing-mark=wan4-korisnici
add check-gateway=ping comment="Geatway ADSL1" distance=1 gateway=192.168.0.1 \
routing-mark=wan3-korisnici
add check-gateway=ping distance=1 gateway=ADSL2 routing-mark=wan3-korisnici
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=\
wan2-korisnici
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=\
wan2-korisnici
add check-gateway=ping distance=1 gateway=ADSL2 routing-mark=wan2-korisnici
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=\
wan1-korisnici
add check-gateway=ping distance=1 gateway=ADSL2 routing-mark=wan1-korisnici
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=\
wan1-korisnici
add check-gateway=ping distance=1 gateway=ADSL2
Please help
. I just added 192.168.250.0/24 to NOT in dst.address in each mangle rule.