I am running a RB/2011L-RM with RouterOS v6.0rc13. I have two WANs and two networks running through my router. The WANs use separate gateways and are from different ISPs. My configuration currently works so that when I am connected to a local port it routes my traffic through the corresponding WAN. I have port 5 set up so that I can switch between networks when I need to.
Here is my network diagram:
My problem is that I am unable to route between the two networks, specifically from a laptop connected to port 5 to a webserver. I have a webserver at 192.168.88.15 and a domain pointing to the WAN plugged into ether1.
My configuration is as follows:
I have two bridges bridge-local and bridge-W.
Port 1: ether1-gateway (WAN1)
Port 2: ether2-TC-Local bridge-local
Port 3: ether3-W-WAN (Wan2)
Port 4: ether4-W-Local bridge-w
Port 5: ether5 bridge-local/bridge-w (Switches bridge)
Firewall/Mangle:
Mark Routing src-address=192.168.88.0/24 routing-mark=TC
Mark Routing src-address=192.168.1.0/24 routing-mark=W
I disabled all of my firewall rules; it did not solve the problem. I then tried disabling my mangle rules and I can now access the webserver. I still have the correct IP on my laptop (192.168.1.2) and my external IP is the one for the correct WAN (W). Is my setup going to continue to work without these mangle rules?
Based on these rules they should have never caused an issue because the route is distance 1. When a request comes from the 192.168.88.0/24 subnet to the 192.168.1.0/24 subnet it will use the distance ZERO connected route. So those rules should not be causing the issue unless you have some element in them I am not aware of. Post the mangle rules (New Terminal, then ip firewall mangle print).
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-routing new-routing-mark=TC
     passthrough=yes src-address=192.168.88.0/24
 1   chain=prerouting action=mark-routing new-routing-mark=W
     passthrough=yes src-address=192.168.1.0/24
Sorry for the long wait time. After disabling these rules I was able to get traffic between the networks, but external traffic into my webserver was not routing properly. I have currently re-enabled these mangle rules and am back where I started.
I’m into the realm where I’m not quite sure what I am doing. I added these two rules. My thought was: when the source address is from the TC network and the destination is the W network, accept the connection, and vice versa.
Let's add NOT ! 192.168.0.0/16 for DST Address to both rules and test it.
We could add an Accept local Passthrough NO above those two rules.
We could add a distance zero connected route that supports your routing marks as is.
I tried the NOTs as you see above, nothing changed. I tried the accept rules, again no change. I tried a route but I don’t think I configured it right. Could you give me an example of what the route should look like? Thanks.
Okay I see the issue. You have 0.0.0.0/0 routes at distance ZERO. Distance Zero should be all your local routes and distance 1+ should be used for your out to internet routes.
At no time should a 0.0.0.0/0 DST route be distance 0…
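The route and mangle layout the replies above describe (internet defaults at distance 1 selected by routing mark, a copy of each connected route carried into the other marked table so cross-subnet traffic never falls onto a 0.0.0.0/0 route, and mangle rules that exclude the private ranges), written out as an added RouterOS v6 CLI example. This is not configuration posted in the thread: the gateway addresses 203.0.113.1 and 198.51.100.1 are documentation placeholders for the WAN1 and WAN2 gateways, while the bridge names, subnets and routing marks come from the original post.

```routeros
# Added example, not from the thread. Gateway IPs are placeholders from the
# RFC 5737 documentation ranges; replace them with the real ISP gateways.

/ip route
# Internet defaults live at distance 1 (never 0) and are chosen by routing mark.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 routing-mark=TC comment="TC -> WAN1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=1 routing-mark=W comment="W -> WAN2"
# Each LAN is also reachable from the *other* table: a marked packet for the
# neighbouring subnet matches the /24 (longest prefix wins over 0.0.0.0/0) and
# is delivered on the bridge instead of leaving via the WAN.
add dst-address=192.168.1.0/24 gateway=bridge-w routing-mark=TC comment="W LAN from TC table"
add dst-address=192.168.88.0/24 gateway=bridge-local routing-mark=W comment="TC LAN from W table"
# Unmarked defaults for the router's own traffic stay in the main table.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 comment="main default via WAN1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 comment="main fallback via WAN2"

/ip firewall mangle
# Mark only traffic that has to leave for the internet; anything addressed to
# either private range is left unmarked and uses the main table's connected routes.
add chain=prerouting src-address=192.168.88.0/24 dst-address=!192.168.0.0/16 \
    action=mark-routing new-routing-mark=TC passthrough=no comment="TC clients -> WAN1"
add chain=prerouting src-address=192.168.1.0/24 dst-address=!192.168.0.0/16 \
    action=mark-routing new-routing-mark=W passthrough=no comment="W clients -> WAN2"
```

After importing, /ip route print where routing-mark=W should list the 192.168.88.0/24 entry next to the W default; a traceroute from a 192.168.1.x host to 192.168.88.15 should then show a single hop through the router rather than the WAN2 gateway.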
I presume you are talking about these two default routes at a distance of 0. These two routes were dynamically assigned, hence the D on the far left. Should I still get rid of them?
I fooled around with mangles a bit and managed to get routing by internal IP working by adding the !(Address Range) to the rules.
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-routing new-routing-mark=TC
     passthrough=no src-address=192.168.88.0/24 dst-address=!192.168.1.0/24
 1   chain=prerouting action=mark-routing new-routing-mark=W passthrough=no
     src-address=192.168.1.0/24 dst-address=!192.168.88.0/25
Everything is almost fixed; my last problem is that I need to get access to my webserver via my domain internally. Externally everything works fine, but internally I can only access my webserver via its IP (192.168.88.15). Again, I’m a novice at MikroTik routing, but I think I need some sort of Masquerade between the two networks. Am I right in thinking this?
Update:
It seems that I need to set up a hairpin NAT. I’ve tried the example on the wiki, along with some other threads on this forum, but nothing so far has worked. My remaining problem is that I cannot reach my webserver using the FQDN, nor can the webserver reach itself using its FQDN, which has caused other problems with my MySQL server and email server.
Is anyone able to help me with this routing problem? I have two WANs with two subnets, and I’m unable to access my webserver on the opposite subnet using its FQDN. I’ve tried multiple hairpin configurations but nothing has worked and I have been dead in the water for almost two weeks now. Please help.
And yes, I was using the last masquerade rule on the hairpin page.
I tried adding a DNS entry for my domain in my router's DNS. It seems to now be resolving my local IP for my domain (192.168.88.1). Is this the desired result? I am also still unable to access the server.
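A hairpin NAT layout for this two-subnet setup, with the split-DNS alternative beside it, as an added RouterOS v6 example; it is not configuration from the thread or from the wiki page the poster refers to. 203.0.113.10 stands in for the public address on ether1-gateway and example.com for the domain; the web server 192.168.88.15, the interface names and the routing marks are from the thread. The mangle adjustment is included because, in the RouterOS packet flow, mangle prerouting runs before dst-nat: a mark-routing rule that only excludes the private subnets still sees the public address as the destination of a hairpinned connection and marks it for a WAN, so the connection is policy-routed instead of being delivered to the server after translation. Matching dst-address-type=local is the assumed way to exempt such connections.

```routeros
# Added example, not from the thread. 203.0.113.10 is a placeholder for the public
# IP on ether1-gateway and example.com a placeholder domain; 192.168.88.15 is the
# web server from the original post.

/ip firewall nat
# Port forward matched on the public address, not on in-interface=ether1, so it
# also fires for connections arriving from either LAN bridge (the hairpin case).
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.88.15 comment="web server forward"
# Hairpin: LAN clients in either subnet, and the server itself, reaching the server
# through the public IP are source-NATed to the router, so the server's replies go
# back through the router and conntrack can undo the dst-nat.
add chain=srcnat src-address=192.168.0.0/16 dst-address=192.168.88.15 protocol=tcp \
    dst-port=80,443 action=masquerade comment="hairpin for web server"
# Normal outbound masquerade per WAN (only if not already present).
add chain=srcnat out-interface=ether1-gateway action=masquerade comment="WAN1 masquerade"
add chain=srcnat out-interface=ether3-W-WAN action=masquerade comment="WAN2 masquerade"

/ip firewall mangle
# Leave connections addressed to the router's own IPs unmarked (the public
# address included): mangle prerouting sees the pre-NAT destination, so without
# this the hairpinned connection is marked and sent towards a WAN gateway.
set [find new-routing-mark=TC] dst-address-type=!local
set [find new-routing-mark=W] dst-address-type=!local

/ip dns static
# Split-DNS alternative: internal clients that use the router as resolver get the
# server's LAN address directly, so no NAT is involved for them at all. The entry
# must point at the server, not at the router's own 192.168.88.1.
add name=example.com address=192.168.88.15
```

The two approaches can coexist: split DNS serves clients that use the router for resolution, and the hairpin rules cover anything that resolves the name externally (including the server resolving its own FQDN). To verify, watch the counters of the dstnat and hairpin srcnat rules while opening http://example.com from a 192.168.1.x host; both should increment, and /ip firewall connection print should show the connection with reply-dst-address 192.168.88.15.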