Hello ,
i have MT 3.2 and ISA 2006 server ,i wanna Use both but i need to configure the MT right ,
here is the situation , ISA is the internet Gateway and have alot of publishing on the internet to internal websites
so i’d like to make the mikrotik as the default gateway to all pc internaly and it forward everything to ISA ,so they got the internet from the ISA .
so how can i do that?
akram -
Not really sure what your intended meaning is with ‘ISA server’ but it sounds like a ‘regular’ Internet Gateway / Router.
So really all you have to do is configure the MT to be the gateway for all your internal systems on one ethernet interface and on the second connect it to the ISA server. I am supposing here that the ISA server will NAT for you all internal systems. If not then you will need to have the MT box NAT your internal systems and then forward the requests to the ISA server to get to the Internet.
All the MT has to do is route (and maybe NAT) everything to the ISA server. Look at the Wiki pages for some of the basic configs as well as the MT V 3.x ROS manual.
manual link - http://www.mikrotik.com/testdocs/ros/3.0/
Wiki link - http://wiki.mikrotik.com/wiki/MikroTik_RouterOS
R/
thanks for your fast reply you are right , but i’d like to simple my question now
for example : MT ip : 192.168.1.2 - it’s Gateway 192.168.1.6
in future MT 2nd LAN ip : xxx.xxx.xxx.xxx - NAT to internet
ISA 2006 Server Internal IP : 192.168.1.3 - no Gateway
ISA 2006 Server External IP : xxx.xxx.xxx.xxx - it NAT to internet
so it will work fine if i do this on MT or not?
why i’m doing this cause i’ll put another Internet on MT for Voice only ,so when internal data goes to MT it will send it to MT then MT will use it’s internet either that forward it to ISA Server.
i wish i explained it better
it works
i tested it and it works
i have made an ip route on the MT that 192.168.1.6 is it’s gateway
now MT is the default gateway for all ppl
and the ISA is the default gateway to internet
this is what i want and it works
now i have another issue ,i’d like to do
i put 2nd LAN card on the MT to another Internet
i want to use this connection for some ppl like 192.168.1.178 or by it’s mac to access internet from MT not the default one
so all ppl have internet through MT then ISA then Internet
few ppl can use the Internet on the 2nd lan card ,so i think it will be by masqurade ,i tried it but the internet goes through the ISA ,why?
akram -
To answer that question you’ll need to post your config. Go to terminal mode (either in winbox, left hand menu ‘New Terminal’ or telnet/ssh to the MT box).
/ip address export
/ip route export
/ip router rule export
/ip firewall nat export
Copy and paste the results here.
If you renamed your interfaces with a name other than ether1, ether2, then provide an explanation as to which interface does what… (Internal, Internet, etc.)
R/
[admin@MikroTik] > /ip address export
/ip address
add address=192.168.1.2/24 broadcast=192.168.1.255 comment="LAN Address"
disabled=no interface=SLAN network=192.168.1.0
add address=196.219.31.37/27 broadcast=196.219.31.63 comment="" disabled=no
interface=SWAN network=196.219.31.32
add address=196.219.31.42/27 broadcast=196.219.31.63 comment="" disabled=yes
interface=SWAN network=196.219.31.32
add address=196.219.31.43/27 broadcast=196.219.31.63 comment="" disabled=yes
interface=SWAN network=196.219.31.32
add address=196.219.31.44/27 broadcast=196.219.31.63 comment="" disabled=yes
interface=SWAN network=196.219.31.32
add address=196.219.31.41/27 broadcast=196.219.31.63 comment="" disabled=yes
interface=SWAN network=196.219.31.32
add address=196.219.31.34/27 broadcast=196.219.31.47 comment=
"WAN Leased Line Addresses" disabled=yes interface=SWAN network=
196.219.31.32
add address=196.219.31.36/28 broadcast=196.219.31.47 comment="" disabled=yes
interface=SWAN network=196.219.31.32
add address=196.219.31.38/27 broadcast=196.219.31.47 comment="" disabled=yes
interface=SWAN network=196.219.31.32
add address=196.219.31.39/27 broadcast=196.219.31.47 comment="" disabled=yes
interface=SWAN network=196.219.31.32
add address=196.219.31.40/27 broadcast=196.219.31.47 comment="" disabled=yes
interface=SWAN network=196.219.31.32
add address=196.218.38.246/29 broadcast=196.218.38.247 comment="WAN - ADSL"
disabled=no interface=SABWAN network=196.218.38.240
add address=196.218.38.245/32 broadcast=196.218.38.245 comment="WAN - ADSL"
disabled=yes interface=SABWAN network=196.218.38.245
add address=192.168.1.28/24 broadcast=192.168.1.255 comment="" disabled=yes
interface=SLAN network=192.168.1.0
[admin@MikroTik] > /ip route export
/ip route
add comment="Forward to Leased Line Router " disabled=yes distance=1
dst-address=0.0.0.0/0 gateway=196.219.31.33 scope=30 target-scope=10
add comment="Forward to ISA Server - Not working anymore" disabled=yes
distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 scope=30
target-scope=10
add comment="Forward to ADSL Router " disabled=no distance=1 dst-address=
0.0.0.0/0 gateway=196.218.38.241 scope=30 target-scope=10
add comment="Route or Forward to ISA Server2 - Works now" disabled=no
distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.6 scope=30
target-scope=10
add comment="" disabled=no distance=1 dst-address=10.0.0.0/24 gateway=
10.0.0.40 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=192.168.1.0/24 gateway=
192.168.1.2,SLAN scope=30 target-scope=10
/ip route rule
add action=lookup comment="" disabled=no dst-address=0.0.0.0/0 interface=
SABWAN routing-mark="Akram Rules" src-address=192.168.1.178/32 table=
"Akram Rules"
[admin@MikroTik] > /ip route rule export
/ip route rule
add action=lookup comment="" disabled=no dst-address=0.0.0.0/0 interface=
SABWAN routing-mark="Akram Rules" src-address=192.168.1.178/32 table=
"Akram Rules"
[admin@MikroTik] > /ip firewall nat export
/ip firewall nat
add action=redirect chain=dstnat comment="Webproxy enabled" disabled=yes
dst-port=80 protocol=tcp to-ports=8080
add action=masquerade chain=srcnat comment="Test ADSL - Akram Laptop"
disabled=no out-interface=SABWAN src-address=192.168.1.178
add action=masquerade chain=srcnat comment="For ADSL" disabled=yes
out-interface=SABWAN
add action=dst-nat chain=dstnat comment="" disabled=yes protocol=tcp
src-port=1723 to-addresses=192.168.1.3 to-ports=1723
add action=dst-nat chain=dstnat comment=
"Redirect the public to internal server no.1" disabled=yes dst-address=
196.218.38.246 to-addresses=192.168.1.33
add action=src-nat chain=srcnat comment=
"Redirect the public to internal server no.2" disabled=yes src-address=
192.168.1.33 to-addresses=196.218.38.246
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=
196.219.31.44 dst-port=80 in-interface=SABWAN protocol=tcp to-addresses=
192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=
196.219.31.44 dst-port=80 in-interface=SLAN protocol=tcp to-addresses=
192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat comment=
"port Forward - Public to private server to remote desktop" disabled=yes
dst-address=196.219.31.44 dst-port=3389 in-interface=SABWAN protocol=tcp
to-addresses=192.168.1.137 to-ports=3389
add action=dst-nat chain=dstnat comment=
"port Forward - Public to private server to Ftp" disabled=no dst-address=
196.219.31.37 dst-port=21 in-interface=SWAN protocol=tcp to-addresses=
192.168.1.3 to-ports=21
add action=src-nat chain=srcnat comment="" disabled=yes protocol=tcp
src-address=192.168.1.3 to-addresses=196.219.31.44
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=
196.219.31.43 dst-port=21 in-interface=SLAN protocol=tcp to-addresses=
192.168.1.137 to-ports=21
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=
196.219.31.44 dst-port=80 in-interface=SABWAN protocol=tcp to-addresses=
192.168.1.29 to-ports=80
add action=src-nat chain=srcnat comment="" disabled=yes src-address=
192.168.1.6 to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=
192.168.1.12 dst-port=80 in-interface=SLAN protocol=tcp src-address=
0.0.0.0 to-addresses=192.168.1.6 to-ports=80
add action=src-nat chain=srcnat comment="" disabled=yes src-address=
192.168.1.178 to-addresses=196.218.38.246
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=
196.218.38.246 to-addresses=192.168.1.178
internal LAN : SLAN
External WAN1 : SWAN
External WAN2 : SABWAN
akram -
See below...I removed most of the 'disabled' entries. Made comments in the body of the text below. Study it and be sure to look over the MT docs to understand what I did....
Basically it is 'policy routing'. The policy is when a chosen IP makes a request to get something from the Internet, the connection is marked, then a routing mark is added. After that as the connection makes it's way through the router processing chain and comes upon routing, the routing mark tells the router to lookup this action in the Akram Rules table and route the connection that way. The NAT table masquerades the connection out the SBAWAN interface as it leaves the router.
/R
Thom
internal LAN : SLAN
External WAN1 : SWAN
External WAN2 : SABWAN
[admin@MikroTik] > /ip address export
/ip address
add address=192.168.1.2/24 broadcast=192.168.1.255 comment="LAN Address"
disabled=no interface=SLAN network=192.168.1.0
add address=196.218.38.246/29 broadcast=196.218.38.247 comment="WAN - ADSL"
disabled=no interface=SABWAN network=196.218.38.240
add address=196.218.38.245/32 broadcast=196.218.38.245 comment="WAN - ADSL"
disabled=yes interface=SABWAN network=196.218.38.245
[admin@MikroTik] > /ip route export
/ip route
First route (if it is a manually inputted route);
add comment="" disabled=no distance=1 dst-address=10.0.0.0/24 gateway=
10.0.0.40 scope=30 target-scope=10
Second route (if it is a manually inputted route);
add comment="" disabled=no distance=1 dst-address=192.168.1.0/24 gateway=
192.168.1.2,SLAN scope=30 target-scope=10
I am guessing that this route is in route table "Akram Rules". If it is then ok. If it is not then you need to make a route table and put this in it.
add comment="Forward to ADSL Router " disabled=no distance=1 dst-address=
0.0.0.0/0 gateway=196.218.38.241 scope=30 target-scope=10
This is what you expect to be the 'normal' default route to the Internet - right? It should be in table main.
add comment="Route or Forward to ISA Server2 - Works now" disabled=no
distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.6 scope=30
target-scope=10
[admin@MikroTik] > /ip route rule export
/ip route rule
This should be the first rule;
add action=lookup comment="" disabled=no dst-address=0.0.0.0/0 interface=
SABWAN routing-mark="Akram Rules" src-address=192.168.1.178/32 table=
"Akram Rules"
This should be your second rule;
add action=lookup comment="" disabled=no dst-address=0.0.0.0/0 interface=
SWAN routing-mark="" scr-addrress=0.0.0.0/0 action=lookup table=main
/ip firewall mangle
These should be the first mangle rules after any 'filter' type mangles but before any other types so you can get the connection marked and going out to the Internet via the correct (SBAWAN) interface.
chain=prerouting action=mark-connection new-connection-mark=Akram Rules
passthrough=yes src-address=192.168.1.178/32 in-interface=SLAN
chain=prerouting action=mark-routing new-routing-mark=Akram Rules
passthrough=no
[admin@MikroTik] > /ip firewall nat export
/ip firewall nat
Add the rule below - should be one of the first few - before any other masquerade or src-nat rules;
add action=masquerade chain=srcnat comment="Test ADSL - Akram Laptop"
connection-mark=Akram Rules disabled=no out-interface=SABWAN
add action=dst-nat chain=dstnat comment=
"port Forward - Public to private server to Ftp" disabled=no dst-address=
196.219.31.37 dst-port=21 in-interface=SWAN protocol=tcp to-addresses=
192.168.1.3 to-ports=21
thanks ,i’ll test and feed you back