Hello,
Been trying to complete my config for a client's Router and just when i think i get how this works something happens and i am back to step one.
The following config works in every aspect.
It Load balances 2 DSL Lines, accept incoming remote connection with port forwarding to my internal server from both modems at the same time,
it Fail Over all traffic to 1 of the 2 modems if a ping fails etc.
What i cannot seem to be able to duplicate from my home router (where no mangle is used and incoming SSTP works fine) is the SSTP connection.
I have created the certificates, configured the SSTP server, the IP Pools and everything seems to be working... FROM THE LAN.
No matter what i change or do i cannot seem to be able to telnet to the Router at TCP 443 from any of the DSL IPs.
Both modems have been configured to forward traffic properly to the external IP of my router for port 443.
When i telnet from my home to my client i can see the packets reaching the router but no responce in TCP level. The packet reach the route and are stuck in TCP-SYN.
Can someone please assist me?
I have also tried removing all the firewall rules but dont think thats where the problem is located. There is something wrong with my mangle.
Thanks in advance
dec/17/2016 10:37:49 by RouterOS 6.36.1
software id = 2WNG-DSQ2
/interface ethernet
set [ find default-name=ether3 ] name=Local
set [ find default-name=ether4 ] master-port=Local name=Local2
set [ find default-name=ether5 ] master-port=Local name=Local3
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=sstp-pool ranges=192.168.10.5-192.168.10.15
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.10.1 name=SSTP remote-address=
sstp-pool use-compression=yes
/interface sstp-server server
set authentication=mschap2 certificate=CA1 default-profile=SSTP enabled=yes
/ip address
add address=192.168.1.254/24 interface=Local network=192.168.1.0
add address=10.111.0.1/24 interface=WAN1 network=10.111.0.0
add address=10.112.0.1/24 interface=WAN2 network=10.112.0.0
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512
servers=8.8.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=443 log=yes protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=output dst-address=208.67.220.220 out-interface=WAN2
add action=drop chain=output dst-address=208.67.222.222 out-interface=WAN1
add action=accept chain=output
add action=accept chain=forward
/ip firewall mangle
add action=mark-connection chain=prerouting comment="MARK WAN CONNECTIONS"
in-interface=WAN1 log=yes new-connection-mark=WAN1_mark passthrough=yes
add action=mark-connection chain=prerouting in-interface=WAN2
new-connection-mark=WAN2_mark passthrough=yes
add action=accept chain=input dst-port=8291 protocol=tcp
add action=mark-connection chain=input dst-address=10.111.0.1 dst-port=443
in-interface=WAN1 log=yes new-connection-mark=WAN1_mark passthrough=yes
protocol=tcp
add action=mark-routing chain=output connection-mark=WAN1_mark log=yes
new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_mark
new-routing-mark=to_ISP2 passthrough=yes
add action=accept chain=prerouting dst-address=10.111.0.0/24 in-interface=
Local
add action=accept chain=prerouting dst-address=10.112.0.0/24 in-interface=
Local
add action=mark-connection chain=prerouting comment=
"Send all server traffic back where it came from" connection-mark=
WAN1_mark in-interface=Local new-connection-mark=WAN1_mark passthrough=
yes src-address=192.168.1.1
add action=mark-connection chain=prerouting connection-mark=WAN2_mark
in-interface=Local new-connection-mark=WAN2_mark passthrough=yes
src-address=192.168.1.1
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=Local new-connection-mark=WAN1_mark passthrough=yes
src-address=192.168.1.1
add action=mark-connection chain=prerouting comment=PCC1 connection-mark=
no-mark connection-state=new dst-address-type=!local in-interface=Local
new-connection-mark=WAN1_mark passthrough=yes per-connection-classifier=
both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment=PCC2 connection-mark=
no-mark connection-state=new dst-address-type=!local in-interface=Local
new-connection-mark=WAN2_mark passthrough=yes per-connection-classifier=
both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_mark
in-interface=Local new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_mark
in-interface=Local new-routing-mark=to_ISP2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=dst-nat chain=dstnat dst-port=3389 in-interface=WAN1 log=yes
protocol=tcp to-addresses=192.168.1.1 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=WAN2 log=yes
protocol=tcp to-addresses=192.168.1.1 to-ports=3389
/ip route
add check-gateway=ping comment=PROVIDER1 distance=10 gateway=10.111.0.2
routing-mark=to_ISP1
add check-gateway=ping comment=PROVIDER2 distance=10 gateway=10.112.0.2
routing-mark=to_ISP2
add distance=5 dst-address=208.67.220.220/32 gateway=10.111.0.2 scope=10
add distance=5 dst-address=208.67.222.222/32 gateway=10.112.0.2 scope=10
/ip service
set winbox address=0.0.0.0/0
/ppp secret
add local-address=192.168.10.1 name=client1 password=secret1 profile=SSTP
service=sstp
/system routerboard settings
set memory-frequency=1200DDR protected-routerboot=disabled
/tool netwatch
add down-script="ip route set [find comment="PROVIDER1"] distance=20 \r
\n" host=208.67.220.220 interval=10s up-script=
"ip route set [find comment="PROVIDER1"] distance=10 \r
\n"
add down-script="ip route set [find comment="PROVIDER2"] distance=20 \r
\n" host=208.67.222.222 interval=10s up-script=
"ip route set [find comment="PROVIDER2"] distance=10 \r
\n"