Community discussions

 
farshad
just joined
Topic Author
Posts: 8
Joined: Mon Aug 29, 2016 6:04 pm
Contact:

routing problem

Sun Apr 02, 2017 3:40 pm

Hi
I have 2 PPPOE connection on the router , other side i should connect the pptp vpn to office for crm
this is my configuration routing tabel
 0 A S  dst-address=94.183.75.219/32 gateway=pppoe-out-2 
        gateway-status=pppoe-out-2 reachable distance=1 scope=30 target-scope=10 
        routing-mark=VpnShatel 

 1 A S  dst-address=0.0.0.0/0 gateway=pppoe-out-1 
        gateway-status=pppoe-out-1 reachable distance=1 scope=30 target-scope=10 

 2 A S  dst-address=10.103.65.197/32 gateway=pptp-out-shatel gateway-status=pptp-out-office reachable 
        distance=1 scope=30 target-scope=10 

 3 ADC  dst-address=94.183.74.1/32 pref-src=31.56.190.71 
        gateway=pppoe-out-2,pppoe-out-1 
        gateway-status=pppoe-out-2 reachable,pppoe-out1 reachable 
        distance=0 scope=10 

 4 ADC  dst-address=94.183.75.253/32 pref-src=172.16.3.7 gateway=pptp-out-office 
        gateway-status=pptp-out-office reachable distance=0 scope=10 

 5 A S  dst-address=172.16.1.0/24 gateway=pptp-out-office gateway-status=pptp-out-office reachable 
        distance=1 scope=30 target-scope=10 
        
 6 ADC  dst-address=172.20.1.0/24 pref-src=172.20.1.1 gateway=wlan gateway-status=wlan reachable distance=>
        scope=10 

 7 ADC  dst-address=192.168.1.1/32 pref-src=192.168.1.5 gateway=ether1-Net1 
        gateway-status=ether1-Net1 reachable distance=0 scope=10 

 8 ADC  dst-address=192.168.2.1/32 pref-src=192.168.2.10 gateway=ether2-Net2 
        gateway-status=ether2-Net2 reachable distance=0 scope=10 

 9 A S  dst-address=192.168.11.0/24 gateway=pptp-out-office gateway-status=pptp-out-office reachable 
        distance=1 scope=30 target-scope=10 


and this is my Nat print

 0    chain=srcnat action=masquerade src-address=172.20.1.0/24 out-interface=pppoe-out-1
      log=no log-prefix="" 

 1 XI  chain=srcnat action=masquerade src-address=172.20.1.0/24 out-interface=pppoe-out-2
      log=no log-prefix="" 

 2    chain=srcnat action=masquerade dst-address=192.168.1.1 log=no log-prefix="" 

 3    chain=srcnat action=masquerade dst-address=192.168.11.0/24 log=no log-prefix="" 

 4    chain=srcnat action=masquerade dst-address=172.16.1.0/24 log=no log-prefix="" 

 5    chain=srcnat action=masquerade dst-address=10.103.65.197 log=no log-prefix="" 

so i marked vpn packet on the mangel and put on this routing tabel for conneceting to vpn side on route 0

So i have internet on the pppoe 1 and crm on pppoe 2
but i have pinging 8.8.8.8 or intenet on the router but i have not ping on the system on the other side i can open the web page
so i want when i pinging, get to true route
Hi
I'm Farshad :)
 
farshad
just joined
Topic Author
Posts: 8
Joined: Mon Aug 29, 2016 6:04 pm
Contact:

Re: routing problem

Sun Apr 02, 2017 3:46 pm

and have some problems
for example i cant use win box for connect office :lol:
Hi
I'm Farshad :)
 
scampbell
Trainer
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Re: routing problem

Mon Apr 03, 2017 10:46 pm

Please post an export e.g "/ip firewall export" and paste the results in here.

Here is an excellent article on how to set up dual wan that may also assist :-) https://aacable.wordpress.com/2013/12/0 ... oe-server/
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
idlemind
Forum Guru
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: routing problem

Mon Apr 03, 2017 10:56 pm

Farshad, have you though of creating a GRE tunnel destined to each PPPoE IP and wrapping those tunnels with IPSec? You can then use routing to control how traffic paths.

If I'm understanding it correctly​ you have a main site with 2 PPPoE connections and you want a second site to be able to access it over either PPPoE connection. Correct?
 
farshad
just joined
Topic Author
Posts: 8
Joined: Mon Aug 29, 2016 6:04 pm
Contact:

Re: routing problem

Tue Apr 04, 2017 10:06 am

Farshad, have you though of creating a GRE tunnel destined to each PPPoE IP and wrapping those tunnels with IPSec? You can then use routing to control how traffic paths.

If I'm understanding it correctly​ you have a main site with 2 PPPoE connections and you want a second site to be able to access it over either PPPoE connection. Correct?

I have pptp vpn to office. yes i want pptp used PPPOE2 and other side use the internet PPPOE1, now i have internet and i have user crm , but for example i have big problem i haven't 192.168.11.11 ping or i cant use winbox for connect other site and other problem
Hi
I'm Farshad :)
 
farshad
just joined
Topic Author
Posts: 8
Joined: Mon Aug 29, 2016 6:04 pm
Contact:

Re: routing problem

Tue Apr 04, 2017 10:09 am

Please post an export e.g "/ip firewall export" and paste the results in here.

Here is an excellent article on how to set up dual wan that may also assist :-) https://aacable.wordpress.com/2013/12/0 ... oe-server/



/ip firewall filter
add action=add-dst-to-address-list address-list=telentlist \
    address-list-timeout=0s chain=input dst-port=2323 protocol=tcp
add action=add-dst-to-address-list address-list=ping \
    address-list-timeout=1h chain=input in-interface=\
    pppoe-out-2410105004-33445979 protocol=icmp
add action=reject chain=input disabled=yes in-interface=\
    pppoe-out-2410105004-33445979 protocol=icmp reject-with=\
    icmp-admin-prohibited
/ip firewall mangle
add action=mark-connection chain=input comment=In-Ner1 in-interface=\
    pppoe-out-2410105004-33445979 new-connection-mark=InNet1 \
    passthrough=no
add action=mark-routing chain=output comment=Out-Net1 \
    new-routing-mark=OutNet1 out-interface=\
    pppoe-out-2410105004-33445979 passthrough=no
add action=mark-connection chain=input comment=In-Net2 in-interface=\
    pppoe-out-2410105589-33470232 new-connection-mark=InNet2 \
    passthrough=no
add action=mark-connection chain=output comment=Out-Net2 \
    new-connection-mark=OutNet2 out-interface=\
    pppoe-out-2410105589-33470232 passthrough=no
add action=mark-connection chain=input comment=In-Shatel \
    in-interface=pptp-out-shatel new-connection-mark=Shatel \
    passthrough=no
add action=mark-routing chain=output comment=Out-Shatel \
    new-routing-mark=Shatel out-interface=pptp-out-shatel \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=Shatel \
    new-routing-mark=VpnShatel passthrough=yes
add action=mark-connection chain=prerouting disabled=yes \
    dst-address-type=!local in-interface=wlan new-connection-mark=\
    Net1 passthrough=yes per-connection-classifier=src-port:2/0
add action=mark-connection chain=prerouting disabled=yes \
    dst-address-type=!local in-interface=wlan new-connection-mark=\
    Net2 passthrough=yes per-connection-classifier=src-port:2/1
add action=mark-routing chain=prerouting connection-mark=Net1 \
    disabled=yes in-interface=wlan new-routing-mark=Net1 passthrough=\
    no
add action=mark-routing chain=prerouting connection-mark=Net2 \
    disabled=yes in-interface=wlan new-routing-mark=Net2 passthrough=\
    no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=\
    pppoe-out-2410105004-33445979 src-address=172.20.1.0/24
add action=masquerade chain=srcnat out-interface=\
    pppoe-out-2410105589-33470232 src-address=172.20.1.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.1
add action=masquerade chain=srcnat dst-address=192.168.2.1
add action=masquerade chain=srcnat dst-address=192.168.11.0/24
add action=masquerade chain=srcnat dst-address=172.16.1.0/24
add action=masquerade chain=srcnat dst-address=10.103.65.197

Hi
I'm Farshad :)
 
scampbell
Trainer
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Re: routing problem

Wed Apr 05, 2017 12:32 am

Hi Farshad,

If you use connection-marks to identify traffic FROM a specific WAN t0 allow the response to then return through the correct WAN then passthrough=yes is required.

So for just Winbox and VPN you would say:

/ip mangle

/ip firewall mangle
add action=mark-connection chain=input comment=In-Ner1 in-interface=\
pppoe-out-2410105004-33445979 new-connection-mark=InNet1 \
passthrough=yes
add action=mark-connection chain=input comment=In-Net2 in-interface=\
pppoe-out-2410105589-33470232 new-connection-mark=InNet2 \
passthrough=yes

add action=mark-routing chain=output comment=Out-Net1 \
connection-mark=InNet1 new-routing-mark=OutNet1 passthrough=no
add action=mark-connection chain=output comment=Out-Net2 \
connection-mark=InNet2 new-routing-mark=OutNet2 passthrough=no

Any site to site VPN should create it's own route and will forward back over the establishing tunnel - this assumes this device is the VPN server not client.

In terms of your load balancing please refer to AACABLE's exceleent example.

Likewise if you have dst-nat rules you will need pre-routing rules to identify the reply traffic from your hosts and mark it's return path.
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
farshad
just joined
Topic Author
Posts: 8
Joined: Mon Aug 29, 2016 6:04 pm
Contact:

Re: routing problem

Wed Apr 05, 2017 8:35 am

Hi Farshad,

If you use connection-marks to identify traffic FROM a specific WAN t0 allow the response to then return through the correct WAN then passthrough=yes is required.

So for just Winbox and VPN you would say:

/ip mangle

/ip firewall mangle
add action=mark-connection chain=input comment=In-Ner1 in-interface=\
pppoe-out-2410105004-33445979 new-connection-mark=InNet1 \
passthrough=yes
add action=mark-connection chain=input comment=In-Net2 in-interface=\
pppoe-out-2410105589-33470232 new-connection-mark=InNet2 \
passthrough=yes

add action=mark-routing chain=output comment=Out-Net1 \
connection-mark=InNet1 new-routing-mark=OutNet1 passthrough=no
add action=mark-connection chain=output comment=Out-Net2 \
connection-mark=InNet2 new-routing-mark=OutNet2 passthrough=no

Any site to site VPN should create it's own route and will forward back over the establishing tunnel - this assumes this device is the VPN server not client.

In terms of your load balancing please refer to AACABLE's exceleent example.

Likewise if you have dst-nat rules you will need pre-routing rules to identify the reply traffic from your hosts and mark it's return path.

if you saw my routing table , you can see i marked vpn traffic , but my question is why i haven't 8.8.8.8 ping but have internet on the system
Hi
I'm Farshad :)
 
scampbell
Trainer
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Re: routing problem

Wed Apr 05, 2017 9:42 am

The example was so Winbox could be accessed via either WAN.

Note also a Remote VPN can connect via either WAN (subject to firewall rules) and then any VPN traffic will automatically flow over the correct WAN.

If you are doing a site to site VPN that's another issue that will require routes or IPSEC.

But first you must get your connection-mark and mark-routing working so replies from the router always go back on the WAN they were received on.
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz

Who is online

Users browsing this forum: No registered users and 40 guests