xcom
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Forward route

Tue Mar 27, 2018 9:35 pm

Hello All!

I want to point my local network to my CRS125-24G-1S-RM as the gateway. In the CRS125-24G-1S-RM I want to tell it that all networks with 10.XXX.XXX.XXX go out through my pfsense; else go out through the CRS125-24G-1S-RM gateway.

I.e.: 10.60.77.0/24 LAN.... non-routable addresses go to 10.60.77.1
Everything else goes out through ether1-gateway.


How can I do that?

Thanks!
 
xcom

Re: Forward route

Tue Mar 27, 2018 10:12 pm

Also, if I cannot choose a subnet, can I do a host? If so, how?

Thanks!
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Forward route

Tue Mar 27, 2018 10:22 pm

Your description is unclear; it appears to be recursive.
Do you know basic IP routing?
 
xcom

Re: Forward route

Tue Mar 27, 2018 10:51 pm

lol I do... I just don't know how to say it the right way. :P

If my mikrotik is my gateway, how can I tell it to send non-routable addresses (meaning the internet) through my pfsense box? I know how to do this with a brocade but mikrotik is a whole different monster.. :)
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Forward route

Tue Mar 27, 2018 10:52 pm

It still is not any clearer. Provide a network diagram so we can see the physical and IP relationships between the devices.
 
xcom

Re: Forward route

Wed Mar 28, 2018 12:19 am

It still is not any clearer. Provide a network diagram so we can see the physical and IP relationships between the devices.
Look at the attached diagram
 
anav

Re: Forward route

Wed Mar 28, 2018 2:15 am

Are you saying that the mikrotik and Pfsense routers are both attached to the same modem?
That the modem provides two public IP addresses??
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Forward route

Wed Mar 28, 2018 2:16 am

/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsense

/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsense passthrough=no src-address=10.30.2.0/24
Last edited by 2frogs on Wed Mar 28, 2018 2:41 am, edited 1 time in total.
 
xcom

Re: Forward route

Wed Mar 28, 2018 2:20 am

That the modem provides two public IP addresses??
That is right.

@anav, you don't happen to hang around the DSLReports forum?
Last edited by xcom on Wed Mar 28, 2018 2:27 am, edited 1 time in total.
 
xcom

Re: Forward route

Wed Mar 28, 2018 2:25 am

/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsence

/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsence passthrough=no src-address=10.30.2.0/24
I think this is what I am looking for.
Thanks for the help.
All inputs/ideas/comments are still welcome.
 
xcom

Re: Forward route

Wed Mar 28, 2018 2:48 am

/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsense

/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsense passthrough=no src-address=10.30.2.0/24
It did the trick but is causing a huge performance degradation on going out to the internet... Not sure what's going on... It takes about 10 seconds to resolve an address...
The DNS Server is pfsense....
 
anav

Re: Forward route

Wed Mar 28, 2018 3:52 am

yes the very same xcom, I was wondering about your nick LOL. I recently bought a hEX to play with.
 
xcom

Re: Forward route

Wed Mar 28, 2018 3:56 am

yes the very same xcom, I was wondering about your nick LOL. I recently bought a hEX to play with.
LOL!
Small world after all!
Those are very nice. I own one and love it!
 
anav

Re: Forward route

Wed Mar 28, 2018 4:09 pm

Okay so the diagram helped!
I now understand that mikrotik is responsible for handling an amount of the traffic from your networks to the ISP modem and to the internet.
However for some network traffic you want to be able to shift that traffic from the Mikrotik to the pfsense router and use a DNS the pfsense router is dictating and then out the door, and on a separate public IP.

Here is my take on your situation. Overly complicated!
Why not use the mikrotik to do both?? Get rid of pfsense, the p is for PUNT!!!

ISP1 - Mikrotik interface ether1
ISP2 - Mikrotik interface ether10

Create
BridgeMikrotik ether2-5
BridgePFsense ether3-9

Assign
Ip address Bridgemikrotik 192.168.88.1/24 network 192.168.88.0
IP address BridgePFsense 10.60.77.1/24 network 10.60.77.0

IP interface list
WAN
isp1
isp2
LAN
BridgeMikrotik
BridgePFsense

Assign DHCP servers and pools as appropriate.

Routes and Mangles ( a new combo chips & fruit snack I will invent)
There are two ways I would think about doing this and remember I am a complete newb at this router.
1. a. assign route rules such that mikrotik is default go to router for internet traffic, with old pfsense route as secondary and not used unless primary fails.
b. mark thru mangle rule oldpfsense traffic and tell it to go through ISP2 with another route rule

OR
2. assign both interfaces mangle rules and route rules separately.

1. route mikrotik
0.0.0.0/0
interface: actual gateway IP of ISP1
distance = 1
ping gateway

route oldpfsense
0.0.0.0/0
interface: actual gateway IP of ISP2
distance=2

Mangle Rule for oldpfsense traffic,
Chain - prerouting
Source address 10.60.77.0 ****
In-Interface: LAN
Action TAB
action - mark routing
new routing mark - OldPF

route
0.0.0.0/0
gateway IP - actual IP of ISP2 Gateway
Routing mark - OldPF

OR Approach

2. Two routes and two mangle rules........

route mikrotik
0.0.0.0/0
interface: actual gateway IP of ISP1
routing mark - mikrotik_traffic

route oldpfsense
0.0.0.0/0
interface: actual gateway IP of ISP2
routing mark - pfsense_traffic

Mangle Rule for mikrotik traffic,
Chain - prerouting
Source address 192.168.88.0 ****
In-Interface: LAN
Action TAB
action - mark routing
new routing mark - mikrotik_traffic

Mangle Rule for oldpfsense traffic,
Chain - prerouting
Source address 10.60.77.0 ****
In-Interface: LAN
Action TAB
action - mark routing
new routing mark - pfsense_traffic

There you have it, and hopefully the sobs and solars of the world will point out where I have gone horribly wrong. :-)
**** I am not sure how to actually describe source address as from any IP within the particular LAN is it 192.168.88.0 or 192.168.88.0/0


PS....... DNS hmmmmm I am piss poor at understanding how DNS works on any router but suggest at the DHCP server settings under the NETWORK TAB, there is a spot, normally blank for you to put in the DNS server of your choice vice the default ISP ones normally used. If I am not mistaken the Mikrotik will use the ones you set up first (can be more than one) prior to using the ISP DNS servers.

On the other hand there is a more direct IP DNS settings tab. Here one can see a blank spot at the top perhaps to add servers and below this it shows the default ISP DNS servers being used.
However at this spot I am not sure what use it is if you have TWO WANS? The DHCP server Network Tab seems more useful in that you are telling each network to use a specific DNS server.

I would like to know the purpose and hierarchy of this IP DNS Tab.
For example if one puts a specific DNS server under the IP DNS Tab does that automatically override the default DNS servers from ISP for all networks?
For example if one puts a specific DNS Server under the IP DNS Tab does that automatically override the DHCP SERVER additions one could make at the Networks Tab?
What is the relationship??
 
xcom

Re: Forward route

Wed Mar 28, 2018 6:14 pm

So your options work and, like the others, are what I need.
But what I don't understand is... As soon as I make the changes... Internet out pfsense slows down... I actually thought it was DNS but it is not. A simple curl to get an IP response over the internet takes over 5 seconds. :(
 
anav

Re: Forward route

Wed Mar 28, 2018 7:46 pm

Hence my suggestion to only use the mikrotik and Punt the pfsense unit out the door, down the street and into a body of water of your choice............... (probably to join your old zyxel unit).
 
xcom

Re: Forward route

Wed Mar 28, 2018 8:01 pm

Hence my suggestion to only use the mikrotik and Punt the pfsense unit out the door, down the street and into a body of water of your choice............... (probably to join your old zyxel unit).
I wish I could anav. LOL
Work has me tied down to it. :(

I would need some serious help to transition from pfsense to Mikrotik. Trust me when I say I really want to.... The other part is that I would need something like a Mikrotik RouterBoard RB1100AHx4
Because of work, I have to proxy and we use openvpn.

Thoughts?
 
anav

Re: Forward route

Wed Mar 28, 2018 8:17 pm

No unfortunately, way above my pay grade LOL.
 
xcom

Re: Forward route

Wed Mar 28, 2018 8:25 pm

No unfortunately, way above my pay grade LOL.
Bah!
LOL!
 
2frogs

Re: Forward route

Wed Mar 28, 2018 8:39 pm

Use Tools>Traceroute with routing-table=pfsense and see if it shows you where the bottleneck is. Compare to routing-table=main.

And/Or

Connect a device directly to the pfsense and see if you get the same results.
 
xcom

Re: Forward route

Wed Mar 28, 2018 9:28 pm

Use Tools>Traceroute with routing-table=pfsense and see if it shows you where the bottleneck is. Compare to routing-table=main.

And/Or

Connect a device directly to the pfsense and see if you get the same results.
Systems with gateway out through the pfsense have no issues.
 
2frogs

Re: Forward route

Wed Mar 28, 2018 10:14 pm

Change your mangle rule from src-address=10.30.2.0/24 to src-address-list=pfsense and create address-list=pfsense address=10.30.2.3-10.30.2.254.

And make sure you're not catching that traffic with a src-nat rule or something silly like that.

And as always, a /export hide-sensitive is always appreciated!
 
xcom

Re: Forward route

Wed Mar 28, 2018 10:52 pm

Working on it!
 
2frogs

Re: Forward route

Wed Mar 28, 2018 11:30 pm

Another thing I just thought of, is the port your pfsense is connected to part of your LAN or is it isolated like a WAN?
 
xcom

Re: Forward route

Wed Mar 28, 2018 11:37 pm

Yes, pfsense has one leg in the mikrotik switch and is part of my LAN, all living under one subnet.... Then it has another leg carrying its own WAN.
 
xcom

Re: Forward route

Thu Mar 29, 2018 1:55 am

And as always, a /export hide-sensitive is always appreciated!
hide-sensitive really does not hide sensitive...
 
2frogs

Re: Forward route

Thu Mar 29, 2018 2:09 am

hide-sensitive really does not hide sensitive...
/export filename=export
and you can download the created export.rsc file and edit with your favorite text editor.

Is there a reason to have the pfsense in the same IP Scope as your LAN? Could you change it to a different IP scope?
 
xcom

Re: Forward route

Thu Mar 29, 2018 2:30 am

hide-sensitive really does not hide sensitive...
/export filename=export
and you can download the created export.rsc file and edit with your favorite text editor.

Is there a reason to have the pfsense in the same IP Scope as your LAN? Could you change it to a different IP scope?
I think that what I am trying to do by design is just plain broken due to the fact that both devices have their own GW and both live under the same subnet.... I think that it has to be either/or and make either device decide which GW to use... Meaning whatever device I decide to make primary has to handle which GW to use for whichever traffic....
Like Anav posted... I made things overly complicated by trying to fix a broken design...
I think I am going to leave this one alone unless you really think we can make everybody get along under the same roof.... Though thoughts are still welcome :D :P
 
2frogs

Re: Forward route

Thu Mar 29, 2018 4:20 am

No, I think it is something simple that is being overlooked somewhere. Either a setting on the Mikrotik or on pfsense.

I just set up a test running pfsense on a virtual machine on my desktop with two virtual NICs. My router is 192.168.88.1/24 on bridge1. pfsense LAN is static to 192.168.88.5. I set 192.168.254.1/24 also on bridge1 on my router and set 192.168.254.2 on pfsense WAN. Using the mangle code I provided originally (modified to my IPs) and Route (modified to 192.168.88.5), I have no issues whatsoever. A tracert from my desktop shows it going from my router to LAN of pfsense, then out the WAN of pfsense and back to my router and out my ISP. And did so without even a blip!
 
xcom

Re: Forward route

Thu Mar 29, 2018 6:33 am

No, I think it is something simple that is being overlooked somewhere. Either a setting on the Mikrotik or on pfsense.

I just set up a test running pfsense on a virtual machine on my desktop with two virtual NICs. My router is 192.168.88.1/24 on bridge1. pfsense LAN is static to 192.168.88.5. I set 192.168.254.1/24 also on bridge1 on my router and set 192.168.254.2 on pfsense WAN. Using the mangle code I provided originally (modified to my IPs) and Route (modified to 192.168.88.5), I have no issues whatsoever. A tracert from my desktop shows it going from my router to LAN of pfsense, then out the WAN of pfsense and back to my router and out my ISP. And did so without even a blip!
Ok, That sounds very promising!
Here is what I got on my code:

/interface bridge
add admin-mac= auto-mac=no fast-forward=no mtu=1500 name=\
bridge-local
add fast-forward=no mtu=1500 name=bridge-trunk
/interface ethernet
set [ find default-name=ether1 ] mac-address= name=\
ether1-gateway
set [ find default-name=ether2 ] mac-address= name=\
ether2-master-local
set [ find default-name=ether3 ] mac-address= name=\
ether3-slave-local
set [ find default-name=ether4 ] mac-address= name=\
ether4-slave-local
set [ find default-name=ether5 ] mac-address= name=\
ether5-slave-local
set [ find default-name=ether6 ] mac-address= name=\
ether6-slave-local
set [ find default-name=ether7 ] mac-address= name=\
ether7-slave-local
set [ find default-name=ether8 ] mac-address= name=\
ether8-slave-local
set [ find default-name=ether9 ] mac-address= name=\
ether9-slave-local
set [ find default-name=ether10 ] mac-address= name=\
ether10-slave-local
set [ find default-name=ether11 ] mac-address= name=\
ether11-slave-local
set [ find default-name=ether12 ] mac-address= name=\
ether12-slave-local
set [ find default-name=ether13 ] mac-address= name=\
ether13-slave-local
set [ find default-name=ether14 ] mac-address= name=\
ether14-slave-local
set [ find default-name=ether15 ] mac-address= name=\
ether15-slave-local
set [ find default-name=ether16 ] mac-address= name=\
ether16-slave-local
set [ find default-name=ether17 ] mac-address= name=\
ether17-slave-local
set [ find default-name=ether18 ] mac-address= name=\
ether18-slave-local
set [ find default-name=ether19 ] mac-address= name=\
ether19-slave-local
set [ find default-name=ether20 ] mac-address= name=\
ether20-slave-local
set [ find default-name=ether21 ] mac-address= name=\
ether21-slave-local
set [ find default-name=ether22 ] mac-address= name=\
ether22-slave-local
set [ find default-name=ether23 ] mac-address= name=\
ether23-slave-local
set [ find default-name=ether24 ] mac-address= name=\
ether24-slave-local
set [ find default-name=sfp1 ] mac-address= name=\
sfp1-gateway
/interface vlan
add interface=bridge-local name=vlan2 vlan-id=2
add interface=bridge-local name=vlan3 vlan-id=3
/interface list
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vlan2 ranges=10.30.XX.100-10.30.XX.200
add name=vlan3 ranges=10.30.XX.100-10.30.XX.200
add name=dhcp_pool1 ranges=10.30.XX.1,10.XX.2.100-10.30.XX.254
/ip dhcp-server
add address-pool=vlan2 authoritative=after-2sec-delay disabled=no interface=\
vlan2 lease-time=3d name=server1-wireless
add address-pool=vlan3 authoritative=after-2sec-delay disabled=no interface=\
vlan3 lease-time=3d name=dmz_vlan3
add address-pool=dhcp_pool1 authoritative=after-2sec-delay interface=\
bridge-local name=dhcp1
/queue simple
add name=VoIP packet-marks=VoIP priority=2/2 target=10.30.XX.0/24
add max-limit=20M/100M name="Internal Network" priority=3/3 target=\
bridge-local,bridge-local
/snmp community
set [ find default=yes ] addresses=10.30.XX.13/32,10.30.XX.34/32
/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local disabled=yes hw=no interface=ether1-gateway
add bridge=bridge-local hw=no interface=sfp1-gateway
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-local interface=ether6-slave-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
add bridge=bridge-local interface=ether11-slave-local
add bridge=bridge-local interface=ether12-slave-local
add bridge=bridge-local interface=ether13-slave-local
add bridge=bridge-local interface=ether14-slave-local
add bridge=bridge-local interface=ether15-slave-local
add bridge=bridge-local interface=ether16-slave-local
add bridge=bridge-local interface=ether17-slave-local
add bridge=bridge-local interface=ether18-slave-local
add bridge=bridge-local interface=ether19-slave-local
add bridge=bridge-local interface=ether20-slave-local
add bridge=bridge-local interface=ether21-slave-local
add bridge=bridge-local interface=ether22-slave-local
add bridge=bridge-local interface=ether23-slave-local
add bridge=bridge-local interface=ether24-slave-local
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch port
set 0 dscp-based-qos-dscp-to-dscp-mapping=no
set 1 dscp-based-qos-dscp-to-dscp-mapping=no
set 2 dscp-based-qos-dscp-to-dscp-mapping=no
set 3 dscp-based-qos-dscp-to-dscp-mapping=no
set 4 dscp-based-qos-dscp-to-dscp-mapping=no
set 5 dscp-based-qos-dscp-to-dscp-mapping=no
set 6 dscp-based-qos-dscp-to-dscp-mapping=no
set 7 dscp-based-qos-dscp-to-dscp-mapping=no
set 8 dscp-based-qos-dscp-to-dscp-mapping=no
set 9 dscp-based-qos-dscp-to-dscp-mapping=no
set 10 dscp-based-qos-dscp-to-dscp-mapping=no
set 11 dscp-based-qos-dscp-to-dscp-mapping=no
set 12 dscp-based-qos-dscp-to-dscp-mapping=no
set 13 dscp-based-qos-dscp-to-dscp-mapping=no
set 14 dscp-based-qos-dscp-to-dscp-mapping=no
set 15 dscp-based-qos-dscp-to-dscp-mapping=no
set 16 dscp-based-qos-dscp-to-dscp-mapping=no
set 17 dscp-based-qos-dscp-to-dscp-mapping=no
set 18 dscp-based-qos-dscp-to-dscp-mapping=no
set 19 dscp-based-qos-dscp-to-dscp-mapping=no
set 20 dscp-based-qos-dscp-to-dscp-mapping=no
set 21 dscp-based-qos-dscp-to-dscp-mapping=no
set 22 dscp-based-qos-dscp-to-dscp-mapping=no
set 23 dscp-based-qos-dscp-to-dscp-mapping=no
set 24 dscp-based-qos-dscp-to-dscp-mapping=no
set 25 dscp-based-qos-dscp-to-dscp-mapping=no
/interface list member
add interface=ether2-master-local list=mactel
add interface=sfp1-gateway list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=sfp1-gateway list=mac-winbox
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=10.30.XX.0/24
/ip address
add address=10.30.XX.2/24 comment="default configuration" interface=\
ether2-master-local network=10.30.XX.0
add address=MYEXTIP/29 interface=ether1-gateway network=MYEXTIPNETWORK
add address=10.30.XX.1/24 interface=vlan2 network=10.30.XX.0
add address=10.30.XX.1/24 interface=vlan3 network=10.30.XX.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dhcp-server network
add address=10.30.XX.0/24 comment="default configuration" dns-server=10.30.XX.1 \
gateway=10.30.XX.2 netmask=24 next-server=192.168.88.1
add address=10.30.XX.0/24 dns-server=8.8.8.8 gateway=10.30.XX.1
add address=10.30.XX.0/24 dns-server=8.8.8.8 gateway=10.30.XX.1
/ip dns
set allow-remote-requests=yes servers=10.30.2.1
/ip dns static
add address=10.30.XX.2 name=router
/ip firewall address-list
add address=10.0.0.0/8 list=bogons
add address=172.16.0.0/26 list=bogons
add address=192.168.0.0/16 list=bogons
/ip firewall filter
add action=log chain=forward dst-address-list=bogons in-interface=vlan2
add action=accept chain=forward comment="default configuration" \
connection-state=established
add action=accept chain=forward comment="default configuration" \
connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall mangle
add action=mark-packet chain=forward new-packet-mark=VoIP passthrough=yes \
src-address=10.30.XX.53
add action=mark-packet chain=forward dst-address=10.30.XX.53 new-packet-mark=\
VoIP passthrough=yes
add action=mark-routing chain=prerouting dst-address=!10.30.XX.3-10.30.XX.254 \
in-interface=bridge-local new-routing-mark=mikrotik passthrough=no \
src-address=10.30.XX.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=10.30.XX.1 routing-mark=pfsense
add distance=1 gateway=MYEXTGW routing-mark=mikrotik
add check-gateway=ping distance=1 dst-address=10.30.XX.0/24 gateway=10.30.XX.1
add check-gateway=ping disabled=yes distance=1 dst-address=10.60.XX.0/24 \
gateway=10.30.XX.1
add check-gateway=ping distance=1 dst-address=172.29.XX.0/16 gateway=10.30.XX.1
add check-gateway=ping distance=1 dst-address=172.30.XX.0/16 gateway=10.30.XX.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
/lcd
set backlight-timeout=1h30m default-screen=stats
/lcd interface pages
set 0 interfaces="ether1-gateway,ether2-master-local,ether3-slave-local,ether4\
-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ethe\
r8-slave-local,ether9-slave-local"
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system leds
set 0 interface=ether1-gateway leds=""
/system ntp client
set enabled=yes primary-ntp=162.210.196.6 secondary-ntp=50.7.0.66
/tool e-mail
set address=10.30.XX.51 from=switch@domain
/tool graphing interface
add allow-address=10.30.XX.0/24
add allow-address=172.30.XX.0/24
/tool graphing resource
add allow-address=10.30.XX.0/24
add allow-address=172.30.XX.0/24
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon port
add
 
xcom

Re: Forward route

Thu Mar 29, 2018 9:50 pm

BumP :D
 
anav

Re: Forward route

Thu Mar 29, 2018 10:02 pm

Send $$$$ ;-PPP

What is the purpose of the IP neighbour discovery being set to everything but dynamic addresses??


your interface list makes no sense to me,
The purpose of the list is to define what is WAN and what is LAN.

Lastly I would have to better understand what the heck your mangle rule is doing.............. and what a mess the IP route seems to be...
Butt ugly IMHO ;-)

So the Mikrotik only has access to ISP1 through ether1 and The PFsense only has access to ISP2.
Gateway IP of ISP1?? xx.yy.cc.vv

You seem to have three networks, the standard default LAN 192.168.88.x
and you have two VLANs but not sure for what??
Should I assume 10.30.2.5 is for VLAN2 and 10.30.2.4 is for VLAN1??

Now nowhere in the thread can I find what the trigger is for 10.30.2.5 traffic to go to ISP2 vice ISP1.
Thus I am going to assume that the destination of the traffic from 10.30.2.5 is the trigger???
But I do not know if the trigger is the LAN gateway destination (Ie the PFSENSE 10.30.2.1)) or the ISP2 Gateway being the trigger ?????

Or is it via VLAN.
In other words 10.30.5.2 device is smart enough to send out ISP1 traffic on VLAN1 and ISP2 traffic on VLAN2???
 
anav

Re: Forward route

Fri Mar 30, 2018 6:20 am

Okay reading more slowly, basically the idea is this
All traffic from 10.30.2.5 intended for LAN destinations should use the Mikrotik LAN network
When 10.30.2.5 traffic needs to reach the internet it must go out the PFSENSE and ISP2.

Well eff me gently cause I have no clue on how to handle that.
Other than state when source address is 10.30.2.5 and destination is a WANIP, then mark this traffic in a Mangle Rule.
Then Route this traffic to the pfsense gateway.

Then use another mangle rule to identify all traffic coming into the pfsense gateway
then route this traffic to ISP2

Am I close LOL.
As per most posts the logic is missing or not explained of what exactly the program is functionally doing and thus I don't learn a damn thing :-(
 
xcom

Re: Forward route

Fri Mar 30, 2018 4:12 pm

/me takes a deep breath...

Ok.... Accounting for everything else and not local? I Only want to know what my vlans consume. Local is just me and I account for that in the pfsense.

vlan 2 and 3 are Guest vlan and test vlan

The dhcp pools: the default one is disabled. The rest are for the vlans. I also have one in there as the local network for a "Just in case"

The routes I agree is a cluster fuck but I was just testing. I deleted most of them.

The mangle rules are advice that I got on this thread. Look further up and you will see what they mean.
With the exception of the mangle rule for QoS.

Can I rename my ports without causing down time?
 
2frogs

Re: Forward route

Fri Mar 30, 2018 4:40 pm

What do you have for:
/interface bridge print
Set arp=proxy-arp and protocol-mode=none.

You can change interface names without any down time. Any rule you have pointing to that interface will change without it breaking anything.
 
xcom

Re: Forward route

Fri Mar 30, 2018 5:01 pm

What do you have for:
/interface bridge print
Set arp=proxy-arp and protocol-mode=none.

You can change interface names without any down time. Any rule you have pointing to that interface will change without it breaking anything.
[admin@MikroTik] > /interface bridge print
Flags: X - disabled, R - running
0 R name="bridge-local" mtu=1500 actual-mtu=1500 l2mtu=1588 arp=enabled arp-timeout=auto mac-address= protocol-mode=rstp fast-forward=no igmp-snooping=no
priority=0x8000 auto-mac=no admin-mac=4C:5E:0C:95:6D:76 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m region-name="" region-revision=0
max-hops=20 vlan-filtering=no pvid=1

1 R name="bridge-trunk" mtu=1500 actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address= protocol-mode=rstp fast-forward=no igmp-snooping=no
priority=0x8000 auto-mac=yes max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m region-name="" region-revision=0 max-hops=20 vlan-filtering=no
pvid=1
[admin@MikroTik] >

bridge-trunk is nothing and has no traffic... Well I think... I vaguely remember creating that.
 
xcom

Re: Forward route

Fri Mar 30, 2018 5:03 pm

Set arp=proxy-arp and protocol-mode=none.
You want me to set those options?
 
2frogs

Re: Forward route

Fri Mar 30, 2018 5:43 pm

Set arp=proxy-arp and protocol-mode=none.
You want me to set those options?
Yes, try those settings on your bridge.
 
xcom

Re: Forward route

Fri Mar 30, 2018 6:23 pm

Set arp=proxy-arp and protocol-mode=none.
You want me to set those options?
Yes, try those settings on your bridge.
Can you tell me how to run the command? Can't seem to see it under /ip arp...

Thanks!
 
anav

Re: Forward route

Fri Mar 30, 2018 6:26 pm

Clue XCOM - Bridge settings my friend, in WINBOX
 
xcom

Re: Forward route

Fri Mar 30, 2018 6:30 pm

Clue XCOM - Bridge settings my friend, in WINBOX
Ah.... I don't use Winbox, Linux here.
I'll spin up my VM and run it.
 
2frogs

Re: Forward route

Fri Mar 30, 2018 6:41 pm

/interface bridge set 0 arp=proxy-arp protocol-mode=none
Edit:
You can also use the interface name like:
/interface bridge set bridge-local arp=proxy-arp protocol-mode=none
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forward route

Fri Mar 30, 2018 6:47 pm

2frogs, how is the traffic on 10.30.2.5 that is destined for ISP2 (internet bound) sent to the pfsense and then out to ISP2 (where all the other 10.30.2.5 traffic is simply inter-LAN traffic that interacts with the Mikrotik router)?
As Led Zeppelin said....... Dazed and Confused!!
I cannot figure out from the rules how this is being done??
 
2frogs
Forum Veteran
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Forward route

Fri Mar 30, 2018 7:02 pm

@ Anav
/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsense
This creates a route for 0.0.0.0/0 (which basically means anything not local) to go out gateway=10.30.2.1 (which is the pfsense), but only if it has a routing-mark=pfsense.
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsense passthrough=no src-address=10.30.2.0/24
This is where we set the routing-mark=pfsense with a src-address=10.30.2.0/24 (which means any address from that range) going to dst-address=!10.30.2.0/24 (which means any address NOT (!=not) 10.30.2.0/24, basically 0.0.0.0/0) and chain=prerouting (means we do this before the routing decision is made).

Hope this helps.
 
xcom
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: Forward route

Fri Mar 30, 2018 7:21 pm

@ Anav
/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsense
This creates a route for 0.0.0.0/0 (which basically means anything not local) to go out gateway=10.30.2.1 (which is the pfsense), but only if it has a routing-mark=pfsense.
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsense passthrough=no src-address=10.30.2.0/24
This is where we set the routing-mark=pfsense with a src-address=10.30.2.0/24 (which means any address from that range) going to dst-address=!10.30.2.0/24 (which means any address NOT (!=not) 10.30.2.0/24, basically 0.0.0.0/0) and chain=prerouting (means we do this before the routing decision is made).

Hope this helps.
I did the same for my vlans and it works like a champ. It's just the forwarding of the traffic up to the pfsense that has a delay.
 
2frogs
Forum Veteran
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Forward route

Fri Mar 30, 2018 7:27 pm

Did you try with the changes to bridge?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forward route

Fri Mar 30, 2018 7:28 pm

Okay,
So you answered one of my questions..........
Do you route to the ISP2 or to the PFSense and the answer is the PFSense, which now makes sense because the PFsense rules will take care of what then happens to that traffic and thus clearer.

BUT.......you do two things I didn't think of.

a. you didn't narrow down your rules to traffic coming from 10.30.2.5
b. you applied the mangle rule to all traffic from 10.30.2.0.

Although this works, I disagree with the logic applied because you made an assumption that is not clear and I think false.
1. that no traffic from 10.30.2.0 was also destined for ISP1

In other words, you didn't take into account traffic from 10.30.2.4, the other box, that might be destined for ISP1.
In summary, you lumped in all traffic NOT going from the LAN to other LAN devices, as the mangle rule, and then routed this traffic to ISP2.

I would like comments from 2frogs and Xcom on the above analysis.
SHOOT ME DOWN please. :-)
 
2frogs
Forum Veteran
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Forward route

Fri Mar 30, 2018 7:38 pm

@Anav
Hello All!

I want to point my local network to my CRS125-24G-1S-RM as the gateway. In the CRS125-24G-1S-RM I want to tell it that for all networks with 10.XXX.XXX.XXX to go out through my pfsense, Else Go out through the CRS125-24G-1S-RM gateway.

IE: 10.60.77.0/24 LAN.... non-routable addresses go to 10.60.77.1
Everything else go out though ether1-gateway.


How can I do that?

Thanks!
This, the original post, is where I got the whole IP scope from, although I used the IPs from his diagram.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forward route

Fri Mar 30, 2018 8:02 pm

@Anav
Hello All!

I want to point my local network to my CRS125-24G-1S-RM as the gateway. In the CRS125-24G-1S-RM I want to tell it that for all networks with 10.XXX.XXX.XXX to go out through my pfsense, Else Go out through the CRS125-24G-1S-RM gateway.

IE: 10.60.77.0/24 LAN.... non-routable addresses go to 10.60.77.1
Everything else go out though ether1-gateway.


How can I do that?

Thanks!
This, the original post, is where I got the whole IP scope from, although I used the IPs from his diagram.
Concur, that on the surface it looks okay, but it's not clear to me what if any traffic goes out ISP 1 then???
It appears all traffic from 10.30.2.0 devices with destination to something other than 10.30.2.0 addresses (non-local) get sent to the PFsense and thus out ISP2 ???
 
xcom
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: Forward route

Fri Mar 30, 2018 8:45 pm

@Anav
Hello All!

I want to point my local network to my CRS125-24G-1S-RM as the gateway. In the CRS125-24G-1S-RM I want to tell it that for all networks with 10.XXX.XXX.XXX to go out through my pfsense, Else Go out through the CRS125-24G-1S-RM gateway.

IE: 10.60.77.0/24 LAN.... non-routable addresses go to 10.60.77.1
Everything else go out though ether1-gateway.


How can I do that?

Thanks!
This, the original post, is where I got the whole IP scope from, although I used the IPs from his diagram.
Concur, that on the surface it looks okay, but it's not clear to me what if any traffic goes out ISP 1 then???
It appears all traffic from 10.30.2.0 devices with destination to something other than 10.30.2.0 addresses (non-local) get sent to the PFsense and thus out ISP2 ???
Anav,

This is not complex. What is it about the logic that is wrong?
It's actually working but there is a delay on the packet and I am thinking it is because of the mark there is in the packet....

It is a hack and it is broken by design because a L3 switch can only have one default route. Not two, hence why we mark the packet and do post routing. Once the packet goes upstream to pfsense, pfsense then routes the packet accordingly... It's happening... But pfsense is not liking something... That something is why I am seeing a delay... We are getting there! :D
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forward route

Fri Mar 30, 2018 8:57 pm

You didn't answer the question directly XCOM.
What I needed to hear was

a. all non-local traffic from the 10.30.2.0 network (regardless if from 10.30.2.4 or 10.30.2.5) ie needs to go to the internet shall get routed to the PFSENSE device (for eventual TX thru ISP2)

b. no traffic from 10.30.2.0 network is required to go out ISP1 (regardless if from 10.30.2.4 or 10.30.2.5)

Logic is fallible when you miss out parts............

please confirm!
 
xcom
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: Forward route

Fri Mar 30, 2018 9:02 pm

You didn't answer the question directly XCOM.
What I needed to hear was

a. all non-local traffic from the 10.30.2.0 network (regardless if from 10.30.2.4 or 10.30.2.5) ie needs to go to the internet shall get routed to the PFSENSE device (for eventual TX thru ISP2)

b. no traffic from 10.30.2.0 network is required to go out ISP1 (regardless if from 10.30.2.4 or 10.30.2.5)

Logic is fallible when you miss out parts............

please confirm!
All 10.30.2.0/24 goes out to the internet through pfsense. Everything else (my vlans) out to the internet through Mikrotik.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forward route

Fri Mar 30, 2018 9:42 pm

Thanks, the seas have parted, I am going to cross the ocean bottom to the promised land to MT programming.

I hope you can see where I was uncertain.................
In your diagram you explicitly stated that 10.30.2.5 internet traffic had to go via the PFSENSE unit but there was no mention of the 10.30.2.4 which threw me off.
Where was 10.30.2.4's internet traffic going?? I asked myself.

It would have been less confusing if the statement was all 10.30.2.0 traffic or all traffic from 10.30.2.4 and 10.30.2.5 that had to go out the internet needed routing through the pfsense.

I understand now that only the 10.30.2.5 box has any requirement to go out the internet............

I quite like 2frogs method of stating, mark any traffic from 10.30.2.0/24 that is not going to 10.30.2.0/24 LOL
route this marked traffic to the pfsense.

On the other hand this would have worked as well too.
mark any traffic from 10.30.2.5 that is not going to 10.30.2.0/24
route this marked traffic to the pfsense.

I like this rule better because it is more focussed, and the MT CPU will not be bogged down inspecting all 10.30.2.0 traffic in the mangle rule.
/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsense
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsense passthrough=no src-address=10.30.2.5

thoughts??

as to why pfsense is slowing down the traffic ???
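An added, consolidated example (not code from the thread or from either poster) of the narrowed rule above as a complete RouterOS fragment, together with a masquerade rule scoped to the WAN port, since srcnat is the last thing the replies question, and the print commands used to verify each piece. Interface names ether1-gateway and bridge-local, the pfsense address 10.30.2.1 and the mark name pfsense are taken from the thread; the comments are assumed.

```routeros
# Policy routing so that only the Asterisk box 10.30.2.5 reaches the internet
# via pfsense (10.30.2.1) while every other network keeps using ether1-gateway.
# Added example, not the thread's own configuration.

# 1. Mark, before the routing decision, traffic from 10.30.2.5 that is not
#    destined for the local 10.30.2.0/24 subnet. passthrough=no stops any
#    later mangle rule from re-marking the packet.
/ip firewall mangle
add chain=prerouting src-address=10.30.2.5 dst-address=!10.30.2.0/24 \
    action=mark-routing new-routing-mark=pfsense passthrough=no \
    comment="policy-route 10.30.2.5 internet traffic to pfsense"

# 2. A default route consulted only for packets carrying that mark. The
#    unmarked main table keeps its existing default via ether1-gateway, so
#    the vlans are unaffected.
/ip route
add dst-address=0.0.0.0/0 gateway=10.30.2.1 routing-mark=pfsense distance=1 \
    comment="marked traffic -> pfsense"

# 3. Keep source NAT scoped to the WAN port. A masquerade rule with no
#    out-interface matches every forwarded connection, including ones the
#    router hands back onto bridge-local toward pfsense, so restrict it.
/ip firewall nat
add chain=srcnat out-interface=ether1-gateway action=masquerade \
    comment="NAT only what actually leaves via ISP1"

# 4. Verification: the mangle counter should climb when 10.30.2.5 opens an
#    internet connection, the marked route must show as active (flag A), and
#    the srcnat counter must NOT move for that traffic.
/ip firewall mangle print stats where new-routing-mark=pfsense
/ip route print where routing-mark=pfsense
/ip firewall nat print stats where chain=srcnat
```

If the mangle counter stays at zero while the NAT counter rises, the packets from 10.30.2.5 are not reaching the prerouting rule with the expected source address, which is the first thing to confirm before looking at pfsense.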
 
xcom
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: Forward route

Fri Mar 30, 2018 10:50 pm

Thanks, the seas have parted, I am going to cross the ocean bottom to the promised land to MT programming.

I hope you can see where I was uncertain.................
In your diagram you explicitly stated that 10.30.2.5 internet traffic had to go via the PFSENSE unit but there was no mention of the 10.30.2.4 which threw me off.
Where was 10.30.2.4's internet traffic going?? I asked myself.

It would have been less confusing if the statement was all 10.30.2.0 traffic or all traffic from 10.30.2.4 and 10.30.2.5 that had to go out the internet needed routing through the pfsense.

I understand now that only the 10.30.2.5 box has any requirement to go out the internet............

I quite like 2frogs method of stating, mark any traffic from 10.30.2.0/24 that is not going to 10.30.2.0/24 LOL
route this marked traffic to the pfsense.

On the other hand this would have worked as well too.
mark any traffic from 10.30.2.5 that is not going to 10.30.2.0/24
route this marked traffic to the pfsense.

I like this rule better because it is more focussed, and the MT CPU will not be bogged down inspecting all 10.30.2.0 traffic in the mangle rule.
/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsense
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsense passthrough=no src-address=10.30.2.5

thoughts??

as to why pfsense is slowing down the traffic ???
That's a good suggestion and yes I like it better instead of the whole subnet.
I found the problem!

LAN THEPUBLICIPOFMIKROTIK:5060 REGISTRATIONSERVER:5060 UDP

Mikrotik is passing the packets with the external address. WTF
LOL
Now I am the one that is puzzled.
Last edited by xcom on Fri Mar 30, 2018 11:11 pm, edited 2 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forward route

Fri Mar 30, 2018 11:04 pm

Traffic from where is going out the mikrotik??
Are you sure the source is 10.30.2.5
Are you sure this is not lan traffic leaking out the mikrotik or is it traffic intended for the internet??
 
xcom
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: Forward route

Fri Mar 30, 2018 11:10 pm

Traffic from where is going out the mikrotik??
Are you sure the source is 10.30.2.5
Are you sure this is not lan traffic leaking out the mikrotik or is it traffic intended for the internet??
Yes.
It's an Asterisk server trying to qualify a registration server. This is .5. And it is trying to go out of the pfsense as instructed by the preroute but SOMEHOW is going via the Mikrotik GW and inside the LAN, and because it is inside the LAN with a public address, it's being blocked.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forward route

Fri Mar 30, 2018 11:46 pm

Try narrowing down the mangle rule to 10.30.2.5
although it's probably some other cockup in the rules, maybe a srcnat situation ???
 
xcom
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: Forward route

Sat Mar 31, 2018 12:22 am

Try narrowing down the mangle rule to 10.30.2.5
although it's probably some other cockup in the rules, maybe a srcnat situation ???
I did set the source to .5
It's funny you say that, the GW port of the mikrotik is set to NAT. Is it not supposed to?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Forward route

Sat Mar 31, 2018 12:44 am

I would assume it's set correctly, i.e. the mikrotik router for all outgoing connections to ISP1 has masquerade applied.

Not sure how the 10.30.2.0 packets are getting confused in the mix though..........
I read something about preventing packets leaking out of the LAN but cannot remember where...............


Maybe you need a masquerade rule to the pfsense? for 10.30.2.0 traffic???
 
xcom
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: Forward route

Sat Mar 31, 2018 12:54 am

I would assume it's set correctly, i.e. the mikrotik router for all outgoing connections to ISP1 has masquerade applied.

Not sure how the 10.30.2.0 packets are getting confused in the mix though..........
I read something about preventing packets leaking out of the LAN but cannot remember where...............


Maybe you need a masquerade rule to the pfsense? for 10.30.2.0 traffic???
I hope somebody can chime in.... This is causing chaos :(
