
Connect three locations

Posted: Sat Dec 15, 2018 9:05 pm
by igpetkov
Hello everyone!
I am a beginner with MikroTik and have one problem which I can't resolve.
I hope someone can help me. Thank you

I have 3 sites with 3 mikrotik routers.
One of these sites has a MikroTik RB951G-2HnD, which is my L2TP VPN server.
The other two sites are L2TP VPN clients.

I created two secrets on my VPN server:

Secret 1: username and password for the VPN client, Local Address: 172.31.32.1, Remote Address: 172.31.32.2
Secret 2: username and password for the VPN client, Local Address: 172.31.32.1, Remote Address: 172.31.32.3

The connections are established successfully and the clients receive the IPs 172.31.32.2 and 172.31.32.3.

After that I created static routes on Router 1 (VPN server) to site 2 and site 3, and static routes on Routers 2 and 3 to Router 1.

Everything looks good and Router 1 has connectivity with Router 2 and Router 3.

But I need to set up a connection between Router 2 and Router 3 through the existing connections to Router 1.

Which routes have to be created to establish that connection?

Can someone help me?

Thank You

Re: Connect three locations

Posted: Sun Dec 16, 2018 6:11 pm
by mkx
Either you need a static route on router 2 for site 3 with router 1 as gateway (and the same on router 3 for site 2 with router 1 as gateway), or you need a default route via router 1 on routers 2 and 3 ... but this depends on the other setup on sites 2 and 3, and you really didn't give us much detail.

All of the above assumes that the IP addresses on all 3 sites don't overlap.

Re: Connect three locations

Posted: Sun Dec 16, 2018 7:56 pm
by igpetkov
Thank you, mkx!
I already have routes to routers 2 and 3 on router 1, but when I add a route on router 2 to router 3 through router 1 and on router 3 to router 2 through router 1:

8 A S 192.168.11.0/24 172.31.32.1

and

6 A S 192.168.10.0/24 172.31.32.1

there is no ping between routers 2 and 3.

I tried setting the VPN connection as the gateway, but had no success either.


This is the VPN server (Router 1):
[BurGas@Izgrev] > export
# dec/16/2018 19:47:17 by RouterOS 6.43.4
# software id = Q8ZW-C1T5
#
# model = 951G-2HnD
# serial number = 3E2D016AED59
/interface bridge
add fast-forward=no name=LAN
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=ether1 name=pppoe-out1 password=xxxxxx \
use-peer-dns=yes user=xxxxx
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=\
profile1 supplicant-identity="" wpa2-pre-shared-key=xxxxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-XX country=bulgaria disabled=no \
frequency=auto mode=ap-bridge security-profile=profile1 ssid=Ivan
/ip pool
add name=dhcp_pool0 ranges=192.168.2.201-192.168.2.250
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN lease-time=1d10m name=dhcp1
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=wlan1
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes ipsec-secret=xxx use-ipsec=required
/ip address
add address=192.168.2.1/24 interface=LAN network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=87.120.0.1,87.120.0.10,8.8.8.8 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip route
add distance=1 dst-address=192.168.10.0/24 gateway=172.31.32.3
add distance=1 dst-address=192.168.11.0/24 gateway=172.31.32.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=xxxxxx
set api-ssl disabled=yes
/ppp secret
add local-address=172.31.32.1 name="xxxxxxxx" password=xxxxxxxxxx remote-address=\
172.31.32.2 service=l2tp
add local-address=172.31.32.1 name="xxxxx" password=xxxxxxxxx remote-address=\
172.31.32.3 service=l2tp
/system clock
set time-zone-name=Europe/Sofia
/system identity
set name=xxxx
/system routerboard settings
set silent-boot=no
[BurGas@Izgrev] >


This is router 2:
[admin@Ralica Superior ATC] > export
# dec/16/2018 19:48:48 by RouterOS 6.42.5
# software id = 2RFZ-IBYK
#
# model = RouterBOARD 941-2nD
# serial number = 8AFE088CFE63
/interface bridge
add fast-forward=no name=AccessControl
add name=LAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] comment=WAN: mac-address=CC:2D:E0:43:89:91
set [ find default-name=ether2 ] mac-address=CC:2D:E0:43:89:92
set [ find default-name=ether3 ] mac-address=CC:2D:E0:43:89:93
set [ find default-name=ether4 ] mac-address=CC:2D:E0:43:89:94
/interface l2tp-client
add allow=mschap1,mschap2 connect-to=xxxxxxxxxxx disabled=no ipsec-secret=xxxxxxx name=l2tp-out1 \
password=xxxxxxxxxxxx use-ipsec=yes user="xxxxxxxxxxx"
add connect-to=xxxxxxxxxxx disabled=no ipsec-secret="xxxxxxxxx" name=maintenance password=\
"xxxxxxxxxxxxxxxxx" use-ipsec=yes user="xxxxxxxxxxxxx"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.10.51-192.168.10.99
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN lease-time=1d name=dhcp1
/interface bridge port
add bridge=LAN hw=no interface=ether2
add bridge=AccessControl interface=ether3
/ip address
add address=192.168.10.1/24 interface=LAN network=192.168.10.0
add address=10.10.18.101/24 interface=ether1 network=10.10.18.0
add address=10.10.3.1/24 interface=AccessControl network=10.10.3.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=10.10.3.0/24
add action=dst-nat chain=dstnat comment=SMDR: dst-address=10.10.18.101 dst-port=2300 protocol=tcp \
to-addresses=192.168.10.100
/ip route
add distance=1 gateway=10.10.18.1
add distance=1 dst-address=192.168.1.0/24 gateway=maintenance
add distance=1 dst-address=192.168.2.0/24 gateway=172.31.32.1
add distance=1 dst-address=192.168.11.0/24 gateway=172.31.32.1
add distance=1 dst-address=192.168.45.0/24 gateway=172.31.31.1
/system clock
set time-zone-name=Europe/Sofia
/system identity
set name="xxxxxxxxxxxx"
/system ntp client
set enabled=yes primary-ntp=79.98.105.18
/system routerboard settings
set silent-boot=no
[admin@Ralica Superior ATC] >



This is router 3:
[admin@Forest Beach] > export
# dec/16/2018 19:52:10 by RouterOS 6.42.5
# software id = F342-8V04
#
# model = RouterBOARD 941-2nD
# serial number = 8AFE08B9C1B7
/interface bridge
add name=LAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] mac-address=CC:2D:E0:42:64:C1
set [ find default-name=ether2 ] mac-address=CC:2D:E0:42:64:C2
set [ find default-name=ether3 ] mac-address=CC:2D:E0:42:64:C3
set [ find default-name=ether4 ] mac-address=CC:2D:E0:42:64:C4
/interface l2tp-client
add allow=mschap1,mschap2 connect-to=xxxxxxxxxxx disabled=no ipsec-secret=\
xxxxxxxxxx name=xxxxxxxxxxx password=xxxxxxxxxxxxxxxxxx use-ipsec=yes user=\
"xxxxxxxxxxxxxx"
add connect-to=xxxxxxxxxxxxxxx disabled=no ipsec-secret="xxxxxxxxxxxxxx" name=\
l2tp-out1 password="xxxxxxxxxxxxxxxxx" use-ipsec=yes user=xxxxxxxxxxxxxxxxxx
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.11.51-192.168.11.99
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN lease-time=1d10m name=\
dhcp1
/interface bridge port
add bridge=LAN hw=no interface=ether2
/ip address
add address=10.150.1.85/24 interface=ether1 network=10.150.1.0
add address=192.168.11.1/24 interface=LAN network=192.168.11.0
/ip dhcp-server lease
add address=192.168.11.150 client-id=1:bc:c3:42:a9:f5:b0 mac-address=\
BC:C3:42:A9:F5:B0 server=dhcp1
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.11.0/24
add action=dst-nat chain=dstnat dst-address=10.150.1.85 dst-port=2300 protocol=\
tcp to-addresses=192.168.11.101
/ip route
add distance=1 gateway=10.150.1.1
add distance=1 dst-address=192.168.1.0/24 gateway=l2tp-out1
add distance=1 dst-address=192.168.2.0/24 gateway=172.31.32.1
add distance=1 dst-address=192.168.10.0/24 gateway=172.31.32.1
add distance=1 dst-address=192.168.45.0/24 gateway=l2tp-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Sofia
/system identity
set name="xxxxxxxxxxxx"
/system routerboard settings
set silent-boot=no
[admin@Forest Beach] >



On routers 2 and 3 I also have other VPN connections.

I really hope you can help me, thank you

Re: Connect three locations

Posted: Sun Dec 16, 2018 8:02 pm
by JohnTRIVOLTA
It may be necessary to add accept rules for the three networks in the forward chain of the filter section on the three routers.

Re: Connect three locations

Posted: Sun Dec 16, 2018 8:19 pm
by igpetkov
I do not have any limitations in the filter.

Re: Connect three locations

Posted: Sun Dec 16, 2018 8:35 pm
by JohnTRIVOLTA
I do not have any limitations in the filter.
You don't have any rules in the routers at all?

Re: Connect three locations

Posted: Sun Dec 16, 2018 9:07 pm
by mkx
My guess is that on routers 2 and 3 your masquerade rules masquerade too much. Whatever is sent from e.g. site 2 towards site 1 and site 3 should probably not be masqueraded ... You could try to rewrite the masquerade rules to match outgoing interfaces or something ...

Re: Connect three locations

Posted: Sun Dec 16, 2018 9:30 pm
by JohnTRIVOLTA
My guess is that on routers 2 and 3 your masquerade rules masquerade too much. Whatever is sent from e.g. site 2 towards site 1 and site 3 should probably not be masqueraded ... You could try to rewrite the masquerade rules to match outgoing interfaces or something ...
+ you must select the outgoing interface in the src-nat rule!
After the routing decision the packet's source address is changed, because the src-nat rule has no out-interface selected. The rule now works on all interfaces, but it must select only the WAN interface.

Re: Connect three locations

Posted: Sun Dec 16, 2018 10:39 pm
by igpetkov
I am not sure what I have to do, but if I understand correctly I have to create two firewall -> NAT rules:

On one of the remote routers:
0 chain=srcnat action=src-nat to-addresses=172.31.32.3 src-address=192.168.10.0/24
dst-address=192.168.11.0/24 log=no log-prefix=""

On the other remote router:

0 chain=srcnat action=src-nat to-addresses=172.31.32.2
src-address=192.168.11.0/24 dst-address=192.168.10.0/24 log=no
log-prefix=""

These rules are in combination with two routes:
6 A S 192.168.10.0/24 172.31.32.1 1

8 A S 192.168.11.0/24 172.31.32.1 1

It does not work!!!
Maybe I did something wrong?!

Re: Connect three locations

Posted: Sun Dec 16, 2018 10:59 pm
by JohnTRIVOLTA
I am not sure what I have to do, but if I understand correctly I have to create two firewall -> NAT rules:

On one of the remote routers:
0 chain=srcnat action=src-nat to-addresses=172.31.32.3 src-address=192.168.10.0/24
dst-address=192.168.11.0/24 log=no log-prefix=""

On the other remote router:

0 chain=srcnat action=src-nat to-addresses=172.31.32.2
src-address=192.168.11.0/24 dst-address=192.168.10.0/24 log=no
log-prefix=""

These rules are in combination with two routes:
6 A S 192.168.10.0/24 172.31.32.1 1

8 A S 192.168.11.0/24 172.31.32.1 1

It does not work!!!
Maybe I did something wrong?!
Only change the existing srcnat rule on both routers:
router 2
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24 out-interface=ether1
router 3
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.11.0/24 out-interface=ether1

if ether1 is the WAN interface, of course!

Or this way, to be safe, since the complete network scheme is not entirely clear!

router 2
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24 out-interface=!l2tp-out1
router 3
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.11.0/24 out-interface=!l2tp-out1
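The mechanism behind mkx's two answers (spoke-to-spoke routes pointing at the hub, and masquerade rules that match too much) and JohnTRIVOLTA's fix can be replayed offline. The block below is an added example for this thread, not the posters' configuration and not anything from MikroTik: a small model of the three routers' routing tables, masquerade rules and connection tracking, built from the exports above. It assumes names for what the exports do not show: the hub's dynamic server-side L2TP interfaces (l2tp-r2, l2tp-r3), router 3's client to the hub (l2tp-to-r1, the real name is masked in its export), a placeholder PPPoE address (198.51.100.2) and a hub LAN host (192.168.2.201). The second tunnels, the AccessControl bridge, the dst-nat rules and the IPsec layer are left out because they do not change the path of a ping between the two sites.

```python
"""Added model, not from the thread or from MikroTik: replay a ping from site 2 to site 3 via
the L2TP hub (router 1) to show why the posted masquerade rules break the reply and the fix."""
from ipaddress import ip_address, ip_network


class Router:
    def __init__(self, name, ifaces, static, nat):
        self.name = name
        self.ifaces = ifaces    # iface -> (own address, connected network)
        self.static = static    # [(dst prefix, gateway IP or interface name)]
        self.nat = nat          # [(src prefix, out-interface match: None = any, "!x" = not x)]
        self.conntrack = {}     # (orig src, orig dst) -> src after srcnat

    def out_iface(self, dst):
        """Longest-prefix match as in /ip route; an IP gateway must sit in a connected network."""
        table = [(ip_network(n), i) for i, (_, n) in self.ifaces.items()]
        table += [(ip_network(p), gw) for p, gw in self.static]
        hits = [t for t in table if dst in t[0]]
        via = max(hits, key=lambda t: t[0].prefixlen, default=(None, None))[1]
        if via is None or via in self.ifaces:
            return via
        return next((i for i, (_, n) in self.ifaces.items() if ip_address(via) in ip_network(n)), None)

    def srcnat(self, src, out):
        """chain=srcnat action=masquerade: rewrite src to the out-interface's own address."""
        for prefix, match in self.nat:
            wanted = match is None or out == match or (match[0] == "!" and out != match[1:])
            if src in ip_network(prefix) and wanted:
                return ip_address(self.ifaces[out][0])
        return src


class Net:
    def __init__(self, routers, links, hosts):
        self.routers = {r.name: r for r in routers}
        self.links = {**links, **{b: a for a, b in links.items()}}  # tunnel ends, both directions
        self.hosts = hosts      # host IP -> (router, LAN interface)

    def send(self, src, dst):
        """Carry one packet hop by hop; returns (path, src as seen by the receiver or None, note)."""
        src, dst = ip_address(src), ip_address(dst)
        r = self.routers[self.hosts[str(src)][0]]
        path = [r.name]
        for _ in range(8):
            reply_of = next((k for k, v in r.conntrack.items() if src == k[1] and dst == v), None)
            if reply_of is not None:
                dst = reply_of[0]                            # reply: conntrack undoes the srcnat
            out = r.out_iface(dst)
            if out is None:
                return path, None, f"{r.name}: no route to {dst}"
            if reply_of is None and (src, dst) not in r.conntrack:
                r.conntrack[(src, dst)] = r.srcnat(src, out)  # only a connection's first packet hits srcnat
                src = r.conntrack[(src, dst)]
            peer = self.links.get((r.name, out))
            if peer is None:                                  # LAN or WAN side, no tunnel
                if self.hosts.get(str(dst)) == (r.name, out):
                    return path + [str(dst)], str(src), "delivered"
                return path, None, f"{r.name}: sent {dst} out {out}, lost"
            r = self.routers[peer[0]]
            path.append(r.name)
        return path, None, "hop limit"


def build(spoke_routes=True, masq_out=None):
    """The three routers from the exports (second tunnels, AccessControl and dst-nat left out).
    masq_out: out-interface match of the spokes' masquerade rule, a str or {router: str}."""
    m = lambda name: masq_out.get(name) if isinstance(masq_out, dict) else masq_out
    hub = Router("r1", {"LAN": ("192.168.2.1", "192.168.2.0/24"),
                        "pppoe-out1": ("198.51.100.2", "198.51.100.1/32"),  # placeholder public side
                        "l2tp-r2": ("172.31.32.1", "172.31.32.3/32"),       # dynamic server-side
                        "l2tp-r3": ("172.31.32.1", "172.31.32.2/32")},      # interfaces, names assumed
                 [("0.0.0.0/0", "pppoe-out1"), ("192.168.10.0/24", "172.31.32.3"),
                  ("192.168.11.0/24", "172.31.32.2")], [("0.0.0.0/0", "pppoe-out1")])
    to_hub = [("192.168.2.0/24", "172.31.32.1")]
    r2 = Router("r2", {"LAN": ("192.168.10.1", "192.168.10.0/24"),
                       "ether1": ("10.10.18.101", "10.10.18.0/24"),
                       "l2tp-out1": ("172.31.32.3", "172.31.32.1/32")},
                [("0.0.0.0/0", "10.10.18.1")] + to_hub
                + ([("192.168.11.0/24", "172.31.32.1")] if spoke_routes else []),
                [("192.168.10.0/24", m("r2"))])
    r3 = Router("r3", {"LAN": ("192.168.11.1", "192.168.11.0/24"),
                       "ether1": ("10.150.1.85", "10.150.1.0/24"),
                       "l2tp-to-r1": ("172.31.32.2", "172.31.32.1/32")},  # real name masked in the export
                [("0.0.0.0/0", "10.150.1.1")] + to_hub
                + ([("192.168.10.0/24", "172.31.32.1")] if spoke_routes else []),
                [("192.168.11.0/24", m("r3"))])
    links = {("r1", "l2tp-r2"): ("r2", "l2tp-out1"), ("r1", "l2tp-r3"): ("r3", "l2tp-to-r1")}
    hosts = {"192.168.2.201": ("r1", "LAN"),                                  # constructed hub LAN host
             "192.168.10.100": ("r2", "LAN"), "192.168.11.150": ("r3", "LAN")}  # both from the exports
    return Net([hub, r2, r3], links, hosts)


def round_trip(net, a, b):
    """Echo request a -> b and the reply back; ok is True only if the reply reaches a."""
    fwd, seen_as, note = net.send(a, b)
    if seen_as is None:
        return {"forward": fwd, "reply": [], "ok": False, "note": note}
    rep, _, note = net.send(b, seen_as)
    return {"forward": fwd, "reply": rep, "ok": note == "delivered", "note": note}


if __name__ == "__main__":
    for kw in ({"spoke_routes": False}, {}, {"masq_out": "ether1"}):
        print(kw, "->", round_trip(build(**kw), "192.168.10.100", "192.168.11.150"))
```

Running it prints three outcomes. With no spoke-to-spoke routes the request leaves router 2 via its default route on ether1. With the routes but the posted masquerade rules the request arrives at site 3 with source 172.31.32.3, so the echo reply is addressed to a tunnel address that router 3 has no route for, and it also leaves via the default gateway on ether1; site-to-hub traffic still worked because the hub has a connected /32 for each client address. With out-interface=ether1 (or a negated match on the tunnel to router 1) the request keeps its LAN source and the reply comes back through the hub. On a real router the same thing is visible in /ip firewall connection print, where the reply-dst address of the tracked connection shows whether the masquerade was applied. One reading of the exports worth checking before using the !l2tp-out1 form: on router 3 the routes to 192.168.1.0/24 and 192.168.45.0/24 point at l2tp-out1 while the hub's networks are reached via 172.31.32.1, so the client to router 1 there appears to be the other, masked interface, and the negated match must name that one.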