Community discussions

 
witom80
just joined
Topic Author
Posts: 7
Joined: Fri Aug 02, 2019 12:44 am

Access DSL modem in "bridge mode" behind Mikrotik

Fri Aug 02, 2019 1:02 am

Hello together!

I have searched a long time and tried many things but nothing with success.
A similar topic was posted by icanfly at post viewtopic.php?t=139205 but the solution is not working for me. I don't know why.

In my setup I have a VDSL modem (Vigor 165) in "bridge mode" and connected to a Mikrotik RB 750G r3.
On the LAN side I'm using a pfSense Firewall which is the default gateway for my LAN. The gateway of the pfSense is the Mikrotik router.
For more details see the attached diagram:
Image

Internet is working, and also my LAN is working fine but I can't access the modem web interface.
Can someone help me please?

Here's my configuration:
# aug/01/2019 00:43:32 by RouterOS 6.44.3
# software id = Z7L3-P5LF
#
# model = RouterBOARD 750G r3
# serial number = XXXXXXXXXXXX
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] loop-protect=on rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] loop-protect=on rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] loop-protect=on rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] loop-protect=on rx-flow-control=auto tx-flow-control=auto
/interface vlan
add interface=ether1 name=vlan7 vlan-id=7
/interface bonding
add mode=active-backup name=bonding1 primary=ether2 slaves=ether2,ether3
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan7 name=pppoe-tcom password=XXXXXXXX use-peer-dns=yes user=XXXXXXXXXXXXXXXXXXXXXXXX#0001@t-online.de
/interface vlan
add interface=bonding1 name=vlan71 vlan-id=71
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface list member
add interface=bonding1 list=LAN
add interface=pppoe-tcom list=WAN
add interface=vlan71 list=LAN
add interface=vlan7 list=WAN
/ip address
add address=172.16.1.250/24 interface=vlan71 network=172.16.1.0
add address=172.16.2.250/24 interface=ether1 network=172.16.2.0
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.16.1.250 name=gw1.local ttl=1h
/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=10.0.0.0/8 list=bogons
add address=100.64.0.0/10 list=bogons
add address=127.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=172.0.0.0/12 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.168.0.0/16 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=240.0.0.0/4 list=bogons
add address=10.0.0.0/8 list=rfc1918
add address=172.16.0.0/12 list=rfc1918
add address=192.168.0.0/16 list=rfc1918
/ip firewall filter
add action=accept chain=input comment="accept established,reladed" connection-state=established,related
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept LAN->*" in-interface-list=LAN
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop"
add action=fasttrack-connection chain=forward comment="fasttrack,established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=output comment="drop invalid" connection-state=invalid
/ip firewall nat
add action=dst-nat chain=dstnat comment="nat ipsec-esp" in-interface-list=WAN protocol=ipsec-esp to-addresses=172.16.1.249
add action=dst-nat chain=dstnat comment="nat udp IPSec" dst-port=500,4500 in-interface-list=WAN protocol=udp to-addresses=172.16.1.249
add action=src-nat chain=srcnat comment="nat to modem" dst-address=172.16.2.248 out-interface=ether1 to-addresses=172.16.2.248
add action=masquerade chain=srcnat comment="masquerade LAN->WAN" dst-address-list=!rfc1918 out-interface-list=WAN src-address-list=rfc1918
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/system clock
set time-zone-name=Europe/Berlin
 
tdw
Member Candidate
Member Candidate
Posts: 173
Joined: Sat May 05, 2018 11:55 am

Re: Access DSL modem in "bridge mode" behind Mikrotik

Fri Aug 02, 2019 9:41 am

The NAT rule appears to be incorrect, either

/ip firewall nat
add action=src-nat chain=srcnat comment="nat to modem" dst-address=172.16.2.248 out-interface=ether1 to-addresses=172.16.2.250

or
add action=masquerade chain=srcnat comment="nat to modem" dst-address=172.16.2.248 out-interface=ether1
 
witom80
just joined
Topic Author
Posts: 7
Joined: Fri Aug 02, 2019 12:44 am

Re: Access DSL modem in "bridge mode" behind Mikrotik

Sat Aug 03, 2019 3:27 am

Changed nat filter to:
/ip firewall nat
add action=dst-nat chain=dstnat comment="nat ipsec-esp" in-interface-list=WAN protocol=ipsec-esp to-addresses=172.16.1.249
add action=dst-nat chain=dstnat comment="nat udp IPSec" dst-port=500,4500 in-interface-list=WAN protocol=udp to-addresses=172.16.1.249
add action=masquerade chain=srcnat comment="nat to modem" dst-address=172.16.2.248 out-interface=ether1
add action=masquerade chain=srcnat comment="masquerade LAN->WAN" dst-address-list=!rfc1918 out-interface-list=WAN src-address-list=rfc1918
But no success. No Access to the modem...
Any other idea?
 
witom80
just joined
Topic Author
Posts: 7
Joined: Fri Aug 02, 2019 12:44 am

Re: Access DSL modem in "bridge mode" behind Mikrotik

Sat Aug 03, 2019 12:14 pm

Do I need to add a bridge or do I need to add a seperate gateway?
 
sid5632
Member
Member
Posts: 349
Joined: Fri Feb 17, 2017 6:05 pm

Re: Access DSL modem in "bridge mode" behind Mikrotik

Sat Aug 03, 2019 12:29 pm

But no success. No Access to the modem...
You haven't said where you're testing FROM, and WHAT test you are performing.
 
mkx
Forum Guru
Forum Guru
Posts: 2604
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access DSL modem in "bridge mode" behind Mikrotik

Sat Aug 03, 2019 12:30 pm

Does PfSense know about 172.16.2.0/24? Or it treats it as "normal" WAN address?

Can your RB ping Vigor?
BR,
Metod
 
ros44
newbie
Posts: 37
Joined: Sun Feb 25, 2018 2:05 am
Location: Sofia, Bulgaria

Re: Access DSL modem in "bridge mode" behind Mikrotik

Sat Aug 03, 2019 12:32 pm

Can you ping the modem's IP from the MikroTik's command prompt? If not do you, at least, see a line with the MAC address of the modem in the /ip arp menu?
Every moment something magical is happening!
 
witom80
just joined
Topic Author
Posts: 7
Joined: Fri Aug 02, 2019 12:44 am

Re: Access DSL modem in "bridge mode" behind Mikrotik

Sat Aug 03, 2019 1:09 pm

You haven't said where you're testing FROM, and WHAT test you are performing.
Sorry, my mistake. I have tried to access the modem from inside my LAN (see picture of post 1).
So the test was from 10.0.20.51/24 to 172.16.2.248/24.

Does PfSense know about 172.16.2.0/24? Or it treats it as "normal" WAN address?
pfSense does not know about 172.16.2.0/24. It treats it as normal WAN address.

Can your RB ping Vigor?
Not from the LAN, but from MikroTik's command prompt (by setting ether1 interface on ping command)

Can you ping the modem's IP from the MikroTik's command prompt?
Just if ether1 is set as interface on ping command.
 
witom80
just joined
Topic Author
Posts: 7
Joined: Fri Aug 02, 2019 12:44 am

Re: Access DSL modem in "bridge mode" behind Mikrotik

Sat Aug 03, 2019 2:06 pm

New tests:
1. ping from 172.16.1.249 (pfSense WAN) to 172.16.2.250 (Mikrotik ip set on ether1) -> response OK
2. ping from 172.16.1.249 (pfSense WAN) to 172.16.2.248 (Vigor) -> no response
3. ping from Mikrotik:
[admin@MikroTik] > ping 172.16.2.248 count=3
  SEQ HOST                                     SIZE TTL TIME  STATUS           
    0 172.16.2.248                               56 255 0ms  
    1 172.16.2.248                               56 255 0ms  
    2 172.16.2.248                               56 255 0ms  
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 

[admin@MikroTik] > ping 172.16.2.248 count=3 interface=ether1
  SEQ HOST                                     SIZE TTL TIME  STATUS           
    0 172.16.2.248                               56 255 0ms  
    1 172.16.2.248                               56 255 0ms  
    2 172.16.2.248                               56 255 0ms  
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 

[admin@MikroTik] > ping 172.16.2.248 count=3 interface=vlan71
  SEQ HOST                                     SIZE TTL TIME  STATUS           
    0 172.16.2.248                                            timeout          
    1 172.16.2.248                                            timeout          
    2 172.16.2.248                                            timeout          
    sent=3 received=0 packet-loss=100% 


Routing:
[admin@MikroTik] /ip route> print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-tcom                1
 1 ADC  62.XXX.XXX.79/32   84.XXX.XXX.240   pppoe-tcom                0
 2 ADC  172.16.1.0/24      172.16.1.250    vlan71                    0
 3 ADC  172.16.2.0/24      172.16.2.250    ether1                    0
 
mkx
Forum Guru
Forum Guru
Posts: 2604
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access DSL modem in "bridge mode" behind Mikrotik

Sat Aug 03, 2019 2:35 pm

When you're testing ping from PfSense, does counter of the appropriate masquerade rule increase?
BR,
Metod
 
witom80
just joined
Topic Author
Posts: 7
Joined: Fri Aug 02, 2019 12:44 am

Re: Access DSL modem in "bridge mode" behind Mikrotik

Sat Aug 03, 2019 2:48 pm

No, the counter does not change
 
ros44
newbie
Posts: 37
Joined: Sun Feb 25, 2018 2:05 am
Location: Sofia, Bulgaria

Re: Access DSL modem in "bridge mode" behind Mikrotik  [SOLVED]

Sat Aug 03, 2019 3:42 pm

It seems that the issue is routing-related or source/masquerade-related. Can you post again in a separate code your current /ip firewall nat of the MikroTIk and also the routing tables of both the PfSense and the MikroTik.
Every moment something magical is happening!
 
witom80
just joined
Topic Author
Posts: 7
Joined: Fri Aug 02, 2019 12:44 am

Re: Access DSL modem in "bridge mode" behind Mikrotik

Sat Aug 03, 2019 4:23 pm

It seems that the issue is routing-related or source/masquerade-related. Can you post again in a separate code your current /ip firewall nat of the MikroTIk and also the routing tables of both the PfSense and the MikroTik.
Wow - Thanks for the tip with the pfSense routing table...! Now I knew what the root cause was!
My network is a little bit more complicated than described at the picture. In reality I have two pfSense which are configured as high available using CARP.
What I completely have forgotten is that the SYNC Interface between the pfSense is using the same subnet.

So my solution was really simple: Changing the subnet from 172.16.2.0/24 to 172.16.3.0/24. The ether1 has now 172.16.3.250 and the Vigor has now 172.16.3.248. Also changed the nat rule to match the new vigor IP and now I can access the webui of my modem.

Thank you all for your help!

Who is online

Users browsing this forum: No registered users and 26 guests