dacian
just joined
Topic Author
Posts: 7
Joined: Mon Sep 20, 2021 6:20 pm
Location: Timisoara, Romania

Multi IP PPPOE Wan routing

Mon Sep 20, 2021 6:41 pm

Hello everybody,
I am new here and I have been using MikroTik products for about a year, and I must say I am very satisfied :)

I am running a micro-datacenter/home-lab type of environment where I host some websites and play around with new tech (k8s, Proxmox, etc.), and for the past 5 years everything has been running very well. Now I decided to get a second static IP from my ISP to migrate all services to that IP and leave the old IP for web surfing. Both IPs are configured via two PPPoE clients listening on the eth1 interface.
Everything looks good, I have internet connectivity on both IPs/connections, but I am having a hard time routing/NATing traffic to my servers from the second IP.
I have searched Google for a few days now and tried a bunch of configs, but nothing seems to work properly. I used the config listed here: https://serverfault.com/questions/66091 ... n-internet with partial success: it works, but the "performance" is very bad, it takes a few seconds to load a basic HTML page.
My knowledge of networks is limited, but I managed to figure everything out using Google in the past; this situation is a bit too much. Can somebody help me with some configuration and maybe some explanation?
Here is the config dump:
Here is the config dump:
# sep/20/2021 18:24:31 by RouterOS 6.48.4
# software id = US0R-A0TX
#
# model = RB750Gr3
# serial number = CC210DE0CC7C
/interface bridge
add admin-mac=08:55:31:36:57:72 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=PPPOE
set [ find default-name=ether4 ] comment=SWITCH
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=WAN1 \
    use-peer-dns=yes user=
add disabled=no interface=ether1 keepalive-timeout=disabled name=WAN2 user=\
    
/interface vlan
add comment="Unsafe/Guest VLAN" interface=ether4 name=UNSAFE vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.0.0.60-10.0.0.100
add name=dhcp_pool3 ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool3 disabled=no interface=UNSAFE name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=default use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=OVPN-server.crt_0 cipher=aes256 \
    require-client-certificate=yes
/ip address
add address=10.0.0.1/24 comment=defconf interface=ether2 network=10.0.0.0
add address=10.0.10.1/24 interface=UNSAFE network=10.0.10.0
/ip arp
add address=10.0.0.2 comment="D-Link Switch/Router/AP" interface=bridge \
    mac-address=10:FE:ED:E6:5B:7E
add address=10.0.0.40 comment=Truenas interface=bridge mac-address=\
    0C:C4:7A:74:F0:3C
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.0.10.254 client-id=1:b8:27:eb:79:d0:c9 mac-address=\
    B8:27:EB:79:D0:C9 server=dhcp1
add address=10.0.10.252 mac-address=C4:4F:33:8E:C7:A2 server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.102,10.0.0.1 \
    gateway=10.0.0.1 netmask=24
add address=10.0.10.0/24 dns-server=10.0.0.102,1.1.1.1 gateway=10.0.10.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.102,1.1.1.1
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=yes dst-port=1194 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="PIHOLE DNS Query UDP" dst-address=\
    10.0.0.102 dst-port=53 in-interface=UNSAFE protocol=udp
add action=accept chain=forward comment="PIHOLE DNS Query TCP" dst-address=\
    10.0.0.102 dst-port=53 in-interface=UNSAFE protocol=tcp
add action=accept chain=forward comment=SMB dst-address=10.0.0.40 dst-port=\
    445 in-interface=UNSAFE protocol=tcp
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=reject chain=forward in-interface=UNSAFE out-interface=bridge \
    reject-with=icmp-network-unreachable
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=wan2 passthrough=\
    yes src-address=10.0.0.150
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN1 protocol=tcp \
    to-addresses=10.0.0.205 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN1 protocol=tcp \
    to-addresses=10.0.0.205 to-ports=443
add action=dst-nat chain=dstnat dst-port=22 in-interface=WAN1 protocol=tcp \
    to-addresses=10.0.0.205 to-ports=2200
add action=dst-nat chain=dstnat dst-port=51820 in-interface=WAN1 protocol=udp \
    to-addresses=10.0.0.210 to-ports=51820
add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN2 protocol=tcp \
    to-addresses=10.0.0.150 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN2 protocol=tcp \
    to-addresses=10.0.0.150 to-ports=443
/ip route
add check-gateway=ping distance=10 gateway=WAN2 routing-mark=wan2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh address=10.0.0.0/24 disabled=yes
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name="MikroTik Router hEX"
/system ntp client
set enabled=yes server-dns-names=\
    0.europe.pool.ntp.org,1.europe.pool.ntp.org,2.europe.pool.ntp.org
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
dacian

Re: Multi IP PPPOE Wan routing

Fri Sep 24, 2021 10:12 am

Bump
 
dacian

Re: Multi IP PPPOE Wan routing

Wed Sep 29, 2021 10:38 am

Bump
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi IP PPPOE Wan routing

Wed Sep 29, 2021 2:24 pm

(1) I am not familiar with multiple PPPoE clients but will take your word for it that they can come in on the same ether1 connection.

(2) One error I see is the IP address settings:
/ip address
add address=10.0.0.1/24 comment=defconf interface=ether2 network=10.0.0.0
add address=10.0.10.1/24 interface=UNSAFE network=10.0.10.0

should be the bridge.

(3) MISSING VLAN as a member of LAN.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=UNSAFE list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN1 list=WAN


(4) MISSING one route. You need a route for every WAN in the main table.
If you need to add special routes, you still need the main one.
For WAN1 you have the default route already selected in the pppoe-client.
For WAN2 it's missing (and you don't use the default route option).
Thus
/ip route
add check-gateway=ping distance=10 gateway=WAN2
add check-gateway=ping distance=10 gateway=WAN2 routing-mark=wan2
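A fuller version of points (3) and (4), written here as an added example for this thread; it is not anav's or dacian's configuration. It uses RouterOS 6.x syntax matching the export above, the interface names WAN1, WAN2 and bridge from that export (with the LAN address on the bridge, as recommended above), the server 10.0.0.150 that the export publishes on WAN2, and two names introduced only for this example: the connection mark wan2_in and the routing mark wan2. Beyond the two main-table routes, it adds what a per-source mangle rule alone does not cover: a connection mark so that replies to connections DNATed in on WAN2 are routed back out WAN2 instead of following WAN1's default route, the same steering for the router's own replies on the WAN2 address, and an exclusion of marked connections from fasttrack, because fasttracked packets bypass the mangle chain.

```routeros
# Added example, not from the thread. RouterOS 6.x syntax.
# Assumptions: pppoe clients WAN1/WAN2, LAN on "bridge", server 10.0.0.150
# published via WAN2; "wan2" (routing mark) and "wan2_in" (connection mark)
# are names chosen for this example.

/interface pppoe-client
# Manage default routes by hand so that both WANs get a main-table route.
set [ find name=WAN1 ] add-default-route=no
set [ find name=WAN2 ] add-default-route=no

/interface list member
# Every LAN-side interface belongs to the LAN list (defconf filters key on it).
add interface=UNSAFE list=LAN

/ip route
# Main table: WAN1 primary, WAN2 fallback (lowest distance wins).
add dst-address=0.0.0.0/0 gateway=WAN1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=WAN2 distance=2 check-gateway=ping
# Table "wan2": anything carrying routing mark wan2 leaves via WAN2.
add dst-address=0.0.0.0/0 gateway=WAN2 distance=1 routing-mark=wan2

/ip firewall mangle
# Tag connections that arrive on WAN2, or that the server originates, so that
# every later packet of the same connection can be steered the same way.
add chain=prerouting in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_in passthrough=yes
add chain=prerouting in-interface=bridge src-address=10.0.0.150 \
    connection-state=new action=mark-connection new-connection-mark=wan2_in \
    passthrough=yes
# Route the LAN-side packets of tagged connections through table wan2.
# The match is on the LAN side on purpose: the routing mark must be present
# when the reply is routed, and packets entering from WAN2 are not the ones
# that need to leave through WAN2.
add chain=prerouting in-interface=bridge connection-mark=wan2_in \
    action=mark-routing new-routing-mark=wan2 passthrough=no
# The router's own replies on the WAN2 address (e.g. to a ping) need the
# same treatment; they are routed in the output chain.
add chain=output connection-mark=wan2_in \
    action=mark-routing new-routing-mark=wan2 passthrough=no

/ip firewall filter
# Fasttracked packets skip mangle, so keep marked connections out of fasttrack;
# otherwise their replies fall back to the main table and leave through WAN1.
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark

/ip firewall nat
# Inbound on WAN2 to the server. The existing masquerade rule
# (out-interface-list=WAN) picks the right public address because the
# reply now exits via WAN2.
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=10.0.0.150
```

On RouterOS 7.x (which dacian later moved to) the table must be declared first with `/routing table add name=wan2 fib`, the routes use `routing-table=wan2` instead of `routing-mark=wan2`, and `/ip route rule` has become `/routing rule`; the mangle, filter and NAT rules are unchanged. To verify, `/ip route print` should show both default routes active with WAN1 preferred, and `/ip firewall connection print where connection-mark=wan2_in` should list a new connection each time the WAN2 address is hit from outside.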
 
dacian

Re: Multi IP PPPOE Wan routing

Fri Dec 10, 2021 12:42 pm

Bump
 
dacian

Re: Multi IP PPPOE Wan routing

Mon Feb 21, 2022 6:54 pm

Bump!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multi IP PPPOE Wan routing

Mon Feb 21, 2022 7:06 pm

Fasttrack and mangle rules don't go together. If you want it for a single host, you can use a routing rule instead of a mangle rule:
/ip route rule
add src-address=10.0.0.150/32 action=lookup-only-in-table table=wan2
 
dacian

Re: Multi IP PPPOE Wan routing

Sat Mar 16, 2024 3:27 pm

After a long while, I'm coming back to this topic/issue.
So I still did not manage to configure the router to use both IP addresses that I have, but I would really like to give it another try.

The situation remains the same: my ISP gives me two IPs over two separate PPPoE clients, named WAN1 and WAN2.
My intention is to use one IP for traffic going to/from my homelab server (where I host some websites) and the other IP for normal web use.
One thing that I really want to implement this time around is separating the traffic/access between the two WANs, in the sense that I want the server WAN (let's say WAN1) to only "see" devices on its own network (VLAN1) and nothing else; for example, if someone were to hack one of the websites on the server, they would not be able to see/access any device connected to VLAN2.

Maybe this is a bit confusing, so I tried to draw a logical schematic.
[attachment: network.jpg]
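One way to get the isolation described in the post above, as an added example that is not part of dacian's configuration or of any reply in this thread. It uses RouterOS 6.x syntax like the export earlier in the thread, keeps the existing bridge as the "normal" LAN, and treats WAN2 as the server-facing WAN to stay consistent with the DNAT rules in that export (the post says "let's say WAN1"; which of the two is used does not change the rules). Everything else is hypothetical and named only for this example: a VLAN interface SERVERS (vlan-id 20, subnet 10.0.20.0/24) and a web server 10.0.20.10. The design goal is that DNATed traffic from the WAN can only ever land in the server VLAN, the server VLAN can reach the internet but no other LAN, and the router's own management plane is closed to it; a compromised web server then has nowhere to go except back out.

```routeros
# Added example, not from the thread. RouterOS 6.x syntax.
# Hypothetical names: VLAN "SERVERS" (id 20) on the bridge, subnet
# 10.0.20.0/24, web server 10.0.20.10, server-facing WAN "WAN2".
# Other LANs are the untagged bridge and the UNSAFE VLAN from the export.

/interface vlan
add name=SERVERS interface=bridge vlan-id=20 comment="server segment"
/ip address
add address=10.0.20.1/24 interface=SERVERS
/interface list member
add interface=SERVERS list=LAN

/ip firewall filter
# --- input: servers may only use DNS and DHCP on the router itself ---
add chain=input in-interface=SERVERS protocol=udp dst-port=53,67 \
    action=accept comment="servers: DNS/DHCP to router only"
add chain=input in-interface=SERVERS protocol=tcp dst-port=53 action=accept
add chain=input in-interface=SERVERS action=drop \
    comment="servers: no management access to the router"

# --- forward ---
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
# Admins on the main LAN may open sessions to servers; the returning
# packets are already accepted as established above.
add chain=forward in-interface=bridge out-interface=SERVERS action=accept \
    comment="admin LAN -> servers"
# Servers never initiate anything toward another LAN (bridge, UNSAFE, ...).
add chain=forward in-interface=SERVERS out-interface-list=LAN action=drop \
    comment="servers: no lateral movement"
# Servers may still reach the internet (package updates, certificate renewal).
add chain=forward in-interface=SERVERS out-interface-list=WAN action=accept
# From the WAN side only DNATed connections, and only into the server VLAN.
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    out-interface=SERVERS action=accept comment="published services"
add chain=forward in-interface-list=WAN connection-state=new action=drop \
    comment="drop all from WAN not DSTNATed"

/ip firewall nat
# Publish only the server-VLAN host. A DNAT rule that pointed at a 10.0.0.x
# host would be stopped by the forward rules above, which is the intended
# safety net against a mistaken port forward.
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=10.0.20.10
```

Rule order is what makes this work: the input drop for SERVERS must come after the established/related and DNS/DHCP accepts, and the forward "no lateral movement" drop must sit before any broad accept between LAN interfaces, so either rebuild the chains in this order or insert the new rules with `place-before=` against the existing defconf rules. `/ip firewall filter print` shows the final order, and a quick check from a server-VLAN host is that it resolves names and reaches the internet but cannot ping 10.0.0.1 or any host on the bridge.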
 
jaclaz
Long time Member
Posts: 569
Joined: Tue Oct 03, 2023 4:21 pm

Re: Multi IP PPPOE Wan routing

Sat Mar 16, 2024 4:19 pm

Maybe it is logical for you (because you know how the whole stuff is physically located and how it is connected), but I cannot understand the drawing.

What do you mean by PPPoE clients? What are those? Two ISP modems? You say you have two separate ones of those, yet they both seem to be connected to ether1? So what is it, a media converter from fibre with only one ether port out?

Then you have two VLANs that in your drawing are represented as if they were two separate LANs, yet they are both connected to ether5?

Also, are you still on 6.48.4?
What is your current configuration? (anav found a few mistakes at the time; did you implement his suggestions or something else?)
 
dacian

Re: Multi IP PPPOE Wan routing

Mon Mar 18, 2024 10:47 am

Looking again at my post, I can agree that my diagram does not make any sense... sorry for that!
Yes, I applied the suggestions that I got in the posts above, but it did not work back then; I also made the update to 7.x a while back.

It is clear to me that I have a skill issue with networking, and the way I want to set up everything is a bit more complex than what I am able to implement. But after a bit of back-and-forth with my ISP, they suggested using a switch between the ONT (the fiber box that they gave me) and my PPPoE clients. Previously I connected the ONT directly to the eth1 (WAN) port on the hEX router.

The setup now is like this:
[attachment: diagram.jpg]
I hope it makes more sense than the other diagram...

Thanks for the reply!
