JMeuli
just joined
Topic Author
Posts: 11
Joined: Tue Sep 07, 2010 4:51 am

Sending traffic to IPIP tunnel

Tue Sep 07, 2010 4:56 am

Hello Gents

Just had a little box dropped on my desk and been asked to do some testing for it, so I am basically a total beginner.

I am trying to set up the router to send all outgoing port 80 and 443 across an IPIP tunnel.

The tunnel appears to be set up (192.168.170.1/24) and I can ping the other end of the tunnel across the internet (192.168.170.2).

How can I add policy routes / IP filters to send traffic from a network, i.e. 192.168.1.0/24, on ports 80 and 443 to this tunnel interface?

I realise you may need more info just let me know

thanks

James
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Sending traffic to IPIP tunnel

Tue Sep 07, 2010 8:25 am

You have to set up mangle rules to mark routing and then add a route with that routing mark over the IPIP tunnel.
Here is an example of using mangle rules:
http://wiki.mikrotik.com/wiki/Load_Bala ... e_Gateways

The wiki also has other similar examples that might help you get started.
 
JMeuli
just joined
Topic Author
Posts: 11
Joined: Tue Sep 07, 2010 4:51 am

Re: Sending traffic to IPIP tunnel

Wed Sep 08, 2010 3:52 am

Hi there

I have set up a mangle rule with source address 192.168.1.0/24, dst address 0.0.0.0 and dst port 80,

action mark routing, new routing mark 'Tunnel Traffic'.

Regardless of setting up the route should I see traffic matching this rule under its statistics?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Sending traffic to IPIP tunnel

Wed Sep 08, 2010 4:03 am

Yes, if the rule is set up correctly. A destination address of 0.0.0.0 will not work. You either have to leave that off (it is not necessary), or you have to make it 0.0.0.0/0.
 
JMeuli
just joined
Topic Author
Posts: 11
Joined: Tue Sep 07, 2010 4:51 am

Re: Sending traffic to IPIP tunnel

Wed Sep 08, 2010 4:38 am

Hi there

Thanks for that tip, that has done the trick. I had tried with blank source and destinations and had no luck.

It appears that the WinBox GUI has a very large (30s+) delay, and I was making a change, testing it and moving on to another before it had taken effect.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Sending traffic to IPIP tunnel

Wed Sep 08, 2010 4:40 am

It should not have a noticeable delay. Are you accessing it via MAC address or via IP address? If the latter has a thirty-second delay, something is seriously wrong.
 
JMeuli
just joined
Topic Author
Posts: 11
Joined: Tue Sep 07, 2010 4:51 am

Re: Sending traffic to IPIP tunnel

Wed Sep 08, 2010 7:45 am

Hi again

I am still having trouble getting this to work and I cannot find anything on the wiki similar enough to what I am trying to accomplish, sorry if I'm being a bother.

What I want to be able to do is

Web request from client behind router A -> ipip tunnel (one way tunnel) -> Router B -> webserver -> router A

Since the latest change I am able to see the requests traversing the tunnel and hitting the webserver, but they seem to have a reply dst address of 192.168.1.111.

Without the mangle rule applied the packets have a reply dst of my WAN/public IP 222.154.x.x, which is what I would expect.

How can I make the packets that traverse the tunnel have a return DST of the WAN IP of the router?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Sending traffic to IPIP tunnel

Wed Sep 08, 2010 8:11 am

Post the output of "/ip firewall export", "/ip address print" and "/ip route print" as well as a network diagram.
 
JMeuli
just joined
Topic Author
Posts: 11
Joined: Tue Sep 07, 2010 4:51 am

Re: Sending traffic to IPIP tunnel

Thu Sep 09, 2010 1:28 am

Post the output of "/ip firewall export", "/ip address print" and "/ip route print" as well as a network diagram.

[admin@MikroTik] > /ip firewall export
# sep/08/2010 22:14:50 by RouterOS 4.10
# software id = QTDA-ABI5
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway
/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
    0.0.0.0/0 dst-port=80,443 new-routing-mark="Tunnel traffic" passthrough=\
    no protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no


[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK          BROADCAST        INTERFACE
 0   ;;; default configuration
     192.168.1.126/24    192.168.1.0      192.168.1.255    ether2-local-master
 1   192.168.170.1/24    192.168.170.0    192.168.170.255  ipip1
 2 D 222.154.xxx.15/24   222.154.xxx.0    222.154.xxx.255  ether1-gateway


[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS         PREF-SRC         GATEWAY             DISTANCE
 0 A S  0.0.0.0/0                            ipip1               1
 1 ADS  0.0.0.0/0                            222.154.238.254     0
 2 ADC  192.168.1.0/24      192.168.1.126    ether2-local-ma...  0
 3 ADC  192.168.170.0/24    192.168.170.1    ipip1               0
 4 ADC  222.154.xxx.0/24    222.154.xxx.15   ether1-gateway      0

I don't have my network diagram software on this machine; if you need it I can get it at the weekend.

I want traffic on ports 80 and 443 to be tunneled to another router, then access the webhost (it is working up to here).

The webhost needs to know to send the requested page to the source router (222.154.xxx.15), and the source router needs to recognize and accept this on its firewall.

MikroTik 222.154.xxx.15 -> IPIP tunnel 192.168.170.1 for ports 80 and 443 -> Cisco 6500 with tunnel interface 192.168.170.2 and public IP 202.89.xxx.245 -> Webhost -> 222.154.xxx.15
 
JMeuli
just joined
Topic Author
Posts: 11
Joined: Tue Sep 07, 2010 4:51 am

Re: Sending traffic to IPIP tunnel

Wed Sep 22, 2010 5:14 am

Any chance of some more help on this?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Sending traffic to IPIP tunnel

Wed Sep 22, 2010 6:01 am

The router can't send a packet with source IP A to destination IP B and then receive a packet to destination IP B but from source IP C as a reply. If reply traffic is sent to public IP of router and doesn't travel back via the tunnel the router cannot know what internal LAN IP address to forward the traffic to because there is no NAT action to undo.

I guess you could try source NATing the packet through the tunnel to the router WAN IP via an action of src-nat and a specific to-address (at which point you will lose the internal source IP as seen by the other end - which makes an IPIP tunnel pointless), but I am pretty sure connection tracking takes interfaces into account and will discard the return traffic as coming in from the wrong interface (WAN vs tunnel) anyway.

I don't think what you're trying to do can be done. Why do you want a one way tunnel?
 
JMeuli
just joined
Topic Author
Posts: 11
Joined: Tue Sep 07, 2010 4:51 am

Re: Sending traffic to IPIP tunnel

Wed Sep 22, 2010 7:04 am

It certainly can be done; perhaps I am not being clear about what I want to achieve.

I have done it using Cisco -> Cisco and ATI -> Cisco, and I was hopeful I could use MikroTik boxes to achieve the same thing.

I do NAT the tunnel interfaces on both of those brands.

I am doing so here: I have a NAT rule, src masq, out int tunnel.

I think I will try with a GRE tunnel

Is there anyone I can pay for help?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Sending traffic to IPIP tunnel

Wed Sep 22, 2010 7:19 am

If you're doing NAT across the tunnel, how is it a one way tunnel? NAT implies that the source address arriving at the other endpoint is the IP address of the tunnel interface. In your case that is a private IP address, so reply traffic has to go across the tunnel or the destination would be unreachable.

My job is 90% Cisco. Maybe if you post a Cisco to Cisco configuration I can help out. I don't do contract work so I cannot guarantee I will reply in a timely manner.
 
JMeuli
just joined
Topic Author
Posts: 11
Joined: Tue Sep 07, 2010 4:51 am

Re: Sending traffic to IPIP tunnel

Thu Sep 23, 2010 2:17 am

Thank you, any help is really appreciated, whenever you have the time

local router

interface Tunnel0
 ip address 192.168.114.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 tunnel source Dialer1
 tunnel destination 202.x.x.245

interface Vlan1
 ip address 192.168.1.125 255.255.255.0
 ip nat inside
 ip policy route-map tunnel

interface Dialer1
 ip nat outside
 ip access-group 103 in

ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 103 permit tcp any eq www any established
access-list 103 permit tcp any eq 443 any established

access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443

route-map tunnel permit 10
 match ip address 110
 set ip next-hop 192.168.114.2


endpoint router

interface Tunnel14
 description Office Test
 ip address 192.168.114.2 255.255.255.0
 ! GigabitEthernet5/2 carries 202.x.x.245
 tunnel source GigabitEthernet5/2
 tunnel destination 222.x.x.15

Basically this allows us to view outgoing web (or whatever required port) requests for anyone without having to take their downstream bandwidth.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Sending traffic to IPIP tunnel

Thu Sep 23, 2010 5:30 pm

I see.
/ip firewall nat
add chain=srcnat out-interface=ipip1 action=src-nat to-address=222.154.xxx.15
That performs the same kind of NAT your Cisco routers are doing. However, I'm not at all sure this is going to work on RouterOS. Give it a try - maybe it does. You're already sending the traffic across the IPIP tunnel, and the NAT rule above will perform the same source NAT translation you're doing on Cisco, so you'll have that side completely duplicated.

I think it's likely that while the Cisco NAT stack can apparently process the return traffic, the RouterOS NAT stack might not be able to piece together that the return traffic is part of the flow. It's my impression that connection tracking (which is responsible for assigning packets to flows, which in turn influences how source NAT is undone for return traffic to forward the packet back to the private IP address that originally initiated the flow) also uses input and output interfaces in its decision making process. Since the input interface for return traffic won't match the output interface the original packet left through, return traffic might be discarded due to not being able to match it to a flow. However, I might be completely and utterly wrong on that, so it's worth trying. If it doesn't work I don't see how you can implement your Cisco solution on RouterOS, simply because the NAT stacks have slightly different functionality.
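Pulling the thread's pieces together, here is the complete RouterOS configuration the discussion arrives at, written as an added example rather than copied from any post. It uses the interface names and addresses from the posted export (ether2-local-master, ether1-gateway, ipip1, 192.168.1.0/24) and the WAN address exactly as the poster masked it (222.154.xxx.15); the routing-mark name "tunnel" and the comments are my choice. It goes one step beyond the posted mangle rule by matching only on the LAN interface and subnet: the rule in the export marks any TCP 80/443 packet entering on any interface, including the WAN and the tunnel, which is wider than intended. The check commands at the end are standard RouterOS commands; the mangle counters answer the question asked earlier in the thread about whether a matching rule shows statistics before the route exists (it does). One caveat the thread does not raise: IPIP is bare encapsulation with no authentication or encryption, so the web traffic crosses the Internet in the clear and the outer source address of the tunnel packets can be spoofed. If that matters, run the tunnel over IPsec or at least restrict inbound IP protocol 4 on the WAN to the peer address.

```routeros
# Added example (not from the thread): policy-route LAN web traffic over the
# IPIP tunnel and source-NAT it to the WAN address so the far end replies
# straight back to the router's public IP. Names and addresses are taken
# from the posted export; 222.154.xxx.15 is the WAN address as masked there.

/ip firewall mangle
# Mark routing only for TCP 80/443 that really comes from the LAN.
# The posted rule had no in-interface or src-address match and so also
# matched traffic entering from the WAN or from the tunnel itself.
add chain=prerouting in-interface=ether2-local-master \
    src-address=192.168.1.0/24 protocol=tcp dst-port=80,443 \
    action=mark-routing new-routing-mark=tunnel passthrough=no \
    comment="LAN web traffic -> ipip1"

/ip route
# Default route that applies only to packets carrying the routing mark;
# everything else keeps using the dynamic default via ether1-gateway.
add dst-address=0.0.0.0/0 gateway=ipip1 routing-mark=tunnel distance=1 \
    comment="policy route for marked web traffic"

/ip firewall nat
# Rewrite the tunnelled flows to the WAN address so the far end answers
# 222.154.xxx.15 directly. Connection tracking reverses this on the reply
# even though it arrives on ether1-gateway rather than ipip1, which is the
# behaviour confirmed at the end of the thread.
add chain=srcnat out-interface=ipip1 action=src-nat \
    to-addresses=222.154.xxx.15 comment="tunnelled web traffic -> WAN IP"
# Existing rule for everything that leaves via the WAN directly; the two
# rules match different out-interfaces, so their order does not matter.
add chain=srcnat out-interface=ether1-gateway action=masquerade \
    comment="default configuration"

# Checks. Packet counters on the mangle rule rise as soon as a LAN client
# browses, whether or not the marked route exists yet; the marked route
# should be active; and the tunnelled flows should appear in the connection
# table with reply-dst-address set to the WAN address, not the LAN client.
/ip firewall mangle print stats
/ip route print where routing-mark=tunnel
/ip firewall connection print detail where protocol=tcp
```

If the connection table shows reply-dst-address of a 192.168.1.x client for a flow that left via ipip1, the src-nat rule is not matching (most often because the route sends the traffic out a different interface than the NAT rule names); fix the route first, then re-check the NAT counters.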
 
JMeuli
just joined
Topic Author
Posts: 11
Joined: Tue Sep 07, 2010 4:51 am

Re: Sending traffic to IPIP tunnel

Fri Sep 24, 2010 1:00 am

Thank you this has worked exactly as I'd hoped
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Sending traffic to IPIP tunnel

Fri Sep 24, 2010 1:06 am

So return traffic makes it? Just want to verify because that's a good thing to know.
 
JMeuli
just joined
Topic Author
Posts: 11
Joined: Tue Sep 07, 2010 4:51 am

Re: Sending traffic to IPIP tunnel

Fri Sep 24, 2010 1:22 am

Yes it is working 100% is there any output you would like me to show you?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Sending traffic to IPIP tunnel

Fri Sep 24, 2010 1:25 am

Nope, all good! Thanks for the confirmation. Learned something about RouterOS NAT. I really didn't think it would work.
