Community discussions

MUM Europe 2020
 
sharkboy
newbie
Topic Author
Posts: 35
Joined: Sun Mar 01, 2009 1:08 am

Multiple Wan

Mon Sep 24, 2012 5:42 pm

Hi
Previously I had 10 hotspots on one wan interface. Everything worked fine and when I connected to the WAN with VPN connection from my office I could access boxes on any subnet by using winbox from my desktop. I could connect to 192.168.0.100 and 192.168.20.5 for example.
Now i have added 3 more WAN lines and I have mangle setup so traffic from each box goes out on a specific WAN. Again the mangle is working OK but now I cant access the boxes that are mangled onto wan 2 and 3 from my VPN connection .
Winbox does not connect but I can ping the boxes ok and they are working fine but I just cant connect to them for management. I can connect to everything on WAN1
I know I need to add some ACCEPT rules to make them talk to each other but not sure what to use ?
To setup the mangle I used
ip - firewall - mangle - prerouting - src address 192.168.0.100 - action mark-routing=wifi2
this is the hotspot lan address and catches all traffic from the hotspot
and
ip - routes - 0.0.0.0/0 - gateway WAN2 routing mark wifi2
These are not the commands obviously but thats all I setup to make the mangle work.
Anyone like to help ?
 
sharkboy
newbie
Topic Author
Posts: 35
Joined: Sun Mar 01, 2009 1:08 am

Re: Multiple Wan

Mon Sep 24, 2012 11:58 pm

So here is a bit of the code to what I did

This is on a RB1200 with 3 PPPOE Dialups on ether1, 2, 3. It has a local lan 192.168.8.1/24 on ether4 and 5 hotspot routers on 192.168.7.0/24 range ether5. Also hotspot routers on 192.168.20.0/24.

When using 1 WAN everything routed fine and I could connect from local lan to the hotspot boxes and with a VPN I could also access all the boxes. The dude map had all the boxes online.

So then I routed some of the hotspot boxes by adding
chain=prerouting action=mark-routing new-routing-mark=wifi passthrough=no 
     src-address=192.168.20.9
This picks up all the traffic from the hotspot box 192.168.20.9 and marks it wifi

Then I added a route
Ip Route Add Dst-Address=0.0.0.0/0 Gateway="pppoeout2" Routing-Mark=wifi
(Now that I read it, can a route like this be passed to an interface name "pppoeout2" or is it better to route to the actual ip address. It works but is it correct ? )

So now the hotspot uses the second WAN but at the same time it is no longer reachable from the local lan or the vpn connection.

I have setup a NAT masquerade rule for both wan
chain=srcnat action=masquerade out-interface=pppoe-out1
chain=srcnat action=masquerade out-interface=pppoe-out2
I have disabled everything in the firewall just for testing but I cant figure out the missing link ?

So what am I missing to allow access to the subnets after adding a mangle rule?

ROS 5.14

Thanks
 
sharkboy
newbie
Topic Author
Posts: 35
Joined: Sun Mar 01, 2009 1:08 am

Re: Multiple Wan

Wed Sep 26, 2012 10:44 am

Anyone ?

Is this normal or a known fault ?

Thanks
 
sharkboy
newbie
Topic Author
Posts: 35
Joined: Sun Mar 01, 2009 1:08 am

Re: Multiple Wan

Wed Sep 26, 2012 7:29 pm

55 views and no replies ?

Not sure what other info I would need to post here to get a reply ?

Anyone got any suggestions ?

Thanks
 
sharkboy
newbie
Topic Author
Posts: 35
Joined: Sun Mar 01, 2009 1:08 am

Re: Multiple Wan

Fri Sep 28, 2012 3:01 pm

Hi

No help yet.

I have found that I can remotely connect with winbox to static IP address on first wan PPPOE connection on address 82.xxx.xx.5 and manage the router
But when I try to use winbox to connect to the static IP address on second WAN PPOE it is not accepted.
What needs to be done to accept the connections to winbox over second wan connection ?
I think this would also fix the other problems ?

Thanks
 
sharkboy
newbie
Topic Author
Posts: 35
Joined: Sun Mar 01, 2009 1:08 am

Re: Multiple Wan

Mon Oct 01, 2012 7:56 pm

bump
 
inibir
Member Candidate
Member Candidate
Posts: 116
Joined: Thu Nov 25, 2010 2:25 pm
Location: lebanon
Contact:

Re: Multiple Wan

Mon Oct 01, 2012 9:54 pm

 
sharkboy
newbie
Topic Author
Posts: 35
Joined: Sun Mar 01, 2009 1:08 am

Re: Multiple Wan

Mon Oct 01, 2012 10:50 pm

Hi
Thanks for he reply.

I used the wiki to get this far and that part is all working. Well the traffic is being routed out correctly.

So based on the wiki can I access the router on either external IP address ? And can the computers in each group
connect to each other ?

I have used the wiki as a guide so there are a couple of changes
I am using fixed addresses and not an address range for the src address but the rest of the mangle rule is tha same.
Not sure this is a problem as the outbound traffic is going out the correct wan.

The masquerade rule for each WAN does not have an IP address or range but has the routing mark only.
/ip route
add comment="INTERNET for wifi" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=pppoe-out2 routing-mark=wifi scope=30 target-scope=10
add comment="INTERNET for wifi" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=pppoe-out3 routing-mark="wifi 2" scope=30 target-scope=10
and NAT
 1   ;;; WIFI Internet
     chain=srcnat action=masquerade out-interface=pppoe-out2 

 2   ;;; WIFI Internet    LINE 2
     chain=srcnat action=masquerade out-interface=pppoe-out3
Any ideas what part is causing the trouble ?
 
deejayq
Member Candidate
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: Multiple Wan

Tue Oct 02, 2012 4:05 pm

i think there's something to do with the source port number used by winbox to connect to devices behind nat.
i had a similar experience with a rb behind a wireless router, the port for winbox and http from the rb were forwarded properly to the wireless router, http was working, winbox was not.
 
sharkboy
newbie
Topic Author
Posts: 35
Joined: Sun Mar 01, 2009 1:08 am

Re: Multiple Wan

Wed Oct 03, 2012 12:40 am

Hi
Thanks for trying to help but when I revert everything back to one wan I get all the access on all the interfaces that I need. So it seems that its something to do with NAT or route problem.

Something I didnt show on earlier posts was that I also have one default route
setup aswell without routing marks.
/ip route add gateway=pppoe-out2

If i remove the mangle rule then I can access the rb the way I want, over vpn and works with the dude. That is what I have been doing to get access when required but I know it should not be like this.

From another post in the forums http://forum.mikrotik.com/viewtopic.php?f=7&t=37898 there is something similar for mangle
Code:
/ip firewall mangle add chain=prerouting src-address=198.54.15.0/24 action=mark-routing new-routing-mark=r_178
/ip firewall mangle add chain=prerouting src-address=192.168.10.0/24 action=mark-routing new-routing-mark=r_178
/ip firewall mangle add chain=prerouting src-address=192.168.11.0/24 action=mark-routing new-routing-mark=r_172
/ip firewall mangle add chain=prerouting src-address=192.168.12.0/24 action=mark-routing new-routing-mark=r_172

/ip route add gateway=178.242.0.200 routing-mark=r_178
/ip route add gateway=172.16.0.200 routing-mark=r_172


something like that. and if you need routing between those subnets, then you should add one more rule on the top with 'action=accept' and dst-address-list=my_local_subnets, then add all your four subnets to that address list
So i thought that was all i was missing, just missing an accept rule but no still does not work.

Who is online

Users browsing this forum: MSN [Bot], Paul9cf22ad1 and 57 guests