nicutdk
Frequent Visitor
Topic Author
Posts: 99
Joined: Sat Sep 24, 2016 12:06 pm

Multiple wan PPPoE same gateway

Sun Jul 15, 2018 6:33 pm

Hi,

I tried different ways to make this config work, but without success. I have public IPs only from PPPoE.

I did it exactly like the wiki example https://wiki.mikrotik.com/wiki/Manual:L ... bnet_links but without success.
I got the internet working from the LAN, but dst-nat does not work. I want to connect from the internet to all the IPs from PPPoE, but it is not working.
I tried some examples, but nothing works with DSTNAT.

In the log I see:
Jul/14/2018 23:16:55 firewall,info firewall: prerouting: in:Local(ether3) out:(unknown 0), src-mac 10:bf:48:4f:3f:11, proto UDP, 192.168.19.252:56740->192.168.19.255:20561, len 50
Jul/14/2018 23:16:55 firewall,info firewall: prerouting: in:Local(ether3) out:(unknown 0), src-mac 6c:3b:6b:83:35:b6, proto UDP, 192.168.19.251:60641->255.255.255.255:5246, len 48
Jul/14/2018 23:16:55 firewall,info firewall: prerouting: in:Local(ether3) out:(unknown 0), src-mac 10:bf:48:4f:3f:11, proto UDP, 192.168.19.252:56740->192.168.19.255:20561, len 50
I want to use dst-nat port forwarding for my servers but I can't do that.

Please, can you help me with that?
I do not know what to do anymore.
/interface bridge add fast-forward=no name=Local
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-out1 password=pRb654B user=rt65445
add disabled=no interface=ether1 name=pppoe-out2 password=626hggff8 user=rt56542
add disabled=no interface=ether1 name=pppoe-out3 password=yt78j543vh user=rt56545
/ip pool
add name=dhcp_pool0 ranges=192.168.18.1-192.168.19.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=Local name=dhcp1
/interface bridge port
add bridge=Local interface=ether3
add bridge=Local interface=ether4
add bridge=Local interface=ether5
/ip firewall connection tracking
set enabled=yes
/ip address
add address=192.168.16.1/22 interface=Local network=192.168.16.0
/ip dhcp-server network
add address=192.168.16.0/22 dns-server=192.168.16.1 gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
    servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=81.123.231.156 \
    new-routing-mark=toWAN2 passthrough=yes
add action=mark-routing chain=output new-routing-mark=toWAN2 passthrough=yes \
    src-address=81.123.231.156
add action=mark-routing chain=prerouting new-routing-mark=toWAN1 passthrough=\
    yes src-address=192.168.16.0/22
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=dst-nat chain=dstnat dst-address=81.123.231.156 dst-port=80 log=\
    yes protocol=tcp to-addresses=192.168.17.250 to-ports=80
/ip route
add distance=1 gateway=10.0.0.1%pppoe-out2 routing-mark=toWAN2
add distance=1 gateway=10.0.0.1%pppoe-out1 routing-mark=toWAN1
add distance=1 gateway=10.0.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Bucharest
/system routerboard settings
set silent-boot=no
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple wan PPPoE same gateway

Sun Jul 15, 2018 8:34 pm

The routing itself (gateway=10.0.0.1%pppoe-outX) is fine but as PPPoE is a point-to-point interface, the interface name alone is actually sufficient as route's gateway (the ip.add.re.ss%interface-name syntax is necessary only for point-to-multipoint interfaces). However, if you want your port-forwarding (dst-nat) to LAN servers to work, you need to assign a connection mark to each connection coming to the 'Tik from the internet to one of the pppoe-outX:

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=wan1 in-interface=pppoe-out1 passthrough=yes
add chain=prerouting action=mark-connection new-connection-mark=wan2 in-interface=pppoe-out2 passthrough=yes
add chain=prerouting action=mark-connection new-connection-mark=wan3 in-interface=pppoe-out3 passthrough=yes


To route response packets of these connections out via the correct pppoe-outX, you have to translate the connection-marks for packets forwarded from LAN to the internet into routing-marks:

/ip firewall mangle
add chain=prerouting action=mark-routing connection-mark=wan1 in-interface=ether3 new-routing-mark=wan1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=wan2 in-interface=ether3 new-routing-mark=wan2 passthrough=no
add chain=prerouting action=mark-routing connection-mark=wan3 in-interface=ether3 new-routing-mark=wan3 passthrough=no


And you must have the default routes with routing-marks in place:
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=wan1
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=wan2
add dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-mark=wan3


More details here.
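
The three steps described in the post above (connection mark on arrival, routing mark on the reply, marked default route), modelled in Python as an added example that is not part of the original post. The rule and route lines are the ones from the post; the last, unmarked default route via pppoe-out1 is an assumption standing in for the main table, and the model covers only the matchers these rules use.

```python
# Mangle rules and marked routes copied from the post above.
MANGLE = """\
add chain=prerouting action=mark-connection new-connection-mark=wan1 in-interface=pppoe-out1 passthrough=yes
add chain=prerouting action=mark-connection new-connection-mark=wan2 in-interface=pppoe-out2 passthrough=yes
add chain=prerouting action=mark-connection new-connection-mark=wan3 in-interface=pppoe-out3 passthrough=yes
add chain=prerouting action=mark-routing connection-mark=wan1 in-interface=ether3 new-routing-mark=wan1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=wan2 in-interface=ether3 new-routing-mark=wan2 passthrough=no
add chain=prerouting action=mark-routing connection-mark=wan3 in-interface=ether3 new-routing-mark=wan3 passthrough=no
"""
ROUTES = """\
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=wan1
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=wan2
add dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-mark=wan3
add dst-address=0.0.0.0/0 gateway=pppoe-out1
"""  # last line: ASSUMED unmarked default route (main table), not in the post


def parse(text):
    """Turn 'add key=value ...' lines into a list of dicts."""
    return [dict(tok.split("=", 1) for tok in line.split()[1:])
            for line in text.splitlines() if line.startswith("add ")]


def prerouting(rules, in_if, conn):
    """Walk the prerouting chain for one packet and return its routing mark.

    conn is the connection-tracking entry shared by both directions of the
    connection; mark-connection writes to it, mark-routing reads from it.
    """
    routing_mark = None
    for rule in rules:
        if rule.get("chain") != "prerouting":
            continue
        if "in-interface" in rule and rule["in-interface"] != in_if:
            continue
        if "connection-mark" in rule and rule["connection-mark"] != conn.get("mark"):
            continue
        if rule["action"] == "mark-connection":
            conn["mark"] = rule["new-connection-mark"]
        elif rule["action"] == "mark-routing":
            routing_mark = rule["new-routing-mark"]
        if rule.get("passthrough", "yes") == "no":
            break  # stop processing the chain for this packet
    return routing_mark


def lookup(routes, routing_mark):
    """Default-route lookup: the marked route if there is one, else main."""
    table = {r.get("routing-mark"): r["gateway"] for r in routes}
    return table.get(routing_mark, table[None])


def reply_path(wan_in, mangle_text=MANGLE, lan_if="ether3"):
    """Interface the LAN server's reply leaves through, for a connection
    whose first packet arrived on wan_in."""
    rules, routes = parse(mangle_text), parse(ROUTES)
    conn = {}
    prerouting(rules, wan_in, conn)         # request: internet -> router
    mark = prerouting(rules, lan_if, conn)  # reply: server -> router
    return lookup(routes, mark)


if __name__ == "__main__":
    for wan in ("pppoe-out1", "pppoe-out2", "pppoe-out3"):
        print(wan, "marked:", reply_path(wan), "unmarked:", reply_path(wan, ""))
```

With the mangle rules removed, replies to connections that arrived on pppoe-out2 or pppoe-out3 follow the unmarked default route and leave through a different PPPoE session than the one the request came in on.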
 
nicutdk
Frequent Visitor
Topic Author
Posts: 99
Joined: Sat Sep 24, 2016 12:06 pm

Re: Multiple wan PPPoE same gateway

Mon Jul 16, 2018 11:37 am

> The routing itself (gateway=10.0.0.1%pppoe-outX) is fine but as PPPoE is a point-to-point interface, the interface name alone is actually sufficient as route's gateway (the ip.add.re.ss%interface-name syntax is necessary only for point-to-multipoint interfaces). However, if you want your port-forwarding (dst-nat) to LAN servers to work, you need to assign a connection mark to each connection coming to the 'Tik from the internet to one of the pppoe-outX:
>
> /ip firewall mangle
> add chain=prerouting action=mark-connection new-connection-mark=wan1 in-interface=pppoe-out1 passthrough=yes
> add chain=prerouting action=mark-connection new-connection-mark=wan2 in-interface=pppoe-out2 passthrough=yes
> add chain=prerouting action=mark-connection new-connection-mark=wan3 in-interface=pppoe-out3 passthrough=yes
>
> To route response packets of these connections out via the correct pppoe-outX, you have to translate the connection-marks for packets forwarded from LAN to the internet into routing-marks:
>
> /ip firewall mangle
> add chain=prerouting action=mark-routing connection-mark=wan1 in-interface=ether3 new-routing-mark=wan1 passthrough=no
> add chain=prerouting action=mark-routing connection-mark=wan2 in-interface=ether3 new-routing-mark=wan2 passthrough=no
> add chain=prerouting action=mark-routing connection-mark=wan3 in-interface=ether3 new-routing-mark=wan3 passthrough=no
>
> And you must have the default routes with routing-marks in place:
> /ip route
> add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=wan1
> add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=wan2
> add dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-mark=wan3
>
> More details here.

Thank you for your support, but I already tried that and it is not working.

I got the internet connection working from inside, but when I try to use DSTNAT it does not work.
Please... do you have an idea?

Regards,
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple wan PPPoE same gateway

Mon Jul 16, 2018 11:49 am

If you've tried exactly that and the dstnat (port forwarding of requests coming to WAN to servers on LAN) did not work, the cause must be something else than the multi-wan setup. Recreate the complete configuration which didn't work and post it so that we could check for the other issue.
 
nicutdk
Frequent Visitor
Topic Author
Posts: 99
Joined: Sat Sep 24, 2016 12:06 pm

Re: Multiple wan PPPoE same gateway

Tue Jul 17, 2018 1:43 pm

> If you've tried exactly that and the dstnat (port forwarding of requests coming to WAN to servers on LAN) did not work, the cause must be something else than the multi-wan setup. Recreate the complete configuration which didn't work and post it so that we could check for the other issue.

add distance=1 gateway=10.0.0.1

Hi,

Thank you again! :)

First I tried without the default route /ip route add distance=1 gateway=10.0.0.1 and it was not working.

If I put /ip route add distance=1 gateway=10.0.0.1, Internet from the LAN works, but when I try to connect to the router from an external IP it is not working.

I don't understand the LOG. This is what I see in the log:
Same log for DSTNAT

Jul/17/2018 08:14:00 firewall,info Test: prerouting: in:Local out:(unknown 0), src-mac 2c:4d:54:4b:b2:d0, proto UDP, 192.168.19.250:56018->255.255.255.255:20561, len 50
Jul/17/2018 08:14:00 firewall,info Test: prerouting: in:Local out:(unknown 0), src-mac 2c:4d:54:4b:b2:d0, proto UDP, 192.168.19.250:56018->255.255.255.255:20561, len 50
Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:pppoe-out3 out:(unknown 0), proto TCP (SYN), 62.32.81.83:52837->82.76.164.184:443, len 44
Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:Local out:(unknown 0), src-mac 00:0c:29:02:03:6f, proto TCP (ACK,RST), 192.168.19.253:443->192.168.16.1:52837, NAT (192.168.19.253:443->82.76.164.184:443)->(192.168.16.1:52837->62.32.81.83:52837), len 40
Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:pppoe-out3 out:(unknown 0), proto TCP (SYN,ACK), 216.118.236.245:80->82.76.164.184:3289, len 44
Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:Local out:(unknown 0), src-mac 2c:4d:54:4b:b2:d0, proto UDP, 192.168.19.250:56018->255.255.255.255:20561, len 50
Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:Local out:(unknown 0), src-mac 2c:4d:54:4b:b2:d0, proto UDP, 192.168.19.250:56018->255.255.255.255:20561, len 50


I tried with this config:
/interface bridge
add fast-forward=no name=Local
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-out1 password=pRytfrtLB user=76766679
add disabled=no interface=ether1 name=pppoe-out2 password=tLBfddsvg user=98237651
add disabled=no interface=ether1 name=pppoe-out3 password=WimVyrCop user=76888432
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.18.1-192.168.19.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=Local name=dhcp1
/system logging action
add disk-file-count=1 disk-file-name=TestFirewall disk-lines-per-file=100 disk-stop-on-full=yes name=TestFirewall target=disk
/interface bridge port
add bridge=Local interface=ether3
add bridge=Local interface=ether4
add bridge=Local interface=ether5
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
/ip address
add address=192.168.16.1/22 interface=Local network=192.168.16.0
/ip dhcp-server network
add address=192.168.16.0/22 dns-server=192.168.16.1 gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=pppoe-out1 log=yes new-connection-mark=conWan1 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out2 log=yes new-connection-mark=conWan2 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out3 log=yes new-connection-mark=conWan3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conWan1 in-interface=Local log=yes new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=conWan2 in-interface=Local log=yes new-routing-mark=wan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=conWan3 in-interface=Local log=yes new-routing-mark=wan3 passthrough=no
add action=mark-routing chain=prerouting log=yes new-routing-mark=wan3 passthrough=yes src-address=192.168.16.0/22
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=86.116.164.147 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
add action=dst-nat chain=dstnat dst-address=82.133.189.156 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
add action=dst-nat chain=dstnat dst-address=86.116.164.184 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
/ip route
add distance=1 gateway=10.0.0.1%pppoe-out1 routing-mark=wan1
add distance=1 gateway=10.0.0.1%pppoe-out2 routing-mark=wan2
add distance=1 gateway=10.0.0.1%pppoe-out3 routing-mark=wan3
add distance=1 gateway=10.0.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system logging
add action=TestFirewall prefix=Test topics=firewall
/system routerboard settings
set silent-boot=no
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple wan PPPoE same gateway

Tue Jul 17, 2018 2:06 pm

Have you obfuscated the actual public IP addresses in the configuration but not in the log?

because the log shows:

Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:pppoe-out3 out:(unknown 0), proto TCP (SYN), 62.32.81.83:52837->82.76.164.184:443, len 44
...
Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:pppoe-out3 out:(unknown 0), proto TCP (SYN,ACK), 216.118.236.245:80->82.76.164.184:3289, len 44


But none of the dst-nat rules in configuration matches that destination address:

/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=86.116.164.147 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
add action=dst-nat chain=dstnat dst-address=82.133.189.156 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
add action=dst-nat chain=dstnat dst-address=86.116.164.184 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
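
The cross-check made in the post above (logged destination address against the dst-address of each dst-nat rule), automated in Python as an added example that is not part of the original post. The log lines and rule values are copied from the thread; the function names are this example's own, and only the protocol, dst-address and dst-port matchers are evaluated.

```python
import ipaddress
import re

# Constructed input: log lines and NAT rules copied from the posts above.
LOG = """\
Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:pppoe-out3 out:(unknown 0), proto TCP (SYN), 62.32.81.83:52837->82.76.164.184:443, len 44
Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:pppoe-out3 out:(unknown 0), proto TCP (SYN,ACK), 216.118.236.245:80->82.76.164.184:3289, len 44
Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:Local out:(unknown 0), src-mac 2c:4d:54:4b:b2:d0, proto UDP, 192.168.19.250:56018->255.255.255.255:20561, len 50
"""
NAT = "add action=dst-nat chain=dstnat dst-address={} dst-port=!8291 protocol=tcp to-addresses=192.168.19.253\n"
POSTED = "add action=masquerade chain=srcnat\n" + "".join(
    NAT.format(a) for a in ("86.116.164.147", "82.133.189.156", "86.116.164.184"))
CORRECTED = "add action=masquerade chain=srcnat\n" + "".join(
    NAT.format(a) for a in ("82.76.164.147", "86.123.189.156", "82.76.164.184"))
LINE_RE = re.compile(
    r"in:(?P<in_if>\S+) out:.*?proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_log(text):
    """One dict per firewall log line: in_if, proto, flags, src, dst, ports."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def parse_dstnat(text):
    """key=value dicts for every 'add ... action=dst-nat' line of an export."""
    rules = (dict(t.split("=", 1) for t in l.split()[1:]) for l in text.splitlines())
    return [r for r in rules if r.get("action") == "dst-nat"]


def port_in(spec, port):
    """True if port is in a RouterOS port list such as '80,443,8000-8080'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches_spec(spec, test):
    """Apply test to a matcher value, honouring a leading '!' (negation)."""
    return test(spec.lstrip("!")) != spec.startswith("!")


def rule_matches(rule, pkt):
    """Evaluate protocol, dst-address (address or CIDR) and dst-port."""
    dst, dport = ipaddress.ip_address(pkt["dst"]), int(pkt["dport"])
    if "protocol" in rule and rule["protocol"] != pkt["proto"].lower():
        return False
    if "dst-address" in rule and not matches_spec(
            rule["dst-address"],
            lambda s: dst in ipaddress.ip_network(s, strict=False)):
        return False
    if "dst-port" in rule and not matches_spec(rule["dst-port"],
                                               lambda s: port_in(s, dport)):
        return False
    return True


def unforwarded_syns(log_text, rules_text, wan_prefix="pppoe-"):
    """New inbound TCP connections (bare SYN on a WAN interface) that no
    dst-nat rule would translate, as (in-interface, dst-address, dst-port)."""
    rules = parse_dstnat(rules_text)
    return [(p["in_if"], p["dst"], int(p["dport"]))
            for p in parse_log(log_text)
            if p["in_if"].startswith(wan_prefix) and p["flags"] == "SYN"
            and not any(rule_matches(r, p) for r in rules)]
```

Run against the rules as first posted, the SYN to 82.76.164.184:443 is reported as having no matching dst-nat rule; against the corrected rules posted later in the thread, nothing is reported.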
 
nicutdk
Frequent Visitor
Topic Author
Posts: 99
Joined: Sat Sep 24, 2016 12:06 pm

Re: Multiple wan PPPoE same gateway

Tue Jul 17, 2018 2:44 pm

> Have you obfuscated the actual public IP addresses in the configuration but not in the log?
>
> because the log shows:
>
> Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:pppoe-out3 out:(unknown 0), proto TCP (SYN), 62.32.81.83:52837->82.76.164.184:443, len 44
> ...
> Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:pppoe-out3 out:(unknown 0), proto TCP (SYN,ACK), 216.118.236.245:80->82.76.164.184:3289, len 44
>
> But none of the dst-nat rules in configuration matches that destination address:
>
> /ip firewall nat
> add action=masquerade chain=srcnat
> add action=dst-nat chain=dstnat dst-address=86.116.164.147 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
> add action=dst-nat chain=dstnat dst-address=82.133.189.156 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
> add action=dst-nat chain=dstnat dst-address=86.116.164.184 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253

Sorry for that.

It is like this:

/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-address=82.76.164.147 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
add action=dst-nat chain=dstnat dst-address=86.123.189.156 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
add action=dst-nat chain=dstnat dst-address=82.76.164.184 dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple wan PPPoE same gateway

Tue Jul 17, 2018 3:05 pm

OK. The reason why you need the default route without routing-mark: the connections originating from LAN do not get any connection marks, so don't get any routing marks, so need a route with no routing-mark.

But the last /ip firewall mangle rule in your configuration, action=mark-routing chain=prerouting log=yes new-routing-mark=wan3 passthrough=yes src-address=192.168.16.0/22 which you have added probably to solve that has caused packets coming from outside to be routed back out instead of letting them reach the LAN. It doesn't contain in-interface=Local, so even packets which come from (any!) WAN are routing-marked, and there is no route to LAN subnet with a routing mark. So remove this rule and try again.
 
nicutdk
Frequent Visitor
Topic Author
Posts: 99
Joined: Sat Sep 24, 2016 12:06 pm

Re: Multiple wan PPPoE same gateway

Wed Jul 18, 2018 6:48 pm

> OK. The reason why you need the default route without routing-mark: the connections originating from LAN do not get any connection marks, so don't get any routing marks, so need a route with no routing-mark.
>
> But the last /ip firewall mangle rule in your configuration, action=mark-routing chain=prerouting log=yes new-routing-mark=wan3 passthrough=yes src-address=192.168.16.0/22 which you have added probably to solve that has caused packets coming from outside to be routed back out instead of letting them reach the LAN. It doesn't contain in-interface=Local, so even packets which come from (any!) WAN are routing-marked, and there is no route to LAN subnet with a routing mark. So remove this rule and try again.

Thank you for your response.

I solved it, but the firewall LOG has a lot... lot of errors. If you want to store the firewall LOG you must have a BIIIG HDD.
I think that can't be resolved in mikrotik (Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:Local out:(unknown 0), src-mac 00:0c:29:02:03:6f, proto TCP (ACK,RST), 192.168.19.253:443->192.168.16.1)

This is the solution for anyone who wants PPPoE with src-nat and dst-nat!

This is from mikrotik support: slow, but VERY GOOD SUPPORT!!!
/interface bridge port
add bridge=Local interface=ether3
add bridge=Local interface=ether4
add bridge=Local interface=ether5
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
/ip address
add address=192.168.16.1/22 interface=Local network=192.168.16.0


/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=pppoe-out1 new-connection-mark=conWan1 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out2 new-connection-mark=conWan2 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out3 new-connection-mark=conWan3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conWan1 in-interface=Local new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=conWan2 in-interface=Local new-routing-mark=wan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=conWan3 in-interface=Local new-routing-mark=wan3 passthrough=no
add action=mark-routing chain=output connection-mark=conWan1 new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output connection-mark=conWan3 new-routing-mark=wan3 passthrough=no
add action=mark-routing chain=output connection-mark=conWan2 new-routing-mark=wan2 passthrough=no
/ip firewall nat
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=81.71.161.141
add action=src-nat chain=srcnat out-interface=pppoe-out2 to-addresses=81.121.181.151
add action=src-nat chain=srcnat out-interface=pppoe-out3 to-addresses=81.71.161.181
add action=dst-nat chain=dstnat dst-port=!8291 protocol=tcp to-addresses=192.168.19.253
/ip route
add distance=1 gateway=10.0.0.1%pppoe-out1 routing-mark=wan1
add distance=1 gateway=10.0.0.1%pppoe-out2 routing-mark=wan2
add distance=1 gateway=10.0.0.1%pppoe-out3 routing-mark=wan3
add distance=1 gateway=10.0.0.1
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple wan PPPoE same gateway

Wed Jul 18, 2018 8:19 pm

> the firewall LOG has a lot... lot of errors. If you want to store the firewall LOG you must have a BIIIG HDD.
> I think that can't be resolved in mikrotik
> Jul/17/2018 08:14:01 firewall,info Test: prerouting: in:Local out:(unknown 0), src-mac 00:0c:29:02:03:6f, proto TCP (ACK,RST), 192.168.19.253:443->192.168.16.1

Log events with topics "firewall" are only logged if you have manually configured some rule to log the packet properties when it matches a packet. You are supposed to do so when debugging things and maybe when monitoring some malware attacks, but not routinely. By default, RouterOS logging saves to disk only critical events, and all the rest is stored to memory and the number of events is limited to 1000, oldest ones get overwritten by new ones.

If you want long-term persistent logs, you have to use a syslog server (with a biiig HDD :-) ) and configure Mikrotik to send the log messages to it.

And that particular log message says out: Unknown(0) because the rule which has written that log event is in a prerouting chain, so the packet was not yet routed so its out-interface could not be known.

> This is from mikrotik support: slow, but VERY GOOD SUPPORT!!!

This forum is not Mikrotik support, this is a community (=volunteer) support. The official Mikrotik support deals with bugs and only to a limited extent with configuration assistance like this - compare the amount of topics here (many of them repeatedly dealing with the same typical problems as people have difficulties seeing parallels between their own problem and someone else's problem which is not exactly the same) and the price of the boxes. Normally your authorized distributor of Mikrotik stuff has to be qualified to provide configuration assistance to you, but their margin wouldn't cover a free-of-charge assistance either.

All that is to say that I don't get what kind of speed you would expect :-)
 
nicutdk
Frequent Visitor
Topic Author
Posts: 99
Joined: Sat Sep 24, 2016 12:06 pm

Re: Multiple wan PPPoE same gateway

Thu Jul 19, 2018 11:16 am

Hi Sindy and thank you for your support.

I love mikrotik, and every time I can I recommend mikrotik to my clients, but they must adapt to the competition of cheap producers. I'm glad because with your help and mikrotik support I resolved the pppoe problem and my clients are now happy. :)
I could give at least 5 suggestions (you laugh at me) that I am sure would increase mikrotik's sales in a certain market segment. It is becoming increasingly difficult to convince a customer that the mikrotik router is better than tplink, dlink, asus, etc. For this reason mikrotik should try to be different from the others.


Best Regards,
 
dharmikshah8928
just joined
Posts: 3
Joined: Thu Jul 19, 2018 4:51 pm

Not getting src-mac for pppoe interface

Thu Jul 19, 2018 7:55 pm

Hello,

When I am trying to print the log for interface: in for a pppoe interface, I am not getting src-mac in the log.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple wan PPPoE same gateway

Fri Jul 20, 2018 3:22 pm

The reason is simply that pppoe-client, like any other ppp interface, is an L3 interface so packets which come through that interface have neither src-mac address nor dst-mac address.
