Hello,
I state that I am VERY beginner.
I need a following configuration:
I have two networks, the first one generated by a 4G router to a private APN which requires a specific DNS and creates a "VPN".
With this router I am therefore connected to an intranet, in which using a remote desktop on my PC I connect to the server on the intranet.
I can also use a browser to use the internet by setting the intranet proxy.
I would like to reach my PC from the outside using another ADSL connection with existing static IP.
I would like to reach it for example with TEAMVIEWER, and then connect with the RDP to the intranet server using the 4G connection.
The Routerboard will then have two WANs with two GW and a LAN where the PC is connected.
Is it possible to do this?
Thank you
Re: Two connection and two gateway
It depends on what kind of beginners you are. If you're willing to learn, everything is possible.
The simplest case would be if ADSL can be primary connection and 4G would be used only to access specific subnet(s). You'd simply configure router for one connection (ADSL) and you'd add 4G, but without default gateway, only with route(s) to specific subnet(s).
If 4G should be primary and ADSL only for remote access to PC, it would be regular dual-WAN config. Example of that is https://wiki.mikrotik.com/wiki/Manual:PCC. It's mainly about load balancing, but when you skip the two rules with per-connection-classifier, it gives you basic dual-WAN config where you can route traffic to one connection or the other, router can be accesses from both connections, also port forwarding will work, basically everything you could need.
The rest is about various details, static or dynamic addresses that might need some tweaking, etc. The important thing is to try. If you get stuck, either ask about specific problem, of search the forum, everything has been done million times.
The simplest case would be if ADSL can be primary connection and 4G would be used only to access specific subnet(s). You'd simply configure router for one connection (ADSL) and you'd add 4G, but without default gateway, only with route(s) to specific subnet(s).
If 4G should be primary and ADSL only for remote access to PC, it would be regular dual-WAN config. Example of that is https://wiki.mikrotik.com/wiki/Manual:PCC. It's mainly about load balancing, but when you skip the two rules with per-connection-classifier, it gives you basic dual-WAN config where you can route traffic to one connection or the other, router can be accesses from both connections, also port forwarding will work, basically everything you could need.
The rest is about various details, static or dynamic addresses that might need some tweaking, etc. The important thing is to try. If you get stuck, either ask about specific problem, of search the forum, everything has been done million times.
Re: Two connection and two gateway
It might be possible.
The routing part is easy - if I understand your case right, you simply need your mobile connection to be used only for access to the IP addresses of your intranet and the ADSL connection to be used for the rest, which is easily provided by configuring the mobile connection to add a default route with a high value of distance or not add it at all (depending whether it is a router connected using Ethernet or a 3G/4G modem connected to the Mikrotik), and manually add route(s) to the intranet subnet(s) via that gateway; more precise (longer) prefixes always have precedence over wider (shorter) prefixes, so packets towards the intranet will choose the manually added routes while packets to other destinations will take the default route with lower distance value, i.e. the one via ADSL.
What makes it difficult is the need to use a dedicated DNS for intranet access; Mikrotik is not really good here and you'll have to follow @Sob's suggestion how to use /ip firewall layer7-protocol to redirect the DNS packets from your LAN hosts to the Intranet DNS server if the query goes for the intranet domains, and let them use the standard DNS (the Mikrotik itself or any public one depending on your configuration) for the rest.
The routing part is easy - if I understand your case right, you simply need your mobile connection to be used only for access to the IP addresses of your intranet and the ADSL connection to be used for the rest, which is easily provided by configuring the mobile connection to add a default route with a high value of distance or not add it at all (depending whether it is a router connected using Ethernet or a 3G/4G modem connected to the Mikrotik), and manually add route(s) to the intranet subnet(s) via that gateway; more precise (longer) prefixes always have precedence over wider (shorter) prefixes, so packets towards the intranet will choose the manually added routes while packets to other destinations will take the default route with lower distance value, i.e. the one via ADSL.
What makes it difficult is the need to use a dedicated DNS for intranet access; Mikrotik is not really good here and you'll have to follow @Sob's suggestion how to use /ip firewall layer7-protocol to redirect the DNS packets from your LAN hosts to the Intranet DNS server if the query goes for the intranet domains, and let them use the standard DNS (the Mikrotik itself or any public one depending on your configuration) for the rest.
Re: Two connection and two gateway
@sindy
I would like to use the 4G connection only for the intranet.
As I wrote, unfortunately I don't know how to do it, I don't know how to set the routing rules.
You can help me, if you want in MP I am willing to pay to solve this problem.
Thank you in advance
I would like to use the 4G connection only for the intranet.
As I wrote, unfortunately I don't know how to do it, I don't know how to set the routing rules.
You can help me, if you want in MP I am willing to pay to solve this problem.
Thank you in advance
Re: Two connection and two gateway
PM doesn't work at this forum. How is the 4G thing connected to the Mikrotik? USB, ethernet cable, just a SIM inside the Mikrotik?
Re: Two connection and two gateway
through a router (not mikrotik) with a sim insidePM doesn't work at this forum. How is the 4G thing connected to the Mikrotik? USB, ethernet cable, just a SIM inside the Mikrotik?
In the MK I have connected:
ETH1 from router with SIM 4G
ETH2 from router MK with ADSL and configured in client DHCP
ETH3 to PC
Re: Two connection and two gateway
The 4G router also provides you with IP configuration (your address , default gateway, DNC) using DHCP or you must configure it statically if you connect your laptop directly to the 4G router?
Re: Two connection and two gateway
Yes dhcp can be configured, the router is TELTONIKA RUT950
but if I configure it in dhcp, I still have to put the dns manual if it doesn't connect to the intranet
but if I configure it in dhcp, I still have to put the dns manual if it doesn't connect to the intranet
Re: Two connection and two gateway
That's not the point, the point was whether you know the IP subnet and gateway to use and can configure them manually, and whether you know the DNS server address and all the subnets which represent the intranet.
What you need to do is to add the IP address on ether1 manually with the proper mask, and add a route or routes towards the intranet subnets via the 4G router's IP address as a gateway. This makes it possible for your PC to connect there, but it does not resolve the DNS part. I was asking regarding DHCP because it sounded more likely to me and was about to tell you how to change /ip dhcp-client settings to get the information from there without interfering with the ADSL connection; as you apparently know the information (your IP, netmask, gateway IP, DNS server IP) already, this part is not necessary.
So you'll end up with one default route provided by the DHCP client on ether2, and one or more routes added manually, with dst-address matching the intranet subnet(s) and the IP address of the 4G modem as gateway.
Then, you'll need to adapt @Sob's instruction for DNS redirection as mentioned above to your needs - to keep it simple, create one layer7-protocol row per each domain suffix representing the intranet, and one action=dst-nat rule per each such regexp, rather than composing a complex regexp covering all the domain suffixes.
What you need to do is to add the IP address on ether1 manually with the proper mask, and add a route or routes towards the intranet subnets via the 4G router's IP address as a gateway. This makes it possible for your PC to connect there, but it does not resolve the DNS part. I was asking regarding DHCP because it sounded more likely to me and was about to tell you how to change /ip dhcp-client settings to get the information from there without interfering with the ADSL connection; as you apparently know the information (your IP, netmask, gateway IP, DNS server IP) already, this part is not necessary.
So you'll end up with one default route provided by the DHCP client on ether2, and one or more routes added manually, with dst-address matching the intranet subnet(s) and the IP address of the 4G modem as gateway.
Then, you'll need to adapt @Sob's instruction for DNS redirection as mentioned above to your needs - to keep it simple, create one layer7-protocol row per each domain suffix representing the intranet, and one action=dst-nat rule per each such regexp, rather than composing a complex regexp covering all the domain suffixes.
Re: Two connection and two gateway
this is too difficult for me.
I can see how it is configured now
but obviously it doesn't work:
I can see how it is configured now
but obviously it doesn't work:
Code: Select all
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-4G
set [ find default-name=ether2 ] comment=WAN-ADSL
set [ find default-name=ether3 ] comment=LAN
/ip address
add address=192.168.50.2/30 interface=ether1 network=192.168.50.0
add address=192.168.60.1/24 interface=ether3 network=192.168.60.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 dst-address=10.66.12.15/32 gateway=ether1
/system clock
set time-zone-name=Europe/Rome
/system routerboard settings
set init-delay=0sRe: Two connection and two gateway
OK, what DOES work for you? If you disable ether2, make 192.168.50.1 the gateway of a manually added route with dst-address=0.0.0.0/0 and distance=2, and change the DNS server from 8.8.8.8 to the intranet one, can the PC connect to intranet? Don't do this remotely, you'd cut your access over ether2.
Re: Two connection and two gateway
I don't know if I did well, but I can't connect to the intranet:
Code: Select all
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-4G
set [ find default-name=ether2 ] comment=WAN-ADSL disabled=yes
set [ find default-name=ether3 ] comment=LAN
/ip address
add address=192.168.50.2/30 interface=ether1 network=192.168.50.0
add address=192.168.60.1/24 interface=ether3 network=192.168.60.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2
/ip dns
set servers=10.66.12.15
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=2 gateway=192.168.50.1
/system clock
set time-zone-name=Europe/Rome
/system routerboard settings
set init-delay=0s
Re: Two connection and two gateway
You've done exactly what I've asked you to do, but I haven't realized that you probably never tried this before. So do also /ip firewall nat print where (!dynamic); /ip firewall nat add chain=srcnat action=masquerade out-interface=ether1 place-before=0. After this step the PC should get to intranet. If not, something must be wrong with the IP configuration of ether1.
Re: Two connection and two gateway
the "place-before = 0" command gives me an error does not exist.
However it works the pc connects to the intranet.
on MK I configured a DHCP server on the ETH3 and the pc is connected to the ETH3 (with the network card configured in DHC mode including the DNS)
The first step was done
However it works the pc connects to the intranet.
on MK I configured a DHCP server on the ETH3 and the pc is connected to the ETH3 (with the network card configured in DHC mode including the DNS)
The first step was done
Code: Select all
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-4G
set [ find default-name=ether2 ] comment=WAN-ADSL disabled=yes
set [ find default-name=ether3 ] comment=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.60.2-192.168.60.254
add name=dhcp_pool1 ranges=192.168.60.2-192.168.60.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether3 name=dhcp1
/ip address
add address=192.168.50.2/30 interface=ether1 network=192.168.50.0
add address=192.168.60.1/24 interface=ether3 network=192.168.60.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2
/ip dhcp-server network
add address=192.168.60.0/24 gateway=192.168.60.1
/ip dns
set servers=10.66.12.15
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=2 gateway=192.168.50.1
/system clock
set time-zone-name=Europe/Rome
/system routerboard settings
set init-delay=0s
Re: Two connection and two gateway
Yes, it was giving an error because that table was completely empty.the "place-before = 0" command gives me an error does not exist.
Now we know that intranet works. Given your other settings, I'd say it is safe to change the dst-address=0.0.0.0/0 in your manually added route to dst-address=10.0.0.0/8 and its distance to 1, it should still work - try it.
Next, after a while of working with the intranet, do /ip dns cache print and identify items which include the company name, as DNS queries for these items should be sent to the intranet DNS while the rest should be sent to the public DNS server. The items should be something like xxx.yourcompanyname.it or xxx.yourcompanyname or xxx.intranet and the IP address associated to them should start with 10.. It depends on how the administrator has set it, there is no generic rule, you have to check. The goal is to find the string which is common for the intranet servers' domain names and let the layer7-protocol rule match on that string.
Re: Two connection and two gateway
Can I give Sindy a patience award. You continually impress me man!!
Somebody close to him buy him a good meal and a hearty beer! Assuming its a guy, if not, then an excellent meal and classy white wine.
Somebody close to him buy him a good meal and a hearty beer! Assuming its a guy, if not, then an excellent meal and classy white wine.
Re: Two connection and two gateway
I also think he is very patient, but it is thanks to him that people like me will have the chance to grow.Can I give Sindy a patience award. You continually impress me man!!
Somebody close to him buy him a good meal and a hearty beer! Assuming its a guy, if not, then an excellent meal and classy white wine.
As for good wine here from Italy there is plenty of it just tell me where I have to send it !!!
Re: Two connection and two gateway
Ok, changing with 10.0.0.0/8 is still fine.
From the cache I still don't see anything, however the domain name I know.
if from the pc I ping the PC of the intranet network to which I should connect via RDP the ip that I get can go well?
From the cache
Code: Select all
/ ip dns cache printif from the pc I ping the PC of the intranet network to which I should connect via RDP the ip that I get can go well?
Re: Two connection and two gateway
Well, as you've mentioned that the DNS is necessary for intranet access to work, I've concluded you really need it because you maybe run some thick clients (applications) which refer to domain names they don't show you. If you can RDP to a known IP address in the intranet, there is no need to do anything with the DNS redirection which makes the whole task about 17 times easier
What makes me quite scared is that your Mikrotik was connected to the internet with no firewall rules at all. I've initially thought that you removed the firewall rules from the configuration you've posted to make it smaller, but as the adding of the srcnat rule has shown, there are really none. So I suppose the ADSL router you use for regular internet connection does NAT and no port forwarding, and no access from WAN side is permitted on it, but I would still recommend to use the default firewall rules modified for your interface roles (i.e. set ether2 as the only member of interface list WAN) also on the Mikrotik as you never know how well secured the ADSL router is. Especially if the "filth from the net" can get to your company's network via your setup if it bites its way through the ADSL router and squats on your Tik (not that something couldn't squat on your PC and get to the Tik from there, or attack the intranet machines directly - the crypto-currencies are rising again so all the bad guys want your processor resources ).
Leaving the scary side of life aside for a while: if it is enough for you that the PC at ether3 of your Tik stays on and accepts incoming TeamViewer connections, and that you can RDP from there to an IP in the intranet, all you have to do right now is to add another masquerade rule which will be exactly the same like the one you've added before but for ether2 (the ADSL WAN), set the DNS server of the Tik back to 8.8.8.8, and enable the ether2 again.
What makes me quite scared is that your Mikrotik was connected to the internet with no firewall rules at all. I've initially thought that you removed the firewall rules from the configuration you've posted to make it smaller, but as the adding of the srcnat rule has shown, there are really none. So I suppose the ADSL router you use for regular internet connection does NAT and no port forwarding, and no access from WAN side is permitted on it, but I would still recommend to use the default firewall rules modified for your interface roles (i.e. set ether2 as the only member of interface list WAN) also on the Mikrotik as you never know how well secured the ADSL router is. Especially if the "filth from the net" can get to your company's network via your setup if it bites its way through the ADSL router and squats on your Tik (not that something couldn't squat on your PC and get to the Tik from there, or attack the intranet machines directly - the crypto-currencies are rising again so all the bad guys want your processor resources
).Leaving the scary side of life aside for a while: if it is enough for you that the PC at ether3 of your Tik stays on and accepts incoming TeamViewer connections, and that you can RDP from there to an IP in the intranet, all you have to do right now is to add another masquerade rule which will be exactly the same like the one you've added before but for ether2 (the ADSL WAN), set the DNS server of the Tik back to 8.8.8.8, and enable the ether2 again.
Re: Two connection and two gateway
Everything works OK !!!
Thank you very much, now I try to fix the firewall
Thank you
Thank you very much, now I try to fix the firewall
Thank you
Re: Two connection and two gateway
I wrote too soon 
now it doesn't work.
If I leave the intranet disconnected (by not using any program towards it) after a while you can no longer connect
now it doesn't work.
If I leave the intranet disconnected (by not using any program towards it) after a while you can no longer connect
Re: Two connection and two gateway
Can you ping the server to which you RDP from the Mikrotik? There is nothing what should go wrong this way.
Re: Two connection and two gateway
When it works trying to ping it only replies to ping to DNS.
It stops working when I am disconnected to intrante for some time,
and to redo everything, you need to disable eth2 and wait 10 minutes
It stops working when I am disconnected to intrante for some time,
and to redo everything, you need to disable eth2 and wait 10 minutes
Re: Two connection and two gateway
Post the current configuration, please. If blocking ether2 has some effect, something must be configured different than I expect.
Re: Two connection and two gateway
Code: Select all
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-4G
set [ find default-name=ether2 ] comment=WAN-ADSL
set [ find default-name=ether3 ] comment=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.60.2-192.168.60.254
add name=dhcp_pool1 ranges=192.168.60.2-192.168.60.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether3 name=dhcp1
/ip address
add address=192.168.50.2/30 interface=ether1 network=192.168.50.0
add address=192.168.60.1/24 interface=ether3 network=192.168.60.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2
/ip dhcp-server network
add address=192.168.60.0/24 gateway=192.168.60.1
/ip dns
set servers=10.66.22.15,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add distance=2 dst-address=10.0.0.0/8 gateway=192.168.50.1
/system clock
set time-zone-name=Europe/Rome
/system routerboard settings
set init-delay=0s
Last edited by cusna on Fri May 24, 2019 10:18 am, edited 1 time in total.
Re: Two connection and two gateway
Okay. So instead of replacing the dns server 10.66.22.15 by 8.8.8.8, you've added the 8.8.8.8. So I suspect that the 4G router or something behind it checks whether you use the intranet DNS and if you don't for a while, it blocks the access to the rest of the intranet. And, presumably, the intranet DNS may not resolve domain names in the internet (or resolve them to some special address instead of the real one), making it complicated to use servers on public internet. So please try to keep ether2 enabled but remove 8.8.8.8 from the list of DNS servers. This way you should be able to access intranet even if ether2 is up, and you should be able to ping 8.8.8.8 but you may have problems to access web pages by their domain name.
Re: Two connection and two gateway
If I remove 8.8.8.8 as DNS it changes nothing.
I didn't tell you though, and for this I apologize, that the ETH3 is connected to another mikrotik that acts as a router for the public adsl connection, isn't it dependent on that?
But should it not be, because since the PC makes a request on an address 10.0.0.0/8 it should not redirect it to the ETH1, without sending it to the ETH3 where there is the other mikrotik?
I didn't tell you though, and for this I apologize, that the ETH3 is connected to another mikrotik that acts as a router for the public adsl connection, isn't it dependent on that?
But should it not be, because since the PC makes a request on an address 10.0.0.0/8 it should not redirect it to the ETH1, without sending it to the ETH3 where there is the other mikrotik?
Re: Two connection and two gateway
If the other Mikrotik has no other uplink than via the ether3 of this Mikrotik, routing should not be the problem.I didn't tell you though, and for this I apologize, that the ETH3 is connected to another mikrotik that acts as a router for the public adsl connection, isn't it dependent on that?
But should it not be, because since the PC makes a request on an address 10.0.0.0/8 it should not redirect it to the ETH1, without sending it to the ETH3 where there is the other mikrotik?
However, if that other Mikrotik also acts as a DNS server for the connected hosts (like this one does), it caches the DNS answers, so when the hosts query the same domain names, that other Mikrotik responds to them from its cache and doesn't send the query upwards. So if the blocking mechanism tracks DNS queries, it cannot see any requests for long time and blocks the access. So change the /ip dhcp network on the "other Mikrotik" to indicate 10.66.12.15 as DNS server and see what happens.
Re: Two connection and two gateway
If change in the "other Mikrotik" /ip dhcp networks dns in 10.66.12.15 it doesn't work anyway, obviously not even web browsing works
I ask can we hear you by email?
Thank you
I ask can we hear you by email?
Thank you