Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Mikrotik + Movistar Fusión Empresas

Fri May 22, 2020 6:09 pm

Hello everyone.
First of all, I'm a noob at networking. I'm an electrician and I've been forced to take care of the company network because our technician recently got corona, so I'm sorry if I can't understand you perfectly or I make a mistake trying to explain my case.

Recently in my workplace we changed to Movistar Fusión Empresas (I'm from Spain). Before that, we worked with an ONT + Mikrotik (RB750GL) and a static IP. Now the internet provider installed a new ONT, a Teldat and a Switch and changed the Static IP (for example: 54.87.19.52). The structure stays as follows: ONT - Teldat - Switch Movistar - Mikrotik - Local network. When I plug in the MikroTik to the switch we don't have connection. I've tried to factory reset the device (we have backups saved), changing the vlan 3/6 to 20/21 (data and VoIP) and trying several ports, but I cannot make it work.

Mikrotik's configuration:
WAN 192.168.100.0
LAN 192.168.10.0

Again, I'm sorry if I missed any crucial information. I didn't study networking, I just have to deal with my boss decisions.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Sat May 23, 2020 12:32 pm

Since no one familiar with Movistar's habits seems to wander around, let me ask you a question, because to debug a blackbox is not easy even for a network specialist, leaving aside regular users.

Should the static public IP be used to access some server in your premises remotely (web server, VPN connection, anything where you set up the public IP of your connection to a web browser or anything else on a remote PC or mobile)?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik + Movistar Fusión Empresas

Sat May 23, 2020 2:11 pm

You should have put VLAN 20 at the ethernet port connected to the switch and the PPPoE connects to VLAN 20. If the Teldat/switch is in bridge mode then you can use PPPoE, and if not you let the stuff from Movistar do the work.

I assume that VOIP is handled by the Teldat/Movistar switch itself.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. 4011 Does PPPoE/IKEv2.
Running:
RouterOS 6.47 / Winbox 3.24 / MikroTik APP 1.3.12
NordVPN viewtopic.php?f=2&t=158439&p=781009 for multiple connections.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Mon May 25, 2020 4:27 pm

Since no one familiar with Movistar's habits seems to wander around, let me ask you a question, because to debug a blackbox is not easy even for a network specialist, leaving aside regular users.

Should the static public IP be used to access some server in your premises remotely (web server, VPN connection, anything where you set up the public IP of your connection to a web browser or anything else on a remote PC or mobile)?
Yes, we have a VPN for some employees and an Exchange server too. We have the outsourced DNS and we will change it to the new public IP after we get connection.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Mon May 25, 2020 4:54 pm

Yes, we have a VPN for some employees and an Exchange server too. We have the outsourced DNS and we will change it to the new public IP after we get connection.
OK. In that case:
  • configure one of the VPN clients to connect to the new public IP (rather than to the domain name if set like that),
  • open a command line window to the Mikrotik (ssh, [Terminal] button in Winbox/WebFig) and make it as wide as your screen allows
  • run /tool sniffer quick interface=ether1 in that window (if you know the IP address of the client, add ip-address=ip.of.that.client to the command)
  • let the client (which must not be on your LAN) attempt to connect
You should see either the IP packets carrying the VPN initial request trying to reach your device, or ARP packets trying to determine some IP address, or nothing at all.
If only ARP requests are coming, you should see the VLAN ID which is used for internet connection (I don't expect VoIP traffic to be arriving spontaneously, except if you have a specifically configured PBX). If nothing is coming at all, the forwarding of traffic which arrives at the public IP further to the private WAN IP of the Mikrotik is not configured on the Movistar gear.

So post the result of this test and your configuration export in anonymized text form, following the hint in my automatic signature right below.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
nostromog
Member Candidate
Posts: 175
Joined: Wed Jul 18, 2018 3:39 pm

Re: Mikrotik + Movistar Fusión Empresas

Mon May 25, 2020 5:27 pm

Hello everyone.
First of all, I'm a noob at networking. I'm an electrician and I've been forced to take care of the company network because our technician recently got corona, so I'm sorry if I can't understand you perfectly or I make a mistake trying to explain my case.

Recently in my workplace we changed to Movistar Fusión Empresas (I'm from Spain). Before that, we worked with an ONT + Mikrotik (RB750GL) and a static IP. Now the internet provider installed a new ONT, a Teldat and a Switch and changed the Static IP (for example: 54.87.19.52). The structure stays as follows: ONT - Teldat - Switch Movistar - Mikrotik - Local network. When I plug in the MikroTik to the switch we don't have connection. I've tried to factory reset the device (we have backups saved), changing the vlan 3/6 to 20/21 (data and VoIP) and trying several ports, but I cannot make it work.

Mikrotik's configuration:
WAN 192.168.100.0
LAN 192.168.10.0

Again, I'm sorry if I missed any crucial information. I didn't study networking, I just have to deal with my boss decisions.
I am familiar with the configuration. The problem is that the Movistar fiber uses VLANs after the ONT. If your previous configuration was as you said (ONT<->Mikrotik), the configuration of the Mikrotik is using VLANs and it gets the public IP directly. Now that you have new hardware interconnections, the Teldat removes the VLAN tags, gets the IP and does NAT. The configuration for the Mikrotik has to be different unless you remove Teldat+Switch Movistar.

If the "Switch Movistar" (I don't know what this is) is just a switch, you might have a working configuration by setting up ONT<->Mikrotik<->Switch using the same ethernet (probably 1) that was used before.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Mon May 25, 2020 5:50 pm

You should have put VLAN 20 at the ethernet port connected to the switch and the PPPoE connects to VLAN 20. If the Teldat/switch is in bridge mode then you can use PPPoE, and if not you let the stuff from Movistar do the work.

I assume that VOIP is handled by the Teldat/Movistar switch itself.
I don't think the Teldat is in bridge mode. When I plug a laptop directly into the Movistar switch I get the address 192.168.1.X, so it must be in router mode.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Mon May 25, 2020 5:54 pm

When I plug a laptop directly into the Movistar switch I get the address 192.168.1.X, so it must be in router mode.
So what happens if you attach a DHCP client directly (no /interface vlan in between) to Mikrotik's ether1 rather than a fixed address? Does it get a dynamic one too?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Mon May 25, 2020 6:39 pm

First of all, thank you all for your help.
Sadly I can't try your solutions until tomorrow (I have my own work as electrician and the company doesn't stop until 22:00). The only moment I can touch the network without being yelled at is at lunch break. Tomorrow I'll tell you, every idea is welcomed.

Clarification: while the new configuration is fixed, Movistar kept the old ONT still running so we don't lose functionality. When everyone stops working I go to the communications room, plug the Mikrotik to the Teldat and the new ONT, and try to solve the puzzle.
 
nostromog
Member Candidate
Posts: 175
Joined: Wed Jul 18, 2018 3:39 pm

Re: Mikrotik + Movistar Fusión Empresas

Mon May 25, 2020 7:53 pm

First of all, thank you all for your help.
Sadly I can't try your solutions until tomorrow (I have my own work as electrician and the company doesn't stop until 22:00). The only moment I can touch the network without being yelled at is at lunch break. Tomorrow I'll tell you, every idea is welcomed.
My guess would be that if you disconnect/unplug the Teldat router and connect straight away the ONT to port 1 of the Mikrotik (which is how I guess things were installed before), things will work:

* mikrotik will get the public IP address
* internet will work
* if you plug the switch to any of the remaining ports of the mikrotik, all the network will work.

This is assuming that before the connection was as you reported, and that the Movistar person only changed a standard consumer fiber for an enterprise fiber, no extra config.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 4:35 pm

Yes, we have a VPN for some employees and an Exchange server too. We have the outsourced DNS and we will change it to the new public IP after we get connection.
OK. In that case:
  • configure one of the VPN clients to connect to the new public IP (rather than to the domain name if set like that),
  • open a command line window to the Mikrotik (ssh, [Terminal] button in Winbox/WebFig) and make it as wide as your screen allows
  • run /tool sniffer quick interface=ether1 in that window (if you know the IP address of the client, add ip-address=ip.of.that.client to the command)
  • let the client (which must not be on your LAN) attempt to connect
You should see either the IP packets carrying the VPN initial request trying to reach your device, or ARP packets trying to determine some IP address, or nothing at all.
If only ARP requests are coming, you should see the VLAN ID which is used for internet connection (I don't expect VoIP traffic to be arriving spontaneously, except if you have a specifically configured PBX). If nothing is coming at all, the forwarding of traffic which arrives at the public IP further to the private WAN IP of the Mikrotik is not configured on the Movistar gear.

So post the result of this test and your configuration export in anonymized text form, following the hint in my automatic signature right below.

INTERFACE       TIME  NUM DI     SRC-MAC            DST-MAC       VLAN SRC-ADDRESS
ether1-gateway  3.74   12 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  3.782  13 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  3.907  14 <- 94:24:E3:3H:2J:FE  00:54:ER:00:70:04
ether1-gateway  4.053  15 <- 00:G0:24:D4:8R:3R  FF:FF:FF:FF:FF:FF      741.258.963.159: who has 741.258.963.159
ether1-gateway  4.824  16 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  5.74   17 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  5.905  18 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  6.741  19 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:0U
ether1-gateway  6.837  20 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  7.74   21 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  7.78   22 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  8.811  23 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  8.929  24 <- 00:G0:24:D4:8R:3R  FF:FF:FF:FF:FF:FF      741.258.963.159: who has 741.258.963.159
ether1-gateway  9.26   25 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  3   0.0.0.0:xx (bootpc)
ether1-gateway  9.74   26 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  9.773  27 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6

741.258.963.159 is my WAN
Last edited by Drageir on Tue May 26, 2020 5:27 pm, edited 2 times in total.
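A small parser for the `/tool sniffer quick` output, applying the three-way reading sindy gave a few posts up (IP packets arriving, only ARP arriving, or nothing). This is an added example, not code from the thread or from MikroTik. The SNIFFER_OUTPUT sample is constructed from the anonymized lines posted above (the forum's own obfuscated MACs, with the ARP sender's last byte made to differ from the target, as the poster later confirmed it does); the packet categories and the `01:80:C2:00:00:` link-control prefix are my assumptions about how to read the quick view.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the anonymized "/tool sniffer quick interface=ether1" lines posted in
# this thread, trimmed to a representative subset. MACs are the forum's obfuscated values.
SNIFFER_OUTPUT = """\
INTERFACE       TIME  NUM DI     SRC-MAC            DST-MAC       VLAN SRC-ADDRESS
ether1-gateway  3.74   12 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  3.782  13 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  3.907  14 <- 94:24:E3:3H:2J:FE  00:54:ER:00:70:04
ether1-gateway  4.053  15 <- 00:G0:24:D4:8R:3R  FF:FF:FF:FF:FF:FF      741.258.963.1: who has 741.258.963.159
ether1-gateway  4.824  16 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  8.929  24 <- 00:G0:24:D4:8R:3R  FF:FF:FF:FF:FF:FF      741.258.963.1: who has 741.258.963.159
ether1-gateway  9.26   25 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  3   0.0.0.0:xx (bootpc)
ether1-gateway  9.74   26 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
"""

# The posted MACs are obfuscated (letters beyond A-F), so accept any alphanumeric pairs.
MAC = r"[0-9A-Za-z]{2}(?::[0-9A-Za-z]{2}){5}"
LINE_RE = re.compile(
    rf"^(?P<iface>\S+)\s+(?P<time>[\d.]+)\s+(?P<num>\d+)\s+(?P<dir><-|->)\s+"
    rf"(?P<src>{MAC})\s+(?P<dst>{MAC})"
    r"(?:\s+(?P<vlan>\d+)(?=\s|$))?"     # optional VLAN column (must be a whole token)
    r"(?:\s+(?P<rest>\S.*?))?\s*$"       # whatever the SRC-ADDRESS column carried
)
ARP_RE = re.compile(r"^(?P<sender>\S+): who has (?P<target>\S+)$")
LINK_CONTROL_PREFIX = "01:80:C2:00:00:"  # IEEE 802.1 reserved group MACs (STP BPDU, LLDP, ...)


@dataclass
class Frame:
    num: int
    inbound: bool            # "<-" = received on the sniffed port
    src: str
    dst: str
    vlan: Optional[int]      # None = untagged
    rest: str
    kind: str
    arp_target: Optional[str] = None


def classify(dst: str, rest: str) -> str:
    """Bucket a frame by what the sniffer's quick view tells us about it (assumed categories)."""
    if "who has" in rest:
        return "arp-request"
    if "bootpc" in rest:
        return "dhcp-client-broadcast"
    if dst.upper().startswith(LINK_CONTROL_PREFIX):
        return "link-control"
    if rest:
        return "ip-packet"   # an address was decoded, so an IP packet reached the port
    if dst.upper() == "FF:FF:FF:FF:FF:FF":
        return "broadcast"   # e.g. PPPoE discovery from the vlan6 client in the posted config
    return "unicast"


def parse(text: str) -> list:
    frames = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("INTERFACE"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue         # tolerate wrapped or truncated terminal lines
        rest = m.group("rest") or ""
        vlan = int(m.group("vlan")) if m.group("vlan") else None
        arp = ARP_RE.match(rest)
        frames.append(Frame(
            num=int(m.group("num")), inbound=m.group("dir") == "<-",
            src=m.group("src"), dst=m.group("dst"), vlan=vlan, rest=rest,
            kind=classify(m.group("dst"), rest),
            arp_target=arp.group("target") if arp else None,
        ))
    return frames


def summarize(frames: list) -> dict:
    return {
        "kinds": Counter(f.kind for f in frames),
        "arp_targets": sorted({f.arp_target for f in frames if f.arp_target}),
        "outbound_vlans": Counter(f.vlan for f in frames if not f.inbound and f.vlan is not None),
    }


def diagnose(frames: list, wan_ip: str) -> str:
    """The three-way reading from the thread: IP packets arrive, only ARP arrives, or nothing."""
    inbound = [f for f in frames if f.inbound]
    if any(f.kind == "ip-packet" for f in inbound):
        return "ip-arriving"
    arps = [f for f in inbound if f.kind == "arp-request" and f.arp_target == wan_ip]
    if arps:
        tags = sorted({f.vlan for f in arps if f.vlan is not None})
        tag = "vlan " + ",".join(map(str, tags)) if tags else "untagged"
        return f"arp-only ({tag})"   # upstream knows our WAN IP but is getting no ARP reply
    return "nothing-incoming"        # forwarding to the private WAN IP is not set up upstream


if __name__ == "__main__":
    fr = parse(SNIFFER_OUTPUT)
    print(summarize(fr))
    print(diagnose(fr, "741.258.963.159"))
```

On the posted capture this returns `arp-only (untagged)`: the upstream box asks for the MAC behind the WAN address on the untagged port, while the only tagged frames are the router's own VLAN 6 broadcasts and the VLAN 3 DHCP request, which is the observation behind the later advice to put the 217.x.x.x address on the uplink interface without a VLAN.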
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 4:46 pm

First of all, thank you all for your help.
Sadly I can't try your solutions until tomorrow (I have my own work as electrician and the company doesn't stop until 22:00). The only moment I can touch the network without being yelled at is at lunch break. Tomorrow I'll tell you, every idea is welcomed.
My guess would be that if you disconnect/unplug the Teldat router and connect straight away the ONT to port 1 of the Mikrotik (which is how I guess things were installed before), things will work:

* mikrotik will get the public IP address
* internet will work
* if you plug the switch to any of the remaining ports of the Mikrotik, all the network will work.

This is assuming that before the connection was as you reported, and that the Movistar person only changed a standard consumer fiber for an enterprise fiber, no extra config.
I did what you said: I connected the Mikrotik directly to the new ONT, but nothing changed. Probably the Teldat has some new configuration and Movistar disabled the ONT so I'm forced to use the Teldat.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 6:28 pm

INTERFACE       TIME  NUM DI     SRC-MAC            DST-MAC       VLAN SRC-ADDRESS
ether1-gateway  3.74   12 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00  
ether1-gateway  3.782  13 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  3.907  14 <- 94:24:E3:3H:2J:FE  00:54:ER:00:70:04      
ether1-gateway  4.053  15 <- 00:G0:24:D4:8R:3R  FF:FF:FF:FF:FF:FF      741.258.963.159: who has 741.258.963.159
ether1-gateway  4.824  16 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  5.74   17 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  5.905  18 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  6.741  19 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:0U
ether1-gateway  6.837  20 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  7.74   21 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  7.78   22 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  8.811  23 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  8.929  24 <- 00:G0:24:D4:8R:3R  FF:FF:FF:FF:FF:FF      741.258.963.159: who has 741.258.963.159
ether1-gateway  9.26   25 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  3   0.0.0.0:xx (bootpc)
ether1-gateway  9.74   26 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  9.773  27 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
741.258.963.159 is my WAN
You were quite aggressive with the obfuscation; can you double-check in the original data that in the "741.258.963.159: who has 741.258.963.159", both addresses are really the same? I would expect their last byte to differ, which would mean that it is the modem/router (the gateway) asking for the translation of the IP address of your WAN to its MAC address so that it could deliver the actual packet to it. Can you confirm?

Second, to speed things up, is that address the new public one or is it one of (10.x.x.x, 172.16-31.x.x, 192.168.x.x, 100.64-127.x.x)?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 6:47 pm

INTERFACE       TIME  NUM DI     SRC-MAC            DST-MAC       VLAN SRC-ADDRESS
ether1-gateway  3.74   12 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00  
ether1-gateway  3.782  13 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  3.907  14 <- 94:24:E3:3H:2J:FE  00:54:ER:00:70:04      
ether1-gateway  4.053  15 <- 00:G0:24:D4:8R:3R  FF:FF:FF:FF:FF:FF      741.258.963.159: who has 741.258.963.159
ether1-gateway  4.824  16 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  5.74   17 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  5.905  18 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  6.741  19 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:0U
ether1-gateway  6.837  20 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  7.74   21 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  7.78   22 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  8.811  23 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
ether1-gateway  8.929  24 <- 00:G0:24:D4:8R:3R  FF:FF:FF:FF:FF:FF      741.258.963.159: who has 741.258.963.159
ether1-gateway  9.26   25 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  3   0.0.0.0:xx (bootpc)
ether1-gateway  9.74   26 <- 94:24:E3:3H:2J:FE  01:80:C2:00:00:00
ether1-gateway  9.773  27 -> 7D:6T:Y6:GF:8W:1G  FF:FF:FF:FF:FF:FF  6
741.258.963.159 is my WAN
You were quite aggressive with the obfuscation; can you double-check in the original data that in the "741.258.963.159: who has 741.258.963.159", both addresses are really the same? I would expect their last byte to differ, which would mean that it is the modem/router (the gateway) asking for the translation of the IP address of your WAN to its MAC address so that it could deliver the actual packet to it. Can you confirm?

Second, to speed things up, is that address the new public one or is it one of (10.x.x.x, 172.16-31.x.x, 192.168.x.x, 100.64-127.x.x)?
Sorry for the aggressiveness. Yes, the last byte differs, my mistake.

The address begins with 217.x.x.x. The technician told me that I must change the MikroTik's WAN to that address so their firewall works. I think it's a GRE tunnel inside the Teldat.
 
nostromog
Member Candidate
Posts: 175
Joined: Wed Jul 18, 2018 3:39 pm

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 6:52 pm

I did what you said: I connected the Mikrotik directly to the new ONT, but nothing changed. Probably the Teldat has some new configuration and Movistar disabled the ONT so I'm forced to use the Teldat.
I doubt that you are forced to use the Movistar router, their fiber is quite standard throughout Spain. But without knowing the current configuration of your router it is difficult to know what is failing/missing. I expected that the Mikrotik had the right config to work without the router, but it doesn't look so.

Movistar uses VLANs for its configuration, so adding something like the following to a default config of the Mikrotik (removing ether1 from the WAN list and the dhcp-client on it is not even needed) should be close to enough to make it work without the Teldat router, with an ethernet cable from ether1 straight to the ONT ethernet port.
/interface vlan
add comment="VLAN PPPoE Movistar" interface=ether1 name=vlan6-movistar vlan-id=6
/interface pppoe-client
add add-default-route=yes comment="PPPoE Movistar" disabled=no interface=vlan6-movistar name=pppoe-out1 password=adslppp \
    use-peer-dns=yes user=adslppp@telefonicanetpa
/interface list member
add interface=pppoe-out1 list=WAN
**Note the passwords are the same for every customer**, they authenticate using the fiber circuit.

On the other hand, a default Mikrotik configuration should work "through" the Teldat router straight out of the box (any Teldat ethernet port to ether1).

If you have an export of the whole config it might be simpler to start with either a VLAN configuration that works without the Teldat router or a NATted dhcp-client configuration that works through the Teldat router, and then add the specifics of your mikrotik configuration on top of it (VPN, etc).
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 7:10 pm

Sorry for the aggressiveness. Yes, the last byte differs, my mistake.

The address begins with 217.x.x.x. The technician told me that I must change the MikroTik's WAN to that address so their firewall works. I think it's a GRE tunnel inside the Teldat.
We will learn that in the next round. To get there, you have to assign the 217.x.x.x address to the uplink interface of the Mikrotik directly*) (no VLAN, because no VLAN is indicated in the sniff output for the ARP packets), so that the Mikrotik would respond to the ARP and get some IP packet. And from there, we will see whether it is a GRE one or a direct UDP one, attempting to establish the VPN connection. But as it is a public IP, my guess is that it will be direct IP and you'll have the public IP directly on the Mikrotik itself, making some things easier.

I intentionally ignore the VoIP part for now.

What would make the whole process faster would be if you could use some other Mikrotik (a hAP lite for €20 would be sufficient) to allow debugging the new setup outside lunch time. A virtualized CHR for € 0,- would do as well but I guess it might be even further outside your scope.

*) before doing that, I'd strongly recommend to post the export of your configuration - even though Movistar mentions their firewall, I'd prefer to verify that there are decent firewall rules in your 'Tik.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 7:20 pm

Here is the config file. This is the configuration of the Mikrotik when we have connection with the old ONT. No changes made.

/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/interface vlan
add interface=ether1-gateway name=vlan3 vlan-id=3
add interface=ether1-gateway name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 \
    max-mru=1492 max-mtu=1492 name=pppoe-out1 password=adslppp \
    use-peer-dns=yes user=adslppp@telefonicanetpa
/ip pool
add name=dhcp ranges=192.168.10.101-192.168.10.199
add name=vpn ranges=192.168.3.10-192.168.3.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2-master-local name=dhcp1
/ppp profile
set 1 dns-server=192.168.3.250 local-address=192.168.3.250 remote-address=vpn
/interface pptp-server server
set authentication=mschap2 enabled=yes
/ip address
add address=192.168.10.1/24 interface=ether2-master-local
add address=192.168.100.10/24 interface=ether1-gateway
/ip dhcp-client
add add-default-route=no disabled=no interface=vlan3 use-peer-ntp=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input disabled=yes dst-port=23,80 in-interface=pppoe-out1 protocol=\
    tcp
add chain=input dst-port=8291 in-interface=pppoe-out1 protocol=tcp
add chain=input dst-port=1723 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    pppoe-out1
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=vlan3
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.125
add action=dst-nat chain=dstnat disabled=yes dst-port=21 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.125
/ip route
add distance=255 gateway=255.255.255.255
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether2-master-local type=internal
add interface=pppoe-out1 type=external
/routing rip interface
add interface=vlan3 passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8
/system clock
set time-zone-name=Europe/Madrid
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 7:42 pm

The configuration doesn't seem to fit to the description you gave before, especially because I can see no traces of this device itself acting as a VPN server. But that's for later.

Can you tell me the RouterOS version there? It seems to me it is way outdated (older than 6.41). Also the Winbox port open for access via WAN (so to anyone in the internet) along with a historical version of RouterOS makes me cry. The router may easily have been squatted in by some malware years ago.

But I mainly ask about the version as I'd like to suggest a script which would modify the firewall so that it would still work in the old configuration but at the same time with the new one depending on where it would be connected, but if the RouterOS is too old, it might not support some things. We may come back to the security issues later, but they need to be addressed.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
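The check sindy raises above (a management port accepted from the WAN side, and whether the input chain is actually closed on every WAN-facing interface), as an added example in Python that is neither the thread's nor MikroTik's code. It unwraps the backslash-continued lines of a RouterOS export, parses the `key=value` pairs, treats every interface that is masqueraded in `/ip firewall nat` or created by `/interface pppoe-client` as WAN-facing, and reports input-chain accepts of management ports from those interfaces plus WAN-facing interfaces without a catch-all drop. The EXPORT sample is an abridged copy of the export posted in this thread; the MGMT_PORTS and SERVICE_PORTS tables are my assumptions about which ports count as management and as expected services.

```python
import shlex
from typing import Dict, List, Set

# Constructed sample: the /interface pppoe-client and /ip firewall sections of the export
# posted in this thread, abridged to what the audit needs (real RouterOS export syntax).
EXPORT = r"""
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 \
    max-mru=1492 max-mtu=1492 name=pppoe-out1 password=adslppp \
    use-peer-dns=yes user=adslppp@telefonicanetpa
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input disabled=yes dst-port=23,80 in-interface=pppoe-out1 protocol=\
    tcp
add chain=input dst-port=8291 in-interface=pppoe-out1 protocol=tcp
add chain=input dst-port=1723 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
    pppoe-out1
add chain=forward comment="default configuration" connection-state=\
    established
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=vlan3
"""

# Assumed port tables: RouterOS management services vs. services one expects to be exposed.
MGMT_PORTS = {"21": "ftp", "22": "ssh", "23": "telnet", "80": "http", "443": "https",
              "8291": "winbox", "8728": "api", "8729": "api-ssl"}
SERVICE_PORTS = {"1723": "pptp"}


def unwrap(text: str) -> List[str]:
    """Join export continuation lines (trailing backslash, indented next line) into logical lines."""
    logical, pending = [], None
    for raw in text.splitlines():
        piece = raw.strip() if pending is not None else raw.rstrip()
        if piece.endswith("\\"):
            pending = (pending or "") + piece[:-1]
            continue
        line, pending = (pending or "") + piece, None
        if line.strip():
            logical.append(line)
    return logical


def parse_export(text: str) -> Dict[str, List[dict]]:
    """Map each '/section' to its add/set entries as dicts of key=value (quotes handled by shlex)."""
    sections, current = {}, None
    for line in unwrap(text):
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        if current is None or not tokens:
            continue
        entry = {"_cmd": tokens[0], "_raw": line}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def wan_interfaces(sections: Dict[str, List[dict]]) -> Set[str]:
    wan = {r["name"] for r in sections.get("/interface pppoe-client", []) if "name" in r}
    for r in sections.get("/ip firewall nat", []):
        if r.get("chain") == "srcnat" and r.get("action") == "masquerade" and "out-interface" in r:
            wan.add(r["out-interface"])
    return wan


def audit_input_chain(sections: Dict[str, List[dict]], wan: Set[str]) -> List[dict]:
    findings, drop_covered = [], set()
    for r in sections.get("/ip firewall filter", []):
        if r.get("chain") != "input" or r.get("disabled") == "yes":
            continue
        action, iface, ports = r.get("action", "accept"), r.get("in-interface"), r.get("dst-port", "")
        # A drop with no other matcher is the catch-all that closes the chain for that interface.
        if action == "drop" and not any(k in r for k in ("dst-port", "protocol", "src-address", "connection-state")):
            drop_covered |= wan if iface is None else ({iface} & wan)
            continue
        if action != "accept" or not ports or (iface is not None and iface not in wan):
            continue
        for port in ports.split(","):
            if port in MGMT_PORTS:
                findings.append(dict(issue="management-port-open", severity="high", port=int(port),
                                     service=MGMT_PORTS[port], interface=iface or "any", rule=r["_raw"]))
            elif port in SERVICE_PORTS:
                findings.append(dict(issue="service-exposed", severity="info", port=int(port),
                                     service=SERVICE_PORTS[port], interface=iface or "any", rule=r["_raw"]))
    for iface in sorted(wan - drop_covered):
        findings.append(dict(issue="no-final-drop", severity="high", port=None, service=None,
                             interface=iface, rule=None))
    return findings


if __name__ == "__main__":
    cfg = parse_export(EXPORT)
    for finding in audit_input_chain(cfg, wan_interfaces(cfg)):
        print(finding)
```

On the posted export the audit reports Winbox (8291) accepted from pppoe-out1 and PPTP (1723) as an exposed service, skips the disabled 23,80 rule, and lists ether1-gateway and vlan3 as WAN-facing interfaces with no catch-all drop, since the only drop in the input chain matches `in-interface=pppoe-out1`; that last point matters once the 217.x.x.x address goes onto ether1-gateway directly, as proposed earlier in the thread.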
 
msatter
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 8:04 pm

To me the old config is over a bridge.
add address=192.168.100.10/24 interface=ether1-gateway
Is that IP matching the new configuration?

Try 192.168.1.10 if it is free and also change the VLAN 6 to 20 and 3 to 21.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. 4011 Does PPPoE/IKEv2.
Running:
RouterOS 6.47 / Winbox 3.24 / MikroTik APP 1.3.12
NordVPN viewtopic.php?f=2&t=158439&p=781009 for multiple connections.
 
nostromog
Member Candidate
Posts: 175
Joined: Wed Jul 18, 2018 3:39 pm

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 8:12 pm

Here is the config file. This is the configuration of the Mikrotik when we have connection with the old ONT. No changes made.
This configuration contains the fragment I told you to connect to vlan6:
/interface vlan
add interface=ether1-gateway name=vlan3 vlan-id=3
add interface=ether1-gateway name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 \
    max-mru=1492 max-mtu=1492 name=pppoe-out1 password=adslppp \
    use-peer-dns=yes user=adslppp@telefonicanetpa
pppoe-out1 will get the public IPv4 from there.

It also has the vlan3 (VoIP) configuration and a pptp vpn definition.

Now, unless your Movistar connection is fairly strange, your router should work straight away without the teldat, connected ONT<->ether1, and offer internet in ether2...ether5.
 
msatter
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik + Movistar Fusión Empresas

Tue May 26, 2020 9:13 pm

@Nostromog look at my posting for the new situation. The router should be in bridge mode, or the device before it. The PPPoE + VLAN only have to find the gateway.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. 4011 Does PPPoE/IKEv2.
Running:
RouterOS 6.47 / Winbox 3.24 / MikroTik APP 1.3.12
NordVPN viewtopic.php?f=2&t=158439&p=781009 for multiple connections.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 10:13 am

The configuration doesn't seem to fit to the description you gave before, especially because I can see no traces of this device itself acting as a VPN server. But that's for later.

Can you tell me the RouterOS version there? It seems to me it is way outdated (older than 6.41). Also the Winbox port open for access via WAN (so to anyone in the internet) along with a historical version of RouterOS makes me cry. The router may easily have been squatted in by some malware years ago.

But I mainly ask about the version as I'd like to suggest a script which would modify the firewall so that it would still work in the old configuration but at the same time with the new one depending on where it would be connected, but if the RouterOS is too old, it might not support some things. We may come back to the security issues later, but they need to be addressed.
The RouterOS version is v6.45.8.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 10:45 am

The RouterOS version is v6.45.8.
6.45.8 would not be that bad, but the export you've posted doesn't match 6.45.8, because in 6.45.8, there is no master-port property of /interface ethernet any more. So maybe it is an export from the past (possibly saved on the device itself)? Would you mind doing /export hide-sensitive file=export-from-today, downloading that one and posting it?

As for the advice you're getting here from several people, as you can see each of us follows a different assumption regarding the configuration on the new connectivity. So I would try @nostromog's one first, as it means the least effort to spend, just connect the 'Tik's ether1 to a different box. I am, however, afraid that the PPPoE client attached to VLAN 6 won't get the same IP address you've been told to use by Movistar even if there is a PPPoE server listening in VLAN 6, because the new Movistar gear uses the whole subnet around your 217.x.x.x as seen from the ARP request, and that would not be the case if the 217.x.x.x address was assigned via PPPoE. So if they do use PPPoE internally, they most likely use it as an interconnect link and route the 217.x.x.y/m subnet they use at their LAN side (where you connect the Mikrotik) via the PPPoE tunnel. But if it is the teldat which actively tells the upstream router that the public subnet is accessible through it, it would be possible to do the same on the 'Tik.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 10:54 am

To me the old config is over a bridge.
add address=192.168.100.10/24 interface=ether1-gateway
Is that IP matching the new configuration?

Try 192.168.1.10 if it is free and also change the VLAN 6 to 20 and 3 to21.
No, that IP is the MikroTik's WAN and I must change it to 217.X.X.X in the new configuration.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 11:21 am

The RouterOS version is v6.45.8.
6.45.8 would not be that bad, but the export you've posted doesn't match 6.45.8, because in 6.45.8, there is no master-port property of /interface ethernet any more. So maybe it is an export from the past (possibly saved on the device itself)? Would you mind doing /export hide-sensitive file=export-from-today, downloading that one and posting it?

As for the advice you're getting here from several people, as you can see each of us follows a different assumption regarding the configuration on the new connectivity. So I would try @nostromog's one first, as it means the least effort to spend, just connect the 'Tik's ether1 to a different box. I am, however, afraid that the PPPoE client attached to VLAN 6 won't get the same IP address you've been told to use by Movistar even if there is a PPPoE server listening in VLAN 6, because the new Movistar gear uses the whole subnet around your 217.x.x.x as seen from the ARP request, and that would not be the case if the 217.x.x.x address was assigned via PPPoE. So if they do use PPPoE internally, they most likely use it as an interconnect link and route the 217.x.x.y/m subnet they use at their LAN side (where you connect the Mikrotik) via the PPPoE tunnel. But if it is the teldat which actively tells the upstream router that the public subnet is accessible through it, it would be possible to do the same on the 'Tik.
Here is the configuration exported from your command. Sorry for my mistake.
# may/27/2020 10:16:16 by RouterOS 6.45.8
# software id = 49EJ-U4T5
#
# model = 750GL
# serial number = 467A0460B26D
/interface bridge
add admin-mac=4C:5E:0C:E1:9B:EE arp=proxy-arp auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-master-local \
    speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
/interface vlan
add interface=ether1-gateway name=vlan3 vlan-id=3
add interface=ether1-gateway name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,chap default-route-distance=0 disabled=no \
    interface=vlan6 keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=\
    pppoe-out1 use-peer-dns=yes user=adslppp@telefonicanetpa
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 name=profile_1
add dh-group=modp1024 name=profile_2
add dh-group=modp1024 name=profile_3
add dh-group=modp1024 enc-algorithm=3des name=profile_4
/ip ipsec peer
# This entry is unreachable
add name=peer4 passive=yes profile=profile_4
# This entry is unreachable
add name=peer3 passive=yes profile=profile_3
# This entry is unreachable
add name=peer2 passive=yes profile=profile_2
# This entry is unreachable
add name=peer1 passive=yes profile=profile_1
/ip pool
add name=dhcp ranges=192.168.10.121-192.168.10.200
add name=vpn ranges=192.168.10.214-192.168.10.234
add name=l2tp-pool ranges=192.168.10.220-192.168.10.225
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.10.1 name=\
    l2tp remote-address=l2tp-pool use-encryption=yes
add local-address=192.168.10.1 name=openvpn remote-address=l2tp-pool
add dns-server=8.8.8.8 local-address=192.168.10.1 name=vpn remote-address=vpn \
    use-encryption=yes wins-server=8.8.4.4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=1
/interface bridge port
add bridge=bridge1 interface=ether3-slave-local
add bridge=bridge1 interface=ether4-slave-local
add bridge=bridge1 interface=ether5-slave-local
add bridge=bridge1 interface=ether2-master-local
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes max-mru=1460 \
    max-mtu=1460 mrru=1600 use-ipsec=yes
/interface ovpn-server server
set certificate=mikrotik cipher=blowfish128,aes128,aes192,aes256 \
    require-client-certificate=yes
/interface pptp-server server
set enabled=yes keepalive-timeout=180 max-mru=1500 max-mtu=1500
/ip address
add address=192.168.10.1/24 interface=bridge1 network=192.168.10.0
add address=192.168.100.10/24 interface=ether1-gateway network=192.168.100.0
/ip arp
add address=192.168.10.40 interface=bridge1 mac-address=D8:CB:8A:9C:19:06
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.10.172 always-broadcast=yes mac-address=BC:83:85:D4:CF:EC \
    server=dhcp1
add address=192.168.10.6 mac-address=68:FF:7B:44:C0:E8
add address=192.168.10.5 mac-address=68:FF:7B:44:BE:D8
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.205 gateway=192.168.10.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.10.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established
add action=accept chain=input comment="default configuration" \
    connection-state=related
add action=accept chain=input disabled=yes dst-port=23,80 in-interface=\
    pppoe-out1 protocol=tcp
add action=accept chain=input disabled=yes dst-port=8291 in-interface=\
    pppoe-out1 protocol=tcp
add action=accept chain=input dst-port=1723 in-interface=pppoe-out1 protocol=\
    tcp
add action=accept chain=forward comment="default configuration" \
    connection-state=related
add action=accept chain=input dst-port=1701 in-interface=pppoe-out1 protocol=\
    udp
add action=accept chain=input dst-port=500 in-interface=pppoe-out1 protocol=\
    udp
add action=accept chain=input in-interface=pppoe-out1 protocol=ipsec-ah
add action=accept chain=input dst-port=4500 in-interface=pppoe-out1 protocol=\
    udp
add action=accept chain=input in-interface=pppoe-out1 protocol=ipsec-esp
add action=accept chain=input in-interface=pppoe-out1 protocol=gre
add action=accept chain=input disabled=yes dst-port=1194 protocol=tcp
add action=accept chain=input disabled=yes protocol=udp src-port=1194
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=input disabled=yes protocol=tcp src-port=50000-65000
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=pppoe-out1 log-prefix=rechazadas
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid disabled=yes log-prefix=forw
add action=drop chain=forward disabled=yes src-address=192.168.10.21
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3 \
    passthrough=yes
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    pppoe-out1 passthrough=yes
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3 \
    passthrough=yes
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    pppoe-out1 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=vlan3
add action=dst-nat chain=dstnat comment="Mapeo Servidor - 443" dst-port=443 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243
add action=dst-nat chain=dstnat comment="CERT SAIT" disabled=yes dst-port=443 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.215
add action=dst-nat chain=dstnat comment="Mapeo Servidor O- 443" disabled=yes \
    dst-port=443 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.214
add action=dst-nat chain=dstnat comment="Mapeo Servidor O- 445" dst-port=445 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.216 \
    to-ports=445
add action=dst-nat chain=dstnat comment="Mapeo Servidor Nextcloud - 443" \
    disabled=yes dst-port=443 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.10.213
add action=dst-nat chain=dstnat comment="R renovacion CERT  Office" disabled=\
    yes dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.216
add action=dst-nat chain=dstnat comment="Mapeo Servidor Nextcloud - 443" \
    disabled=yes dst-port=443 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.10.216
add action=dst-nat chain=dstnat comment="Mapeo Servidor Nextcloud - 9980" \
    disabled=yes dst-port=9980 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.10.131
add action=dst-nat chain=dstnat comment="Puerto SMTP SSL" dst-port=465 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=465
add action=dst-nat chain=dstnat comment="Puerto SMTP" dst-port=25 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=25
add action=dst-nat chain=dstnat comment="Puerto SSH" dst-port=22 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.213 \
    to-ports=22
add action=dst-nat chain=dstnat comment="Puerto SSH" dst-port=81 \
    in-interface=pppoe-out1 protocol=tcp src-port="" to-addresses=\
    192.168.10.212 to-ports=80
add action=dst-nat chain=dstnat comment="Redireccion Owncloud" dst-port=444 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.213 \
    to-ports=443
add action=dst-nat chain=dstnat comment=\
    "Network News Transfer Protocol (NNTP)" dst-port=119 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.243 to-ports=119
add action=dst-nat chain=dstnat comment="Mail Transfer Agent (MTA)" dst-port=\
    102 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=102
add action=dst-nat chain=dstnat comment="Domain Name System (DNS)" dst-port=\
    53 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=53
add action=dst-nat chain=dstnat comment="Remote Procedure Protocol (RPC)" \
    dst-port=135 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.243 to-ports=135
add action=dst-nat chain=dstnat comment="SSL secured NNTP" dst-port=563 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=563
add action=dst-nat chain=dstnat comment=\
    "LDAP communications with an Active Directory Global Catalog Server" \
    dst-port=3268 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.243 to-ports=3268
add action=dst-nat chain=dstnat comment=WEBMAIL dst-port=80 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.243 to-ports=443
add action=dst-nat chain=dstnat comment="CERT ITSA" disabled=yes dst-port=80 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.215 \
    to-ports=80
add action=dst-nat chain=dstnat comment=WEBMAIL disabled=yes dst-port=4422 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.213 \
    to-ports=4422
add action=dst-nat chain=dstnat disabled=yes dst-port=4423 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.216 to-ports=4423
add action=dst-nat chain=dstnat disabled=yes dst-port=4424 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.214 to-ports=4424
add action=dst-nat chain=dstnat dst-port=37777 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.49 to-ports=37777
add action=dst-nat chain=dstnat comment="WEBMAIL 2" disabled=yes dst-port=\
    8080 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.200 \
    to-ports=8080
add action=dst-nat chain=dstnat comment="Puerto STARTTLS" dst-port=587 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=587
add action=dst-nat chain=dstnat comment="Puerto IMAP SSL" dst-port=993 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=993
add action=dst-nat chain=dstnat comment="Puerto POP SSL" dst-port=995 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=995
add action=dst-nat chain=dstnat comment="Puerto IMAP" dst-port=143 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=143
add action=dst-nat chain=dstnat comment="Puerto POP" dst-port=110 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=110
add action=dst-nat chain=dstnat comment="Mapeo Servidor .200- WAN1" disabled=\
    yes dst-port=3395 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.200 to-ports=3395
add action=dst-nat chain=dstnat disabled=yes dst-port=3398 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.205 to-ports=3398
add action=dst-nat chain=dstnat dst-port=56994 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.49 to-ports=3399
add action=dst-nat chain=dstnat dst-port=56856 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.52 to-ports=3340
add action=dst-nat chain=dstnat dst-port=56022 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.216 to-ports=56022
add action=dst-nat chain=dstnat disabled=yes dst-port=3397 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.209 to-ports=3397
add action=dst-nat chain=dstnat comment="Mapeo Servidor EX- WAN1" disabled=\
    yes dst-port=4443 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.243 to-ports=4443
add action=dst-nat chain=dstnat comment="Mapeo Servidor EX- WAN1" dst-port=\
    3010 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.101 \
    to-ports=3010
add action=dst-nat chain=dstnat comment="Mapeo Servidor EX- WAN1" dst-port=\
    3011 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.101 \
    to-ports=3011
add action=dst-nat chain=dstnat comment="Mapeo Servidor EX- WAN1" dst-port=\
    3010 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.10.101 \
    to-ports=3010
add action=dst-nat chain=dstnat comment="Mapeo Servidor EX- WAN1" dst-port=\
    3011 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.10.101 \
    to-ports=3011
add action=dst-nat chain=dstnat comment="Mapeo Servidor AD" disabled=yes \
    dst-port=3394 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.245 to-ports=3394
add action=dst-nat chain=dstnat dst-port=6767 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.20 to-ports=6767
add action=dst-nat chain=dstnat dst-port=20 in-interface=pppoe-out1 protocol=\
    tcp to-addresses=192.168.10.20 to-ports=20
add action=dst-nat chain=dstnat dst-port=8090 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.150 to-ports=8090
add action=dst-nat chain=dstnat dst-port=8090 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.150 to-ports=8090
add action=dst-nat chain=dstnat dst-port=3080 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.150 to-ports=3080
add action=dst-nat chain=dstnat dst-port=3080 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.150 to-ports=3080
add action=dst-nat chain=dstnat dst-port=7000 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.150 to-ports=7000
add action=dst-nat chain=dstnat dst-port=7000 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.150 to-ports=7000
add action=dst-nat chain=dstnat dst-port=8000 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.150 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8000 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.150 to-ports=8000
add action=dst-nat chain=dstnat dst-port=9000 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.150 to-ports=9000
add action=dst-nat chain=dstnat dst-port=9000 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.150 to-ports=9000
add action=dst-nat chain=dstnat dst-port=10510 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.150 to-ports=10510
add action=dst-nat chain=dstnat dst-port=10510 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.150 to-ports=10510
add action=dst-nat chain=dstnat dst-port=8091 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.151 to-ports=8091
add action=dst-nat chain=dstnat dst-port=8091 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.151 to-ports=8091
add action=dst-nat chain=dstnat dst-port=3081 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.151 to-ports=3081
add action=dst-nat chain=dstnat dst-port=3081 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.151 to-ports=3081
add action=dst-nat chain=dstnat disabled=yes dst-port=7001 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.151 to-ports=7001
add action=dst-nat chain=dstnat disabled=yes dst-port=7001 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.10.151 to-ports=7001
add action=dst-nat chain=dstnat disabled=yes dst-port=8001 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.151 to-ports=8001
add action=dst-nat chain=dstnat disabled=yes dst-port=8001 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.10.151 to-ports=8001
add action=dst-nat chain=dstnat dst-port=9001 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.151 to-ports=9001
add action=dst-nat chain=dstnat dst-port=9001 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.151 to-ports=9001
add action=dst-nat chain=dstnat dst-port=10520 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.151 to-ports=10520
add action=dst-nat chain=dstnat dst-port=10520 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.151 to-ports=10520
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.19 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.10.19 to-ports=3389
add action=dst-nat chain=dstnat dst-port=44444-44445 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.19 to-ports=44444-44445
add action=dst-nat chain=dstnat dst-port=56529 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.21 to-ports=3393
add action=dst-nat chain=dstnat disabled=yes dst-port=3396 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.46 to-ports=3396
add action=dst-nat chain=dstnat comment="admin remota 2" disabled=yes \
    dst-port=8291 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.1 to-ports=8291
add action=dst-nat chain=dstnat disabled=yes in-interface=pppoe-out1 \
    protocol=ipsec-ah to-addresses=192.168.10.1
add action=dst-nat chain=dstnat disabled=yes in-interface=pppoe-out1 \
    protocol=ipsec-esp to-addresses=192.168.10.1
add action=dst-nat chain=dstnat disabled=yes dst-port=500 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.10.1 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-port=1701 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.10.1 to-ports=1701
add action=dst-nat chain=dstnat dst-port=4233 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.221 to-ports=22
add action=dst-nat chain=dstnat disabled=yes in-interface=pppoe-out1 \
    protocol=gre to-addresses=192.168.10.1
add action=dst-nat chain=dstnat dst-port=1723 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.1 to-ports=1723
add action=dst-nat chain=dstnat dst-port=44444-44445 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.19 to-ports=44444-44445
add action=dst-nat chain=dstnat dst-port=3333-3334 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.10.33 to-ports=3333-3334
add action=dst-nat chain=dstnat disabled=yes dst-port=3390 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.33 to-ports=3390
add action=dst-nat chain=dstnat comment="WEB RENOVAR CERT NUBE" disabled=yes \
    dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.213 to-ports=80
add action=dst-nat chain=dstnat comment="WEB RENOVAR CERT SERVICIO" disabled=\
    yes dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.219 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=3390 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.10.33 to-ports=3390
add action=dst-nat chain=dstnat comment="MAPEO SERVIDOR 3 VODAFONE" disabled=\
    yes dst-port=5900-5909 in-interface=ether1-gateway protocol=tcp \
    to-addresses=192.168.1.131 to-ports=5900-5909
add action=dst-nat chain=dstnat disabled=yes dst-port=47 in-interface=\
    ether1-gateway protocol=udp to-addresses=192.168.1.20 to-ports=47
add action=dst-nat chain=dstnat dst-port=8060-8070 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.201 to-ports=8060-8070
add action=dst-nat chain=dstnat dst-port=1234 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.120 to-ports=1234
add action=dst-nat chain=dstnat disabled=yes in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.100 to-ports=10000-10020
add action=dst-nat chain=dstnat comment="SSL secured SMTP" dst-port=26 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.243 \
    to-ports=26
add action=dst-nat chain=dstnat disabled=yes protocol=tcp src-port=1194 \
    to-addresses=192.168.10.1
add action=dst-nat chain=dstnat dst-port=56443 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.10.216 to-ports=56443
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add peer=peer1
# Suggestion to use stronger pre-shared key or different authentication method
add peer=peer2
# Suggestion to use stronger pre-shared key or different authentication method
add peer=peer3
add generate-policy=port-override peer=peer4 remote-id=ignore
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set enabled=yes
/ip proxy access
add action=deny
/ip route
add distance=255 gateway=255.255.255.255
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes port=44606
set api-ssl disabled=yes
/ip socks
set enabled=yes port=34605
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=victorl2 profile=l2tp service=l2tp
add name=informatica profile=l2tp service=l2tp
add name=d.garcia profile=l2tp service=l2tp
/routing rip interface
add interface=vlan3 passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8
/system clock
set time-zone-name=Europe/Madrid
/system logging
add topics=l2tp
add disabled=yes topics=ovpn
/system ntp client
set enabled=yes primary-ntp=213.251.52.234 secondary-ntp=46.165.221.137
/system package update
set channel=long-term
/system scheduler
add interval=1d name=Reinicio on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/05/2019 start-time=05:30:00
 
 
msatter
Forum Guru
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 12:03 pm

To me the old config is over a bridge.
add address=192.168.100.10/24 interface=ether1-gateway
Is that IP matching the new configuration?

Try 192.168.1.10 if it is free and also change the VLAN 6 to 20 and 3 to21.
No, that IP is the MikroTik's WAN and I must change it to 217.X.X.X in the new configuration.
No, it is the track on which the PPPoE train rides.

The PPPoE will give a public 217.x.x.x address and not the ethernet port.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. 4011 Does PPPoE/IKEv2.
Running:
RouterOS 6.47 / Winbox 3.24 / MikroTik APP 1.3.12
NordVPN viewtopic.php?f=2&t=158439&p=781009 for multiple connections.
 
sindy
Forum Guru
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 12:38 pm

Hm, that's quite a difference :)

Now the first thing is a backup of the current configuration:

/system backup save name=before-changes-20200527 (maybe you need the name to be flash/before-changes-20200527 to survive a reboot, I don't know whether it is the case on the 750GL model). But download the file to your PC before proceeding anyway.
If you need to return to the old configuration, use /system backup load name=before-changes-20200527.

Now, what I want to do is to modify the firewall to work with both the old and the new setup of WAN; to do that, I add an interface list named WAN, and add both pppoe-out1 and ether1-gateway to it, and then replace (in|out)-interface=pppoe-out1 by (in|out)-interface-list=WAN in all firewall rules which refer to the former. This modification can be done during operation on the old connectivity, it doesn't break anything. Only one WAN will be active at a time, depending on to which Movistar gear the Mikrotik will be connected.

/interface list add name=WAN
/interface list member add list=WAN interface=pppoe-out1
/interface list member add list=WAN interface=ether1-gateway


Now the replacement commands:
/ip firewall filter set [find in-interface~"pppoe-out1"] in-interface-list=WAN
/ip firewall filter unset [find in-interface-list~"WAN"] in-interface

/ip firewall nat set [find in-interface~"pppoe-out1"] in-interface-list=WAN
/ip firewall nat unset [find in-interface-list~"WAN"] in-interface
/ip firewall nat set [find out-interface~"pppoe-out1"] out-interface-list=WAN
/ip firewall nat unset [find out-interface-list~"WAN"] out-interface

/ip firewall mangle set [find out-interface~"pppoe-out1"] out-interface-list=WAN
/ip firewall mangle unset [find out-interface-list~"WAN"] out-interface


Now you have to set up the IP configuration - they should have given you the address (here, I use 217.x.x.2), gateway (I use 217.x.x.1) and netmask (supposedly /30, but you may have actually got a different one):

/ip address add address=217.x.x.2/30 interface=ether1-gateway
/ip route add gateway=217.x.x.1 distance=3


Again, you can do this setup while the 'Tik is still connected to the old Movistar gear; it will only start actually using it once you connect ether1 to the new gear, and if you connect it back to the old one, it will use the pppoe-out1 again.

VoIP may not work!!! In the old setup, they divert all the VoIP traffic to another VLAN, by sending you specific routes towards the VoIP exchange using a dynamic routing protocol, to be able to give the VoIP packets priority on the link; here, I suppose they do the same in their router internally, but it may not be the case.

The current firewall rules (already before my modification) do not protect the router itself because the last "drop all the rest" one in chain=input is disabled.

So I strongly recommend to export (not backup save) the configuration once you know it works, save the export on the PC, netinstall the router (which rewrites the flash completely, including any malware eventually present), import the configuration back, add necessary firewall rules (by just enabling the disabled one mentioned above, you would lock yourself out from the management of the router), and only then connect the router back to internet. If certificates are in use, a specific procedure is necessary to export them before the netinstall, and the import of the configuration also requires special measures. So I'll provide a separate instruction once we get there.
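The post above describes the migration as a sequence of `set`/`unset` commands typed on the router, plus the observation that the input chain has no enabled catch-all drop. The following is an added example, not code from the thread or from MikroTik: a small Python parser for the `/export` format (trailing-backslash line continuations, `/section` headers, `key=value` tokens with quoted values) that performs the same rewrite offline on a copy of the export, so the result can be reviewed before anything is run on the device, and that checks the input-chain point. The sample export is a constructed, trimmed subset of the one posted earlier in the thread; the interface name `pppoe-out1` and the list name `WAN` are taken from the post, everything else (function names, the rendering of the rewritten rules as one-line commands) is this example's own choice.

```python
"""Apply the WAN interface-list migration to a RouterOS export, offline."""
import re

# Constructed sample: a trimmed subset of the export posted in this thread,
# kept in the exact line-continuation and section layout `/export` produces.
SAMPLE_EXPORT = r"""
# may/27/2020 10:16:16 by RouterOS 6.45.8
/interface list
add name=WAN
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input dst-port=1723 in-interface=pppoe-out1 protocol=\
    tcp
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=pppoe-out1 log-prefix=rechazadas
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="Puerto SSH" dst-port=22 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.213 \
    to-ports=22
"""

# One token is a run of bare characters, "quoted strings" or [ bracket groups ].
TOKEN_RE = re.compile(r'(?:[^\s"\[\]]|"(?:[^"\\]|\\.)*"|\[[^\]]*\])+')
FIREWALL_SECTIONS = {"/ip firewall filter", "/ip firewall nat", "/ip firewall mangle"}
# Matchers that narrow a rule to specific traffic; an input drop carrying none
# of these (an interface matcher alone is fine) is a catch-all "drop the rest".
NARROWING = {"src-address", "dst-address", "src-address-list", "dst-address-list",
             "protocol", "src-port", "dst-port", "connection-state"}


def join_continuations(text):
    """Rejoin lines that `/export` wrapped with a trailing backslash."""
    logical, buf = [], ""
    for raw in text.splitlines():
        if buf:                      # continuation line: drop its indentation
            raw = raw.lstrip()
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        logical.append(buf + raw)
        buf = ""
    return logical


def parse_export(text):
    """Return every add/set command as {'section', 'verb', 'selector', 'params'}."""
    section, rules = None, []
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = TOKEN_RE.findall(line)
        params, selector = {}, []
        for tok in tokens[1:]:
            if "=" in tok and not tok.startswith("["):
                key, val = tok.split("=", 1)
                params[key] = val      # value keeps its quotes for re-rendering
            else:
                selector.append(tok)   # e.g. '[ find default=yes ]' or '0'
        rules.append({"section": section, "verb": tokens[0],
                      "selector": selector, "params": params})
    return rules


def render(rule):
    """Render a parsed rule back into a single RouterOS command line."""
    parts = [rule["verb"], *rule["selector"]]
    parts += [f"{k}={v}" for k, v in rule["params"].items()]
    return " ".join(parts)


def migrate_to_interface_list(rules, old_iface="pppoe-out1", list_name="WAN"):
    """Swap in/out-interface=<old_iface> for in/out-interface-list=<list_name>
    in firewall rules, in place, and return the rules that changed."""
    changed = []
    for rule in rules:
        if rule["section"] not in FIREWALL_SECTIONS:
            continue
        new_params, hit = {}, False
        for key, val in rule["params"].items():
            if key in ("in-interface", "out-interface") and val == old_iface:
                new_params[key + "-list"] = list_name   # same position in the rule
                hit = True
            else:
                new_params[key] = val
        if hit:
            rule["params"] = new_params
            changed.append(rule)
    return changed


def audit_input_chain(rules):
    """Say whether chain=input is closed by an enabled catch-all drop/reject."""
    catchall = [r for r in rules
                if r["section"] == "/ip firewall filter"
                and r["params"].get("chain") == "input"
                and r["params"].get("action") in ("drop", "reject")
                and NARROWING.isdisjoint(r["params"])]
    if not catchall:
        return ["no catch-all drop/reject rule in chain=input"]
    if all(r["params"].get("disabled") == "yes" for r in catchall):
        return ["catch-all drop in chain=input exists but is disabled"]
    return []


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    for rule in migrate_to_interface_list(rules):
        print(rule["section"], render(rule))
    for finding in audit_input_chain(rules):
        print("finding:", finding)
```

Running it on a full export downloaded from the router (replace `SAMPLE_EXPORT` with the file contents) lists exactly the rules the `set`/`unset` sequence in the post would touch, already in their rewritten form, which is what to diff against the live rule list afterwards. The interface list itself and its two members still have to be created on the router as described; the script only rewrites references to it. The audit deliberately accepts an `in-interface` matcher on the catch-all, because a "drop the rest from WAN" rule is what the post recommends enabling, and it reports the disabled state separately from a missing rule so the two cases are not confused.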
 
msatter
Forum Guru
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 12:48 pm

I give up. The solution is so simple but no one wants to see it.
 
sindy
Forum Guru
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 1:05 pm

I give up. The solution is so simple but no one wants to see it.
Is it really? @Drageir has stated in his first post that he's tried exactly that, using vlan 20 instead of 6 and 21 instead of 3. If you are sure that no other option exists at Movistar than these two (data 6 / voip 3 and data 20 / voip 21), maybe he's mixed up the two VLANs (20<->21) or didn't connect the Mikrotik directly to the ONT, but I've obtained a feeling that he's tried this first.

As I've written above, what bothers me are the ARP requests asking for the public IP coming from the teldat device - I cannot see how this could be done if the same public IP was assigned using PPPoE.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 2:03 pm

I give up. The solution is so simple but no one wants to see it.
I changed VLAN 6 and 3 to VLAN 20 and 21, even switching between them in case I got them wrong. It didn't work in any case.
 
msatter
Forum Guru
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 2:28 pm

And which subnet are you using? Old 192.168.100.x and new 192.168.1.x, so you are on the wrong track in the new config when using 192.168.100.10/24.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 3:01 pm

And which subnet are you using. Old 192.168.100.x and new 192.168.1.x so you are on the wrong track in the new config when using 192.168.100.10/24
Old: WAN=192.168.100.x; subnet=192.168.10.x
New: WAN=217.124.116.x; subnet=192.168.10.x
 
msatter
Forum Guru
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 4:31 pm

When I plug in a laptop directly to the Movistar' Switch I get the address 192.168.1.X, so it must be in router mode.
Your subnet is then 192.168.1.0/24 and your Mikrotik has to use the same subnet to communicate with the Movistar "switch". When you changed to the new settings, the DHCP on the Movistar also changed and gives out a different subnet.

From you config:
/ip address
add address=192.168.10.1/24 interface=ether2-master-local
add address=192.168.100.10/24 interface=ether1-gateway
192.168.100.10/24 can't see 192.168.1.x/24 because it is a different subnet.

The public IP obtained by the PPPoE is going to be routed so no subnet needed there.
 
sindy
Forum Guru
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 4:41 pm

@msatter, 192.168.1.x and 192.168.10.x are different subnets, so no conflict there, you may have WAN address in 192.168.1.0/24 and LAN address in 192.168.10.0/24 and route between them. But the point is that in parallel to handing out addresses in 192.168.1.x dynamically, the Movistar gear seems to run a public subnet on the same LAN, and @Drageir needs to have the public address from that subnet up on the Mikrotik, so that all the port forwardings to internal services would keep working as before, except that the public IP itself changes.

It may be possible to exclude the Teldat from the chain later on, after making it work the way they intend, by sniffing the traffic between the ONU and the Teldat, to see what's actually running through there and how to replicate the Teldat behaviour on the Mikrotik itself. But right now I am afraid that my suggestion on how to configure the Mikrotik to be connected to the Movistar switch is the only way forward.
 
msatter
Forum Guru
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 5:03 pm

Nostromog put in, and the VLAN seems already to be removed by the Teldat, so the Internet + VoIP is terminated there. All behind that is then local. I only see this now, and so a PPPoE on your Mikrotik is futile unless the Teldat is bridged. I don't even know what the Teldat is, but it could be something like a Fritz 5490/5491.
If you now have new hardware interconnections, the Teldat removes the VLAN tags, gets the IP and does NAT. The configuration for the Mikrotik has to be different unless you remove Teldat+Switch Movistar.
First we have to check whether there is an active Internet connection if a notebook is connected directly to the Movistar switch.
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 5:06 pm

Hm, that's quite a difference :)

Now the first thing is a backup of the current configuration:

/system backup save name=before-changes-20200527 (maybe you need the name to be flash/before-changes-20200527 to survive a reboot, I don't know whether it is the case on the 750GL model). But download the file to your PC before proceeding anyway.
If you need to return to the old configuration, use /system backup load name=before-changes-20200527.

Now, what I want to do is to modify the firewall to work with both the old and the new setup of WAN; to do that, I add an interface list named WAN, and add both pppoe-out1 and ether1-gateway to it, and then replace (in|out)-interface=pppoe-out1 by (in|out)-interface-list=WAN in all firewall rules which refer to the former. This modification can be done during operation on the old connectivity, it doesn't break anything. Only one WAN will be active at a time, depending on to which Movistar gear the Mikrotik will be connected.

/interface list add name=WAN
/interface list member add list=WAN interface=pppoe-out1
/interface list member add list=WAN interface=ether1-gateway


Now the replacement commands:
/ip firewall filter set [find in-interface~"pppoe-out1"] in-interface-list=WAN
/ip firewall filter unset [find in-interface-list~"WAN"] in-interface

/ip firewall nat set [find in-interface~"pppoe-out1"] in-interface-list=WAN
/ip firewall nat unset [find in-interface-list~"WAN"] in-interface
/ip firewall nat set [find out-interface~"pppoe-out1"] out-interface-list=WAN
/ip firewall nat unset [find out-interface-list~"WAN"] out-interface

/ip firewall mangle set [find out-interface~"pppoe-out1"] out-interface-list=WAN
/ip firewall mangle unset [find out-interface-list~"WAN"] out-interface


Now you have to set up the IP configuration - they should have given you the address (here, I use 217.x.x.2), gateway (I use 217.x.x.1) and netmask (supposedly /30, but you may have actually got a different one):

/ip address add address=217.x.x.2/30 interface=ether1-gateway
/ip route add gateway=217.x.x.1 distance=3


Again, you can do this setup while the 'Tik is still connected to the old Movistar gear; it will only start actually using it once you connect ether1 to the new gear, and if you connect it back to the old one, it will use the pppoe-out1 again.

VoIP may not work!!! In the old setup, they divert all the VoIP traffic to another VLAN, by sending you specific routes towards the VoIP exchange using a dynamic routing protocol, to be able to give the VoIP packets priority on the link; here, I suppose they do the same in their router internally, but it may not be the case.

The current firewall rules (already before my modification) do not protect the router itself because the last "drop all the rest" one in chain=input is disabled.

So I strongly recommend exporting (not backup save) the configuration once you know it works, saving the export on the PC, netinstalling the router (which rewrites the flash completely, including any malware eventually present), importing the configuration back, adding the necessary firewall rules (by just enabling the disabled one mentioned above, you would lock yourself out from the management of the router), and only then connecting the router back to the internet. If certificates are in use, a specific procedure is necessary to export them before the netinstall, and the import of the configuration also requires special measures. So I'll provide a separate instruction once we get there.

This worked wonderfully!!! Right now I'm connected as it follows: ONT(new) --- Teldat --- Mikrotik, and it works.
 
msatter
Forum Guru
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 5:32 pm

Pleased to see how it works, and I see that routing is used to project the public IP on the port of the Mikrotik. The Movistar 'switch' is removed, so that one is out of the picture.

This is used where you can't put the router in bridge mode. Going to test it for myself, and I can use it in those situations where you can't or do not like to put the router in bridge mode.
 
sindy
Forum Guru
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik + Movistar Fusión Empresas

Wed May 27, 2020 8:26 pm

This worked wonderfully!!! Right now I'm connected as it follows: ONT(new) --- Teldat --- Mikrotik, and it works.
Great. Now as mentioned earlier, to get rid of the Teldat (not just for the fun of it, but to have yet another potential point of failure less), you would have to sniff the traffic between the Teldat and the Mikrotik and find out what VLANs are actually used, how the IP addresses for the data WAN and the VoIP WAN are assigned to the Teldat, and how the routes for VoIP are propagated. An interesting task but for several hours for someone who knows what to look for.

So let's address the security first - the Mikrotik has spent some time exposed to direct http access from anywhere in the internet due to the disabled firewall rule, so even if there is a firewall in the Teldat (I doubt so, as your port forwarding works and you didn't need to ask Movistar to provision it on the Teldat), the chance that the Mikrotik has already been infected is too high.

I can see from your configuration that you use WebFig (using plain http, not https) to configure the Mikrotik. If it is the case (please confirm), the next sequence of actions is the following:
  • enter /ip firewall filter add chain=input protocol=tcp dst-port=80 in-interface-list=!WAN action=accept comment="permitir administrar usando http desde adentro" place-before=[find chain=input action=drop]
  • open another browser tab or window and connect again to the Mikrotik
  • check that the rule above has counted at least one packet
  • switch on "safe mode" and enable the very last action=drop rule in chain=input
  • log in from yet another tab/window of the browser; if you succeed (actually, it is enough if you get the login prompt, no need to actually log in), you can exit the safe mode; if you get a timeout, first disable the drop rule again and only then exit the safe mode.
If you successfully pass through this intro, you have to export the resulting configuration again, this time without the hide-sensitive, and download it to your PC so that you could netinstall the router (with 6.45.8 again so that the configuration format would fit!) and import this configuration back. If you need to preserve certificates (your configuration suggests that they may be there but currently not in use), let me know, there's a separate procedure. User names and passwords will be destroyed by a netinstall in any case, but that's no big deal, you'll set them up again before disabling the admin account.
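The two procedures sindy lays out in the posts above (moving the firewall rules from pppoe-out1 to an interface list, and closing chain=input with an accept-from-inside rule in front of the re-enabled drop) can be rehearsed against an /export before anything is typed into the router. The script below is an added example written for this thread; it is not code from any of the posts or from MikroTik. The export text inside it is constructed, the function names are the example's own, and its audit goes beyond the thread in one respect: besides the disabled final drop, it also flags explicit accepts of the WebFig, https, SSH and WinBox ports that are open to the WAN.

```python
"""Added example for this thread (not code from the posts or from MikroTik):
parse a RouterOS /export, emit the set/unset commands that move firewall rules
from a fixed WAN interface to an interface list, and audit chain=input for the
exposure discussed in the thread (a disabled final drop). Beyond the thread it
also flags management ports explicitly accepted from the WAN. Sample constructed.
"""
import shlex
from typing import Dict, List

Rule = Dict[str, str]   # one "add ..." line as key=value pairs plus "_section"
MGMT_PORTS = {"80": "www (WebFig)", "443": "www-ssl", "22": "ssh", "8291": "winbox"}

# Constructed sample shaped like /export output (backslash continuation, quoted
# comment); the disabled drop at the end of chain=input mirrors the thread.
SAMPLE_EXPORT = r"""
/interface list
add name=WAN
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=forward in-interface=pppoe-out1 protocol=tcp dst-port=443
add action=drop chain=input comment="drop all the rest" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.10.5
"""

def parse_export(text: str) -> List[Rule]:
    """One dict per ``add`` line, tagged with the menu path it belongs to."""
    rules: List[Rule] = []
    section, pending = "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):           # RouterOS wraps long lines this way
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # menu path such as /ip firewall filter
            section = line
            continue
        words = shlex.split(line)         # keeps comment="with spaces" together
        if words and words[0] == "add":
            rule: Rule = {"_section": section}
            for word in words[1:]:
                key, _, value = word.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules

def rewrite_wan_rules(rules: List[Rule], old_iface: str = "pppoe-out1",
                      list_name: str = "WAN") -> List[str]:
    """Set/unset pairs per section and direction; the parsed rules are updated too."""
    commands: List[str] = []
    for section in ("/ip firewall filter", "/ip firewall nat", "/ip firewall mangle"):
        for direction in ("in-interface", "out-interface"):
            hits = [r for r in rules if r["_section"] == section and r.get(direction) == old_iface]
            if not hits:
                continue
            commands.append(f'{section} set [find {direction}~"{old_iface}"] {direction}-list={list_name}')
            commands.append(f'{section} unset [find {direction}-list~"{list_name}"] {direction}')
            for r in hits:                # mirror what the router will do to the rule
                r[f"{direction}-list"] = list_name
                del r[direction]
    return commands

def audit_input_chain(rules: List[Rule], wan_list: str = "WAN",
                      wan_iface: str = "pppoe-out1") -> List[str]:
    """chain=input weaknesses: no enabled final drop, or a management port open to the WAN."""
    findings: List[str] = []
    enabled = [r for r in rules if r["_section"] == "/ip firewall filter"
               and r.get("chain") == "input" and r.get("disabled") != "yes"]
    if not enabled or enabled[-1].get("action") != "drop":
        findings.append("chain=input has no enabled final drop rule: "
                        "unmatched packets to the router itself are accepted")
    for r in enabled:
        if r.get("action") == "accept" and r.get("protocol") == "tcp":
            lst = r.get("in-interface-list")   # "!WAN" or "LAN" both exclude the WAN
            exposed = lst == wan_list if lst is not None else r.get("in-interface", wan_iface) == wan_iface
            for port in r.get("dst-port", "").split(","):
                if exposed and port in MGMT_PORTS:
                    findings.append(f"tcp/{port} ({MGMT_PORTS[port]}) is accepted from the WAN in chain=input")
    return findings

def harden_input_chain(rules: List[Rule], wan_list: str = "WAN") -> List[str]:
    """The two steps from the thread: accept WebFig from non-WAN interfaces in
    front of the final drop of chain=input, then enable that drop."""
    drops = [r for r in rules if r["_section"] == "/ip firewall filter"
             and r.get("chain") == "input" and r.get("action") == "drop"]
    if not drops:
        raise ValueError("no drop rule in chain=input to enable")
    comment = "permitir administrar usando http desde adentro"
    accept: Rule = {"_section": "/ip firewall filter", "chain": "input", "protocol": "tcp",
                    "dst-port": "80", "in-interface-list": f"!{wan_list}",
                    "action": "accept", "comment": comment}
    rules.insert(rules.index(drops[-1]), accept)
    drops[-1].pop("disabled", None)
    return [f'/ip firewall filter add chain=input protocol=tcp dst-port=80 in-interface-list=!{wan_list} '
            f'action=accept comment="{comment}" place-before=[find chain=input action=drop]',
            "/ip firewall filter enable [find chain=input action=drop]"]
```

The script only predicts what the rules will do; it never talks to the router. Apply the commands it prints in the order sindy describes, with safe mode on and only after the new accept rule has counted packets, so that a wrong interface list cannot lock you out.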
 
Drageir
just joined
Topic Author
Posts: 15
Joined: Fri May 15, 2020 5:45 pm

Re: Mikrotik + Movistar Fusión Empresas

Tue Jun 02, 2020 11:16 am

Sorry for the long wait, a lot went wrong when the Mikrotik started working; mail, web, hosting, everything went down due to changing to the new public IP.
Yes, I use WebFig but also use Winbox sometimes.
I'll try these new commands at lunch break.
