tompark
just joined
Topic Author
Posts: 8
Joined: Tue Sep 18, 2018 5:05 pm

Routing not working Correctly

Mon Jun 15, 2020 7:37 pm

Hi Guys,

I have recently replaced my old router with a MikroTik router as it gets better performance than the one I was using prior.

I have a site-to-site VPN which is provided by a pfSense box (this is the same way the VPN was provided before I changed to the MikroTik).

If I use the MikroTik as the Default Gateway and then just route the VPN traffic via the pfSense box, I get a long delay before anything connects and routing doesn't work correctly, e.g. I can't ping client machines from the VPN. So to resolve this I configured the pfSense box to be the Default Gateway and the problem went away.

I now have the MikroTik router as the DG of all my other VLANs and I want it to route the traffic for the 'Corp' VLAN to the IP of the pfSense box. Config below;

Corp VLAN;
IP Range 172.26.0.0/24
DG: 172.26.0.3 - pfsense
MikroTik: 172.26.0.1

VLAN2;
DG: 192.168.5.1 - MikroTik Router


If I attempt to ping 172.26.0.50 from 192.168.5.5 I am unable to route; if I try it the other way round (ping 192.168.5.5 from 172.26.0.50) it works fine.

Has anyone seen anything like this before?

PFSense Routes
192.168.5.0/27 via 172.26.0.1

This is currently being a bit of a pain in the ass and I really need a solution that works better than this current setup.

Regards,
Tom
 
sindy
Forum Guru
Posts: 5343
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing not working Correctly

Mon Jun 15, 2020 9:46 pm

You haven't even specified the VPN type (OpenVPN, SSTP, IPsec, ...), nor have you posted the configuration at Mikrotik side (see my automatic signature below for a mini-howto). The VPN setup at the pfsense side is also important. Also there, remove any usernames, passwords or other secrets, and public IP addresses before posting.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
tompark
just joined
Topic Author
Posts: 8
Joined: Tue Sep 18, 2018 5:05 pm

Re: Routing not working Correctly

Sun Jun 21, 2020 2:14 pm

Hi,
Apologies for the missing information. My config for Mikrotik router is as follows;

# jun/21/2020 11:47:23 by RouterOS 6.47
# software id = N89I-V5LI
#
# model = RouterBOARD 750G r3
# serial number = 6F3808EBCD72
/interface bridge
add admin-mac=CC:2D:E0:52:4F:82 auto-mac=no fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface vlan
add interface=bridge1 name=DemoVLAN25 vlan-id=25
add interface=bridge1 name=Home vlan-id=5
add interface=bridge1 name=HomeGame vlan-id=2
add interface=bridge1 name=TestVLAN27 vlan-id=27
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option sets
add name=Home
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.5.5-192.168.5.20
add name=HomeIPPool ranges=172.26.0.100-172.26.0.250
add name=GameIPPool ranges=10.202.1.100-10.202.1.240
add name=TestNetworkVLAN27 ranges=172.28.2.100-172.28.2.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge1 name=defconf
add address-pool=HomeIPPool authoritative=after-2sec-delay disabled=no \
interface=Home lease-time=10h name=HomeDHCPServer
add address-pool=GameIPPool disabled=no interface=HomeGame lease-time=1h \
name=GameDHCP
add address-pool=TestNetworkVLAN27 interface=TestVLAN27 name=VLAN27
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=discover
add interface=Home list=discover
add interface=HomeGame list=discover
add interface=ether2-master list=mactel
add interface=ether2-master list=mac-winbox
/ip address
add address=192.168.5.1/27 comment=defconf interface=ether2-master network=\
192.168.5.0
add address=172.26.0.1/24 comment=MainHomeIP interface=Home network=\
172.26.0.0
add address=10.202.1.1/24 interface=HomeGame network=10.202.1.0
add address=172.28.2.1/24 interface=TestVLAN27 network=172.28.2.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.202.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.202.1.1 \
netmask=24
add address=172.26.0.0/24 dns-server=10.201.0.6,172.26.0.1 domain=\
domain.local gateway=172.26.0.1 netmask=24
add address=172.28.2.0/24 dns-server=172.28.2.8,172.28.2.1 gateway=172.28.2.1 \
netmask=24
add address=192.168.5.0/27 comment=defconf gateway=192.168.5.1 netmask=27
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router type=A
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
/ip route
add distance=1 dst-address=10.201.0.0/27 gateway=172.26.0.3
add disabled=yes distance=1 dst-address=172.25.100.0/24 gateway=172.26.0.3
add distance=1 dst-address=192.168.100.0/24 gateway=172.26.0.3
/ip service
set www port=81
set www-ssl certificate=RouterCertificate disabled=no port=8443
/system clock
set time-zone-name=Europe/London
/system resource irq rps
set ether1 disabled=no
set ether2-master disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

My VPN that is running is OpenVPN and is configured as a tun.

pfSense configuration

Local Interface is 172.26.0.3

Protocol TCP
Device Mode tun
IPv4 Tunnel Network 172.21.0.0/29
IPv4 Remote Network 10.201.0.0/27
Custom Options none set

## Server Configuration ## - Again PFSense Box
OpenVPN is configured as a TUN
Protocol: TCP
Device Mode: tun - layer 3 tunnel mode
Interface: WAN
IPV4 Tunnel Network 172.21.0.0/29
IPv4 Remote Networks 172.26.0.0/24
Custom Option - none set

I have removed information like port, public IPs and encryption methods as the VPN is established, and if I change the client computers' Default Gateway to use the pfSense box the traffic routes fine. I am guessing I am missing a configuration parameter that will force the traffic heading to the 172.26.0.0/24 range to go via 172.26.0.1.
 
anav
Forum Guru
Posts: 4606
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing not working Correctly

Sun Jun 21, 2020 2:39 pm

I am not VPN savvy so cannot comment there.
However in the regular config part I see some possible conflict.

Just to ensure I am reading it right.
You have four VLANs (one of which you don't seem to use: vlan25 - demo).
However, you do have 3 VLANs and 1 subnet on the go.

The subnet by itself, not attached to a VLAN seems to be the 192.168 subnet ON ETHER 2
Evidence.......
/ip pool
add name=dhcp ranges=192.168.5.5-192.168.5.20
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 name=defconf
/ip address
add address=192.168.5.1/27 comment=defconf interface=ether2-master network=\
/ip dhcp-server network
add address=192.168.5.0/27 comment=defconf gateway=192.168.5.1 netmask=27

and finally.........
/interface bridge port
add bridge=bridge1 interface=ether2-master

In other words, I am not sure if this will work.
Can you have a subnet on the bridge, that is not being provided dhcp by the bridge but belongs on the bridge but is somehow hardwired into ether2???

My brain feels like a pretzel.
I am thinking just remove eth2 from the bridge is all that is required????
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Posts: 5343
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing not working Correctly

Sun Jun 21, 2020 2:55 pm

Sorry, I misunderstood what you wrote in your OP. I thought you had kept pfSense as the VPN server but started using the Mikrotik as a client of that server directly; that's why I asked about the VPN type.

As it is actually a different case, the issue is just that your home PCs have a single default route, but the gateway to the office network (172.26.0.3) is in the same subnet as the default gateway (172.26.0.1).

Normally, it should be enough to add a route to 10.201.0.0/27 via 172.26.0.3 at the Mikrotik as you did. When the Mikrotik receives a packet from 172.26.0.x for something in 10.201.0.0/27, it sends an ICMP redirect to the sender, informing it that 172.26.0.3 is a better gateway to that destination than itself. It seems that the sender does not accept this redirection. So either you can change the PCs' settings to accept the redirection, or you'll have to add the routes to the PCs themselves.

Yet another possibility would be to create a dedicated interconnection subnet between the home pfSense and the Mikrotik, so the IP address of the home pfSense would not be in the same subnet, and the Mikrotik would regularly route the traffic via the pfSense rather than redirecting it. On the home pfSense, a route to 172.26.0.0/24 via Mikrotik's IP in the interconnection subnet would have to be added as well.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
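The redirect behaviour sindy describes, as an added illustration that is not from the thread: a small longest-prefix-match model of the Mikrotik's routing table (addresses taken from the posted export) that reports when a forwarded packet would trigger an ICMP redirect, and the interconnection-subnet variant, for which 172.26.1.0/30 is an assumed, made-up subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    iface: str

def r(prefix, iface, gw=None):
    return Route(ipaddress.ip_network(prefix),
                 ipaddress.ip_address(gw) if gw else None, iface)

# Connected networks from /ip address plus the static route from /ip route.
MIKROTIK_ROUTES = [
    r("192.168.5.0/27", "bridge1"),
    r("172.26.0.0/24", "Home"),
    r("10.201.0.0/27", "Home", "172.26.0.3"),
]

# Assumed (not from the thread) dedicated link between Mikrotik and pfSense:
# Mikrotik 172.26.1.1/30, pfSense 172.26.1.2/30, office route moved onto it.
INTERCONNECT_ROUTES = [
    r("192.168.5.0/27", "bridge1"),
    r("172.26.0.0/24", "Home"),
    r("172.26.1.0/30", "Interconnect"),
    r("10.201.0.0/27", "Interconnect", "172.26.1.2"),
]

def lookup(routes, addr):
    """Longest-prefix match, as a router's FIB does."""
    addr = ipaddress.ip_address(addr)
    hits = [rt for rt in routes if addr in rt.prefix]
    return max(hits, key=lambda rt: rt.prefix.prefixlen) if hits else None

def forward(routes, src, dst):
    """Return (out_iface, next_hop, sends_redirect) for a packet src->dst."""
    route = lookup(routes, dst)
    if route is None:
        return None
    src_route = lookup(routes, src)
    in_iface = src_route.iface if src_route and src_route.gateway is None else None
    # A router redirects when the packet goes back out the interface it came in on
    # and the next hop is another router on that same subnet (RFC 1812 5.2.7.2).
    # Many hardened hosts ignore redirects, so the packet then keeps hitting the
    # Mikrotik: the symptom in this thread.
    redirect = route.gateway is not None and route.iface == in_iface
    return route.iface, str(route.gateway or ipaddress.ip_address(dst)), redirect
```
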
 
tompark
just joined
Topic Author
Posts: 8
Joined: Tue Sep 18, 2018 5:05 pm

Re: Routing not working Correctly

Fri Jun 26, 2020 9:51 pm

Hi All,

Ok so I have now moved the 192.168.5.x IP network to be on bridge1, as this is used as a default management network for configuration only, so it uses DHCP.

What is puzzling me is that when I was using a Unifi router the same routing configuration was working fine.

Default Gateway on computers set to router 172.26.0.1 and then route 10.201.0.0/27 via 172.26.0.3. I can completely re-configure the VPN to use a local transport network if needed.

The VPN does have a transport network itself of 172.21.0.0/28 for the different VPN Connections.

I will keep testing and see what I come up with.

Regards,
Tom
