Hello everyone,
I'm trying to setup a PPTP (i know...) Site to Site VPN.
Only some users will be allowed, so I did setup mangle prerouting mark routing rules in both sites.
Also, since I would like to access the routers directly from both sites, I added an output mark routing rule.
Now one of the issues I am dealing with, is in one direction the packets are going with the public IP.
I tried to add Pref. Source to the marking route with the private IP but even that way packets are flowing with the public.
Any tips ?
Thanks!
Re: PPTP S2S bridge - Wrong output IP
My first tip is for you to ditch PPTP. Use SSTP, OVPN or L2TP over IPSec.
As to the issue at hand, you'll need to post your routing and mangle rules. Though it'll essentially boil down to one of your routing rules not being applied and therefore your traffic being routed to the default gateway.
As to the issue at hand, you'll need to post your routing and mangle rules. Though it'll essentially boil down to one of your routing rules not being applied and therefore your traffic being routed to the default gateway.
Re: PPTP S2S bridge - Wrong output IP
I keep in mind that PPTP is an unsecure protocol.
Before I start pasting my rules, I've been digging into this for the last couple hours,
and I've seen a couple very old topics that touched a sensible topic...
Does "ping", "tracert", "traffic generator" ignore the route's Pref. source ?
It seems that when I configure the output mangle rule it starts to talk correctly with the other site, but when I use ping it uses another source IP (not the one specified in the route)
Before I start pasting my rules, I've been digging into this for the last couple hours,
and I've seen a couple very old topics that touched a sensible topic...
Does "ping", "tracert", "traffic generator" ignore the route's Pref. source ?
It seems that when I configure the output mangle rule it starts to talk correctly with the other site, but when I use ping it uses another source IP (not the one specified in the route)
Re: PPTP S2S bridge - Wrong output IP
I recall something about all "services" like pptp in routeros always use the main table, regardless what the "source ip" is set to. So you have to route in the main table and can't use mangle rules.
Re: PPTP S2S bridge - Wrong output IP
Yes, my experiments seem to match your explanation.
It is misleading though. Usually I use ping to test some rules but I'll have to manage another way.
Thanks!
It is misleading though. Usually I use ping to test some rules but I'll have to manage another way.
Thanks!
Re: PPTP S2S bridge - Wrong output IP [SOLVED]
The thing is how the mangling works in the output chain. First of all, an output packet is routed using the main table, which includes assignment of the source address, which is the pref-src one if specified for the route or the IP address associated to the out-interface otherwise. The mangle rules are only matched afterwards, and if a routing-mark is assigned there, the packet gets routed again using that routing-mark, but its source address remains unchanged unless you use the srcnat table to adjust it.
Re: PPTP S2S bridge - Wrong output IP
Ahh. That makes sense.The thing is how the mangling works in the output chain. First of all, an output packet is routed using the main table, which includes assignment of the source address, which is the pref-src one if specified for the route or the IP address associated to the out-interface otherwise. The mangle rules are only matched afterwards, and if a routing-mark is assigned there, the packet gets routed again using that routing-mark, but its source address remains unchanged unless you use the srcnat table to adjust it.
Exactly, I am assigning a routing-mark for the PPTP tunnel, and in the main table it first matches the 0.0.0.0/0 route, thus assigning the public IP.
So the packets originated in the router output with the correct IP, should I src-nat based on Out-interface, Routing-mark or any of them?
Code: Select all
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=192.168.1.250 out-interface=pptp_home2
add chain=srcnat action=src-nat to-addresses=192.168.1.250 routing-mark=rmark_home2
Re: PPTP S2S bridge - Wrong output IP
If the same out-interface and/or the same routing-mark are used also for forwarded traffic, and you want to prevent forwarded connections from getting src-nated, add src-address-type=local to the action=src-nat rule. This condition matches on packets whose source address is any of the router's own ones.
Other than that, matching on out-interface is sufficient unless you want to choose an individual source address per routing-mark value on the same out-interface.
Other than that, matching on out-interface is sufficient unless you want to choose an individual source address per routing-mark value on the same out-interface.
Re: PPTP S2S bridge - Wrong output IP
It did the trick! Thanks so much.If the same out-interface and/or the same routing-mark are used also for forwarded traffic, and you want to prevent forwarded connections from getting src-nated, add src-address-type=local to the action=src-nat rule. This condition matches on packets whose source address is any of the router's own ones.
Other than that, matching on out-interface is sufficient unless you want to choose an individual source address per routing-mark value on the same out-interface.
Everyday learning a bit more :)
Who is online
Users browsing this forum: nichky, SMARTNETTT and 23 guests