derRaumbaer
just joined
Topic Author
Posts: 3
Joined: Sat Jan 22, 2022 11:41 am

No outbound packages via LTE passthrough on Chateau LTE12

Sat Jan 22, 2022 12:03 pm

Hi.
I hope someone here can help me figure this out...

I've got a Chateau LTE12 and I'm trying to configure it in a way that it basically handles two functions at once.
  1. it provides the LTE passthrough to my core router (also Mikrotik)
  2. it forwards all the wifi clients to the core router (eth2), which acts as the central firewall for those
My naive approach was to set up the LTE APN with a passthrough interface and connect it as WAN on my core router.
Additionally, I connected a second link to the chateau which is part of the bridge and also acts as a regular DHCP client.

The problem now is the following..

While I have verified that the LTE indeed works, the main router correctly receives a public IP address and I already see some random internet connections coming to the core router via the LTE link, no packet ever makes it back out.
Regardless of whether it's a reply to an incoming connection or a ping from my internal network.
Everything I tried ended in a timeout so far.

So far I could indeed verify that the issue is likely not with the core router as packets are indeed received on the passthrough interface (Rx) on the chateau and then forwarded via Fast Path (FP Rx).
But I never see any traffic on the lte1 interface itself.
But that's where I'm at the end of my wisdom.
Except for the DHCP replies nothing ever is transmitted toward the core router on the passthrough interface. I verified that by packet logging on the core router. Leading me to believe that it's somewhere dropped within the passthrough from ether1 to lte1.

I already tried various configs in the firewall including basically accepting everything. I'm currently thinking that this might be some routing table issue since eth2 is a regular DHCP client and creates the default route. However, when I tried moving the passthrough interface to its own routing table with the default route set to lte1 and the other network routes hardcoded, the whole setup was rather unimpressed by that and nothing changed.

This is the current simplified config on the Chateau:
# jan/22/2022 10:55:09 by RouterOS 7.2rc1
# software id = L9QH-9KW9
#
# model = D53G-5HacD2HnD
/interface bridge
add admin-mac=DC:2C:6E:52:DB:18 auto-mac=no comment=defconf name=bridge

/interface lte
set [ find ] allow-roaming=no band="" name=lte1

/interface ethernet
set [ find default-name=ether1 ] name=lte-passthrough

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=austria disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=<ssid> wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=austria disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=<ssid> wireless-protocol=802.11

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface lte apn
set [ find default=yes ] add-default-route=no apn=<isp-apn> passthrough-interface=lte-passthrough passthrough-mac=auto use-network-apn=no use-peer-dns=no

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN

/ip dhcp-client
add interface=bridge

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

After many configuration attempts, I basically reverted back to the starting point and started from scratch from the default config.

Did anyone experience this before?
Am I missing something completely obvious?
I'd appreciate any hint.

I also tested with these ROS versions: 7.1, 7.1.1, 7.2rc1 (as it contains the "lte - fixed packet forwarding on R11e-4G and R11e-LTE-US;")
 
derRaumbaer
just joined
Topic Author
Posts: 3
Joined: Sat Jan 22, 2022 11:41 am

Re: No outbound packages via LTE passthrough on Chateau LTE12  [SOLVED]

Tue Jan 25, 2022 12:23 am

After a lot of trial and error, I've been able to figure it out on my own.
In order to successfully establish the LTE passthrough with my core router, I've had to set the arp mode on both interfaces (Passthrough and core router interface) to proxy-arp, which makes sense thinking about it now.
I just wished that would be mentioned somewhere in the context of passthrough.
After that it was just some firewall shenanigans to sort out, but the "weird" sneaky package dropping was gone.
 
Amm0
Forum Guru
Posts: 3258
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: No outbound packages via LTE passthrough on Chateau LTE12

Tue Jan 25, 2022 5:06 am

derRaumbaer wrote:
> After a lot of trial and error, I've been able to figure it out on my own.
> In order to successfully establish the LTE passthrough with my core router, I've had to set the arp mode on both interfaces (Passthrough and core router interface) to proxy-arp, which makes sense thinking about it now.
> I just wished that would be mentioned somewhere in the context of passthrough.
> After that it was just some firewall shenanigans to sort out, but the "weird" sneaky package dropping was gone.

The other approach is you could have used the MAC address of the core router in the LTE APN settings as the "passthrough MAC", e.g. don't use "auto", instead use the MAC of the ether interface of the core router as the passthrough MAC on the Chateau APN settings.
passthrough-mac=auto
 
derRaumbaer
just joined
Topic Author
Posts: 3
Joined: Sat Jan 22, 2022 11:41 am

Re: No outbound packages via LTE passthrough on Chateau LTE12

Tue Jan 25, 2022 10:15 am

Setting the "passthrough mac" alone didn't fix it. Only the combination with proxy-arp seems to work for me.
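
An added example, not part of the thread or of MikroTik's tooling: a small Python check that reads a RouterOS export like the one posted above and reports whether the LTE passthrough interface has arp=proxy-arp and whether passthrough-mac is still auto. The function names and the trimmed sample export are constructed for illustration, and the check covers only the Chateau side; the topic author also set proxy-arp on the core router's interface.

```python
import re
import shlex

# Constructed sample: two sections trimmed from the export posted in this thread.
SAMPLE_EXPORT = """\
/interface ethernet
set [ find default-name=ether1 ] name=lte-passthrough
/interface lte apn
set [ find default=yes ] apn=<isp-apn> passthrough-interface=lte-passthrough passthrough-mac=auto
"""

def parse_export(text):
    """Return a list of (menu, {key: value}) for each add/set line of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # re-join lines wrapped with a trailing "\"
    entries, menu = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        # Drop the brackets of "[ find ... ]" so selector keys parse like properties.
        tokens = shlex.split(line.replace("[", " ").replace("]", " "))
        entries.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return entries

def audit_passthrough(text):
    """List the passthrough settings that differ from what the thread reports working."""
    entries = parse_export(text)
    findings = []
    for menu, apn in entries:
        if menu != "/interface lte apn" or "passthrough-interface" not in apn:
            continue
        iface = apn["passthrough-interface"]
        arp = "enabled"  # an export omits arp while it is at its default, "enabled"
        for m, eth in entries:
            if m == "/interface ethernet" and iface in (eth.get("name"), eth.get("default-name")):
                arp = eth.get("arp", arp)
        if arp != "proxy-arp":
            findings.append(f"{iface}: arp={arp}; the topic author needed arp=proxy-arp")
        if apn.get("passthrough-mac") == "auto":
            findings.append(f"{iface}: passthrough-mac=auto; Amm0 suggested the core router's MAC")
    return findings

if __name__ == "__main__":
    for finding in audit_passthrough(SAMPLE_EXPORT):
        print(finding)
```
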