tplecko
Member Candidate
Topic Author
Posts: 120
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia

Multiple gateways, multiple LANs and VPN

Wed Jun 29, 2011 6:47 pm

I have a MT router with two ISPs and three LANs.
LAN1 has internet access through ISP1 via default route
LAN2 has internet access through ISP2 via route that checks for routing mark for LAN2
LAN3 has internet access through ISP2 via route that checks for routing mark for LAN3

I have multiple VPNs (PPTP and L2TP) that have access to LAN1 (this works)
I have one VPN (PPTP) that must have access to LAN3 (this doesn't work)

What do I need to do for this to work? I didn't find any examples of this.

Thanks
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: Multiple gateways, multiple LANs and VPN

Fri Jul 01, 2011 8:09 pm

So many things it could be.
LAN2 has internet access through ISP2 via route that checks for routing mark for LAN2
Does this work? If yes, LAN3 should be identical to LAN2; if no,
put your mangle rules and routing label here.
 
tplecko
Member Candidate
Topic Author
Posts: 120
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia

Re: Multiple gateways, multiple LANs and VPN

Sat Jul 02, 2011 9:47 am

All LANs can access the internet.

Here is what I have:
LAN 10.0.0.1/24
LAN 10.0.1.1/24
LAN 10.3.72.1/24

NAT:
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP1
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP2 routing-mark=TV+
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP2 routing-mark=TV+AD

Routing marks:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="TV+: Routing Mark" disabled=no new-routing-mark=TV+ passthrough=yes src-address=10.0.1.0/24
add action=mark-routing chain=prerouting comment="TV+AD: Routing Mark" disabled=no new-routing-mark=TV+AD passthrough=yes src-address=10.3.72.0/24

Routes:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=213.?.?.201 routing-mark=TV+ scope=255 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=213.?.?.201 routing-mark=TV+AD scope=255 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=213.?.?.145 scope=255 target-scope=10


PPP Profiles:
add change-tcp-mss=default local-address=10.0.0.1 name=Servis-Enc only-one=default remote-address=pool-Servis use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default
add change-tcp-mss=default local-address=10.3.72.1 name=Tv+-Enc only-one=default remote-address=pool-Tv+Vpn use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default

PPP Secrets:
add caller-id="" comment=X disabled=yes limit-bytes-in=0 limit-bytes-out=0 name=user1 password=**** profile=Servis-Enc routes="" service=pptp
add caller-id="" comment="Tv+ Talijani" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=user2 password=**** profile=Tv+-Enc routes="" service=pptp


Both user1 and user2 can only access LAN 10.0.0.1/24. There are no firewall rules so it can't be the problem.
 
prakashbabugc
just joined
Posts: 2
Joined: Thu Jun 30, 2011 7:35 am

Re: Multiple gateways, multiple LANs and VPN

Sat Jul 02, 2011 9:57 am

You can masquerade your WAN interface to the LAN interface.



WWW.allinoneitsolutions.blogspot.com
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: Multiple gateways, multiple LANs and VPN

Sat Jul 02, 2011 10:24 am

/ip firewall mangle
add action=mark-routing chain=prerouting comment="TV+: Routing Mark" disabled=no new-routing-mark=TV+ passthrough=yes src-address=10.0.1.0/24
PPP Profiles:
add change-tcp-mss=default local-address=10.0.0.1 name=Servis-Enc only-one=default remote-address=pool-Servis use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default
Have a look at the address.
 
tplecko
Member Candidate
Topic Author
Posts: 120
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia

Re: Multiple gateways, multiple LANs and VPN

Sat Jul 02, 2011 11:32 am

/ip firewall mangle
add action=mark-routing chain=prerouting comment="TV+: Routing Mark" disabled=no new-routing-mark=TV+ passthrough=yes src-address=10.0.1.0/24
PPP Profiles:
add change-tcp-mss=default local-address=10.0.0.1 name=Servis-Enc only-one=default remote-address=pool-Servis use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default
Have a look at the address.
One has nothing to do with the other. The routing mark is for outgoing traffic originating from 10.0.1.0/24;
this PPP profile is used for the user that accesses the 10.0.0.0/24 network.

The problem is that the user which should access the 10.3.72.0/24 network can't access it. It, too, can access 10.0.0.0/24.
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: Multiple gateways, multiple LANs and VPN

Sat Jul 02, 2011 12:35 pm

Sorry, read like an ass. :?
I have multiple VPNs (PPTP and L2TP) that have access to LAN1 (this works)
I have one VPN (PPTP) that must have access to LAN3 (this doesn't work)
Is the user that needs access to LAN3 from LAN1 or LAN2?
NAT:
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP1
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP2 routing-mark=TV+
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP2 routing-mark=TV+AD
Should work like this.

NAT:
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP1
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP2

Routing marks:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="TV+: Routing Mark" disabled=no new-routing-mark=TV+ passthrough=yes src-address=10.0.1.0/24
add action=mark-routing chain=prerouting comment="TV+AD: Routing Mark" disabled=no new-routing-mark=TV+AD passthrough=yes src-address=10.3.72.0/24
Also your problem probably is this rule.

First off, add an in-interface in the rule; also make passthrough=no, I think this is good practice to save CPU. Then for your actual solution: add a mangle rule on top of these rules with action=accept for dst-address 10.3.72.0/24, one for destination 10.0.1.0/24 and one for destination 10.0.0.1/24. This will allow internal routing between LAN1, LAN2 and LAN3.
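The accept-before-mark ordering described above, as an added example that is not from the thread: a small Python model of how RouterOS walks a mangle chain (first match, action=accept ends the chain, mark-routing continues only with passthrough=yes), run over the thread's own rules. It also extends the idea to a VPN pool range, 10.3.73.0/24, which is a constructed assumption and not on the page.

```python
# Added example (not from the thread): model of RouterOS prerouting mangle
# evaluation. action=accept stops the chain; mark-routing sets the mark and
# continues only when passthrough=yes. Rule contents mirror the thread's
# config; the VPN pool range 10.3.73.0/24 is a constructed assumption.
from ipaddress import ip_address, ip_network

# The two rules as posted: every packet from LAN2/LAN3 gets a mark,
# whatever its destination, so inter-LAN and VPN replies are marked too.
MANGLE_AS_POSTED = [
    {"action": "mark-routing", "src": "10.0.1.0/24", "mark": "TV+", "passthrough": True},
    {"action": "mark-routing", "src": "10.3.72.0/24", "mark": "TV+AD", "passthrough": True},
]

# Egate's suggestion: accept rules for local destinations on top, passthrough=no below.
MANGLE_FIXED = [
    {"action": "accept", "dst": "10.0.0.0/24"},
    {"action": "accept", "dst": "10.0.1.0/24"},
    {"action": "accept", "dst": "10.3.72.0/24"},
    {"action": "accept", "dst": "10.3.73.0/24"},   # assumed VPN pool (extension)
    {"action": "mark-routing", "src": "10.0.1.0/24", "mark": "TV+", "passthrough": False},
    {"action": "mark-routing", "src": "10.3.72.0/24", "mark": "TV+AD", "passthrough": False},
]


def _matches(rule, src, dst):
    """A rule matches when every matcher it carries (src, dst) contains the packet."""
    if "src" in rule and ip_address(src) not in ip_network(rule["src"]):
        return False
    if "dst" in rule and ip_address(dst) not in ip_network(rule["dst"]):
        return False
    return True


def routing_mark(chain, src, dst):
    """Return the routing mark a packet leaves the chain with (None = main table)."""
    mark = None
    for rule in chain:
        if not _matches(rule, src, dst):
            continue
        if rule["action"] == "accept":
            return mark          # accept terminates the chain, mark unchanged
        mark = rule["mark"]
        if not rule["passthrough"]:
            return mark          # passthrough=no: stop after marking
    return mark


if __name__ == "__main__":
    for src, dst in [("10.3.72.5", "8.8.8.8"), ("10.3.72.5", "10.0.0.20"), ("10.3.72.5", "10.3.73.7")]:
        print(src, "->", dst, "posted:", routing_mark(MANGLE_AS_POSTED, src, dst),
              "fixed:", routing_mark(MANGLE_FIXED, src, dst))
```

With the posted rules a LAN3 host's reply to any local or VPN address carries TV+AD and is looked up in that marked table; with the accept rules on top only internet-bound traffic is marked.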
 
tplecko
Member Candidate
Topic Author
Posts: 120
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia

Re: Multiple gateways, multiple LANs and VPN

Mon Jul 04, 2011 12:09 pm

Sorry, read like an ass. :?
Is the user that needs access to LAN3 from LAN1 or LAN2?
The user is somewhere out there. He is connecting to the IP from ISP2.
NAT:
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP1
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP2 routing-mark=TV+
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP2 routing-mark=TV+AD
Should work like this.

NAT:
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP1
add action=masquerade chain=srcnat comment="Na internet" disabled=no out-interface=ISP2
I didn't even consider this. Thanks.
Routing marks:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="TV+: Routing Mark" disabled=no new-routing-mark=TV+ passthrough=yes src-address=10.0.1.0/24
add action=mark-routing chain=prerouting comment="TV+AD: Routing Mark" disabled=no new-routing-mark=TV+AD passthrough=yes src-address=10.3.72.0/24
Also your problem probably is this rule.

First off, add an in-interface in the rule; also make passthrough=no, I think this is good practice to save CPU. Then for your actual solution:
add a mangle rule on top of these rules with action=accept for dst-address 10.3.72.0/24, one for destination 10.0.1.0/24 and one for destination 10.0.0.1/24. This will allow internal routing between LAN1, LAN2 and LAN3.
Internal routing works (between LANs).
Will try this. Thanks.
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: Multiple gateways, multiple LANs and VPN

Mon Jul 04, 2011 8:43 pm

The user is somewhere out there. He is connecting to the IP from ISP2.
Ok, I was under the impression the user is on your LAN. If a connection is made from your LAN to the external user, this would be no problem because NAT knows where to send the external user's data coming back. However, if the connection is created from the external user to the router, the router does not know what to do with the data and will drop it. The only way for this to function is if your user is going to access a specific IP on your LAN, in your case probably a VLAN IP. This you will have to route, something like this:
add action=dst-nat chain=dstnat comment="Rout to Vlan" disabled=no \
in-interface="ISP2" protocol=tcp to-addresses=41.11.11.165
Where in-interface is the name of my PPPoE client and to-addresses is the internal IP. Your external user will use the IP of the PPPoE client and the NAT rule will route him to the internal IP. Piece of cake. 8) It would also be good to add prerouting marking for external traffic entering your router and use this mark on the output route to ensure the data exits on the same interface it came in on, in your example ISP2. Should do the trick.
