AlejandroRh
just joined
Topic Author
Posts: 8
Joined: Sat Feb 10, 2024 10:02 pm

Is this config possible?? 2 ISPs, port forwarding and VPN

Mon Jun 24, 2024 10:17 pm

Hi guys, I'm gonna try to explain myself.

I need to configure a router with 2 ISPs, a PPTP VPN (or similar, but not SSTP; I need port 443 for Guacamole) and port forwarding for VM connections. I tried a lot of configs I found here but it's impossible for me.

I want to believe that I am doing something wrong because, although it is not easy, I don't believe it has never been done. I attached a simple plan of what I want to do.

With this config: https://wiki.mikrotik.com/wiki/Manual:PCC#NAT, port forwarding only works on the first ISP.

With this viewtopic.php?t=190308 it does not work.

If someone can help me with another post or something, I'd appreciate it. Tomorrow I can update this post with my latest config (in it the 2 WANs work and port forwarding works, but the VPN does not connect).
 
anav
Forum Guru
Posts: 20273
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Is this config possible?? 2 ISPs, port forwarding and VPN

Tue Jun 25, 2024 12:46 am

Yeah I took a look and commented on your other post---> your mangles made no sense, totally wrong, besides the fact you failed to provide any useful context for mangling.
As well your routes were completely hosed. Not surprised nothing works for you.

Post your config, explain the requirements fully
 
AlejandroRh
just joined
Topic Author
Posts: 8
Joined: Sat Feb 10, 2024 10:02 pm

Re: Is this config possible?? 2 ISPs, port forwarding and VPN

Thu Jul 04, 2024 10:06 pm

Yeah I took a look and commented on your other post---> your mangles made no sense, totally wrong, besides the fact you failed to provide any useful context for mangling.
As well your routes were completely hosed. Not surprised nothing works for you.

Post your config, explain the requirements fully

Sorry for the delay, I can't go to the office this week.
# jul/04/2024 20:47:11 by RouterOS 6.49.10
# software 
#
# model = RB3011UiAS

/interface bridge
add admin-mac=78 arp=proxy-arp auto-mac=no comment=LAN name=\
    bridge

/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=WAN1
set [ find default-name=ether2 ] arp=proxy-arp name=WAN2

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf

/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=Vegafibra interface=WAN1 list=WAN
add comment=Telfy interface=WAN2 list=WAN

/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.20.5/24 interface=WAN2 network=192.168.20.0
add address=192.168.18.5/24 interface=WAN1 network=192.168.18.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-client
add interface=WAN1
add interface=WAN2

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8

/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
    dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    in-interface=WAN2 protocol=tcp
add action=accept chain=input comment=sstp disabled=yes dst-port=443 \
    in-interface=WAN2 protocol=tcp

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.18.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.20.0/24 in-interface=\
    bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN1_conn \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN2_conn \
    passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=WAN1 src-address-type=""
add action=masquerade chain=srcnat out-interface=WAN2 src-address-type=""
add action=dst-nat chain=dstnat comment=Proxy dst-port=8181 in-interface=WAN1 \
    protocol=tcp to-addresses=192.168.1.233 to-ports=8181
add action=dst-nat chain=dstnat comment=VPN dst-port=443 in-interface=WAN1 \
    protocol=tcp to-addresses=192.168.1.103 to-ports=443
add action=dst-nat chain=dstnat comment="VPN WAN2" dst-port=443 in-interface=\
    WAN2 protocol=tcp to-addresses=192.168.1.141 to-ports=443
add action=dst-nat chain=dstnat comment=Resultados disabled=yes dst-port=8085 \
    in-interface=WAN2 protocol=tcp to-addresses=192.168.1.83 to-ports=80
add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN1 protocol=tcp \
    to-addresses=192.168.1.103 to-ports=80

/ip firewall service-port
set sip disabled=yes

/ip route
add check-gateway=ping distance=1 gateway=192.168.18.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.20.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.18.1
add distance=2 gateway=192.168.20.1

/ip route rule
add dst-address=192.168.18.0/24 routing-mark=to_WAN1 table=to_WAN1
add dst-address=192.168.20.0/24 routing-mark=to_WAN2 table=to_WAN2

This configuration is from a client, but it is basically the same as what I have in the office.

I tried to explain myself. With this config I can use port forwarding on the 2 WANs (I can redirect ports to an IP) at the same time and obviously can access the internet, but if I try to configure a VPN (L2TP or PPTP, for example) it does not work. I'm not using the ports the VPN uses.

What I need is to forward ports from both WANs and to have VPN access from one of the two WANs; I don't care which of the two the VPN accesses through.

Sorry if something is not understood, I'm still learning English :D
 
Sob
Forum Guru
Posts: 9159
Joined: Mon Apr 20, 2009 9:11 pm

Re: Is this config possible?? 2 ISPs, port forwarding and VPN

Fri Jul 05, 2024 3:13 am

What exactly doesn't work as you want? None of your forwarded ports is configured to work exactly the same from both WANs. Ports 80 and 8181 are limited to WAN1 (in-interface=WAN1). And 443 is forwarded to a different internal address, depending on the WAN used.

Btw, SSTP can use any port, it doesn't require 443.
 
AlejandroRh
just joined
Topic Author
Posts: 8
Joined: Sat Feb 10, 2024 10:02 pm

Re: Is this config possible?? 2 ISPs, port forwarding and VPN

Sat Jul 06, 2024 10:06 pm

What exactly doesn't work as you want? None of your forwarded ports is configured to work exactly the same from both WANs. Ports 80 and 8181 are limited to WAN1 (in-interface=WAN1). And 443 is forwarded to a different internal address, depending on the WAN used.

Btw, SSTP can use any port, it doesn't require 443.

VPN. When I configure a connection it does not connect and I do not see traffic on the corresponding port.

I know I can change the SSTP port, but not in the Windows client (not easily).
 
Sob
Forum Guru
Posts: 9159
Joined: Mon Apr 20, 2009 9:11 pm

Re: Is this config possible?? 2 ISPs, port forwarding and VPN

Sun Jul 07, 2024 12:19 am

By VPN you mean L2TP or PPTP on the router? If so, did you have your firewall rules in the same order as now when testing? Because that wouldn't work. Rules are checked from top to bottom, so any connection from WAN is blocked by the fifth rule and the further ones that allow it don't matter.

As for different SSTP port, how is writing e.g. "myvpnserver.mydomain.tld:1443" not easy?
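The rule-order point in the reply above, as an added example that is not part of the thread: a small first-match model in Python of the input chain from the posted export, run against constructed packets, showing the PPTP connection from WAN2 hitting "drop all not coming from LAN" under the posted order and reaching "allow pptp" once the VPN rules are enabled and moved above the drop. The matcher key names (RouterOS names with underscores), the omission of the disabled IPsec/IKE and SSTP rules, and the implicit accept at the end of the chain are this example's own assumptions.

```python
# Added example (not from the thread): first-match simulation of the posted input chain.
def matches(rule: dict, pkt: dict) -> bool:
    """True if every matcher in the rule fits the packet; disabled rules never match."""
    if rule.get("disabled"):
        return False
    for key, want in rule.items():
        if key in ("comment", "action", "disabled"):
            continue                          # bookkeeping, not matchers
        have = pkt.get(key)
        if key == "connection_state":
            ok = have in want                 # connection-state=a,b,c
        elif isinstance(want, str) and want.startswith("!"):
            ok = have != want[1:]             # negated matcher, e.g. in-interface-list=!LAN
        else:
            ok = have == want
        if not ok:
            return False
    return True

def evaluate(rules: list, pkt: dict) -> tuple:
    """First matching rule wins; an input chain with no match accepts by default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "implicit accept (end of chain)"

# The input chain in the export's order (IPsec/IKE and SSTP rules left out for brevity).
POSTED = [
    {"comment": "defconf: accept established,related,untracked", "action": "accept",
     "connection_state": ("established", "related", "untracked")},
    {"comment": "defconf: drop invalid", "action": "drop", "connection_state": ("invalid",)},
    {"comment": "defconf: accept ICMP", "action": "accept", "protocol": "icmp"},
    {"comment": "defconf: accept to local loopback (for CAPsMAN)", "action": "accept",
     "dst_address": "127.0.0.1"},
    {"comment": "defconf: drop all not coming from LAN", "action": "drop",
     "in_interface_list": "!LAN"},
    {"comment": "allow l2tp", "action": "accept", "protocol": "udp", "dst_port": 1701,
     "disabled": True},
    {"comment": "allow pptp", "action": "accept", "protocol": "tcp", "dst_port": 1723,
     "in_interface": "WAN2", "disabled": True},
]

def fixed_order(rules: list) -> list:
    """Enable the VPN accept rules and move them above the WAN drop rule."""
    i = next(k for k, r in enumerate(rules) if r["comment"].startswith("defconf: drop all"))
    vpn = [{**r, "disabled": False} for r in rules[i + 1:]]
    return rules[:i] + vpn + [rules[i]]
```

Note that even in the fixed order the exported "allow pptp" rule only accepts on WAN2 (in-interface=WAN2), so a PPTP client dialling the WAN1 address is still dropped, while the "allow l2tp" rule has no such restriction.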
 
AlejandroRh
just joined
Topic Author
Posts: 8
Joined: Sat Feb 10, 2024 10:02 pm

Re: Is this config possible?? 2 ISPs, port forwarding and VPN

Tue Jul 09, 2024 10:02 pm

By VPN you mean L2TP or PPTP on the router? If so, did you have your firewall rules in the same order as now when testing? Because that wouldn't work. Rules are checked from top to bottom, so any connection from WAN is blocked by the fifth rule and the further ones that allow it don't matter.

As for different SSTP port, how is writing e.g. "myvpnserver.mydomain.tld:1443" not easy?

I didn't know that the rules had to have an order ( although it is logical if you think about it :-| )

So for the VPN to work, I should enter the rules before the fifth in firewall filter?

About the SSTP port, I don't know why, but I had always thought that if you selected SSTP in Windows it would always try to connect to that port; I had not thought about adding it to the IP.

I'm sorry if I ask very simple things, I'm still learning (with english and mikrotik :lol: )
