Hi all
I have a setup and an issue to explain,
I have a router provided to me by a supplier that allows me to connect into a secure broadband connection. It's a managed Cisco, as we would expect, that I have no access to (though that is not the issue here).
What I have done is added my Mikrotik to this router and set one of the ports as a WAN. This port on the Mikrotik is using a static public IP from the range on the Cisco [let's say it's 144.x.x.x/28], with the Cisco's DG being 144.x.x.1/28.
I then have a Network on this Mikrotik [we can call this Site A] the network settings are as follows:
192.168.100.0/24
DG:192.168.100.1
Pool: 192.168.100.10-192.168.100.240
DNS: 99.99.99.1, 99.99.99.2 - NB: the actual DNS servers are hosted on the secure broadband mentioned above, so I have just made up some random numbers, though these are important to the issue I am having.
The above network is bridged over several ports on the router, with DHCP on obs
There is a secure website hosted on the secure broadband [let's call the URL secure.website.org]. When I connect to one of the bridged ports I get an IP in the range [192.168.100.0/24] and I can resolve secure.website.org with no issue, on 77.77.77.1 | secure.website.org/correct/web/page/index.html
More context on this website: it has split DNS. This is so you "can" access it from a regular old broadband. However, over the secure network when you resolve secure.website.org you should get 77.77.77.1 | secure.website.org/correct/web/page/index.html [again placeholder], but if you access this over the internet you get 66.66.66.2 | secure.website.org/insecure/web/page/index.html
Where the issue comes in is that Site A also has an SSTP Interface set up acting as the server gateway. It's as simple as it gets really.
PPP profile setup - only config in there is ensuring anything using the profile is attached to the bridge for network 192.168.100.0/24
Then a secret setup with the above profile to ensure the connection hits the bridge
Lastly I have some firewall rules just saying forward all traffic from the above bridge to the WAN connected to the secure BB, and vice versa.
This is where the issue comes in
I then have another Mikrotik [Site B] that is connected to this SSTP connection
The setup for this is that I build a bridge - let's call it Bridge_One - and this bridge is attached to the SSTP connection profile that links the Mikrotik back to Site A.
Bridge_One then gets DHCP and an IP of: eg, 192.168.100.20/24 - and is set as a DHCP client
Standard NAT Masq set up for Bridge_One
Nothing else is on this bridge - just the SSTP connection
I then have a local network on Site B; let's call this network Bridge_two
10.10.10.0/24
DG:10.10.10.1
Pool: 10.10.10.10-10.10.250
DNS: 99.99.99.1, 99.99.99.2 ---> note secure DNS servers
I then have a route set called: rtab-Route1
a mangle rule that says: prerouting on src-address: 10.10.10.0/24, Action: Mark Routing: rtab-Route1, Passthrough: Yes
Lastly I have a route on Site B that says: 0.0.0.0/0, Gateway: 192.168.100.1 ---> SSTP Bridge back to Site A
The above setup works a dream, not an issue; ALL traffic from Site B routes all the way across the SSTP to Site A and is passed to the Secure Router and out to the broadband, and all secure websites (as there are many more than the ones mentioned) work 100%.
However, the issue comes when I try to access the Split DNS Secure Site mentioned above.
On a PC attached at Site B if I do:
nslookup secure.website.org
It returns:
resolved by: 99.99.99.1
77.77.77.1
secure.website.org
All good, right?
However, when I actually then browse to the site [which is a citrix portal fyi] I hit 66.66.66.2 | secure.website.org/insecure/web/page/index.html and I can see this in the connections as such
The PC resolves it by the Router connects it to the wrong IP
If I browse to https://77.77.77.1 [the actual IP] the site pops up as 77.77.77.1/correct/web/page/index.html, but I can log in --> not logging in is neither here nor there
What the issue is, is I can't seem to resolve the DNS correctly at Site B, but connected straight into Site A on 192.168.100.0/24 it's perfectly fine.
To test what the issue might be I went to Site A [the server connected to the secure line]
I put another Mikrotik [Site C] on there and set up a network on it as below
192.168.88.0/24
DG:192.168.88.1
Pool: 192.168.88.10-192.168.88.240
DNS: 99.99.99.1, 99.99.99.2
Ether1 --> DHCP Client | connected to Port 4 of Site A getting IP: 192.168.100.33
NO SSTP on this one [basically default config apart from the DNS Servers on the network specifically]
I got the same results as Site B: the Mikrotik was unable to resolve the correct IP, but on the PC I had connected to the Site C Mikrotik nslookup was fine.
What I then did was I added the 2 CNAMEs and the A name for the secure website as DNS Static - this worked....
However, setting the same DNS static on Site B did not work, and I suspect that's because on Site C, as it was using the WAN connection with no rules, this static DNS rule kicked in, but on Site B, traffic on the LAN is Route Marked and pushed to the Bridge connected to the SSTP and as such misses this static route.
But it again makes no sense really, as other secure websites that need to be resolved by 99.99.99.1 connect with no trouble....
Apologies for the long-winded explanation; any help would be awesome. Any initial first steps or checks would be great, just to get me thinking along the right lines.
I am happy to get any config you might want though I will redact some IPs.
Thank you all in advance!
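As a first check on the split-DNS symptom described in the post, here is an added example (my own code, not from the original post or from MikroTik): it sends the same A query directly to each resolver hop a Site B host would use, the router's own DNS at 10.10.10.1 and the upstream 99.99.99.1, and reports which hop returns the public-side address instead of the secure one. Names and addresses are the post's placeholders; the query id and UDP port 53 are standard DNS, and nothing is contacted unless compare_resolvers() is run with the real udp_exchange.

```python
# Added example (not from the original post): send the same A query to each
# resolver hop and report which hop hands out the split-DNS public address.
import socket
import struct

def build_query(name, qid):
    # Minimal DNS query: header with RD set, one A/IN question.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    # Offset just past a (possibly compressed) domain name.
    while msg[off] != 0 and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if (msg[off] & 0xC0) == 0xC0 else 1)

def parse_a_records(msg, qid):
    # IPv4 answers in a reply; empty if the reply does not match our query.
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not (flags & 0x8000):  # wrong id, or not a response
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def udp_exchange(server, packet, timeout=2.0):
    # Send one query to server:53 over UDP and return the raw reply.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)

def compare_resolvers(name, resolvers, secure_ip, exchange=udp_exchange, qid=0x1234):
    # Per resolver: (answers, "secure" | "public" | "none"); the hop that
    # returns the public-side address instead of secure_ip stands out.
    report = {}
    for server in resolvers:
        ips = parse_a_records(exchange(server, build_query(name, qid)), qid)
        verdict = "none" if not ips else ("secure" if secure_ip in ips else "public")
        report[server] = (ips, verdict)
    return report
```

Run it from the Site B PC as compare_resolvers("secure.website.org", ["10.10.10.1", "99.99.99.1"], "77.77.77.1"): if the router hop reports "public" while the upstream reports "secure", the router's own DNS cache or a static entry is answering rather than the upstream server.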