 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Mikrotik cloud access via wan2

Sat Aug 21, 2021 9:58 am

OK so here it is
Wan1 = internet 1, no fixed IP, double-NATed by the ISP
Wan2 = internet 2, fixed IP provided by the ISP
Wan3 = internet 3, no fixed IP, double-NATed by the ISP

Router
1 Wan1 -> on failure Wan2 -> on failure Wan3

How do I make Mr Mik route the cloud services to Wan2 so that I can access the router from outside?
 
Zacharias
Forum Guru
Posts: 3348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik cloud access via wan2

Sat Aug 21, 2021 12:49 pm

On the Mangles Facility create a Rule on the output chain, with destination address cloud.mikrotik.com or cloud2.mikrotik.com (depends on the device ROS version) and then create a new Routing Mark to the WAN you want to use (that Routing Mark should of course exist in your Routing Table)...
You could as well create an address list with the above servers... (Recommended)

Another choice would be the Routing Rules instead of the Mangles Facility...
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Sat Aug 21, 2021 7:23 pm

On the Mangles Facility create a Rule on the output chain, with destination address cloud.mikrotik.com or cloud2.mikrotik.com (depends on the device ROS version) and then create a new Routing Mark to the WAN you want to use (that Routing Mark should of course exist in your Routing Table)...
You could as well create an address list with the above servers... (Recommended)

Another choice would be the Routing Rules instead of the Mangles Facility...
SO chain output, dst address to address list, say (cloud), and cloud has the entry cloud.mikrotik.com, which it shows resolved to an IP address. Mark routing: new routing mark (ispB)
Now in routing table
dst address 0.0.0.0/0
gateway is wan2 which is the static IP address.
distance 1
routing mark (ispB)

Does not work with any cloud or cloud2; the only way it will work is if I give wan2 distance 1 in the routing table, which is generally 2.

I had tried accessing previously through the IP address and routed the winbox port to wan2 in the routing table; then also it did not work.

Routing mark (ispB)

Well, does not work; the cloud feature picks up the IP address of wan1.
 
Zacharias
Forum Guru
Posts: 3348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik cloud access via wan2

Sat Aug 21, 2021 9:46 pm

There is something wrong with your configuration then...

Working example:

Routing Table:
/ip route
add check-gateway=ping distance=10 gateway=192.168.33.1 routing-mark=Test
Address List:
/ip firewall address-list
add address=cloud.mikrotik.com list=Cloud
add address=cloud2.mikrotik.com list=Cloud2
Mangle Facility:
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=Cloud new-routing-mark=\
    Test passthrough=yes
add action=mark-routing chain=output dst-address-list=Cloud2 new-routing-mark=\
    Test passthrough=yes
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Sun Aug 22, 2021 9:28 am

There is something wrong with your configuration then...

Working example:

Routing Table:
/ip route
add check-gateway=ping distance=10 gateway=192.168.33.1 routing-mark=Test
Address List:
/ip firewall address-list
add address=cloud.mikrotik.com list=Cloud
add address=cloud2.mikrotik.com list=Cloud2
Mangle Facility:
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=Cloud new-routing-mark=\
    Test passthrough=yes
add action=mark-routing chain=output dst-address-list=Cloud2 new-routing-mark=\
    Test passthrough=yes

1) Why distance 10 and not 1?

My config is exactly the same as your example and the IP does update, but at the bottom it says the router is behind a NAT.
This is to update the IP address on the cloud, so the cloud will hit back on my IP address.
Back to the same problem: I have a static IP address from the provider. This static IP is on wan2, with distance 2 in the route.
If I make it distance one and all the other internets are greater (2,3) then I can access it through the direct static IP; I do not need cloud, and the same thing is happening with the cloud.

SO finally, how do I keep the static IP at distance 2 yet still access the router remotely?

Lastly, what I have tried now is adding under NAT
chain dstnat
Protocol tcp6
dst port 8291 (for winbox)
in interface WAN2
action dstnat
to address (IP address of the Mikrotik router LAN)
to port 8291
So what I am getting now, if I use the log feature:

dstnat: in:WAN_2 out:(unknown 0), src-mac cc:d8:1f:1a:49:ce, proto TCP (SYN), <my remote IP address from where I am accessing>:1035-><wan2 static IP address of the Mikrotik router to be accessed>:8291, len 52
 
Zacharias
Forum Guru
Posts: 3348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik cloud access via wan2

Sun Aug 22, 2021 5:52 pm

1) Why distance 10 and not 1?
That is a route with a Routing Mark, in my case there was no reason to set it to 1 or 100...

When you update the IP address successfully you will be able to access your Router through your static IP... Of course you should allow TCP 8291 on your Firewall (not good for Security reasons)

Also, you need no NAT rules to access the Mikrotik itself that already has a Public IP address assigned to one of its interfaces...

If it still doesn't work, you might have a conflicting rule on your Mangles...
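Zacharias's remark that allowing TCP 8291 on the firewall is "not good for Security reasons" is the point a defender would act on: an accept rule for 8291 with no source restriction exposes Winbox to every address on the internet. The following is an added example, not code from this thread or from MikroTik; it shows the permissive rule discussed here next to a version that accepts Winbox only from a management address list and logs every refused attempt. The interface names WAN_2, WAN_3 and pppoe-out-wan1 are the ones used in this thread; the list name `mgmt`, the interface list `WAN` and the 203.0.113.x addresses are placeholders to be replaced with your own.

```routeros
# Added example (not from the thread): a permissive Winbox rule beside a restricted one.
# Interface names come from the thread; "mgmt" and the 203.0.113.x addresses are placeholders.

/interface list
add name=WAN comment="all upstream interfaces"
/interface list member
add list=WAN interface=pppoe-out-wan1
add list=WAN interface=WAN_2
add list=WAN interface=WAN_3

/ip firewall address-list
add list=mgmt address=203.0.113.10 comment="admin workstation (placeholder)"
add list=mgmt address=203.0.113.0/29 comment="office range (placeholder)"

/ip firewall filter
# The "before": Winbox reachable from any source. Kept disabled here for comparison only.
add chain=input protocol=tcp dst-port=8291 action=accept disabled=yes \
    comment="Winbox from anywhere (weak)"

# The "after": state handling first, then Winbox only from the management list,
# then log-and-drop for every other attempt on 8291, then drop the rest of WAN input.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=WAN protocol=icmp action=accept \
    comment="allow ping for reachability checks"
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 src-address-list=mgmt \
    action=accept comment="Winbox from management hosts only"
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 action=drop \
    log=yes log-prefix="winbox-denied" comment="log and drop other Winbox attempts"
add chain=input in-interface-list=WAN action=drop comment="drop everything else from WAN"

# Second, independent layer: the Winbox service itself only answers the management
# prefixes, so a firewall misordering alone cannot expose it.
/ip service
set winbox address=203.0.113.10/32,203.0.113.0/29
```

`add` appends to the end of the chain, so on a router that already has drop rules use `place-before=` or move the accept/drop pair above the generic drops; the `/ip service` restriction applies regardless of rule order. With the source restriction in place, a logged `input: in:WAN_2 ... ->...:8291` line from an unknown address becomes a meaningful `winbox-denied` alert instead of noise.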
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Sun Aug 22, 2021 5:59 pm

1) Why distance 10 and not 1?
That is a route with a Routing Mark, in my case there was no reason to set it to 1 or 100...

When you update the IP address successfully you will be able to access your Router through your static IP... Of course you should allow TCP 8291 on your Firewall (not good for Security reasons)

Also, you need no NAT rules to access the Mikrotik itself that already has a Public IP address assigned to one of its interfaces...

If it still doesn't work, you might have a conflicting rule on your Mangles...
1) No other rules in Mangle
2) How do I NAT the rules to access the Mik itself? Any more insight on this will be appreciated.

As we can see it's already hitting the router, but the router is rejecting the packets in the log.
 
Zacharias
Forum Guru
Posts: 3348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik cloud access via wan2

Sun Aug 22, 2021 6:12 pm

You need no NAT, I already said that before...
If the Cloud is updated with a public IP, it is accessible...

Check in your firewall the Drop rules in the Input chain..
Or just create an accept rule on chain input for 8291 and place it on top (we always prefer VPN Tunnels to access our Devices)...

Can you ping the cloud dns ?
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Sun Aug 22, 2021 7:12 pm

You need no NAT, I already said that before...
If the Cloud is updated with a public IP, it is accessible...

Check in your firewall the Drop rules in the Input chain..
Or just create an accept rule on chain input for 8291 and place it on top (we always prefer VPN Tunnels to access our Devices)...

Can you ping the cloud dns ?
I agree NAT becomes risky.
OK so disabled all filter rules and created on top
chain input
protocol 6(tcp)
dst port 8291
accept

and I logged it
input: in:WAN_2 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 103.72.xxx.xxx:1059->182.76.xxx.xxx:8291, len 52


Ping comes to Request timed out.
 
Zacharias
Forum Guru
Posts: 3348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik cloud access via wan2

Sun Aug 22, 2021 7:44 pm

ok, so the cloud is updated but you can not access the device nor can you ping it, correct ?
There must be something wrong in your configuration ...

Maybe you should post your configuration with hide-sensitive ...
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Thu Aug 26, 2021 10:32 am

ok, so the cloud is updated but you can not access the device nor can you ping it, correct ?
There must be something wrong in your configuration ...

Maybe you should post your configuration with hide-sensitive ...
OK will do that

If you look at the fixed IP address Mik:
input: in:WAN_2 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 103.72.xxx.xxx:1059->182.76.xxx.xxx:8291, len 52

what is the above error exactly??
 
Zacharias
Forum Guru
Posts: 3348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik cloud access via wan2

Thu Aug 26, 2021 4:50 pm

That is not an error...
Somewhere in your Firewall you have enabled the Log and it actually shows input traffic to port 8291 (MikroTik)...
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Fri Aug 27, 2021 11:51 am

That is not an error...
Somewhere in your Firewall you have enabled the Log and it actually shows input traffic to port 8291 (MikroTik)...
/interface ethernet
set [ find default-name=ether1 ] name=WAN_1 comment=wan1_interface
set [ find default-name=ether2 ] name=WAN_2 comment=wan2_interface  ((((fixed ip)))
set [ find default-name=ether3 ] name=WAN_3 comment=wan3_interface 
set [ find default-name=ether4 ] name=LAN_4 comment=lan4_interface disabled=yes
set [ find default-name=ether5 ] name=LAN_5 comment=lan5_interface 

/interface pppoe-client
add disabled=no interface=WAN_1 name=pppoe-out-wan1 password=test\
user=8test

/ip pool
add name=Lan5_Dhcp_pool ranges=192.168.88.100-192.168.88.150

/ip dhcp-server
add address-pool=Lan5_Dhcp_pool authoritative=after-2sec-delay \
disabled=no interface=LAN_5 lease-time=23h59m59s name=Lan5_Dhcp
	
/ip address
add address=192.168.88.254/24 interface=LAN_5 network=192.168.88.0 \
comment=Local_Lan
add address=192.168.1.200/24 interface=WAN_1 network=192.168.1.0 disabled=yes
add address=192.168.2.200/24 interface=WAN_2 network=192.168.2.0 disabled=yes
add address=192.168.3.200/24 interface=WAN_3 network=192.168.3.0 disabled=yes

/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.254 netmask=24

/ip dns
set servers=8.8.8.8,8.8.4.4

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN_1
add action=masquerade chain=srcnat out-interface=WAN_2
add action=masquerade chain=srcnat out-interface=WAN_3
add action=masquerade chain=srcnat out-interface=pppoe-out-wan1

/ip route
add check-gateway=ping comment=WAN_1_ROUTE distance=1 gateway=192.168.1.1 \
disabled=yes
add check-gateway=ping comment=WAN_2_ROUTE distance=2 gateway=192.168.2.254
add check-gateway=ping comment=WAN_3_ROUTE distance=3 gateway=192.168.3.254
add check-gateway=ping comment=pppoe-out-wan1_ROUTE distance=1 \
gateway=pppoe-out-wan1
add comment=WAN_1_Redundancy_check distance=1 gateway=pppoe-out-wan1  \
dst-address=8.8.8.8
add comment=WAN_2_Redundancy_check distance=1 gateway=192.168.2.254  \
dst-address=8.8.4.4
add comment=WAN_3_Redundancy_check distance=1 gateway=192.168.3.254  \
dst-address=8.8.4.4



/ip firewall filter (these were disabled to check fixed ip)
add chain=input comment="Accept established and related packets" \
connection-state=established,related
add chain=input comment="Accept all connections from local network" \
in-interface=LAN_5
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" \
dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" \
in-interface=WAN_1 src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" \
in-interface=WAN_2 src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" \
in-interface=WAN_3 src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network"\
 in-interface=pppoe-out-wan1 src-address-list=NotPublic


/ip firewall filter (these were disabled to check fixed ip)
add chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN_1
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN_2
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN_3
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out-wan1

add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN_1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN_2 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN_3 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=pppoe-out-wan1 src-address-list=NotPublic


add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN_5
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=LAN_5 src-address=!192.168.88.254/24


/ip firewall filter (these were disabled to check fixed ip)
add chain=input in-interface=LAN_5 protocol=icmp action=accept comment="allow ICMP2";
add chain=input in-interface=LAN_5 protocol=tcp port=8291 action=accept comment="allow Winbox2";
add chain=input in-interface=LAN_5 protocol=tcp port=22 action=drop comment="allow SSH";
add chain=input in-interface=LAN_5 action=drop comment="block everything else";
Here is the last config I tried; the IPs are changed, but you can see wan2 is the fixed IP.

Above + the address list of cloud and mangle for cloud in firewall
 
Zacharias
Forum Guru
Posts: 3348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik cloud access via wan2

Fri Aug 27, 2021 3:40 pm

I see no Routing Marks in your Routing Table...
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Fri Aug 27, 2021 3:43 pm

I see no Routing Marks in your Routing Table...
Removed them and kept it simple, as only one route will be used at one time, so did not.

But did make the mangle one for cloud as we discussed earlier.
 
Zacharias
Forum Guru
Posts: 3348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik cloud access via wan2

Fri Aug 27, 2021 3:50 pm

If you create a Route with a Routing Mark, the Route will not be used unless you Route traffic specifically to that Route, by using Mangles for example...

I would suggest you add the Route and give it some time... it might take some time to update the IP of the Cloud.. normally it should be 60 seconds...
You could also try to force-update the cloud from terminal...
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Fri Aug 27, 2021 3:52 pm

If you create a Route with a Routing Mark, the Route will not be used unless you Route traffic specifically to that Route, by using Mangles for example...

I would suggest you add the Route and give it some time... it might take some time to update the IP of the Cloud.. normally it should be 60 seconds...
You could also try to force-update the cloud from terminal...
As I said before, I have mangle routes in place

Routing Table:
/ip route
add check-gateway=ping distance=10 gateway=192.168.33.1 routing-mark=Test
Address List:
/ip firewall address-list
add address=cloud.mikrotik.com list=Cloud
add address=cloud2.mikrotik.com list=Cloud2
Mangle Facility:
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=Cloud new-routing-mark=\
    Test passthrough=yes
add action=mark-routing chain=output dst-address-list=Cloud2 new-routing-mark=\
    Test passthrough=yes
The cloud updates to the fixed IP and I gave you the result of that.
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Fri Aug 27, 2021 4:07 pm

OK so my config + those marking rules you gave to update the cloud.

firewall->
chain input
protocol 6(tcp)
dst port 8291
accept

and I logged it
input: in:WAN_2 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 103.72.xxx.xxx:1059->182.76.xxx.xxx:8291, len 52

That's what it is so far.
Cannot ping the Mikrotik cloud. I don't need cloud as I already have a public IP, but again that does not connect.
 
Zacharias
Forum Guru
Posts: 3348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik cloud access via wan2

Fri Aug 27, 2021 4:08 pm

The cloud updates to the fixed IP and I gave you the result of that.
ok, so where is the problem ?
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Fri Aug 27, 2021 4:10 pm

The cloud updates to the fixed IP and I gave you the result of that.
ok, so where is the problem ?
this is the log

input: in:WAN_2 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 103.72.xxx.xxx:1059->182.76.xxx.xxx:8291, len 52

and winbox does not connect. But I know the packet is hitting the router.
 
Zacharias
Forum Guru
Posts: 3348
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Mikrotik cloud access via wan2

Fri Aug 27, 2021 4:26 pm

As said earlier, you need no NAT to enter a Router that has a Public IP assigned to one of its interfaces ...
Check your NAT rules again ...

The only reason why you would need NAT, is if the MikroTIK is behind another Router...
In that case yes you would need NAT from the Router that is before the MikroTIK...
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Sat Aug 28, 2021 12:56 pm

As said earlier, you need no NAT to enter a Router that has a Public IP assigned to one of its interfaces ...
Check your NAT rules again ...

The only reason why you would need NAT, is if the MikroTIK is behind another Router...
In that case yes you would need NAT from the Router that is before the MikroTIK...
OK tried some things today
1) made a mangle rule
chain - prerouting
in interface - wan2
action - markrouting
new routing mark - Forfixedip

2) route
dst addr - 0.0.0.0/0
gateway - ISP's gateway for the public IP
distance - 10
routing mark - Forfixedip
preferred source - my public IP

Now I can ping the cloud IP of the router from remote, but
still cannot winbox to the router.

I can only connect if all the other routes are greater and the wan 2 route is 1.

Should I mark all the routes wan1, wan2 and wan3 and leave their route priority as I want them?
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2

Mon Aug 30, 2021 5:47 pm

As said earlier, you need no NAT to enter a Router that has a Public IP assigned to one of its interfaces ...
Check your NAT rules again ...

The only reason why you would need NAT, is if the MikroTIK is behind another Router...
In that case yes you would need NAT from the Router that is before the MikroTIK...
OK should I use this in masquerade
/ip firewall mangle

add action=mark-connection chain=prerouting comment=R1 connection-mark=\
    no-mark in-interface=pppoe-out-wan1 new-connection-mark=WAN_1_conn \
    passthrough=yes

add action=mark-routing chain=prerouting comment=R2 connection-mark=\
    WAN_1_conn in-interface=LAN_5 new-routing-mark=to_WAN_1 passthrough=yes

add action=mark-routing chain=output comment=R3 connection-mark=WAN_1_conn \
    new-routing-mark=to_WAN_1 passthrough=yes
and then the route for "to_WAN_1 "

Or just use single line
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=pppoe-out-wan1 new-connection-mark=to_WAN_1   passthrough=yes
and then the route for "to_WAN_1 "
 
boxybh
newbie
Topic Author
Posts: 31
Joined: Sat Jul 29, 2017 11:16 am

Re: Mikrotik cloud access via wan2  [SOLVED]

Tue Aug 31, 2021 5:46 pm

OK solved it

The mangle routes are important and the below config worked
/ip firewall mangle

add action=mark-connection chain=prerouting comment=R1 connection-mark=\
    no-mark in-interface=pppoe-out-wan2 new-connection-mark=WAN_2_conn \
    passthrough=yes

add action=mark-routing chain=prerouting comment=R2 connection-mark=\
    WAN_2_conn in-interface=LAN_5 new-routing-mark=to_WAN_2 passthrough=yes

add action=mark-routing chain=output comment=R3 connection-mark=WAN_2_conn \
    new-routing-mark=to_WAN_2 passthrough=yes
and then the route for "to_WAN_1 "
After this create a route with distance 1, with the gateway IP address of wan2 (public IP) and routing mark to_WAN_2.

Did not need to do anything else at all, and despite wan1 being primary I could access the router through the wan 2 public IP.
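The final configuration works because it restores return-path symmetry, which every earlier attempt lacked: the remote client's SYN was accepted on WAN_2 (the logged `input: in:WAN_2 ... ->...:8291` line proves it reached the input chain), but the router's SYN-ACK was routed by the main table, whose best default route is WAN_1, so the reply left through a double-NATed link carrying WAN_2's source address and never came back to the client. Marking the connection on arrival and routing the router's own replies by that mark sends them back out WAN_2 whatever the failover order. As an added example, not the poster's final config or MikroTik documentation, here is the same design extended to all three WANs (the question asked in the Aug 28 post), with the cloud DDNS update pinned to WAN_2 and Zacharias's force-update. Interface names and the gateways 192.168.2.254 / 192.168.3.254 are taken from the posted config, whose addresses the poster said were changed, so substitute the real ISP gateways; the `Cloud` list and the `WAN_n_conn` / `to_WAN_n` marks follow the thread's own naming.

```routeros
# Added example (not the poster's config): return-path symmetry for all three WANs,
# with the cloud DDNS update pinned to WAN_2. Gateways are the placeholders from the
# posted config; replace them with the real ISP gateways.

/ip firewall address-list
add list=Cloud address=cloud.mikrotik.com comment="resolved through /ip dns"
add list=Cloud address=cloud2.mikrotik.com comment="older ROS versions use this host"

/ip firewall mangle
# 1) Tag each new inbound connection with the WAN it arrived on. Only the first
#    packet matches (connection-mark=no-mark), so this costs one lookup per connection.
add chain=prerouting in-interface=pppoe-out-wan1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN_1_conn passthrough=yes
add chain=prerouting in-interface=WAN_2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN_2_conn passthrough=yes
add chain=prerouting in-interface=WAN_3 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN_3_conn passthrough=yes

# 2) Replies generated by the router itself (Winbox, SSH, ICMP echo) are routed in
#    chain=output. Without these rules the SYN-ACK to a Winbox client on WAN_2 follows
#    the main table out of WAN_1 and the session never completes.
add chain=output connection-mark=WAN_1_conn action=mark-routing \
    new-routing-mark=to_WAN_1 passthrough=no
add chain=output connection-mark=WAN_2_conn action=mark-routing \
    new-routing-mark=to_WAN_2 passthrough=no
add chain=output connection-mark=WAN_3_conn action=mark-routing \
    new-routing-mark=to_WAN_3 passthrough=no

# 3) Replies from LAN hosts reached through dst-nat take the same path
#    (forwarded traffic is routed in prerouting, not output).
add chain=prerouting in-interface=LAN_5 connection-mark=WAN_1_conn \
    action=mark-routing new-routing-mark=to_WAN_1 passthrough=no
add chain=prerouting in-interface=LAN_5 connection-mark=WAN_2_conn \
    action=mark-routing new-routing-mark=to_WAN_2 passthrough=no
add chain=prerouting in-interface=LAN_5 connection-mark=WAN_3_conn \
    action=mark-routing new-routing-mark=to_WAN_3 passthrough=no

# 4) Router-originated traffic to the cloud servers always leaves via WAN_2, so the
#    DDNS record carries the static address even while WAN_1 is the active default.
add chain=output dst-address-list=Cloud action=mark-routing \
    new-routing-mark=to_WAN_2 passthrough=no

/ip route
# Marked routes are consulted only for packets carrying the matching routing-mark,
# so they leave the unmarked WAN_1 -> WAN_2 -> WAN_3 failover order untouched.
add dst-address=0.0.0.0/0 gateway=pppoe-out-wan1 routing-mark=to_WAN_1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.254 routing-mark=to_WAN_2 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.254 routing-mark=to_WAN_3 distance=1 check-gateway=ping

/ip cloud
set ddns-enabled=yes
# Push the update now instead of waiting for the periodic refresh, then confirm
# that public-address shows the WAN_2 address and the NAT warning is gone.
force-update
print
```

On RouterOS v7 the same design is written with `routing-table=` instead of `routing-mark=` on the routes, and each table has to exist first (`/routing table add name=to_WAN_2 fib`, one per mark) before the routes and mangle rules will accept the name. Step 3 matters only if a LAN service is published with dst-nat; for reaching the router itself, steps 1, 2 and the marked routes are the whole fix.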
