boximus
just joined
Topic Author
Posts: 1
Joined: Fri Jan 20, 2023 8:04 am

Multiple WAN IP Config issue - CCR1009

Mon Jan 23, 2023 10:07 pm

CCR1009
- SFP+ connected as trunk for multiple VLANs back to a switch
- Eth6 connected to WAN
- Eth5 not connected currently but will eventually be a second WAN link to the same gateway/subnet with a subset of the WAN IPs I have been assigned

Local IPs for the config are all in the 10.0.0.0/8 range,
WAN IPs end in x.x.x.120-127.
WAN IP x.x.x.120 is the current default route IP, which works fine, including dstnat.

The CCR is intended to do inter-VLAN routing for VMware/management and VM traffic, which is all connected to the switch. I do not yet have a rule set up to block traffic between VLANs as I'm still working on the WAN side of it, but that I know how to achieve.
I want to use multiple WAN IPs in the same subnet, same gateway, using multiple interfaces to ensure some large file transfer traffic doesn't affect some other traffic (multiple interfaces isn't a priority right now, but it probably will mean certain things need doing differently).
I want to have some local IPs use different routing tables/external WAN IPs for external traffic.
I also want to dstnat certain ports on certain IPs to some local IPs too.



What I have is one gateway from the ISP/colocation host with a /29 range of public IPs to use; the gateway sits outside that range, however.

I have the srcnat and dstnat working perfectly for anything on the default routing table, but no incoming traffic is working on any other public IP addresses, even ICMP, which works on the 'default route' WAN IP.

I added the next WAN IP I wanted to use (.121) to my WAN interface (eth6).
Then I set a dstnat for port 443 to the .121 WAN IP, and when I send any requests to that IP on the port I don't see anything on the dstnat rule traffic counter like I would expect.
I also created a new routing rule with a routing-mark to indicate a new default route with the pref-src set to the .121 WAN IP, then I created some routing rules to indicate that a single server's internal IP should do lookup-table-only using the new routing mark/route table.

Still nothing; however, I notice that if I try to connect to port 443 on that IP from a node that is connected to my Tailscale VPN with exit node turned on (essentially a full tunnel VPN), the page loads fine and I can see the traffic counter incrementing. So I suspect the return traffic still isn't using the .121 IP and is coming from the wrong IP, which causes issues? Not sure on that.

Config is attached to fill in any gaps/details I have missed.
# jan/22/2023 14:42:57 by RouterOS 6.46.7
# software id = KSLP-3I77
#
# model = CCR1009-7G-1C-1S+
# serial number = 
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=SFP+Trunk
/interface vlan
add interface=SFP+Trunk name=vlan15-D vlan-id=15
add interface=SFP+Trunk name=vlan20-R vlan-id=20
add interface=SFP+Trunk name=vlan30-Common vlan-id=30
add interface=SFP+Trunk name=vlan99-MGMT vlan-id=99
/interface list
add name=WAN
add name=LAN
add name=AllVLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP-MGMT ranges=10.10.99.50-10.10.99.100
add name=D-DHCP ranges=10.10.15.50-10.10.15.100
add name=OVPN-Pool ranges=10.10.60.1-10.10.60.50
add name=Common-DHCP ranges=10.10.30.100-10.10.30.200
add name=vpn-isec ranges=10.10.85.50-10.10.85.100
/ip dhcp-server
add address-pool=DHCP-MGMT disabled=no interface=vlan99-MGMT name=MGMT-DHCP
add address-pool=D-DHCP disabled=no interface=vlan15-D name=D-DHCP
add address-pool=Common-DHCP disabled=no interface=vlan30-Common name=\
    Common-DHCP
/ppp profile
set *0 local-address=10.10.85.1 remote-address=vpn-isec
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=required
/interface list member
add list=LAN
add interface=ether5 list=WAN
add interface=ether6 list=WAN
add interface=vlan15-D list=LAN
add interface=vlan20-R list=LAN
add interface=vlan30-Common list=LAN
add interface=vlan99-MGMT list=LAN
/ip address
add address=10.10.99.1/24 interface=vlan99-MGMT network=10.10.99.0
add address=10.10.30.1/24 interface=vlan30-Common network=10.10.30.0
add address=10.10.15.1/24 interface=vlan15-D network=10.10.15.0
add address=10.10.20.1/24 interface=vlan20-R network=10.10.20.0
add address=x.x.x.120/24 interface=ether6 network=x.x.x.0
add address=x.x.x.121/24 interface=ether6 network=x.x.x.0
/ip dhcp-server lease
add address=10.10.30.100 client-id=\
    ff:bc:9a:4a:2d:0:2:0:0:ab:11:7f:d8:65:bf:16:cc:5c:2d mac-address=\
    00:0C:29:7C:1D:7F server=Common-DHCP
/ip dhcp-server network
add address=10.10.15.0/24 dns-server=10.10.15.1 gateway=10.10.15.1 netmask=24
add address=10.10.30.0/24 dns-server=10.10.30.1 gateway=10.10.30.1
add address=10.10.99.0/24 dns-server=10.10.99.1 gateway=10.10.99.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=1701,500,4500 in-interface-list=WAN \
    protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment=\
    "Accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=drop chain=input comment=\
    "Drop anything that is not from LAN interface" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    10.10.15.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    10.10.20.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    10.10.30.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    10.10.2.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    10.10.99.0/24
add action=dst-nat chain=dstnat comment="Plex port forward" dst-address=\
    x.x.x.120 dst-port=32400 log=yes log-prefix="Plex forward" protocol=\
    tcp to-addresses=10.10.15.2
add action=dst-nat chain=dstnat comment="Prox01 - HTTP" dst-address=\
    x.x.x.120 dst-port=80 protocol=tcp to-addresses=10.10.15.4 to-ports=\
    80
add action=dst-nat chain=dstnat comment="Prox01 - HTTPS" dst-address=\
    x.x.x.120 dst-port=443 protocol=tcp to-addresses=10.10.15.4 \
    to-ports=443
add action=dst-nat chain=dstnat comment="OpenVPN vpn01 port forward - 443" \
    dst-address=x.x.x.121 dst-port=443 protocol=tcp to-addresses=\
    10.10.30.100 to-ports=443
add action=dst-nat chain=dstnat comment="OpenVPN VPN01 - 943" dst-address=\
    x.x.x.121 dst-port=943 protocol=tcp to-addresses=10.10.30.100 \
    to-ports=943
add action=dst-nat chain=dstnat comment="Tailscale UDP port forward" \
    dst-address=x.x.x.120 dst-port=41641 protocol=udp to-addresses=\
    10.10.15.3
/ip route
add comment="121 ip default route" distance=1 gateway=x.x.x.1 pref-src=\
    x.x.x.121 routing-mark=121ip-out
add distance=1 gateway=x.x.x.1
add distance=1 dst-address=10.10.1.0/24 gateway=10.10.15.3
/ip route rule
add action=lookup-only-in-table comment=\
    "All interVLAN traffic use main routing table" dst-address=10.10.0.0/16 \
    src-address=10.10.0.0/16 table=main
add action=lookup-only-in-table comment="VPN Server External IP .121" \
    routing-mark=121ip-out src-address=10.10.30.100/32 table=121ip-out
/lcd
set time-interval=hour
/ppp secret
add name=admin
/system clock
set time-zone-name=Europe/London
/system identity
set name=RTR01
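As an added example (not part of the original post and not the poster's config), this is the usual RouterOS v6 mangle-plus-route pattern for pinning one internal host to a second public address on the same WAN port. It reuses the names from the post (ether6, vlan30-Common, 10.10.30.100, x.x.x.121, gateway x.x.x.1, table 121ip-out); the connection-mark name, comments and rule placement are my own assumptions.

```routeros
# Added example, not from the original post. Assumes ether6 is the WAN port,
# x.x.x.1 the upstream gateway, 10.10.30.100 the host behind vlan30-Common and
# x.x.x.121 the second public address, as in the post above.

# 0. Fasttracked packets skip mangle, so connections that carry a mark must
#    be kept out of the existing fasttrack rule (matched here by its comment).
/ip firewall filter
set [ find comment=fasttrack ] connection-mark=no-mark

# 1. A default route that is only consulted for packets carrying the routing
#    mark; pref-src makes router-originated packets in this table use .121.
/ip route
add comment="default via .121" distance=1 gateway=x.x.x.1 \
    pref-src=x.x.x.121 routing-mark=121ip-out

/ip firewall mangle
# 2. Remember which public address a new inbound connection arrived on. This
#    runs before dst-nat, so dst-address is still the public .121.
add chain=prerouting in-interface=ether6 dst-address=x.x.x.121 \
    connection-state=new action=mark-connection \
    new-connection-mark=conn-121 passthrough=yes \
    comment="Inbound connections to .121"

# 3. Reply packets from the LAN side that belong to such a connection get the
#    routing mark, so they are routed by table 121ip-out instead of main.
add chain=prerouting in-interface=vlan30-Common connection-mark=conn-121 \
    action=mark-routing new-routing-mark=121ip-out passthrough=no \
    comment="Replies for .121 connections"

# 4. Traffic the host originates itself (not inter-VLAN) also leaves via .121.
add chain=prerouting in-interface=vlan30-Common src-address=10.10.30.100 \
    dst-address=!10.0.0.0/8 action=mark-routing new-routing-mark=121ip-out \
    passthrough=no comment="Outbound from 10.10.30.100 via .121"

# 5. Source-NAT the host's own outbound traffic to .121 explicitly. The
#    masquerade rules in the post would pick the interface's primary address
#    (.120), so this rule must sit above them (place-before=0 puts it first).
/ip firewall nat
add chain=srcnat src-address=10.10.30.100 out-interface=ether6 \
    action=src-nat to-addresses=x.x.x.121 place-before=0 \
    comment="10.10.30.100 leaves as .121"
```

Two points worth checking against the config in the post. First, a `/ip route rule` that includes a `routing-mark=` match only fires for packets a mangle rule has already marked; without mangle, the same effect comes from a rule matching only `src-address=10.10.30.100/32` with `action=lookup-only-in-table table=121ip-out`. Second, when both public addresses sit on one interface with one gateway, the reply to a dst-natted connection is already un-translated back to .121 before routing, so the mangle marks only start to matter once .121 moves to a separate WAN link such as ether5; the dst-nat counter staying at zero for traffic from outside indicates those packets are not reaching the router at all, which is visible with `/tool sniffer quick interface=ether6 ip-address=x.x.x.121` before any NAT or routing is involved.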
