Alexybg
just joined
Topic Author
Posts: 12
Joined: Tue Dec 13, 2016 5:10 pm

(Solved) PCC Load Balance Router and VPN have no internet

Mon Jun 19, 2017 11:43 am

Hello,
I'm new to MikroTik and need some help.
I have configured my MikroTik with 2 WANs:
eth1 - PPPoE - GW 85.91.151.8
eth2 - DHCP - GW 192.168.0.1
bridge - 192.168.3.3
Load balancing works fine.
I configured PPTP and L2TP servers; they connect successfully.
/ip pool
add name=dhcp ranges=192.168.3.4-192.168.3.60
add name=pptp-pool ranges=192.168.3.61-192.168.3.100
add name=L2TP-Pool ranges=192.168.3.101-192.168.3.150

I want them to have internet when they connect through the VPN.
I don't know how to do it. Please help.

Regards
Last edited by Alexybg on Thu Jun 22, 2017 1:35 pm, edited 1 time in total.
 
gustavomam
Trainer
Posts: 289
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain

Re: PCC Load Balance Router and VPN have no internet

Mon Jun 19, 2017 5:05 pm

Hello.

Please give more information about your configuration:

/ip route print

/ip route export

/ip firewall mangle

/ip firewall filter

Or you can give us the full config:

/export
-
Eng. Gustavo Angulo
Academy Xperts Spain
Mikrotik Certified Trainer
https://www.youtube.com/watch?v=Cbt2HVYwjYU
 
Alexybg
just joined
Topic Author
Posts: 12
Joined: Tue Dec 13, 2016 5:10 pm

Re: PCC Load Balance Router and VPN have no internet

Mon Jun 19, 2017 5:39 pm

Hello, that is my configuration. It works fine for me; I just have no internet through the VPN, and I can't see the local network.
I can't ping the router 192.168.3.3, but I can open the web interface?


/ip route
add distance=1 gateway=85.91.151.8 routing-mark=ISP1
add distance=2 gateway=85.91.151.8 routing-mark=ISP1
add distance=1 dst-address=85.91.151.0/24 gateway=pppoe-out1 routing-mark=ISP1
add distance=1 dst-address=192.168.0.0/24 gateway=ether2-gateway routing-mark=ISP1
add distance=1 dst-address=192.168.3.0/24 gateway=bridge routing-mark=ISP1
add distance=1 gateway=192.168.0.1 routing-mark=ISP2
add distance=2 gateway=192.168.0.1 routing-mark=ISP2
add distance=1 dst-address=85.91.151.0/24 gateway=pppoe-out1 routing-mark=ISP2
add distance=1 dst-address=192.168.0.0/24 gateway=ether2-gateway routing-mark=ISP2
add distance=1 dst-address=192.168.3.0/24 gateway=bridge routing-mark=ISP2
add distance=1 gateway=192.168.0.1
add distance=1 gateway=85.91.151.8
add check-gateway=ping distance=10 gateway=85.91.151.8,192.168.0.1
add check-gateway=ping distance=1 dst-address=8.8.4.4/32 gateway=85.91.151.8 scope=10
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=192.168.0.1 scope=10

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=ISP1
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2-gateway new-connection-mark=ISP2
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=ISP1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting connection-mark=ISP1 new-routing-mark=ISP1 passthrough=no
add action=mark-connection chain=prerouting comment=" " connection-mark=no-mark new-connection-mark=ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2 new-routing-mark=ISP2 passthrough=no
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=ISP2 passthrough=no

/ip firewall filter
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related disabled=yes
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=accept chain=input comment=VPN dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="L2TP VPN" dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="D-Link access" disabled=yes dst-port=80 protocol=tcp
add action=drop chain=input in-interface=pppoe-out1
add action=drop chain=input in-interface=ether2-gateway
add action=drop chain=input dst-port=53 in-interface=ether2-gateway protocol=udp
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=tcp


I tried changing the PPTP pool to 192.168.3.50-192.168.3.10 so that the VPN takes an IP in the same range as my local network, but the problem is the same.
 
gustavomam
Trainer
Posts: 289
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain

Re: PCC Load Balance Router and VPN have no internet

Tue Jun 20, 2017 1:02 am

I think your L2TP VPN is being load balanced, and that's why you couldn't have an internet connection as well.

Try to add this line at the top of your firewall mangle:
add action=mark-connection chain=prerouting src-address=192.168.3.101-192.168.3.150 action=accept
where 192.168.3.101-192.168.3.150 is the L2TP_Pool address.
-
Eng. Gustavo Angulo
Academy Xperts Spain
Mikrotik Certified Trainer
https://www.youtube.com/watch?v=Cbt2HVYwjYU
 
Alexybg
just joined
Topic Author
Posts: 12
Joined: Tue Dec 13, 2016 5:10 pm

Re: PCC Load Balance Router and VPN have no internet

Tue Jun 20, 2017 5:19 pm

I think your L2TP VPN is being load balanced, and that's why you couldn't have an internet connection as well.

Try to add this line at the top of your firewall mangle:
add action=mark-connection chain=prerouting src-address=192.168.3.101-192.168.3.150 action=accept
where 192.168.3.101-192.168.3.150 is the L2TP_Pool address.

Do you mean: add action=accept chain=prerouting src-address=192.168.3.101-192.168.3.150
(can't mark it and accept it both)
The good thing is that it detects packets, and now I can ping the remote IP.
But no internet again.
 
gustavomam
Trainer
Posts: 289
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain

Re: PCC Load Balance Router and VPN have no internet

Tue Jun 20, 2017 5:23 pm

You are right, thanks for correcting me.

The mark-connection is not necessary; my post had two actions in the same rule, so it couldn't work.

Here is the correct rule:
add chain=prerouting src-address=192.168.3.101-192.168.3.150 action=accept
-
Eng. Gustavo Angulo
Academy Xperts Spain
Mikrotik Certified Trainer
https://www.youtube.com/watch?v=Cbt2HVYwjYU
 
Alexybg
just joined
Topic Author
Posts: 12
Joined: Tue Dec 13, 2016 5:10 pm

Re: PCC Load Balance Router and VPN have no internet

Tue Jun 20, 2017 5:29 pm

You are right, thanks for correcting me.

The mark-connection is not necessary; my post had two actions in the same rule, so it couldn't work.

Here is the correct rule:
add chain=prerouting src-address=192.168.3.101-192.168.3.150 action=accept
Now I can ping the remote IP; before, I couldn't.
But I still don't have internet.
 
gustavomam
Trainer
Posts: 289
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain

Re: PCC Load Balance Router and VPN have no internet

Tue Jun 20, 2017 5:30 pm

Check step by step.

Can you reach other network? ping 8.8.8.8
Can you resolve dns? ping google.com
-
Eng. Gustavo Angulo
Academy Xperts Spain
Mikrotik Certified Trainer
https://www.youtube.com/watch?v=Cbt2HVYwjYU
 
Alexybg
just joined
Topic Author
Posts: 12
Joined: Tue Dec 13, 2016 5:10 pm

Re: PCC Load Balance Router and VPN have no internet

Tue Jun 20, 2017 5:47 pm

Check step by step.

Can you reach other network? ping 8.8.8.8
Can you resolve dns? ping google.com
Yes, I can resolve, but no ping.
I can ping my router 192.168.3.3, but I can't ping others in the local network.
 
gustavomam
Trainer
Posts: 289
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain

Re: PCC Load Balance Router and VPN have no internet

Wed Jun 21, 2017 12:35 am

There is a trick to ping hosts in the local network from VPN users in the same network.

Put your LAN interface in this mode: arp=proxy-arp
-
Eng. Gustavo Angulo
Academy Xperts Spain
Mikrotik Certified Trainer
https://www.youtube.com/watch?v=Cbt2HVYwjYU
 
Alexybg
just joined
Topic Author
Posts: 12
Joined: Tue Dec 13, 2016 5:10 pm

Re: PCC Load Balance Router and VPN have no internet

Wed Jun 21, 2017 12:59 am

There is a trick to ping hosts in the local network from VPN users in the same network.

Put your LAN interface in this mode: arp=proxy-arp
I tried all options, bridge=local-proxy-arp and proxy-arp;
not working in my case.
 
Alexybg
just joined
Topic Author
Posts: 12
Joined: Tue Dec 13, 2016 5:10 pm

Re: PCC Load Balance Router and VPN have no internet

Wed Jun 21, 2017 11:31 am

I see that other people have the same problem too.
In load balancing with 2 WANs, their VPN connects but can't see the local network, and the VPN has no internet :(
 
Alexybg
just joined
Topic Author
Posts: 12
Joined: Tue Dec 13, 2016 5:10 pm

Re: (Solved) PCC Load Balance Router and VPN have no internet

Thu Jun 22, 2017 1:36 pm

I found the problem in mangle.
It's OK now :)
 
harimin
just joined
Posts: 1
Joined: Sat Jan 23, 2016 8:39 am

Re: (Solved) PCC Load Balance Router and VPN have no internet

Sun Dec 10, 2017 2:19 am

I found the problem in mangle.
It's OK now :)
Hi Alexybg
Could you elaborate which part of your mangle is the problem? And how to fix it?

Best regards,
Harimin.
 
Alexybg
just joined
Topic Author
Posts: 12
Joined: Tue Dec 13, 2016 5:10 pm

Re: (Solved) PCC Load Balance Router and VPN have no internet

Wed Dec 13, 2017 10:48 am

:)
Yes, I just added these rules in mangle,
where 192.168.3.0/24 is my local network, and everything works fine:


add action=mark-connection chain=prerouting comment="VPN Internet" new-connection-mark=VPN passthrough=yes src-address=192.168.3.0/24
add action=accept chain=prerouting src-address=192.168.3.0/24
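
An added example, not written by any poster in this thread: a small Python model of the prerouting mangle chain posted above, evaluated for the first packet of a new connection, showing which sources still receive a PCC routing mark under the original rules and under each of the two fixes. The PCC hash is a stand-in (sum of both addresses modulo the denominator), not RouterOS's real classifier; the interface name `l2tp-in` is hypothetical, and passthrough is assumed to default to yes.

```python
from ipaddress import ip_address, ip_network

def in_range(ip, spec):
    """Match a RouterOS-style src-address: CIDR or 'first-last' range."""
    if "-" in spec:
        lo, hi = map(ip_address, spec.split("-"))
        return lo <= ip_address(ip) <= hi
    return ip_address(ip) in ip_network(spec)

# The thread's prerouting mangle rules, in posted order.
PCC_CHAIN = [
    {"action": "mark-connection", "conn": "no-mark", "in": "pppoe-out1", "new": "ISP1"},
    {"action": "mark-connection", "conn": "no-mark", "in": "ether2-gateway", "new": "ISP2"},
    {"action": "mark-connection", "conn": "no-mark", "pcc": (2, 0), "new": "ISP1"},
    {"action": "mark-routing", "conn": "ISP1", "new": "ISP1", "passthrough": False},
    {"action": "mark-connection", "conn": "no-mark", "new": "ISP2"},
    {"action": "mark-routing", "conn": "ISP2", "new": "ISP2", "passthrough": False},
]
RANGE_ACCEPT = [{"action": "accept", "src": "192.168.3.101-192.168.3.150"}]
SUBNET_ACCEPT = [  # the final fix: two rules placed ahead of the PCC rules
    {"action": "mark-connection", "src": "192.168.3.0/24", "new": "VPN"},
    {"action": "accept", "src": "192.168.3.0/24"},
]

def prerouting(chain, src, dst, in_iface="l2tp-in"):
    """Return (connection-mark, routing-mark) for the first packet of a connection."""
    conn, route = "no-mark", None
    for r in chain:
        if (("src" in r and not in_range(src, r["src"]))
                or ("in" in r and r["in"] != in_iface)
                or ("conn" in r and r["conn"] != conn)):
            continue
        if "pcc" in r:  # stand-in hash, NOT RouterOS's real classifier
            total = int(ip_address(src)) + int(ip_address(dst))
            if total % r["pcc"][0] != r["pcc"][1]:
                continue
        if r["action"] == "accept":
            break  # accept ends processing of this chain for the packet
        if r["action"] == "mark-connection":
            conn = r["new"]
        else:
            route = r["new"]
        if not r.get("passthrough", True):
            break
    return conn, route

fixes = {"original": [], "range accept": RANGE_ACCEPT, "subnet accept": SUBNET_ACCEPT}
for name, top in fixes.items():
    for src in ("192.168.3.105", "192.168.3.61", "192.168.3.10"):
        print(name, src, prerouting(top + PCC_CHAIN, src, "8.8.8.8"))
```

In this model the range-based accept exempts only the L2TP pool, so a PPTP-pool address such as 192.168.3.61 is still PCC-marked, while the final 192.168.3.0/24 rules leave every source in that subnet, LAN hosts included, without a routing mark.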
