I have a customer who needed 2 different WANs connecting to 2 different LANs. I installed a 16-port managed switch with 2 VLANs (VLAN1, VLAN2). Ports 1 to 8 are VLAN1 and ports 9 to 15 are VLAN2, untagged. On port 16 I have VLAN1 and VLAN2 tagged. Then I installed an RB750Gr3 with this port configuration: ether1-WAN1, ether2-WAN2, ether3-LAN (with VLAN1 and VLAN2 tagged). This last port connects to port 16 of the switch. Port ether1-WAN1 has the IP 192.168.10.2, connecting to the router for WAN1 with IP 192.168.10.1. Port ether2-WAN2 has the IP 192.168.20.2, connecting to the router for WAN1 with IP 192.168.20.1.
/ip address
add address=192.168.1.254/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.254/24 interface=vlan2 network=192.168.2.0
add address=192.168.10.2/24 interface=ether1-WAN1 network=192.168.10.0
add address=192.168.20.2/24 interface=ether2-WAN2 network=192.168.20.0
I managed to separate the WANs for each LAN with this code:
/ip firewall mangle
# The original rules carried dst-address=0.0.0.0, which matches only packets addressed to 0.0.0.0,
# so the marks were never applied; the matcher is removed so each LAN's traffic is actually marked
add action=mark-routing chain=prerouting comment="LAN1 -> WAN1" new-routing-mark=WAN1 passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="LAN2 -> WAN2" new-routing-mark=WAN2 passthrough=yes src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN1 out-interface=ether1-WAN1
add action=masquerade chain=srcnat comment=WAN2 out-interface=ether2-WAN2
/ip route
add distance=1 gateway=192.168.10.1 routing-mark=WAN1
add distance=1 gateway=192.168.20.1 routing-mark=WAN2
# default route for anything that carries no routing mark
add distance=2 gateway=192.168.10.1
The customer doesn't want access from LAN1 to LAN2 and vice versa, but from LAN2 they need to access two printers on LAN1. I configured the firewall like this and it works:
/ip firewall filter
# replies to allowed connections (e.g. the printers answering LAN2) must be accepted before the rejects;
# skip this line if the default "accept established,related" forward rule is already present
add action=accept chain=forward connection-state=established,related comment="allow return traffic"
add action=accept chain=forward dst-address-list=printers src-address=192.168.2.0/24 comment="LAN2 -> printers on LAN1"
# the original set only rejected LAN1 -> LAN2; this rule blocks the reverse direction as well
add action=reject chain=forward dst-address=192.168.1.0/24 reject-with=icmp-network-unreachable src-address=192.168.2.0/24 comment="LAN2 -> LAN1 (except printers)"
add action=reject chain=forward dst-address=192.168.2.0/24 reject-with=icmp-network-unreachable src-address=192.168.1.0/24 comment="LAN1 -> LAN2"
/ip firewall address-list
add address=192.168.1.200 list=printers
add address=192.168.1.201 list=printers
I need to access each LAN from outside via VPN, but no connection is made. On each edge router I have NATed port 1723 to the corresponding WAN IP address (1723 -> 192.168.10.2, 1723 -> 192.168.20.2).
I've configured PPTP:

/interface pptp-server server
set enabled=yes
/ppp secret
add local-address=192.168.1.254 name=user1 password=******** profile=default-encryption remote-address=192.168.1.20 service=pptp

I believe I need something with Mangle, but I'm not used to that. Can someone please help me?
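The part the prerouting rules above do not cover is the router's own return traffic: a PPTP reply generated by the RB750Gr3 itself takes the unmarked default route and leaves via WAN1 even when the connection arrived on WAN2, so the handshake from the WAN2 side never completes. The following RouterOS commands are an added example, not part of the original post; they reuse the interface names and routing marks from the post, and assume the connection-mark names WAN1-in/WAN2-in and that the input chain currently drops unsolicited traffic from the WAN interfaces.

```routeros
/ip firewall mangle
# Tag each new connection that terminates on the router itself (chain=input) with the WAN it arrived on.
# Connection-mark names WAN1-in / WAN2-in are assumed for this example.
add chain=input in-interface=ether1-WAN1 connection-state=new action=mark-connection new-connection-mark=WAN1-in passthrough=yes comment="connections arriving on WAN1"
add chain=input in-interface=ether2-WAN2 connection-state=new action=mark-connection new-connection-mark=WAN2-in passthrough=yes comment="connections arriving on WAN2"
# Packets the router generates for those connections (chain=output) inherit the connection mark;
# give them the matching routing mark so the existing /ip route entries send them back out the same WAN.
add chain=output connection-mark=WAN1-in action=mark-routing new-routing-mark=WAN1 passthrough=yes comment="reply via WAN1"
add chain=output connection-mark=WAN2-in action=mark-routing new-routing-mark=WAN2 passthrough=yes comment="reply via WAN2"

/ip firewall filter
# Accept only what the VPN needs on the router's input chain: the PPTP control channel (TCP 1723)
# and the GRE tunnel it sets up (IP protocol 47). Place these above any "drop from WAN" input rule.
add chain=input in-interface=ether1-WAN1 protocol=tcp dst-port=1723 action=accept comment="PPTP control from WAN1"
add chain=input in-interface=ether2-WAN2 protocol=tcp dst-port=1723 action=accept comment="PPTP control from WAN2"
add chain=input in-interface=ether1-WAN1 protocol=gre action=accept comment="PPTP GRE from WAN1"
add chain=input in-interface=ether2-WAN2 protocol=gre action=accept comment="PPTP GRE from WAN2"
```

The edge routers must pass GRE through to the RB750Gr3 as well, not only TCP 1723, otherwise the control channel opens but the tunnel never comes up. PPTP's MS-CHAPv2/MPPE protection is considered weak, and the same input/output marking applies unchanged if the service is later replaced by another VPN type on the same box.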