s54mtb
just joined
Topic Author
Posts: 14
Joined: Wed Jan 13, 2016 2:43 pm

WAN access - IP addressing (OSPF route issue)

Tue Jan 03, 2023 1:14 pm

Hi,

I have an RB850 with a strange issue, which appeared "out of nowhere".

My configuration is:
ETH1 - WAN with static IP
ETH2 - LAN 192.168.0.0/16
ETH3, ETH4 - LAN 44.150.168.0/24, bridged with sstp

The issue I have is between LAN 192.168.0.0/16 and WAN. When I set the local address to 192.168.1.x, I cannot access the WAN (internet); internally I can see all other IPs.
But when I set the local address to 192.168.2.x everything works.

Could someone take a quick check on the config below (preserving the last few hairs remaining on my head after pulling them for the last two days....)

Thank you.

Here is my config:
# model = 850Gx2
/interface bridge
add name=bridge-s5net
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN speed=100Mbps
set [ find default-name=ether2 ] name=eth2-LAN speed=100Mbps
set [ find default-name=ether3 ] name=eth3-Radioamaterji speed=100Mbps
set [ find default-name=ether4 ] name=eth4-radioamaterji speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=pool-LAN ranges=192.168.2.10-192.168.2.250
add name=radioamaterji-pool ranges=44.150.168.110-44.150.168.159
/ip dhcp-server
add address-pool=pool-LAN authoritative=after-2sec-delay disabled=no \
    interface=eth2-LAN lease-time=1d name=dhcp-LAN
add address-pool=radioamaterji-pool authoritative=after-2sec-delay disabled=\
    no interface=bridge-s5net lease-time=1d name=DHCP-radioamaterji
/interface sstp-client
add add-default-route=yes connect-to=vpn.net.hamradio.si disabled=no name=\
    sstp-vtik-lj profile=default-encryption user=s54mtb-mtik \
    verify-server-address-from-certificate=no
/queue tree
/queue type
add kind=pcq name=pcq-download pcq-classifier=dst-address
add kind=pcq name=pcq-upload pcq-classifier=src-address
/routing ospf instance
set [ find default=yes ] router-id=44.150.168.1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-protocol=SHA1 \
    encryption-protocol=AES
/system logging action
set 1 disk-file-count=100 disk-lines-per-file=500 disk-stop-on-full=yes
set 3 bsd-syslog=yes remote=192.168.1.111 remote-port=5140 syslog-facility=\
    local0
/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
    test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge-s5net interface=eth3-Radioamaterji
add bridge=bridge-s5net interface=eth4-radioamaterji
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set rp-filter=strict
/interface list member
add interface=eth2-LAN list=discover
add interface=eth3-Radioamaterji list=discover
add interface=eth4-radioamaterji list=discover
add interface=eth2-LAN list=mactel
add interface=eth3-Radioamaterji list=mactel
add interface=eth4-radioamaterji list=mactel
add interface=eth2-LAN list=mac-winbox
add interface=eth3-Radioamaterji list=mac-winbox
add interface=eth4-radioamaterji list=mac-winbox
/ip accounting
set enabled=yes threshold=2560
/ip address
add address=192.168.1.254/16 comment="LAN address" interface=eth2-LAN \
    network=192.168.0.0
add address=89.212.19.180/16 comment="WAN address" interface=eth1-WAN \
    network=89.212.0.0
add address=44.150.168.1/24 interface=eth3-Radioamaterji network=44.150.168.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    eth1-WAN
/ip dhcp-server network
add address=44.150.168.0/24 gateway=44.150.168.1 netmask=24
add address=192.168.0.0/16 comment="default configuration" gateway=\
    192.168.1.254 netmask=16
/ip dns
set allow-remote-requests=yes servers=\
    84.255.209.79,84.255.210.79,8.8.8.8,4.4.4.4
/ip firewall address-list
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=44.0.0.0/8 list=Bogon
/ip firewall filter
add action=accept chain=input comment="Enable ICMP" log-prefix=ICMP protocol=\
    icmp
add action=accept chain=input comment="Accept Established/Related - Input" \
    connection-state=established,related
add action=drop chain=input comment="Drop everything else - input" \
    in-interface=eth1-WAN log-prefix="INPUT DROP"
add action=fasttrack-connection chain=forward comment=\
    "FastTrack Established/Related - Forward" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Accept Established/Related - Forward" connection-state=\
    established,related log-prefix=TEST-ACCEPT
add action=accept chain=forward comment="Allow forward traffic LAN >> WAN" \
    out-interface=eth1-WAN src-address=192.168.0.0/16
add action=accept chain=forward comment="Allow forward traffic LAN >> WAN" \
    out-interface=eth1-WAN src-address=44.150.168.0/24
add action=drop chain=forward comment="Drop Bogon Forward >> WAN" \
    in-interface=eth1-WAN log-prefix="BOGON FORWARD DROP" src-address-list=\
    Bogon
add action=drop chain=forward comment="Drop everything else - Forward" \
    connection-state=invalid log-prefix="FORWARD DROP"
add action=drop chain=forward comment="Drop un-NATed forwarded connections" \
    connection-nat-state=!dstnat connection-state=new in-interface=eth1-WAN
add action=drop chain=forward in-interface=bridge-s5net out-interface=\
    eth2-LAN
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.0.0/16 src-address=44.0.0.0/8
add action=drop chain=forward connection-state=invalid,new dst-address=\
    192.168.0.0/16 src-address=44.0.0.0/8
add action=drop chain=input dst-address=192.168.1.254 src-address=44.0.0.0/8
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=users-con \
    passthrough=yes src-address=192.168.0.0/16
add action=mark-packet chain=forward connection-mark=users-con \
    new-packet-mark=users passthrough=yes
add action=mark-connection chain=forward new-connection-mark=server-con \
    passthrough=yes src-address=192.168.1.111
add action=mark-packet chain=forward connection-mark=server-con \
    new-packet-mark=server passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment=OpenVPN dst-port=1194 log-prefix=\
    OpenVPN- protocol=udp to-addresses=192.168.2.83 to-ports=1194
add action=dst-nat chain=dstnat comment="1. Services hairpin to .80 " \
    dst-address=!192.168.0.0/16 dst-address-type=local dst-port=\
    80,21,443,3389,4430,24001 protocol=tcp to-addresses=192.168.2.80
add action=dst-nat chain=dstnat comment="Emajlirana po\9Ata" dst-address=\
    !192.168.0.0/16 dst-address-type=local dst-port=25,587,993,995 protocol=\
    tcp to-addresses=192.168.2.78
add action=dst-nat chain=dstnat comment="And the rest goes to the DMZ host" \
    in-interface=eth1-WAN to-addresses=192.168.1.80
add action=masquerade chain=srcnat comment=\
    "2. NAT all traffic from local to internet" out-interface=eth1-WAN \
    src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment=\
    "2. NAT all traffic from local to internet" out-interface=eth1-WAN \
    src-address=44.150.168.0/24
add action=masquerade chain=srcnat comment=\
    "3. NAT all traffic from local to local" dst-port=\
    80,21,443,3389,4430,24001,25,587,993,995 protocol=tcp src-address=\
    192.168.0.0/16
/ip route
add distance=1 gateway=89.212.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no domain=PAVLIN interfaces=eth2-LAN
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/routing ospf network
add area=backbone network=44.150.0.0/16
/snmp
set contact=jan@pavlin.si enabled=yes location=Kurilnica
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=mtik-s54mtb
/system logging
add action=disk topics=critical
add topics=critical
add action=remote topics=firewall
add action=remote disabled=yes topics=critical
add topics=dhcp
add action=remote disabled=yes topics=error
add action=remote disabled=yes topics=warning
add action=disk topics=warning
add action=disk topics=error
add action=remote disabled=yes topics=system
add action=remote disabled=yes prefix=SNIFFER topics=packet
/system ntp client
set enabled=yes primary-ntp=193.2.1.117 secondary-ntp=193.2.1.92
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing queue
add allow-address=192.168.1.0/24
/tool graphing resource
add allow-address=192.168.1.0/24
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Last edited by s54mtb on Fri Jan 06, 2023 1:51 am, edited 1 time in total.
 
satman1w
Member Candidate
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Re: WAN access - IP addressing

Wed Jan 04, 2023 8:45 am

First I would like to know are you an ISP or what?

You have 65000 public addresses, which is not usual if you are not an ISP.
Also, why do you have another public IP range on E3-E4 (range owned by University of California, San Diego)?

Give some more details, please...
 
s54mtb
just joined
Topic Author
Posts: 14
Joined: Wed Jan 13, 2016 2:43 pm

Re: WAN access - IP addressing

Wed Jan 04, 2023 9:15 am

Hi. 44.0.0.0 is the radio amateur network (a lot of IPs, I know). Slovenia has 44.150.0.0/16 and my router is part of that network. All IPs in 44.150.168.0/23 are accessible via SSTP to other radio amateurs (webcams, weather stations, ...). I am not an ISP, just an experimenting radio amateur.
 
satman1w
Member Candidate
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Re: WAN access - IP addressing

Wed Jan 04, 2023 11:24 am

Hello colleague, (73 de 9A7BZT)

I am talking about your public address on Ethernet1, which is 89.212.19.180/16 with network address 89.212.0.0.
"/16" means that the whole range from 89.212.0.0 to 89.212.255.255 is yours !!!
I believe that your address (if static) is maybe /30 or something like that...
So I would try to rectify that for starters ....
 
s54mtb
just joined
Topic Author
Posts: 14
Joined: Wed Jan 13, 2016 2:43 pm

Re: WAN access - IP addressing

Fri Jan 06, 2023 1:41 am

Greetings 9A7BZT. HNY


The static WAN IP setup was provided by my ISP.

Meanwhile, I found the source of the issue. In the OSPF routing table there was one route with destination address 192.168.1.0/24 and a gateway on the OSPF interface. I don't know if this came from my side or from some invalid setup on one of the other clients in the same network, but it prevented proper routing from 192.168.1.0/24. I temporarily switched off OSPF and now everything works.


OK, I am not familiar with advanced networking and I have a lot to learn. I hope I am asking the right question: is it possible that an external route propagates through OSPF into multiple local areas?
And the next question: how is it possible to filter out such a route?
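As an added illustration (not from this thread, nor MikroTik code), the following Python model reproduces the behaviour the last post describes using the prefixes from the posted export: a connected 192.168.0.0/16 on eth2-LAN, a default route via eth1-WAN, and a stray OSPF-learned 192.168.1.0/24 pointing at the SSTP tunnel. Longest-prefix match explains why 192.168.1.x hosts lost connectivity while 192.168.2.x hosts kept it, and with `rp-filter=strict` (set in the posted config) packets from 192.168.1.x arriving on eth2-LAN also fail the reverse-path check. The routing table, the tunnel interface name `sstp-vtik-lj` as the OSPF next-hop interface, and the `ospf_import_filter` policy are assumptions constructed for the example; the filter models the kind of rule the poster asks about, rejecting OSPF routes that fall inside a locally owned prefix.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str    # egress interface
    source: str   # "connected", "static" or "ospf"


# Constructed routing table modelled on the posted export. The OSPF /24 is the
# stray route described in the thread; its egress via the SSTP tunnel interface
# is an assumption for the example.
TABLE = [
    Route(ip_network("192.168.0.0/16"), "eth2-LAN", "connected"),
    Route(ip_network("44.150.168.0/24"), "eth3-Radioamaterji", "connected"),
    Route(ip_network("0.0.0.0/0"), "eth1-WAN", "static"),
    Route(ip_network("192.168.1.0/24"), "sstp-vtik-lj", "ospf"),
]


def lookup(table, dst):
    """Longest-prefix match: the most specific route wins, whatever its source."""
    dst = ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_strict_ok(table, src, in_iface):
    """Strict reverse-path check (rp-filter=strict): accept a packet only if the
    best route back to its source address leaves via the interface it arrived on."""
    best = lookup(table, src)
    return best is not None and best.iface == in_iface


def ospf_import_filter(table, protected_prefixes):
    """Drop OSPF-learned routes that lie inside a prefix this router owns locally,
    so a neighbour's bad advertisement cannot override a connected network."""
    protected = [ip_network(p) for p in protected_prefixes]
    kept = []
    for r in table:
        if r.source == "ospf" and any(r.prefix.subnet_of(p) for p in protected):
            continue  # discard: more specific than our own LAN prefix
        kept.append(r)
    return kept


def explain(table, host, in_iface="eth2-LAN"):
    """Summarise how a LAN host is treated: where its return traffic goes and
    whether strict RPF lets its packets in at all."""
    best = lookup(table, host)
    return {
        "host": host,
        "return_iface": best.iface if best else None,
        "route_source": best.source if best else None,
        "rpf_ok": rpf_strict_ok(table, host, in_iface),
    }


if __name__ == "__main__":
    for host in ("192.168.1.50", "192.168.2.50"):
        print("before filter:", explain(TABLE, host))
    fixed = ospf_import_filter(TABLE, ["192.168.0.0/16"])
    for host in ("192.168.1.50", "192.168.2.50"):
        print("after filter: ", explain(fixed, host))
```

Running it shows 192.168.1.50's return path and RPF verdict flipping from the tunnel to eth2-LAN once the /24 is filtered, while 192.168.2.50 is unaffected throughout. The same policy in RouterOS terms is an inbound routing filter attached to the OSPF instance rather than disabling OSPF altogether.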
