MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Sat Jul 13, 2024 12:25 pm

Hi Dear MikroTik Champions

I am a complete beginner in networks and especially in MikroTik; can any senior help me set up my network from scratch? I'll be very glad and obliged for kind help from seniors. (Sorry for my poor English writing, but I hope it is understandable.)

******Head Office Setup
# model = CCR1036-12G-4S
# RouterOS 7.6

3 WAN (Static IP Addresses)
2 LAN (1 for LAN and 1 for WiFi Access Point)

***WAN IP Addresses (example IP addresses)***
1) 111.111.1.1 (ISP-1 using Mikrotik Port ether1)
2) 222.111.2.1 (ISP-2 using Mikrotik Port ether5)
3) 223.111.3.1 (ISP-3 using Mikrotik Port ether9)

***LAN IP Addresses***
1) 172.16.0.0/16 (Use Bridge with Name "WiFi-Bridge" for WiFi Access Point - using by Mikrotik Port "ether11")
DHCP Server Pool (172.16.0.61-172.16.5.254)

2) 172.17.0.0/16 (Use Bridge with Name "LAN-Bridge" for LAN Computers - using by Mikrotik Port "ether12")
DHCP Server Pool (172.17.0.61-172.17.5.254)


I request complete configuration as...
1) Network Load Balancing so if any WAN ISP goes down then internet will work on other ISP(s) smoothly
2) Website "ifconfig.me" will use only ISP-1, website "whois.domaintools.com" will use only ISP-2, and website "whatismyip.com" will use only ISP-3
3) L2TP Server so the Branch Office MikroTik router can connect to this Head Office MikroTik router (ability to connect to all three ISPs' static IP addresses from the Branch Office)
*L2TP Local IP Address for ISP-1 will be 192.168.90.1-192.168.90.254
*L2TP Local IP Address for ISP-2 will be 192.168.91.1-192.168.91.254
*L2TP Local IP Address for ISP-3 will be 192.168.92.1-192.168.92.254

Please Note...
Existing Local Domain Controllers are installed:
1) 172.17.0.21
2) 172.17.0.22

Existing Local Free PBX or Issabel is installed:
1) 172.17.0.30

*************************************************************************************

******Branch Office Setup (SAME AS HEAD OFFICE NETWORK)
# model = CCR1036-12G-4S
# RouterOS 7.6

3 WAN (Static IP Addresses)
2 LAN (1 for LAN and 1 for WiFi Access Point)

***WAN IP Addresses (example IP addresses)***
1) 111.111.1.1 (ISP-1 using Mikrotik Port ether1)
2) 222.111.2.1 (ISP-2 using Mikrotik Port ether5)
3) 223.111.3.1 (ISP-3 using Mikrotik Port ether9)

***LAN IP Addresses***
1) 172.16.0.0/16 (Use Bridge with Name "WiFi-Bridge" for WiFi Access Point - using by Mikrotik Port "ether11")
DHCP Server Pool (172.16.0.61-172.16.5.254)

2) 172.17.0.0/16 (Use Bridge with Name "LAN-Bridge" for LAN Computers - using by Mikrotik Port "ether12")
DHCP Server Pool (172.17.0.61-172.17.5.254)


I request complete configuration as...
1) Network Load Balancing so if any WAN ISP goes down then internet will work on other ISP(s) smoothly

***************Here I need changes*************
2) L2TP Client setup that connect Head Office Mikrotik Router (ability to connect all three ISP's static IP addresses of Head Office on need basis or in-case any ISP goes down)

and I want to use Head Office Free PBX or Issabel ONLY in Branch Office
172.17.0.30

Please Note...
Existing Local Domain Controllers are installed in Branch Office same as Head Office:
1) 172.17.0.21
2) 172.17.0.22

I used the same LAN IP pool and subnet on both sides, so other than the PBX IP address "172.17.0.30" all other IP addresses and network requests should be denied from both sides, "from Branch Office and Head Office" (I mean no network interference will occur between both offices due to the same LAN network and domain controllers on the same IP addresses).

Thanks in advance & Regards,
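The second half of this request (an L2TP tunnel from the Branch Office that may reach only the Head Office PBX, with the same 172.17.0.0/16 LAN on both ends) is the part the thread never gets to. Below is an added worked configuration; it is not posted by MSM or anyone else in the thread. Because the subnets overlap, the branch router cannot route 172.17.0.30 over the tunnel at all, so the example gives the PBX an alias address that is dst-NATed to the real address on the Head Office side, hides branch hosts behind the tunnel address, and restricts the forward chain on both ends to SIP and RTP. Assumed values not in the thread: the PPP and IPsec secrets, the alias prefix 10.200.0.0/24, the branch ISP-1 gateway 100.64.1.1, the RTP range 10000-20000, and an interface list named VPN. Only the tunnel to the Head Office ISP-1 address is shown; the ISP-2 and ISP-3 tunnels repeat the same pattern with their own secret, pool and pinned route.

```routeros
# Added example, not from the thread. Assumed values: the PPP/IPsec secrets
# (CHANGE-ME-*), the alias prefix 10.200.0.0/24 that branch hosts use to reach
# the Head Office PBX, the branch ISP-1 gateway 100.64.1.1 (the thread gives
# none), and the RTP range 10000-20000 (FreePBX/Issabel default rtp.conf).
# Assumes the Head Office input chain already accepts UDP 500/4500 and ESP from
# WAN, and UDP 1701 only when matched with ipsec-policy=in,ipsec.

# ===================== HEAD OFFICE (L2TP/IPsec server) =====================
/interface list
add name=VPN
/ppp profile
add name=site2site use-encryption=required change-tcp-mss=yes only-one=yes
/ppp secret
add name=branch1 password=CHANGE-ME-PPP service=l2tp profile=site2site \
    local-address=192.168.90.1 remote-address=192.168.90.2
/interface l2tp-server
# static binding: the interface keeps the name l2tp-branch1 across reconnects
add name=l2tp-branch1 user=branch1
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=CHANGE-ME-PSK \
    default-profile=site2site authentication=mschap2
/interface list member
add interface=l2tp-branch1 list=VPN

# 172.17.0.0/16 exists at both sites, so it is never routed across the tunnel.
# Branch hosts address the PBX as 10.200.0.30; rewrite it on entry.
/ip firewall nat
add chain=dstnat in-interface-list=VPN dst-address=10.200.0.30 \
    action=dst-nat to-addresses=172.17.0.30 comment="PBX alias for branch"

# PBX replies to 192.168.90.2 must stay in the main table (connected route
# via l2tp-branch1) and not be PCC-marked into an ISP table. Keep this rule
# above the mark-connection rules (place-before=0 assumes rules already exist).
/ip firewall mangle
add chain=prerouting in-interface-list=LAN dst-address=192.168.90.0/24 \
    action=accept place-before=0 comment="LAN -> VPN: no routing mark"

# Forward policy for the tunnel: SIP/RTP to the PBX and nothing else, in
# either direction. Appended after the established/related accept; if the
# forward chain ends in a catch-all drop, insert these above it instead.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward in-interface-list=VPN dst-address=172.17.0.30 \
    protocol=udp dst-port=5060,10000-20000 action=accept comment="SIP+RTP"
add chain=forward in-interface-list=VPN dst-address=172.17.0.30 \
    protocol=tcp dst-port=5060 action=accept comment="SIP over TCP"
add chain=forward in-interface-list=VPN action=drop comment="branch -> HO: PBX only"
add chain=forward out-interface-list=VPN action=drop comment="HO -> branch: nothing new"

# ===================== BRANCH OFFICE (L2TP/IPsec client) ===================
# Pin the tunnel endpoint to ISP-1 so IKE and L2TP leave by the intended WAN.
/ip route
add dst-address=111.111.1.1/32 gateway=100.64.1.1 comment="HO ISP-1 via branch ISP-1"
/interface l2tp-client
add name=l2tp-ho-isp1 connect-to=111.111.1.1 user=branch1 \
    password=CHANGE-ME-PPP use-ipsec=yes ipsec-secret=CHANGE-ME-PSK \
    allow=mschap2 add-default-route=no disabled=no
/interface list
add name=VPN
/interface list member
add interface=l2tp-ho-isp1 list=VPN

# Only the alias prefix goes over the tunnel; the real 172.17.0.0/16 stays local.
/ip route
add dst-address=10.200.0.0/24 gateway=l2tp-ho-isp1
# Hide branch hosts behind the tunnel address so HO never sees a second
# 172.17.x.x source; the masquerade is required here, unlike on the server.
/ip firewall nat
add chain=srcnat out-interface-list=VPN action=masquerade
/ip firewall mangle
add chain=prerouting in-interface-list=LAN dst-address=10.200.0.0/24 \
    action=accept place-before=0 comment="LAN -> PBX alias: no routing mark"
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward in-interface-list=LAN out-interface-list=VPN \
    dst-address=10.200.0.30 action=accept comment="branch LAN -> PBX alias"
add chain=forward out-interface-list=VPN action=drop comment="nothing else out"
add chain=forward in-interface-list=VPN action=drop comment="nothing new in"
```

Two SIP caveats follow from the NAT. The PBX sees every branch phone as 192.168.90.2 while the SIP payload still carries 172.17.x.x addresses, so the branch extensions need the PBX's NAT-aware settings or the RouterOS SIP helper under /ip firewall service-port; and the phones' registration interval must be shorter than the UDP connection-tracking timeout, otherwise inbound INVITEs from the PBX arrive as new connections and the branch rule against new traffic from the tunnel drops them. For failover across the three Head Office addresses, add a second l2tp-client with connect-to=222.111.2.1, a second secret on 192.168.91.x, a route for 222.111.2.1/32 pinned to branch ISP-2, and a second 10.200.0.0/24 route via that interface at distance=2.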
 
anav
Forum Guru
Posts: 20818
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Sat Jul 13, 2024 10:04 pm

So basically you want someone to provide the configs??
Have you tried, done any research or simply not trained?
If you are not willing to make the effort suggest --> https://mikrotik.com/consultants
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Sun Jul 14, 2024 1:23 pm

Yes I tried
Last edited by MSM on Thu Jul 18, 2024 4:01 pm, edited 1 time in total.
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Sun Jul 14, 2024 2:42 pm

Dear Sir,
Hereunder is my Head Office's current config that I learned from the internet and implemented, but I am not sure whether it is optimized or not, or whether my router is secure from external threats or not; also, from the Branch Office, how can I use only the VoIP server that is deployed here in the Head Office?

*************************
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.18.0/24 \
in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.19.0/24 \
in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.20.0/24 \
in-interface-list=LAN
add action=mark-connection chain=input comment="VPN inn from SF-Only_conn" \
in-interface=ether1-SF new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TW-Only_conn" \
in-interface=ether5-TW new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TCL-Only_conn" \
in-interface=ether9-TCL new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
SF-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
TW-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
TCL-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/2
add action=mark-routing chain=output connection-mark=SF-Only_conn \
new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TW-Only_conn \
new-routing-mark=TW-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TCL-Only_conn \
new-routing-mark=TCL-ISP_conn passthrough=no
add action=mark-routing chain=prerouting comment="SF only VPN" \
dst-address-list=SF-Only new-routing-mark=SF-ISP_conn passthrough=yes \
src-address=192.168.92.0/24
add action=mark-routing chain=prerouting comment="TW only VPN" \
dst-address-list=TW-Only new-routing-mark=TW-ISP_conn passthrough=yes \
src-address=192.168.93.0/24
add action=mark-routing chain=prerouting comment="TCL only VPN" \
dst-address-list=TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes \
src-address=192.168.94.0/24
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
SF-Only new-routing-mark=SF-ISP_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
TW-Only new-routing-mark=TW-ISP_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
SF-Only new-routing-mark=SF-ISP_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
TW-Only new-routing-mark=TW-ISP_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-connection chain=prerouting comment=Ether5-TW-Only \
dst-address-list=TW-Only new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether1-SF-Only \
dst-address-list=SF-Only new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether9-TCL-Only \
dst-address-list=TCL-Only new-connection-mark=TCL-Only_conn passthrough=\
yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
Last edited by MSM on Wed Jul 17, 2024 11:41 am, edited 2 times in total.
 
Larsa
Forum Guru
Posts: 1429
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Sun Jul 14, 2024 2:51 pm

Considering the scope of this project (site-to-site tunneling with load balancing, advanced routing, Wi-Fi access points, PBX, Active Directory, etc.) and the technical expertise and experience needed to pull it off, if I were you, I'd pass on this (honestly, you'll never be able to handle this on your own).

Go to your boss and explain that you need to bring in a network specialist that the company needs to pay for (not you!) to at least come up with a basic network topology that works with MikroTik products. If it's hard to find someone available on-site, this can probably be solved using online resources. Then you might practice as a trainee during the implementation and, if you're up for it, take over operations and maintenance later on.
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Sun Jul 14, 2024 3:21 pm

Last edited by MSM on Thu Jul 18, 2024 3:59 pm, edited 1 time in total.
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Mon Jul 15, 2024 12:18 am

Kindly requesting any kind person in this forum who could optimize, beautify and block security risks of my router from my config given below; I'll be very thankful. I (msmalik247 at gmail) will request in this forum later to connect this Head Office RouterOS from the Branch Office RouterOS via a VPN tunnel to use only the PBX of the Head Office in the Branch Office. Thanks.

****************************
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1 \
new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether5 \
new-connection-mark=ether5_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether9 \
new-connection-mark=ether9_conn passthrough=yes
add action=mark-routing chain=output connection-mark=ether1_conn \
new-routing-mark=main passthrough=yes
add action=mark-routing chain=output connection-mark=ether5_conn \
new-routing-mark=main passthrough=yes
add action=mark-routing chain=output connection-mark=ether9_conn \
new-routing-mark=main passthrough=yes
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
ether1
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
ether5
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=\
ether9
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=LAN-Bridge new-connection-mark=ether1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=WiFi-Bridge new-connection-mark=ether1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=LAN-Bridge new-connection-mark=ether5_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=WiFi-Bridge new-connection-mark=ether5_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=LAN-Bridge new-connection-mark=ether9_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=WiFi-Bridge new-connection-mark=ether9_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-connection chain=prerouting connection-mark=ether1_conn \
in-interface=LAN-Bridge new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=ether1_conn \
in-interface=WiFi-Bridge new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=ether9_conn \
in-interface=LAN-Bridge new-connection-mark=ether9_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=ether9_conn \
in-interface=WiFi-Bridge new-connection-mark=ether9_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=ether5_conn \
in-interface=LAN-Bridge new-connection-mark=ether5_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=ether5_conn \
in-interface=WiFi-Bridge new-connection-mark=ether5_conn passthrough=yes
add action=mark-routing chain=prerouting comment="Ether1 only VPN" \
dst-address-list=Ether1-Only new-routing-mark=Ether1-Only_conn passthrough=yes \
src-address=192.168.90.0/24
add action=mark-routing chain=prerouting comment="Ether5 only VPN" \
dst-address-list=Ether5-Only new-routing-mark=Ether5-Only_conn passthrough=yes \
src-address=192.168.91.0/24
add action=mark-routing chain=prerouting comment=Ether5-Only dst-address-list=\
Ether5-Only new-routing-mark=Ether5-Only_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=Ether5-Only dst-address-list=\
Ether5-Only new-routing-mark=Ether5-Only_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=Ether1-Only dst-address-list=\
Ether1-Only new-routing-mark=Ether1-Only_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=Ether1-Only dst-address-list=\
Ether1-Only new-routing-mark=Ether1-Only_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=Ether9-Only dst-address-list=\
Ether9-Only new-routing-mark=Ether9-Only_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=Ether9-Only dst-address-list=\
Ether9-Only new-routing-mark=Ether9-Only_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-connection chain=input in-interface=\
ether1 new-connection-mark=Ether1-Only_conn passthrough=yes
add action=mark-connection chain=input in-interface=\
ether5 new-connection-mark=Ether5-Only_conn passthrough=yes
add action=mark-routing chain=output connection-mark=\
Ether1-Only_conn new-routing-mark=Ether1-Only_conn passthrough=no
add action=mark-routing chain=output connection-mark=\
Ether5-Only_conn new-routing-mark=Ether5-Only_conn passthrough=no
/system clock
set time-zone-name=Europe/Paris
Last edited by MSM on Wed Jul 17, 2024 11:44 am, edited 2 times in total.
 
k6ccc
Forum Guru
Posts: 1548
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Mon Jul 15, 2024 1:45 am

When you post your configuration, please use a Code block. Makes it easier to read.
In your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
Thank you.
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Mon Jul 15, 2024 6:10 am

Edited as you’ve suggested, I am new here so was not aware about that, thanks
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Mon Jul 15, 2024 1:33 pm

1) Remove the WiFi interface list and add ether11-WiFi to the LAN interface list (you'll see why shortly after):

/interface list
add name=WAN
add name=LAN
add name=WiFi
/interface list member
add interface=ether5 list=WAN
add interface=ether9 list=WAN
add interface=ether1 list=WAN
add interface=ether12-LAN list=LAN
add interface=ether11-WiFi list=WiFi


to:

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether5 list=WAN
add interface=ether9 list=WAN
add interface=ether1 list=WAN
add interface=ether12-LAN list=LAN
add interface=ether11-WiFi list=LAN


2) Disable detect internet because it is known to cause mayhem:

/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
LAN wan-interface-list=WAN


to:

/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=\
none wan-interface-list=none


3) In the PPP profile add a new default-encryption profile to use for the L2TP server and remove the remnants of the old one (the one with *0):
/ppp profile
add name=default-encryption use-encryption=required

/interface l2tp-server server
set default-profile=default-encryption
4) I suggest you change the naming conventions of the address lists and routing tables to reflect your situation. For example:

/routing table
add disabled=no fib name=Ether5-Only_conn
add disabled=no fib name=Ether1-Only_conn
add disabled=no fib name=Ether9-Only_conn
/ip firewall address-list
add address=whatismyip.com list=Ether9-Only
add address=ifconfig.me list=Ether1-Only
add address=whois.domaintools.com list=Ether5-Only


to:

/routing table
add disabled=no fib name=to_ISP2
add disabled=no fib name=to_ISP1
add disabled=no fib name=to_ISP3
/ip firewall address-list
add address=whatismyip.com list=through_ISP3
add address=ifconfig.me list=through_ISP1
add address=whois.domaintools.com list=through_ISP2


5) Your firewall is at the moment an open door for all kinds of security risks. That's why I suggest reverting it to the default one with the exception of the rules for the VPN ports

6) Because there are a lot of changes to be made in the firewall mangle I'll directly post how it should look (this is the place where the LAN interface list has a significant role - instead of writing a different rule for LAN and WiFi, you can combine them into one):
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether5 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether9 new-connection-mark=ISP3_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-connection chain=prerouting comment="Ether1 only VPN" new-connection-mark=ISP1_conn passthrough=yes src-address=192.168.90.0/24
add action=mark-connection chain=prerouting comment="Ether5 only VPN" new-connection-mark=ISP2_conn passthrough=yes src-address=192.168.91.0/24
add action=mark-connection chain=prerouting comment=Ether5-Only dst-address-list=through_ISP2 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether1-Only dst-address-list=through_ISP1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether9-Only dst-address-list=through_ISP3 new-connection-mark=ISP3_conn passthrough=yes
add action=mark-routing chain=prerouting in-interface-list=LAN connection-mark=ISP1_conn new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting in-interface-list=LAN connection-mark=ISP2_conn new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=prerouting in-interface-list=LAN connection-mark=ISP3_conn new-routing-mark=to_ISP3 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP3_conn new-routing-mark=to_ISP3 passthrough=yes
7) Remove the masquerade rules for the L2TP (redundant)
8) For the routing you'll only need six entries which I'll write down. The others are either redundant or misconfigurations:
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to_ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-table=to_ISP3
If there is something I missed or misspoken/miswritten/misconfigured, I'll kindly ask someone from the experts to give their second opinion

P.S. I haven't touched the subject of the PBX because the review of the above configuration was time-consuming enough for one person, especially the mangle part
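TheCat12's remark that the firewall is an open door, together with the routing section of that post, is where a practitioner wants the actual rules. The following is an added example, not TheCat12's or MikroTik's configuration: a default-deny firewall that still admits L2TP/IPsec on all three WANs, a management-plane lockdown, and per-table routes that fail over when an ISP gateway stops answering. It assumes the WAN and LAN interface lists, the to_ISP1, to_ISP2 and to_ISP3 tables and the gateways 192.168.1.1, 192.168.2.1 and 192.168.3.1 used in that post, plus an interface list named VPN for the L2TP server bindings (an assumption; the thread names no such list). The main table, which only unmarked traffic consults once the mangle marks are in place, is given a strict preference order here instead of three equal-cost routes.

```routeros
# Added example, not TheCat12's or MikroTik's configuration. Assumes the WAN
# and LAN interface lists, the to_ISP1..to_ISP3 tables and the gateways
# 192.168.1.1 / 192.168.2.1 / 192.168.3.1 from TheCat12's post, plus an
# interface list named VPN holding the L2TP server bindings.

/ip firewall filter
# ---- input: what the router itself answers ----
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN comment="management from LAN only"
# L2TP/IPsec from the Internet: IKE, NAT-T, ESP, and L2TP only after decryption.
# The ipsec-policy matcher is the check that keeps plaintext L2TP off the server.
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec
add chain=input action=drop comment="default deny to the router"
# ---- forward: what passes through ----
# No fasttrack-connection rule: fasttracked packets bypass mangle, so the PCC
# connection and routing marks would never be applied to them.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat \
    comment="no unsolicited inbound from any ISP"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop comment="default deny; VPN accepts go above this line"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

# Management plane: nothing listens toward the Internet, nothing unencrypted.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=172.17.0.0/16
set winbox address=172.16.0.0/16,172.17.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool bandwidth-server
set enabled=no

# Failover: each table keeps its own ISP first and the other two as backups, so
# a connection already marked for a dead ISP is not blackholed; check-gateway
# withdraws a route whose next hop stops answering ping.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping routing-table=to_ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping routing-table=to_ISP1
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=3 check-gateway=ping routing-table=to_ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=1 check-gateway=ping routing-table=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=2 check-gateway=ping routing-table=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=3 check-gateway=ping routing-table=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=1 check-gateway=ping routing-table=to_ISP3
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=2 check-gateway=ping routing-table=to_ISP3
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=3 check-gateway=ping routing-table=to_ISP3
```

check-gateway=ping only tests the next hop; if an ISP fails beyond its gateway, replace the per-table defaults with recursive routes (a /32 probe address via the gateway with check-gateway=ping, and the default route resolving through that probe via target-scope). Failover moves new connections only: connections already masqueraded to a dead ISP's address keep that mapping in the connection tracker and will time out. MSM's earlier post disables SSH entirely; restricting it to the LAN as above is the alternative if SSH is wanted for management.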
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Mon Jul 15, 2024 7:12 pm

Dear TheCat12
First of all, thank you very much for your reply and your guidance. I corrected my config, but your provided mangle rules somehow did not match, and I was unable to connect the VPN after updating the mangle rules; also "/ip firewall list" was not working and traceroute was showing a WAN IP other than the specified one, so I changed them, and now I am able to connect to the ether1-SF and ether5-TW IP addresses, as I need only two VPN connections; also the IP address list is going through the right WAN address.
/ip firewall mangle
add action=mark-connection chain=input comment="VPN inn from SF-Only_conn" \
    in-interface=ether1-SF new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TW-Only_conn" \
    in-interface=ether5-TW new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TCL-Only_conn" \
    in-interface=ether9-TCL new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-routing chain=output connection-mark=SF-Only_conn \
    new-routing-mark=SF-Only_conn passthrough=no
add action=mark-routing chain=output connection-mark=TW-Only_conn \
    new-routing-mark=TW-Only_conn passthrough=no
add action=mark-routing chain=output connection-mark=TCL-Only_conn \
    new-routing-mark=TCL-Only_conn passthrough=no
add action=mark-routing chain=prerouting comment="SF only VPN" \
    dst-address-list=SF-Only new-routing-mark=SF-Only_conn passthrough=yes \
    src-address=192.168.92.0/24
add action=mark-routing chain=prerouting comment="TW only VPN" \
    dst-address-list=TW-Only new-routing-mark=TW-Only_conn passthrough=yes \
    src-address=192.168.93.0/24
add action=mark-routing chain=prerouting comment="TCL only VPN" \
    dst-address-list=TCL-Only new-routing-mark=TCL-Only_conn passthrough=yes \
    src-address=192.168.94.0/24
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
    SF-Only new-routing-mark=SF-Only_conn passthrough=yes src-address=\
    172.17.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
    TW-Only new-routing-mark=TW-Only_conn passthrough=yes src-address=\
    172.17.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
    TCL-Only new-routing-mark=TCL-Only_conn passthrough=yes src-address=\
    172.17.0.0/16
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
    SF-Only new-routing-mark=SF-Only_conn passthrough=yes src-address=\
    172.16.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
    TW-Only new-routing-mark=TW-Only_conn passthrough=yes src-address=\
    172.16.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
    TCL-Only new-routing-mark=TCL-Only_conn passthrough=yes src-address=\
    172.16.0.0/16
add action=accept chain=prerouting dst-address=192.168.18.0/24 \
    in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.19.0/24 \
    in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.20.0/24 \
    in-interface-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=LAN-Bridge new-connection-mark=\
    SF-Only_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=LAN-Bridge new-connection-mark=\
    TW-Only_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=LAN-Bridge new-connection-mark=\
    TCL-Only_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/2
add action=mark-connection chain=prerouting comment=Ether5-TW-Only \
    dst-address-list=TW-Only new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether1-SF-Only \
    dst-address-list=SF-Only new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether9-TCL-Only \
    dst-address-list=TCL-Only new-connection-mark=TCL-Only_conn passthrough=\
    yes
/system clock
set time-zone-name=Europe/Paris
Above is the latest config I created from scratch; I modified IP addresses and some rules as much as I could, but I still need guidance on whether my config is correct or whether I have made any mistake. Seniors, your guidance will be much appreciated.
Kind Regards,
Last edited by MSM on Wed Jul 17, 2024 11:48 am, edited 1 time in total.
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Mon Jul 15, 2024 9:58 pm

Your firewall still lacks some essential rules, for example dropping all input not coming from LAN (a default config rule):
/ip firewall filter
add action=drop chain=input in-interface-list=!LAN
Another one is dropping all forward traffic from WAN that is not dst-nated:
/ip firewall filter
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Your mangle rules seem OK but some changes must take place like:

1) The accept input rules should be at the top and the output mark-routing rules last
2) Before the output rules, there must be three probably-forgotten ones:
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=SF-Only_conn new-routing-mark=SF_Only_Conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TW-Only_conn new-routing-mark=TW_Only_Conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TCL-Only_conn new-routing-mark=TCL_Only_Conn passthrough=yes
3) I suggest changing the names of the routing tables to not be the same as their corresponding connection marks to avoid misconfigurations

4) Use in-interface-list=LAN instead of in-interface in the rules containing PCC

Further, I still suggest disabling detect-internet and creating a different, more generalized PPP profile for the L2TP server

Also, don't use scope=255 in the routes, make it 30
 
anav
Forum Guru
Posts: 20818
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Mon Jul 15, 2024 10:16 pm

Also when you make changes please REPOST your config so that we can see the progress and any further mistakes, often made during changes.

IN TERMS OF JOB SECURITY, you could always hire a consultant on your own dime, if it's worth it to help keep your job!!!
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Wed Jul 17, 2024 12:50 pm

Dear TheCat12
I am very thankful to you because you are a very kind person.
/ip firewall filter add action=drop chain=input in-interface-list=!LAN
After adding that, external access to the router broke and the VPN would not connect

Another one is drop all forward from WAN not dstnat-ed:
/ip firewall filter add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN disabled=yes
I added this rule

1) The accept input rules should be on the top and the output mark-routing last
I did this

2) Before the output rules, there must be three probably forgotten ones:
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=SF-Only_conn new-routing-mark=SF-Only_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TW-Only_conn new-routing-mark=TW-Only_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TCL-Only_conn new-routing-mark=TCL-Only_conn passthrough=yes
After adding the above three rules, the internet would not work at all

3) I suggest changing the names of the routing tables to not be the same as their corresponding connection marks to avoid misconfigurations
I did, and renamed the ISP and connection mark names

4) Use in-interface-list=LAN instead of in-interface in the rules containing PCC
I did this, and you are right: if I select LAN-Bridge then WiFi-Bridge will not work, thanks

Further, I still suggest disabling detect-internet and create a different, more generalized PPP profile for the L2TP server
I disabled detect-internet

Also, don't use scope=255 in the routes, make it 30
I did, and changed it to scope=30

************************

Here is the detect-internet print...
/interface/detect-internet> print
detect-interface-list: none
lan-interface-list: none
wan-interface-list: none
internet-interface-list: none

The current /ip/route print is...
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.18.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.20.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.19.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping comment=TW-Only disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=192.168.19.1 pref-src="" routing-table=TW-ISP_conn \
    scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=TCL-Only disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=192.168.20.1 pref-src="" routing-table=TCL-ISP_conn \
    scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=SF-Only disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=192.168.18.1 pref-src="" routing-table=SF-ISP_conn \
    scope=30 suppress-hw-offload=no target-scope=10

The current mangle rules are...
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.18.0/24 \
    in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.19.0/24 \
    in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.20.0/24 \
    in-interface-list=LAN
add action=mark-connection chain=input comment="VPN inn from SF-Only_conn" \
    in-interface=ether1-SF new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TW-Only_conn" \
    in-interface=ether5-TW new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TCL-Only_conn" \
    in-interface=ether9-TCL new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    SF-Only_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    TW-Only_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    TCL-Only_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/2
add action=mark-routing chain=output connection-mark=SF-Only_conn \
    new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TW-Only_conn \
    new-routing-mark=TW-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TCL-Only_conn \
    new-routing-mark=TCL-ISP_conn passthrough=no
add action=mark-routing chain=prerouting comment="SF only VPN" \
    dst-address-list=SF-Only new-routing-mark=SF-ISP_conn passthrough=yes \
    src-address=192.168.92.0/24
add action=mark-routing chain=prerouting comment="TW only VPN" \
    dst-address-list=TW-Only new-routing-mark=TW-ISP_conn passthrough=yes \
    src-address=192.168.93.0/24
add action=mark-routing chain=prerouting comment="TCL only VPN" \
    dst-address-list=TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes \
    src-address=192.168.94.0/24
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
    SF-Only new-routing-mark=SF-ISP_conn passthrough=yes src-address=\
    172.17.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
    TW-Only new-routing-mark=TW-ISP_conn passthrough=yes src-address=\
    172.17.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
    TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes src-address=\
    172.17.0.0/16
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
    SF-Only new-routing-mark=SF-ISP_conn passthrough=yes src-address=\
    172.16.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
    TW-Only new-routing-mark=TW-ISP_conn passthrough=yes src-address=\
    172.16.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
    TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes src-address=\
    172.16.0.0/16
add action=mark-connection chain=prerouting comment=Ether5-TW-Only \
    dst-address-list=TW-Only new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether1-SF-Only \
    dst-address-list=SF-Only new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether9-TCL-Only \
    dst-address-list=TCL-Only new-connection-mark=TCL-Only_conn passthrough=\
    yes
And now the VPN connection and the internet are working for me, but I still need guidance to make my config better than perfect, like a pro, thanks
 
Larsa
Forum Guru
Posts: 1429
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Wed Jul 17, 2024 1:04 pm

@anav - IN TERMS OF JOB SECURITY...

/system clock
set time-zone-name=Europe/Paris
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Wed Jul 17, 2024 1:20 pm

Dear Mr. Anav,

If I had such a good salary package, I would have hired a professional consultant on my own, but I live hand to mouth, and if I pay a consultant's fee from my current salary, how will I get through this month without money? I have no other source of income, and there is no one to support my family except me.

Honestly, I assumed from your replies that you are here only to provide paid consultancy. (Sorry for my wrong assumption, but believe me, I wrote what I felt.)

The world is filled with kind people who earn from those who can pay but also help, free of cost, those who cannot bear consultancy charges, and in return God blesses them a lot.

Again, I am really very sorry if any single word of mine hurt you

Thank you very much
Kind Regards,
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Wed Jul 17, 2024 1:25 pm

I have not set my time zone yet because the MikroTik router is not operational, as the configuration issues are not resolved yet; but Kerio has been operational for years
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Wed Jul 17, 2024 1:29 pm

For the firewall filter rules, I forgot that the order in which they are is of importance because the matching is done sequentially. That's why the drop-input-except-from-LAN rule should be after all other input rules, and analogously for the drop-forward-from-WAN-except-dst-nated rule. As for the three suggested mangle rules that should be somewhere around the output ones, they probably broke internet access because I forgot to add in-interface-list=LAN to them. Regardless of that, could you send afresh a full export of the config to see how everything is at the moment?
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Wed Jul 17, 2024 3:19 pm

Thanks for your quick response; hereunder is my fresh config
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.18.0/24 \
    in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.19.0/24 \
    in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.20.0/24 \
    in-interface-list=LAN
add action=mark-connection chain=input comment="VPN inn from SF-Only_conn" \
    in-interface=ether1-SF new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TW-Only_conn" \
    in-interface=ether5-TW new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TCL-Only_conn" \
    in-interface=ether9-TCL new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    SF-Only_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    TW-Only_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    TCL-Only_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting comment="SF only VPN" \
    dst-address-list=SF-Only new-routing-mark=SF-ISP_conn passthrough=yes \
    src-address=192.168.92.0/24
add action=mark-routing chain=prerouting comment="TW only VPN" \
    dst-address-list=TW-Only new-routing-mark=TW-ISP_conn passthrough=yes \
    src-address=192.168.93.0/24
add action=mark-routing chain=prerouting comment="TCL only VPN" \
    dst-address-list=TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes \
    src-address=192.168.94.0/24
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
    SF-Only new-routing-mark=SF-ISP_conn passthrough=yes src-address=\
    172.17.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
    TW-Only new-routing-mark=TW-ISP_conn passthrough=yes src-address=\
    172.17.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
    TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes src-address=\
    172.17.0.0/16
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
    SF-Only new-routing-mark=SF-ISP_conn passthrough=yes src-address=\
    172.16.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
    TW-Only new-routing-mark=TW-ISP_conn passthrough=yes src-address=\
    172.16.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
    TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes src-address=\
    172.16.0.0/16
add action=mark-connection chain=prerouting comment=Ether5-TW-Only \
    dst-address-list=TW-Only new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether1-SF-Only \
    dst-address-list=SF-Only new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether9-TCL-Only \
    dst-address-list=TCL-Only new-connection-mark=TCL-Only_conn passthrough=\
    yes
add action=mark-routing chain=output connection-mark=SF-Only_conn \
    new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TW-Only_conn \
    new-routing-mark=TW-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TCL-Only_conn \
    new-routing-mark=TCL-ISP_conn passthrough=no
Last edited by MSM on Thu Jul 18, 2024 3:57 pm, edited 1 time in total.
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Wed Jul 17, 2024 3:43 pm

I see that you've reverted to the old naming convention for the routing tables and marks. That's why I'll suggest once more to change it as in the previous snippets of configuration. Bear in mind that you should not only change the names of the routing marks but also those of the routing tables to match them.
Regarding my previous comment, could you rearrange your firewall rules in the following manner:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=udp src-port=""
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=add-dst-to-address-list address-list=SF-Only address-list-timeout=none-dynamic chain=forward comment="SF only VPN" src-address=192.168.92.0/24
add action=add-dst-to-address-list address-list=TW-Only address-list-timeout=none-dynamic chain=forward comment="TW only VPN" src-address=192.168.93.0/24
add action=add-dst-to-address-list address-list=TCL-Only address-list-timeout=none-dynamic chain=forward comment="TCL only VPN" src-address=192.168.94.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
As for the mangle, could you once again try adding the following rules before the output ones:
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=SF-Only_conn in-interface-list=LAN new-routing-mark=SF-Only passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TW-Only_conn in-interface-list=LAN new-routing-mark=TW-Only passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TCL-Only_conn in-interface-list=LAN new-routing-mark=TCL-Only passthrough=yes
This time I've modified them as per my previous comment
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Wed Jul 17, 2024 4:35 pm

Dear TheCat12
Thank you for your kind cooperation, which I appreciate

I've added your provided /ip firewall filter rules as is, and deleted my old rules

I also added your provided mangle rules (slightly changed: "new-routing-mark=NEW-FIB-NAMES", because I recently renamed the FIB names) before the output rules

/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=SF-Only_conn in-interface-list=LAN new-routing-mark=SF-ISP_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TW-Only_conn in-interface-list=LAN new-routing-mark=TW-ISP_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TCL-Only_conn in-interface-list=LAN new-routing-mark=TCL-ISP_conn passthrough=yes

One thing has happened now: I am unable to connect to the MikroTik from a remote location via WinBox or WebFig (because right now I am at home and do not have physical access to the MikroTik; I'll check tomorrow when I go to the office), but I am able to connect the VPN and ping the IP addresses 192.168.18.5, 192.168.19.5, 192.168.20.5

Kindly look into the attached snapshot of the mangle rules; do I need to change anything?

Thanks & Regards,
Last edited by MSM on Wed Jul 17, 2024 5:55 pm, edited 1 time in total.
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Wed Jul 17, 2024 4:57 pm

One minor suggestion - remove the dst-address-lists of the "X only VPN" rules (rules no. 12,13,14) so that all traffic originating from the VPN can be matched against them, not only destined to the addresses in the lists. Also you could combine rules no. 15-20 by using in-interface-list=LAN instead of src-address:
/ip firewall mangle
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=SF-Only in-interface-list=LAN new-routing-mark=SF-ISP_conn passthrough=yes
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=TW-Only in-interface-list=LAN new-routing-mark=TW-ISP_conn passthrough=yes
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=TCL-Only in-interface-list=LAN new-routing-mark=TCL-ISP_conn passthrough=yes
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Wed Jul 17, 2024 5:57 pm

Noted; I will update you once I go to the office and have physical access, as for now, for an unknown reason, I am unable to open it via WinBox or WebFig after adding the rules

Regards.
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 11:15 am

I'll once again try to rewrite and rearrange your mangle rules so that hopefully everything works after that. In my previous posts I was pretty sloppy about the order of the rules, on which I emphasized earlier that it is of importance (shame on me), and probably that's the reason why you lost remote access to the router
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.18.0/24 in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.19.0/24 in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.20.0/24 in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.18.0/24 src-address=192.168.92.0/24
add action=accept chain=prerouting dst-address=192.168.19.0/24 src-address=192.168.93.0/24
add action=accept chain=prerouting dst-address=192.168.20.0/24 src-address=192.168.94.0/24
add action=mark-connection chain=input comment="VPN inn from SF-Only_conn" in-interface=ether1-SF new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TW-Only_conn" in-interface=ether5-TW new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TCL-Only_conn" in-interface=ether9-TCL new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment="SF only VPN" connection-mark=no-mark new-connection-mark=SF-Only_conn passthrough=yes src-address=192.168.92.0/24
add action=mark-connection chain=prerouting comment="TW only VPN" connection-mark=no-mark new-connection-mark=TW-Only_conn passthrough=yes src-address=192.168.93.0/24
add action=mark-connection chain=prerouting comment="TCL only VPN" connection-mark=no-mark new-connection-mark=TCL-Only_conn passthrough=yes src-address=192.168.94.0/24
add action=mark-routing chain=prerouting comment="SF only VPN" connection-mark=SF-Only_conn new-routing-mark=SF-ISP_conn passthrough=no src-address=192.168.92.0/24
add action=mark-routing chain=prerouting comment="TW only VPN" connection-mark=TW-Only_conn new-routing-mark=TW-ISP_conn passthrough=no src-address=192.168.93.0/24
add action=mark-routing chain=prerouting comment="TCL only VPN" connection-mark=TCL-Only_conn new-routing-mark=TCL-ISP_conn passthrough=no src-address=192.168.94.0/24
add action=mark-connection chain=prerouting comment=SF-Only connection-mark=no-mark dst-address-list=SF-Only in-interface-list=LAN new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=TW-Only connection-mark=no-mark dst-address-list=TW-Only in-interface-list=LAN new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=TCL-Only connection-mark=no-mark dst-address-list=TCL-Only in-interface-list=LAN new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=SF-Only_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=TW-Only_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=TCL-Only_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=SF-Only_conn in-interface-list=LAN new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=TW-Only_conn in-interface-list=LAN new-routing-mark=TW-ISP_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=TCL-Only_conn in-interface-list=LAN new-routing-mark=TCL-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=SF-Only_conn new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TW-Only_conn new-routing-mark=TW-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TCL-Only_conn new-routing-mark=TCL-ISP_conn passthrough=no
Last edited by TheCat12 on Thu Jul 18, 2024 3:47 pm, edited 1 time in total.
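As an added illustration (not part of TheCat12's post and not RouterOS code), here is a small Python model of how the prerouting part of the rule set above assigns connection and routing marks, so the rule order can be checked offline before it is pushed to the router. It models only the matchers those rules use; the input/output chains and dst-address-type=!local are left out, the address-list members are constructed sample values, and the PCC hash is a stand-in for the RouterOS classifier.

```python
"""Toy model of the prerouting mangle order (added example, not RouterOS code).
Matchers modelled: src-address, in-interface-list=LAN, dst-address-list,
connection-mark and a stand-in for per-connection-classifier."""
import hashlib
import ipaddress

LAN_NETS = [ipaddress.ip_network(n) for n in ("172.16.0.0/16", "172.17.0.0/16")]
# Branch subnet paired with each VPN pool (rules 4-6 on the page).
BRANCH = {"SF": ipaddress.ip_network("192.168.18.0/24"),
          "TW": ipaddress.ip_network("192.168.19.0/24"),
          "TCL": ipaddress.ip_network("192.168.20.0/24")}
VPN_POOLS = {"SF": ipaddress.ip_network("192.168.92.0/24"),
             "TW": ipaddress.ip_network("192.168.93.0/24"),
             "TCL": ipaddress.ip_network("192.168.94.0/24")}
ISPS = ["SF", "TW", "TCL"]                      # PCC buckets 0, 1, 2
ADDR_LISTS = {"SF-Only": {"203.0.113.10"},      # constructed stand-ins for the
              "TW-Only": {"203.0.113.20"},      # SF-Only / TW-Only / TCL-Only
              "TCL-Only": {"203.0.113.30"}}     # address lists

def pcc_bucket(src, dst, sport, dport, denominator=3):
    """Stand-in for per-connection-classifier=both-addresses-and-ports:3/N.
    RouterOS uses its own hash; SHA-256 keeps this deterministic offline."""
    digest = hashlib.sha256(f"{src}|{dst}|{sport}|{dport}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator

def prerouting(src, dst, sport, dport, conn_mark=None):
    """Walk the prerouting rules top to bottom for one packet and return
    (connection-mark, routing-mark). conn_mark is the mark the connection
    already carries; only the first packet of a connection has none."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    from_lan = any(s in n for n in LAN_NETS)
    from_vpn = next((isp for isp, n in VPN_POOLS.items() if s in n), None)
    # Rules 1-6: traffic towards the branch subnets is accepted unmarked.
    if from_lan and any(d in n for n in BRANCH.values()):
        return conn_mark, None
    if from_vpn and d in BRANCH[from_vpn]:
        return conn_mark, None
    # "X only VPN" mark-connection: connection-mark=no-mark, so first packet only.
    if conn_mark is None and from_vpn:
        conn_mark = f"{from_vpn}-Only_conn"
    # "X only VPN" mark-routing: passthrough=no ends the walk here.
    if from_vpn and conn_mark == f"{from_vpn}-Only_conn":
        return conn_mark, f"{from_vpn}-ISP_conn"
    # X-Only address-list rules, then the three PCC rules (no-mark only).
    if conn_mark is None and from_lan:
        pinned = next((i for i in ISPS if dst in ADDR_LISTS[f"{i}-Only"]), None)
        conn_mark = f"{pinned or ISPS[pcc_bucket(src, dst, sport, dport)]}-Only_conn"
    # Final LAN mark-routing rules: the routing mark follows the connection mark.
    if from_lan and conn_mark:
        return conn_mark, conn_mark.replace("-Only_conn", "-ISP_conn")
    return conn_mark, None
```

A later packet of an already-marked connection keeps its ISP regardless of the PCC bucket, which is why the no-mark condition on the mark-connection rules matters.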
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 1:53 pm

One minor suggestion - remove the dst-address-lists of the "X only VPN" rules (rules no. 12,13,14) so that all traffic originating from the VPN can be matched against them, not only destined to the addresses in the lists. Also you could combine rules no. 15-20 by using in-interface-list=LAN instead of src-address:
/ip firewall mangle
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=SF-Only in-interface-list=LAN new-routing-mark=SF-ISP_conn passthrough=yes
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=TW-Only in-interface-list=LAN new-routing-mark=TW-ISP_conn passthrough=yes
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=TCL-Only in-interface-list=LAN new-routing-mark=TCL-ISP_conn passthrough=yes
Dear, noted. I will update you once I go to the office and access it physically, as for some unknown reason I am unable to open it via Winbox or Webfig after adding the rules.

Regards.
Dear TheCat12

I've made the changes as you suggested; now, looking at it, there are minor issues I am facing.

Images are attached herewith

Thank you very much
Kind Regards,
Last edited by MSM on Thu Jul 18, 2024 3:55 pm, edited 1 time in total.
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 2:27 pm

For the firewall filter, just add the following rule before the "drop all input not from LAN" rule and remove connection-state=established from the latter:
/ip firewall filter
add action=accept chain=input ipsec-policy=in:ipsec
And please try to implement my new revision of the mangle rules and give me feedback on whether it worked or you had to revert to your version of them.
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 3:40 pm

For the firewall filter, just add the following rule before the "drop all input not from LAN" rule and remove connection-state=established from the latter:
/ip firewall filter
add action=accept chain=input ipsec-policy=in:ipsec
And please try to implement my new revision of the mangle rules and give me feedback on whether it worked or you had to revert to your version of them.

Dear TheCat12

/ip firewall filter
add chain=input action=accept ipsec-policy=in,ipsec
Did not work.

So I did this...

/interface list
add name=PPP

Then I assigned the PPP list to my two L2TP server bindings as...

PPP List assigned to l2tp-in-SF
PPP List assigned to l2tp-in-TW


Then I created the filter rule mentioned below, and added it before the "drop all input not from LAN" rule:

********
/ip firewall filter
chain=input action=accept in-interface-list=PPP
********

At the end I removed the "connection-state=established" that I had set for accessing the MikroTik remotely.

Now I am able to connect to the MikroTik from a remote location by VPN via Winbox and Webfig.

All snapshots of changes are attached herewith

Did I correct that in the proper manner or not?

Kindly suggest

Thanks & Regards,
Last edited by MSM on Thu Jul 18, 2024 3:55 pm, edited 1 time in total.
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 3:42 pm

Yes, quite a nice and proper correction
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 3:45 pm

You could also remove the add-dst-to-address-list rules because they should be covered by the mangle.
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 3:49 pm

Yes, quite a nice and proper correction

Thanks a lot, dear "TheCat12".

You are the only one who helped me to configure the MikroTik router; may God make you happy and bless you always.

Further, for MT to MT VPN tunneling to use only the VoIP server from the head office, I'll learn from the internet, and I am sure I'll do that too with my little knowledge and with the help of kind persons like you.

Anyway, thank you very much again for your kindness.

Stay Blessed & Best Regards,
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 4:17 pm

I can try to help you with that problem too - firstly you have to turn on IP firewall for the bridge:
/interface bridge settings set use-ip-firewall=yes
After that add a firewall rule to drop all forward traffic to the PBX address except from in-interface-list=PPP:
/ip firewall filter
add action=drop chain=forward dst-address=172.17.0.30 in-interface-list=!PPP
After you have configured the L2TP clients on the branch router, just add the following routes:
/ip route
add dst-address=172.17.0.30 gateway=l2tp-out_1
add dst-address=172.17.0.30 gateway=l2tp-out_2
add dst-address=172.17.0.30 gateway=l2tp-out_3
where l2tp-out_X are the different L2TP client interfaces.
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 5:39 pm

I can try to help you with that problem too - firstly you have to turn on IP firewall for the bridge:
/interface bridge settings set use-ip-firewall=yes
After that add a firewall rule to drop all forward traffic to the PBX address except from in-interface-list=PPP:
/ip firewall filter
add action=drop chain=forward dst-address=172.17.0.30 in-interface-list=!PPP
After you have configured the L2TP clients on the branch router, just add the following routes:
/ip route
add dst-address=172.17.0.30 gateway=l2tp-out_1
add dst-address=172.17.0.30 gateway=l2tp-out_2
add dst-address=172.17.0.30 gateway=l2tp-out_3
where l2tp-out_X are the different L2TP client interfaces.

Dear TheCat12

I am testing it first on a virtual machine with only 1 WAN and 1 LAN.


Ran this command on the Head Office router (which was recently configured entirely with your help):
/interface bridge settings set use-ip-firewall=yes

Then added this rule on the Head Office router:
/ip firewall filter add action=drop chain=forward dst-address=172.17.0.30 in-interface-list=!PPP


And on Virtual Machine (Assume that is Branch Office):

I added a route (using one L2TP route for now):
/ip route add dst-address=172.17.0.31 gateway=l2tp-out1

After that I can ping 172.17.0.31 (the VoIP server IP) from the /tools ping utility, but I am unable to ping 172.17.0.31 from the Windows computer that is linked directly with the virtual machine (Branch Office MT).

[Note: there are no firewall rules or mangle rules created in the VM (Branch Office).]


Best Regards,
Last edited by MSM on Mon Aug 05, 2024 12:10 pm, edited 1 time in total.
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 6:03 pm

It probably happens because the addresses of local and remote LAN are the same. I think that could be overcome with the help of an EoIP tunnel spanned over the L2TP tunnel but that would require a static address for the branch office router instead of a random one from the VPN pool:
# Head office
/ppp secret
set 0 remote-address=192.168.92.2
/interface eoip
add name=eoip-main tunnel-id=101 local-address=192.168.92.1 remote-address=192.168.92.2 ipsec-secret=securepassword allow-fast-path=no
/interface bridge port
add bridge=LAN-Bridge interface=eoip-main

# Branch office router
/interface eoip
add name=eoip-remote tunnel-id=101 local-address=192.168.92.2 remote-address=192.168.92.1 ipsec-secret=securepassword allow-fast-path=no
/ip route
remove [find gateway=l2tp-out1]
/interface bridge port
add bridge=LAN-Bridge interface=eoip-remote
Now the LAN-Bridge will behave as if it's on one router.
Last edited by TheCat12 on Fri Jul 19, 2024 9:56 am, edited 2 times in total.
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Jul 18, 2024 6:55 pm

And make sure not to run a DHCP server for the 172.17.0.0 range on the branch office router, as it may lead to undesired effects.
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Fri Jul 19, 2024 4:44 pm

And make sure not to run a DHCP server for the 172.17.0.0 range on the branch office router, as it may lead to undesired effects.

The above changes did not work for me. Until now I have been able to configure the router with 3 WAN and 2 LAN load balancing and address lists, and the VPN connection from the external side via laptop or computer is fine, but the MikroTik site-to-site tunnel is still pending. I set up an L2TP client in the branch office MikroTik that connects to the head office MikroTik successfully, but from both sides I am unable to ping and unable to access LAN computers. Anyway, I am searching for a solution on the internet; if someone has a solution, kindly help me.

Kind Regards,
 
MSM
just joined
Topic Author
Posts: 19
Joined: Thu Jun 13, 2024 10:49 am

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Thu Aug 01, 2024 9:24 pm

It probably happens because the addresses of local and remote LAN are the same. I think that could be overcome with the help of an EoIP tunnel spanned over the L2TP tunnel but that would require a static address for the branch office router instead of a random one from the VPN pool:
# Head office
/ppp secret
set 0 remote-address=192.168.92.2
/interface eoip
add name=eoip-main tunnel-id=101 local-address=192.168.92.1 remote-address=192.168.92.2 ipsec-secret=securepassword allow-fast-path=no
/interface bridge port
add bridge=LAN-Bridge interface=eoip-main

# Branch office router
/interface eoip
add name=eoip-remote tunnel-id=101 local-address=192.168.92.2 remote-address=192.168.92.1 ipsec-secret=securepassword allow-fast-path=no
/ip route
remove [find gateway=l2tp-out1]
/interface bridge port
add bridge=LAN-Bridge interface=eoip-remote
Now the LAN-Bridge will behave as if it's on one router.

Dear TheCat12

I got my job done regarding what I requested here. I got very kind help from you (thanks), and I searched and learned on the internet and implemented it, and I was able to make an L2TP tunnel; now my VoIP server is accessible from the Head Office to the Branch Office and working fine, and I can also do a lot with the networks on both sides.

Head Office is on Mikrotik Router (3 WAN 2 LAN)
Branch Office (1 WAN 1 LAN) is a testing machine on ESXi, and I'll add 2 more WANs and 1 more LAN in the production environment.

And now I can connect Head Office and Branch Office from my home or by cellphone too from anywhere.


Thanks to all seniors
Kind Regards,
Last edited by MSM on Mon Aug 05, 2024 12:10 pm, edited 1 time in total.
 
TheCat12
Member
Posts: 347
Joined: Fri Dec 31, 2021 9:13 pm

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Fri Aug 02, 2024 12:37 pm

I have nothing to add. Even if the code were badly shaped, which it is not, what matters most is that it works.

P.S. For your information, what you have achieved between the routers is not an L2TP tunnel but rather an IPsec tunnel.
