neuvotech
just joined
Topic Author
Posts: 11
Joined: Thu May 19, 2011 2:12 pm

Multiple Questions RB750

Thu May 19, 2011 2:39 pm

Hi,

I have an RB750 and it is functioning great with the exclusion of my inability to complete a couple of tasks. I have the following configuration:

two PPPoE connections port 1 & 2
two lans port 3 & 4

Internet connection on port 1 has a block of WAN IPs, for which I have all of the dst-nat working as required. The first problem I have is when determining the external IP of a PC: it is showing as one of the IPs from the block, not the primary IP of that connection.

Second problem: I have two separate networks, one connected to port 3 (192.168.0.0) and one connected to port 4 (10.0.0.0). I am unable to access any device on the other network from each port, e.g. ping from 10.0.0.55 to 192.168.0.2.

Third problem: browsing from a device on port 3 to an external IP address forwarded to a device on port 4, the router's web config is resolved instead of the website hosted on a device on port 4.

E.g. 192.168.0.5 browses to test.com, hosted on 10.0.0.5, but instead sees the router's config.

Any help would be greatly appreciated.

Thanks, Tom
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Multiple Questions RB750

Thu May 19, 2011 5:15 pm

Post the output of "/ip address print detail", "/ip route print detail", "/interface print", "/interface ethernet print detail", "/ip firewall export", and an accurate network diagram. Wrap output in code tags.
 
neuvotech
just joined
Topic Author
Posts: 11
Joined: Thu May 19, 2011 2:12 pm

Re: Multiple Questions RB750

Fri May 20, 2011 2:36 am

Hi fewi, thanks for the response.
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.0.254/24 network=192.168.0.0 interface=ether3-local-newearth actual-interface=ether3-local-newearth 

 1   address=10.0.0.254/24 network=10.0.0.0 interface=ether4-local-neuvo actual-interface=ether4-local-neuvo 

 2   address=203.206.137.16/30 network=203.206.137.16 interface=IINET actual-interface=IINET 

 3   address=203.206.137.17/30 network=203.206.137.16 interface=IINET actual-interface=IINET 

 4   address=203.206.137.18/30 network=203.206.137.16 interface=IINET actual-interface=IINET 

 5   address=203.206.137.19/30 network=203.206.137.16 interface=IINET actual-interface=IINET 

 6 D address=192.168.1.100/24 network=192.168.1.0 interface=ether1-gateway actual-interface=ether1-gateway 

 7 D address=27.33.2.228/32 network=10.20.21.173 interface=TPG actual-interface=TPG 

 8 D address=203.206.171.5/32 network=203.215.9.250 interface=IINET actual-interface=IINET 
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=TPG gateway-status=TPG reachable distance=1 scope=30 target-scope=10 routing-mark=newearth 

 1 A S  dst-address=0.0.0.0/0 pref-src=203.206.171.5 gateway=IINET gateway-status=IINET reachable distance=1 scope=30 target-scope=10 routing-mark=neuvo 

 2 A S  dst-address=0.0.0.0/0 gateway=IINET gateway-status=IINET reachable distance=1 scope=30 target-scope=10 routing-mark=SMTP NewEarth 

 3 A S  dst-address=0.0.0.0/0 gateway=IINET,TPG gateway-status=IINET reachable,TPG reachable check-gateway=ping distance=1 scope=30 target-scope=10 

 4 ADC  dst-address=10.0.0.0/24 pref-src=10.0.0.254 gateway=ether4-local-neuvo gateway-status=ether4-local-neuvo reachable distance=0 scope=10 

 5 ADC  dst-address=10.20.21.173/32 pref-src=27.33.2.228 gateway=TPG gateway-status=TPG reachable distance=0 scope=10 

 6 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.254 gateway=ether3-local-newearth gateway-status=ether3-local-newearth reachable distance=0 scope=10 

 7 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.100 gateway=ether1-gateway gateway-status=ether1-gateway reachable distance=0 scope=10 

 8 ADC  dst-address=203.206.137.16/30 pref-src=203.206.137.16 gateway=IINET gateway-status=IINET reachable distance=0 scope=10 

 9 ADC  dst-address=203.215.9.250/32 pref-src=203.206.171.5 gateway=IINET gateway-status=IINET reachable distance=0 scope=10 
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                    TYPE       MTU   L2MTU
 0  R  ether1-gateway          ether      1500  1524 
 1  R  ether2-gateway2         ether      1500  1524 
 2  R  ether3-local-newearth   ether      1500  1524 
 3  R  ether4-local-neuvo      ether      1500  1524 
 4     ether5-local-service    ether      1500  1524 
 5  R  IINET                   pppoe-out  1480 
 6  R  TPG                     pppoe-out  1480 
[admin@MikroTik] > /interface ethernet print detail
Flags: X - disabled, R - running, S - slave 
 0 R  name="ether1-gateway" mtu=1500 l2mtu=1524 mac-address=00:0C:42:A4:DF:A7 arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps master-port=none bandwidth=unlimited/unlimited switch=switch1 

 1 R  name="ether2-gateway2" mtu=1500 l2mtu=1524 mac-address=00:0C:42:A4:DF:A8 arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps master-port=none bandwidth=unlimited/unlimited switch=switch1 

 2 R  name="ether3-local-newearth" mtu=1500 l2mtu=1524 mac-address=00:0C:42:A4:DF:A9 arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps master-port=none bandwidth=unlimited/unlimited switch=switch1 

 3 R  name="ether4-local-neuvo" mtu=1500 l2mtu=1524 mac-address=00:0C:42:A4:DF:AA arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps master-port=none bandwidth=unlimited/unlimited switch=switch1 

 4    name="ether5-local-service" mtu=1500 l2mtu=1524 mac-address=00:0C:42:A4:DF:AB arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps master-port=none bandwidth=unlimited/unlimited switch=switch1 
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=reject chain=input disabled=no reject-with=icmp-network-unreachable src-address=218.38.58.157
add action=reject chain=input disabled=no reject-with=icmp-network-unreachable src-address=211.56.230.117
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no in-interface=ether3-local-newearth new-routing-mark=newearth passthrough=yes
add action=mark-routing chain=prerouting disabled=no in-interface=ether4-local-neuvo new-routing-mark=neuvo passthrough=yes
add action=mark-routing chain=prerouting disabled=no dst-port=25 in-interface=ether3-local-newearth new-routing-mark="SMTP NewEarth" passthrough=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=IINET
add action=masquerade chain=srcnat disabled=no out-interface=TPG
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=53 in-interface=IINET protocol=udp to-addresses=192.168.0.3 to-ports=53
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=80 in-interface=IINET protocol=tcp to-addresses=192.168.0.5 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=443 in-interface=IINET protocol=tcp to-addresses=192.168.0.5 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=987 in-interface=IINET protocol=tcp to-addresses=192.168.0.5 to-ports=987
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=444 in-interface=IINET protocol=tcp to-addresses=192.168.0.5 to-ports=444
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=110 in-interface=IINET protocol=tcp to-addresses=192.168.0.5 to-ports=110
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=1723 in-interface=IINET protocol=tcp to-addresses=192.168.0.5 to-ports=1723
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=21 in-interface=IINET protocol=tcp to-addresses=192.168.0.5 to-ports=21
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=25 in-interface=IINET protocol=tcp to-addresses=192.168.0.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.19 dst-port=25 in-interface=IINET protocol=tcp to-addresses=10.0.0.5 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.19 dst-port=80 in-interface=IINET protocol=tcp to-addresses=10.0.0.5 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.19 dst-port=443 in-interface=IINET protocol=tcp to-addresses=10.0.0.5 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.19 dst-port=3389 in-interface=IINET protocol=tcp to-addresses=10.0.0.5 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.19 dst-port=110 in-interface=IINET protocol=tcp to-addresses=10.0.0.5 to-ports=110
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.19 dst-port=445 in-interface=IINET protocol=tcp to-addresses=10.0.0.5 to-ports=445
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.18 dst-port=25 in-interface=IINET protocol=tcp to-addresses=10.0.0.10 to-ports=25
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.18 dst-port=80 in-interface=IINET protocol=tcp to-addresses=10.0.0.10 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.18 dst-port=443 in-interface=IINET protocol=tcp to-addresses=10.0.0.10 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.18 dst-port=3389 in-interface=IINET protocol=tcp to-addresses=10.0.0.10 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.18 dst-port=3390 in-interface=IINET protocol=tcp to-addresses=10.0.0.51 to-ports=3390
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.18 dst-port=3391 in-interface=IINET protocol=tcp to-addresses=10.0.0.11 to-ports=3391
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.17 dst-port=443 in-interface=IINET protocol=tcp to-addresses=192.168.0.253 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.17 dst-port=80 in-interface=IINET protocol=tcp to-addresses=192.168.0.253 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.17 dst-port=23 in-interface=IINET protocol=tcp to-addresses=192.168.0.253 to-ports=23
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.17 dst-port=5900 in-interface=IINET protocol=tcp to-addresses=192.168.0.253 to-ports=5900
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.17 dst-port=5901 in-interface=IINET protocol=tcp to-addresses=192.168.0.253 to-ports=5901
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.16 dst-port=5090 in-interface=IINET protocol=tcp to-addresses=192.168.0.5 to-ports=5090
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.16 dst-port=5060 in-interface=IINET protocol=udp to-addresses=192.168.0.5 to-ports=5060
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.137.16 dst-port=9000-9050 in-interface=IINET protocol=udp to-addresses=192.168.0.5 to-ports=9000-9050
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=3389 in-interface=IINET protocol=tcp to-addresses=192.168.0.6 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=203.206.171.5 dst-port=3390 in-interface=IINET protocol=tcp to-addresses=192.168.0.5 to-ports=3390
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=yes ports=5060,5061
set pptp disabled=no
The biggest problem is we need to be able to access all PCs between ethernet 3 and ethernet 4.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Multiple Questions RB750

Fri May 20, 2011 4:10 am

The problem is the routing marks. You have to make sure you don't apply any to traffic between those two networks, or the routing mark takes effect and the packets don't get routed out the right interface. The easiest and most understandable way to me is to add the following:
/ip firewall mangle
add chain=prerouting src-address=10.0.0.0/24 dst-address=192.168.0.0/24 action=accept passthrough=no
add chain=prerouting src-address=192.168.0.0/24 dst-address=10.0.0.0/24 action=accept passthrough=no
Then move them above the rules that assign routing marks. I don't fully understand your other question. Can you elaborate?
 
neuvotech
just joined
Topic Author
Posts: 11
Joined: Thu May 19, 2011 2:12 pm

Re: Multiple Questions RB750

Fri May 20, 2011 4:43 am

fewi, that worked great for internal traffic!!

OK, three more issues:

1) When browsing to a website hosted on 10.0.0.5 from 192.168.0.5 it doesn't get through. Pinging it gets no response either. E.g. http://mail.neuvo.com.au has the IP 203.206.137.19; this is inaccessible from 192.168.0.0/24.

2) There is a SIP server hosted on 192.168.0.5 which belongs to another business. I have a SIP server hosted offsite at 203.161.143.70. When connecting my desk phone, which used to go through the existing router and worked fine, I now have one-way audio.

3) When I do an external IP address check from a PC on 10.0.0.0/24, it shows 203.206.137.16 instead of 203.206.171.5, which is what it used to show with the existing router and is the 'main' external IP. Are we able to get it to show that?

Thank you so much in advance for your help.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Multiple Questions RB750

Fri May 20, 2011 4:59 am

1) add more rules like you did for the previous now solved issue, also exempting traffic to the public IPs. Prerouting mangle happens before destination NAT, so the packet still gets marked with the routing mark it should not get. Then destination NAT rewrites the destination IP to the 10.0.0.5 address, but the routing mark persists. To optimize this you can make an address-list under "/ip firewall address-lists" that contains entries for all your local IP addresses, private and public. Then the exempt rule becomes a one liner:
/ip firewall mangle add chain=prerouting src-address-list=local-addresses dst-address-list=local-addresses action=accept
You can even remove the two rules you just made after that.

2) sorry I don't really deal with SIP much, and particularly not through Mikrotik routers. Someone else may be able to help.

3) right now your source NAT uses an action of masquerade, which means "automagically pick an IP to NAT to". Replace it with a rule that has an action of src-nat and specifically list a to-address to NAT to, just like you do in your destination NAT rules.

Hope that helps. I can clarify more if needed, and I hope someone picks you up on question number 2.
 
neuvotech
just joined
Topic Author
Posts: 11
Joined: Thu May 19, 2011 2:12 pm

Re: Multiple Questions RB750

Fri May 20, 2011 5:18 am

Thank you, your answer to question 3 worked a charm.

I am still a little lost on question 1.

1) Are you able to show me an example from 192.168.0.0/24 to 203.206.137.19? I tried a couple of lines but still couldn't get it to resolve.
2) I apologise again, but I don't really understand the local addresses. If I had to enter one for each PC, for example, I would be here for a month :)
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Multiple Questions RB750

Fri May 20, 2011 5:56 am

/ip firewall address-list
add list=local-nets address=192.168.0.0/24
add list=local-nets address=10.0.0.0/24
add list=local-nets address=203.206.137.16/30
add list=local-nets address=192.168.1.0/24
add list=local-nets address=27.33.2.228/32
add list=local-nets address=203.206.171.5/32
/ip firewall mangle
add chain=prerouting src-address-list=local-nets dst-address-list=local-nets action=accept passthrough=no
It's an easy way to refer to multiple addresses at once.
 
neuvotech
just joined
Topic Author
Posts: 11
Joined: Thu May 19, 2011 2:12 pm

Re: Multiple Questions RB750

Fri May 20, 2011 6:37 am

Thanks fewi, I have added the lines you specified and disabled the ones from earlier, but I still have the same problem.

The test I am doing is trying to browse to http://mail.neuvo.com.au from 192.168.0.5 or ping 203.206.139.16 from 192.168.0.5. Both of those tests fail.
[admin@MikroTik] /ip firewall mangle>> print    
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=accept src-address-list=local-nets dst-address-list=local-nets 

 1 X chain=prerouting action=accept src-address=10.0.0.0/24 dst-address=192.168.0.0/24 

 2 X chain=prerouting action=accept src-address=192.168.0.0/24 dst-address=10.0.0.0/24 

 3   chain=prerouting action=mark-routing new-routing-mark=newearth passthrough=yes in-interface=ether3-local-newearth 

 4   chain=prerouting action=mark-routing new-routing-mark=neuvo passthrough=yes in-interface=ether4-local-neuvo 

 5   chain=prerouting action=mark-routing new-routing-mark=SMTP NewEarth passthrough=yes protocol=tcp in-interface=ether3-local-newearth dst-port=25 

 6   chain=prerouting action=mark-routing new-routing-mark=SMTP Neuvo passthrough=yes protocol=tcp in-interface=ether4-local-neuvo dst-port=25 
[admin@MikroTik] /ip firewall address-list>> print  
Flags: X - disabled, D - dynamic 
 #   LIST         ADDRESS
 0   local-nets   192.168.0.0/24
 1   local-nets   10.0.0.0/24
 2   local-nets   203.206.137.16/30
 3   local-nets   27.33.2.228
 4   local-nets   203.206.171.5
[admin@MikroTik] /ip route>> print  
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          TPG                1       
 1 A S  0.0.0.0/0                          IINET              1       
 2 A S  0.0.0.0/0                          IINET              1       
 3 A S  0.0.0.0/0                          IINET              1       
 4 A S  0.0.0.0/0                          IINET              1       
                                           TPG               
 5 ADC  10.0.0.0/24        10.0.0.254      ether4-local-neuvo 0       
 6 ADC  10.20.21.173/32    27.33.2.228     TPG                0       
 7 ADC  192.168.0.0/24     192.168.0.254   ether3-local-ne... 0       
 8 ADC  203.206.137.16/30  203.206.137.16  IINET              0       
 9 ADC  203.215.9.250/32   203.206.171.5   IINET              0       
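The configuration in the print above still keys every dst-nat rule on in-interface=IINET, so a packet from a LAN client to 203.206.137.19:80 is never translated; it reaches the address the router itself holds on IINET and the router's own www service answers, which matches the symptom reported in the first post. The RouterOS commands below are an added example by the editor, not configuration posted in the thread. They assume the interface names, the address-list name local-nets, and the addresses from the exports above; the management-port filter at the end is a hardening step the thread does not discuss and is labelled as such.

```routeros
# Added example (editor's, not from the thread). Assumes the names and
# addresses from neuvotech's exports: IINET/TPG, ether3-local-newearth,
# ether4-local-neuvo, 203.206.137.16/30 and 203.206.171.5 on IINET.

# 1. Exempt local-to-local traffic from policy routing. Prerouting mangle
#    runs before dst-nat, so the list must hold the PUBLIC addresses that
#    are forwarded inward as well as the private LANs; otherwise the packet
#    is routing-marked toward a WAN table before its destination is rewritten.
/ip firewall address-list
add list=local-nets address=192.168.0.0/24
add list=local-nets address=10.0.0.0/24
add list=local-nets address=203.206.137.16/30
add list=local-nets address=203.206.171.5/32

/ip firewall mangle
add chain=prerouting src-address-list=local-nets dst-address-list=local-nets \
    action=accept place-before=0 comment="no routing-mark for local traffic"

# 2. Deterministic source NAT (fewi's point 3). masquerade picks the outgoing
#    interface's address automatically; src-nat pins the 'main' address.
/ip firewall nat
remove [find chain=srcnat out-interface=IINET action=masquerade]
add chain=srcnat out-interface=IINET action=src-nat to-addresses=203.206.171.5 \
    comment="fixed public source address on IINET"

# 3. Hairpin: reach a forwarded service by its public IP from inside.
#    The posted rules match in-interface=IINET only; this one is keyed on the
#    local source list instead, so LAN clients are translated too. Ordering
#    does not matter because the two rules can never match the same packet.
add chain=dstnat src-address-list=local-nets dst-address=203.206.137.19 \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=10.0.0.5 to-ports=80 \
    comment="hairpin for mail.neuvo.com.au from local nets"
#    192.168.0.x -> 10.0.0.5 needs nothing more: the reply is routed back
#    through the router and conntrack un-translates it. A client on the SAME
#    subnet as the server (e.g. 10.0.0.55) needs the reply forced back through
#    the router, otherwise 10.0.0.5 answers directly and the client drops it.
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.5 \
    protocol=tcp dst-port=80 action=masquerade comment="hairpin reply path"

# 4. Hardening, beyond what the thread discusses: the first post shows the
#    router's web config answering on a public address. Accept management
#    only from the local nets and drop it from everywhere else. Add any other
#    management ports you use to both rules.
/ip firewall filter
add chain=input protocol=tcp dst-port=80,443 src-address-list=local-nets \
    action=accept place-before=0 comment="management from local nets"
add chain=input protocol=tcp dst-port=80,443 action=drop \
    comment="no management from WAN"

# Check: after browsing to the public IP from 192.168.0.5, the connection
# should show the translated destination 10.0.0.5 with the public address
# as reply source.
/ip firewall connection print where dst-address~"^10.0.0.5:80"
```

The order of the three chains is the whole point: mangle prerouting (routing-mark decision), then dstnat (destination rewrite), then the routing lookup. Any exemption from policy routing therefore has to be expressed in terms of the pre-translation destination, which is why the public /30 and the PPPoE address belong in local-nets alongside the RFC 1918 ranges.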
 
tedd77
newbie
Posts: 39
Joined: Sun Dec 18, 2011 5:05 pm

Re: Multiple Questions RB750

Sun Dec 18, 2011 5:08 pm

Hello, I am wondering if someone could solve the problem of one-way voice on the MikroTik for neuvotech. Please post the solution. Thank you.
 
neuvotech
just joined
Topic Author
Posts: 11
Joined: Thu May 19, 2011 2:12 pm

Re: Multiple Questions RB750

Mon Dec 19, 2011 12:16 am

Hi tedd77, we never ended up resolving the issue; we set up GRE tunnels between the locations as a workaround, which has actually been working reliably since this post.
Kind regards, Tom
