Hey cbrown,
Thank you for taking the time to answer; I found a useful page on hidemyass.com (http://wiki.hidemyass.com/Mikrotik_Rout ... L2TP_Setup). Although it cleared up some of the black holes I had configuring it, and following the routing from my LAN I could ping and connect to services on the VPN network, this morning I tried it and it didn't work, just like that.
According to that wiki I had to add a Route, a Mangle Rule and NAT Rule, I have them like this:
Addresses:
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.5.254/24 192.168.5.0 LAN
1 192.168.0.254/24 192.168.0.0 ETB
2 192.168.169.254/24 192.168.169.0 UNE
3 D 10.10.10.209/32 10.10.10.200 pptp-out1
Routes
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.0.1 1
1 A S 0.0.0.0/0 192.168.169.1 1
2 A S ;;; HTTP
0.0.0.0/0 192.168.169.1 2
3 A S ;;; SSL
0.0.0.0/0 192.168.169.1 2
4 A S ;;; SMTP
0.0.0.0/0 192.168.169.1 1
5 A S ;;; IMAP
0.0.0.0/0 192.168.0.1 1
6 X S ;;; P2P
0.0.0.0/0 192.168.0.1 1
7 X S ;;; UnKNWON
0.0.0.0/0 192.168.0.1 1
UNE
8 A S 0.0.0.0/0 192.168.0.1 1
9 S 0.0.0.0/0 192.168.169.1 2
10 A S ;;; MUNDO VPN
10.10.10.0/24 pptp-out1
11 ADC 10.10.10.200/32 10.10.10.209 pptp-out1 0
12 ADC 192.168.0.0/24 192.168.0.254 ETB 0
13 ADC 192.168.5.0/24 192.168.5.254 LAN 0
14 ADC 192.168.169.0/24 192.168.169.254 UNE 0
Mangle Rules
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=mark-connection new-connection-mark=ETB_conn
passthrough=yes in-interface=ETB
1 chain=input action=mark-connection new-connection-mark=UNE_conn
passthrough=yes in-interface=UNE
2 chain=output action=mark-routing new-routing-mark=to_ETB passthrough=yes
connection-mark=ETB_conn
3 chain=output action=mark-routing new-routing-mark=to_UNE passthrough=yes
connection-mark=UNE_conn
4 chain=prerouting action=accept dst-address=192.168.0.0/24 in-interface=LA>
5 chain=prerouting action=accept dst-address=192.168.169.0/24
in-interface=LAN
6 chain=prerouting action=mark-connection new-connection-mark=ETB_conn
passthrough=yes dst-address-type=!local in-interface=LAN
per-connection-classifier=both-addresses-and-ports:2/0
7 chain=prerouting action=mark-connection new-connection-mark=UNE_conn
passthrough=yes dst-address-type=!local in-interface=LAN
per-connection-classifier=both-addresses-and-ports:2/1
8 chain=prerouting action=mark-routing new-routing-mark=to_ETB
passthrough=yes in-interface=LAN connection-mark=ETB_conn
9 chain=prerouting action=mark-routing new-routing-mark=to_UNE
passthrough=yes in-interface=LAN connection-mark=UNE_conn
10 ;;; MUNDO PPTP VPN
chain=prerouting action=mark-routing new-routing-mark=PAYMUNDO VPN
passthrough=yes in-interface=LAN
NAT Rules
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ETB
1 chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=UNE
2 ;;; NAT TO MUNDO VPN
chain=srcnat action=masquerade out-interface=pptp-out1 connection-limit=100,32 limit=1,5
connection-type=pptp
I don't really know how to diagnose this, as I now can't ping from any internal machine to any host on the 10.10.10.0/24 network except from the Mikrotik itself.
I might have something wrong there in my configuration. I'm new to the Mikrotik way of doing things; I know some Linux and Cisco, but the Mikrotik has my head spinning. I know this would be an advanced topic for a n00b like me, but Mikrotik, as I said in another post, is the only solution I've gotten to work with my two WANs in tandem, even though SSL continues to be broken, but that's a topic for another day.
Thank you for your invaluable help.
Cheers.
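As an added example (not part of the original post, and not MikroTik code), this Python model walks a packet arriving on LAN through mangle prerouting rules 4-10 as printed above and reports which marks it leaves the chain with. The PCC bucket is passed in as a parameter instead of being hashed from addresses and ports, the destination hosts are constructed, and rule 4's truncated in-interface match is not modelled.

```python
import ipaddress

# Mangle prerouting rules 4-10 transcribed from the post's print output.
# Rule 4's in-interface is cut off in the print ("LA>"), so it is not modelled.
# Every mark rule in the post has passthrough=yes, so the walk continues.
RULES = [
    {"n": 4, "action": "accept", "dst": "192.168.0.0/24"},
    {"n": 5, "action": "accept", "dst": "192.168.169.0/24", "in": "LAN"},
    {"n": 6, "action": "mark-connection", "mark": "ETB_conn", "in": "LAN", "not_local": True, "pcc": 0},
    {"n": 7, "action": "mark-connection", "mark": "UNE_conn", "in": "LAN", "not_local": True, "pcc": 1},
    {"n": 8, "action": "mark-routing", "mark": "to_ETB", "in": "LAN", "conn": "ETB_conn"},
    {"n": 9, "action": "mark-routing", "mark": "to_UNE", "in": "LAN", "conn": "UNE_conn"},
    {"n": 10, "action": "mark-routing", "mark": "PAYMUNDO VPN", "in": "LAN"},
]
# Router's own addresses from /ip address print (for dst-address-type=!local).
LOCAL = {"192.168.5.254", "192.168.0.254", "192.168.169.254", "10.10.10.209"}


def matches(rule, dst, in_if, pcc_bucket, conn):
    if "in" in rule and rule["in"] != in_if:
        return False
    if "dst" in rule and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["dst"]):
        return False
    if rule.get("not_local") and dst in LOCAL:
        return False
    if "pcc" in rule and rule["pcc"] != pcc_bucket:
        return False
    return "conn" not in rule or rule["conn"] == conn


def evaluate(dst, in_if="LAN", pcc_bucket=0):
    """Return (connection_mark, routing_mark, numbers of the rules that matched)."""
    conn = route = None
    hits = []
    for rule in RULES:
        if not matches(rule, dst, in_if, pcc_bucket, conn):
            continue
        hits.append(rule["n"])
        if rule["action"] == "accept":        # accept ends the chain walk
            break
        if rule["action"] == "mark-connection":
            conn = rule["mark"]
        else:                                 # mark-routing: a later rule overwrites
            route = rule["mark"]
    return conn, route, hits


if __name__ == "__main__":
    for dst in ("192.168.0.10", "192.168.169.1", "10.10.10.5"):  # constructed hosts
        print(dst, evaluate(dst))
```

The two WAN subnets leave the chain unmarked through the accept rules, while a destination in 10.10.10.0/24 has no such rule and leaves with a routing mark. The route print above has no routing-mark column, so which routes that mark selects cannot be read from the post.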
Hello guys at Mikrotik,
Let's try another approach to see if I get an answer.
I have set up PCC routing load balancing on my Mikrotik using:
http://aacable.wordpress.com/2011/07/27 ... t-by-zaib/
I've set up a PPTP connection to my office VPN and I can connect just fine. I created a routing rule like this:
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.0.1 1
1 S 0.0.0.0/0 192.168.169.1 1
8 A S 0.0.0.0/0 192.168.0.1 1
9 S 0.0.0.0/0 192.168.169.1 2
10 A S 10.10.10.0/24 pptp-out1 1
11 ADC 10.10.10.200/32 10.10.10.206 pptp-out1 0
12 ADC 192.168.0.0/24 192.168.0.254 ETB 0
13 ADC 192.168.5.0/24 192.168.5.254 LAN 0
I also have a NAT rule for machines behind the MK that looks like this:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ETB
1 I chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=UNE
2 ;;; NAT TO VPN
chain=srcnat action=masquerade out-interface=pptp-out1
When I enable route number 10 I can ping from the Mikrotik terminal to IPs behind the VPN, which doesn't happen when I turn it off.
I'm just a network student, so I'm no expert on routing issues; any help or correction to what I'm doing here will be greatly appreciated.
Thanks