davidb11
just joined
Topic Author
Posts: 3
Joined: Thu Jan 28, 2016 6:24 pm

Accessing different networks from PPTP server

Thu Jan 28, 2016 6:31 pm

Hi,

I've got a MikroTik configured with a connection to two different ISPs. It is load-balancing across these, and also performing NAT.

I configured a PPTP server, and clients can successfully connect to it. The clients can also access the Internet.

The problem I am having is that clients cannot access resources on the normal wired or wireless network. They cannot even ping anything.

I've enabled proxy ARP on every single interface possible, but it's still not working.

I suspect the issue may be something to do with the firewall mangle rules I have that load-balance across the 2 WAN links.

Has anyone got any idea about what to try next?

The relevant config should be below.
/interface bridge
add admin-mac=4C:5E:0C:F8:54:D3 arp=proxy-arp auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp name="ISPB"
set [ find default-name=ether1 ] arp=proxy-arp mtu=1508 name="ISPA"
set [ find default-name=ether3 ] arp=proxy-arp name=ether3-slave-local
set [ find default-name=ether4 ] arp=proxy-arp name=ether4-slave-local
set [ find default-name=ether5 ] arp=proxy-arp name=ether5-slave-local

/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=vpn-pool ranges=192.168.90.10-192.168.90.20

/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.90.1 name=vpn-profile use-encryption=yes
set *FFFFFFFE bridge=bridge-local

/interface bridge port
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local

/interface pptp-server server
set default-profile=vpn-profile enabled=yes
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=bridge-local network=192.168.1.0

/ip firewall address-list
add address=192.168.1.234 list=Send_To_ISPA
add address=192.168.1.244 list=Send_To_ISPA
add address=192.168.1.245 list=Send_To_ISPA
add address=192.168.1.246 list=Send_To_ISPA
add address=192.168.1.160 list=Send_To_ISPA
add address=192.168.1.251 list=Send_To_ISPA
add address=192.168.1.253 list=Send_To_ISPA
add address=192.168.1.242 list=Send_To_ISPA
add address=192.168.1.157 list=Send_To_ISPA

/ip firewall filter
add chain=forward comment="LAN traffic can go anywhere" in-interface=bridge-local
add chain=forward comment="PPP Traffic can go anywhere" in-interface=pptp-server
add chain=forward comment="Established traffic" connection-state=established
add chain=forward comment="Related traffic" connection-state=related
add chain=forward comment=ICMP protocol=icmp
add action=drop chain=forward comment="Drop the rest"
add chain=output
add chain=input comment="LAN traffic can go anywhere" in-interface=bridge-local
add chain=input comment="PPP Traffic can go anywhere" in-interface=pptp-server
add chain=input comment="Established traffic" connection-state=established
add chain=input comment="Related traffic" connection-state=related
add chain=input comment="Allow pptp control traffic" dst-port=1723 protocol=tcp
add chain=input comment="Allow GRE traffic for pptp" protocol=gre
add chain=input comment=ICMP protocol=icmp
add action=drop chain=input comment="Drop the rest"

/ip firewall mangle
add action=mark-connection chain=input in-interface="ISPA" new-connection-mark=ISPA_Mark
add action=mark-connection chain=input in-interface="ISPB" new-connection-mark=ISPB_Mark
add action=mark-routing chain=output connection-mark=ISPA_Mark new-routing-mark=to_ISPA
add action=mark-routing chain=output connection-mark=ISPB_Mark new-routing-mark=to_ISPB

add chain=prerouting dst-address=1.2.3.0/29 in-interface=bridge-local
add chain=prerouting dst-address=5.4.3.2 in-interface=bridge-local

add action=mark-routing chain=prerouting new-routing-mark=to_ISPA passthrough=no src-address-list=Send_To_ISPA
add action=mark-routing chain=prerouting new-routing-mark=to_ISPB passthrough=no src-address-list=Send_To_ISPB
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge-local new-connection-mark=ISPA_Mark per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge-local new-connection-mark=ISPB_Mark per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ISPA_Mark in-interface=bridge-local new-routing-mark=to_ISPA
add action=mark-routing chain=prerouting connection-mark=ISPB_Mark in-interface=bridge-local new-routing-mark=to_ISPB

/ip firewall nat
add action=masquerade chain=srcnat out-interface="ISPA"
add action=masquerade chain=srcnat out-interface="ISPB"

/ip route
add check-gateway=ping distance=1 gateway="ISPA" routing-mark=to_ISPA
add check-gateway=ping distance=1 gateway="ISPB" routing-mark=to_ISPB
add check-gateway=ping distance=1 gateway="ISPA"
add check-gateway=ping distance=2 gateway="ISPB"

/ppp secret
add name=ppp1 password=ppp1pass profile=vpn-profile service=pptp
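
A simplified model of the posted mangle prerouting rules and route tables, added here as an example (not part of the original post and not RouterOS code), tracing where a LAN host's reply to a PPTP client is routed. The PCC hash stand-in, the LAN host 192.168.1.50, the client address 192.168.90.10, the "pptp" interface label and the extra accept rule for 192.168.90.0/24 are assumptions.

```python
import ipaddress

# Simplified model of the posted mangle prerouting chain and routing tables.
ROUTER_ADDRS = {"192.168.1.1", "192.168.90.1"}      # dst-address-type=local
SEND_TO_ISPA = {"192.168.1.234", "192.168.1.244"}   # subset of the posted list
POSTED_ACCEPTS = ("1.2.3.0/29", "5.4.3.2/32")       # the two posted accept rules
VPN_CLIENT = "192.168.90.10"                        # constructed: first vpn-pool address


def pcc(src, dst):
    # Stand-in for per-connection-classifier=both-addresses:2/x. RouterOS uses
    # its own hash; all that matters here is that the result is 0 or 1.
    return (int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))) % 2


def routing_mark(src, dst, in_if, extra_accepts=()):
    """Walk the prerouting rules in posted order; None means the main table."""
    from_lan = in_if == "bridge-local"
    for net in POSTED_ACCEPTS + tuple(extra_accepts):
        if from_lan and ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return None                             # accept: stop processing
    if src in SEND_TO_ISPA:
        return "to_ISPA"                            # passthrough=no
    # mark-connection via PCC, then mark-routing from that mark (collapsed)
    if from_lan and dst not in ROUTER_ADDRS:        # dst-address-type=!local
        return "to_ISPA" if pcc(src, dst) == 0 else "to_ISPB"
    return None


def egress(mark, dst):
    """Route lookup: each marked table holds only a default route via its ISP."""
    if mark == "to_ISPA":
        return "ISPA"
    if mark == "to_ISPB":
        return "ISPB"
    if dst == VPN_CLIENT:
        return "pptp"                               # dynamic route to the connected client
    if ipaddress.ip_address(dst) in ipaddress.ip_network("192.168.1.0/24"):
        return "bridge-local"
    return "ISPA"                                   # main-table default, distance=1


def reply_path(lan_host, extra_accepts=()):
    """Egress interface for a LAN host's reply to the VPN client."""
    mark = routing_mark(lan_host, VPN_CLIENT, "bridge-local", extra_accepts)
    return egress(mark, VPN_CLIENT)


if __name__ == "__main__":
    print(reply_path("192.168.1.50"))                       # posted rules
    print(reply_path("192.168.1.50", ["192.168.90.0/24"]))  # with a bypass rule
```

Under this model the reply matches the PCC rules and is sent out a WAN link; with a prerouting accept rule for the VPN subnet placed ahead of them, in the same form as the two accept rules already in the config, it stays in the main table and reaches the client.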
 
davidb11

Re: Accessing different networks from PPTP server

Mon Feb 08, 2016 5:59 pm

No one has any clues? :(