Community discussions

MikroTik App
  4. RouterOS
  5. General

same config but different routing issue

Post Reply
 
User avatar
suszi
just joined
Topic Author
Posts: 13
Joined: Mon Apr 10, 2017 2:08 pm

same config but different routing issue

Mon Apr 10, 2017 2:38 pm

Hi
I have two client routers configured for site-to-site access (engineers at the office can connect to devices installed on client sites).
On main site, there is SSTP server, both client routers are configured to connect over 4G LTE modem (PPP protocol) and SSTP type VPN.
On site1, it is possible to ping connected devices, on site two it is not.
The difference is that, on site 1 hardware is RB951Ui-2HnD, on site 2 the hardware is RB951Ui-2nD. Same firmware, same software version.

I have no idea, what is wrong...

the configuration scripts:
site1
Code: Select all
# apr/10/2017 13:27:38 by RouterOS 6.38.5
# software id = 5SVQ-YCPK
#
/interface bridge
add admin-mac=6C:3B:6B:E3:79:3E name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=poland disabled=no frequency=auto mode=ap-bridge ssid=**** wireless-protocol=802.11
/ip neighbor discovery
set ether1-wan discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=**** wpa2-pre-shared-key=****
/ip pool
add name=dhcp ranges=192.168.118.100-192.168.118.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/port
set 0 name=usb1
/interface ppp-client
add apn=internet dial-on-demand=no disabled=no name=ppp-out1 port=usb1
/interface sstp-client
add authentication=mschap2 connect-to=**** disabled=no mrru=1600 name=sstp-out1 password=**** profile=default-encryption tls-version=only-1.2 user=**** \
    verify-server-certificate=yes
/interface bridge port
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.118.1/24 interface=ether2-master network=192.168.118.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip dhcp-server network
add address=192.168.118.0/24 gateway=192.168.118.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan
add action=masquerade chain=srcnat out-interface=ppp-out1
/ip route
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.2.254
add distance=1 dst-address=192.168.11.0/24 gateway=192.168.2.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=****
/system ntp client
set enabled=yes server-dns-names=tempus1.gum.gov.pl,tempus2.gum.gov.pl
/system routerboard settings
set init-delay=0s
site2
Code: Select all
# apr/10/2017 13:27:35 by RouterOS 6.38.5
# software id = MD8S-ESJH
#
/interface bridge
add admin-mac=6C:3B:6B:50:0E:76 auto-mac=no comment=defconf name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=poland disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=**** wireless-protocol=802.11
/ip neighbor discovery
set ether1-wan discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=**** wpa2-pre-shared-key=****
/ip pool
add name=dhcp ranges=192.168.117.100-192.168.117.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=defconf
/port
set 0 name=usb1
/interface ppp-client
add apn=internet dial-on-demand=no disabled=no name=ppp-out1 port=usb1
/interface sstp-client
add authentication=mschap2 connect-to=**** disabled=no name=sstp-out1 password=**** profile=default-encryption tls-version=only-1.2 user=**** \
    verify-server-certificate=yes
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2-master
add bridge=bridge1 comment=defconf interface=wlan1
/ip address
add address=192.168.117.1/24 interface=ether2-master network=192.168.117.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip dhcp-server network
add address=192.168.117.0/24 gateway=192.168.117.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-out1
add action=masquerade chain=srcnat out-interface=ether1-wan
/ip route
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.2.254
add distance=1 dst-address=192.168.11.0/24 gateway=192.168.2.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=****
/system leds
set 5 interface=wlan1
/system ntp client
set enabled=yes server-dns-names=tempus1.gum.gov.pl,tempus2.gum.gov.pl
/system routerboard settings
set init-delay=0s
Top
 
Plutone
just joined
Posts: 15
Joined: Mon Jun 06, 2016 11:48 am

Re: same config but different routing issue

Mon Apr 10, 2017 5:50 pm

The issue is the masquerade in different order. You're masquerading site1 behing ether1-wan and site2 behing ppp-out-1

site1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan
add action=masquerade chain=srcnat out-interface=ppp-out1

site2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-out1
add action=masquerade chain=srcnat out-interface=ether1-wan
Top
 
User avatar
suszi
just joined
Topic Author
Posts: 13
Joined: Mon Apr 10, 2017 2:08 pm

Re: same config but different routing issue

Tue Apr 11, 2017 2:52 pm

I don't think so, the WAN port is not used in both cases...
I've changed the order and still same issue :-/
Top
 
tangram
Member Candidate
Member Candidate
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Re: same config but different routing issue

Tue Apr 11, 2017 3:50 pm

Can you post the routing table of both routers ?
Top
 
User avatar
suszi
just joined
Topic Author
Posts: 13
Joined: Mon Apr 10, 2017 2:08 pm

Re: same config but different routing issue

Wed Apr 12, 2017 3:39 pm

Code: Select all
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.112.112.137            0
 1 ADC  10.112.112.137/32  100.119.157.77  ppp-out1                  0
 2 ADC  192.168.2.254/32   192.168.11.218  sstp-out1                 0
 3 A S  192.168.10.0/24                    192.168.2.254             1
 4 A S  192.168.11.0/24                    192.168.2.254             1
 5 ADC  192.168.118.0/24   192.168.118.1   bridge1                   0
Code: Select all
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.118.1/24   192.168.118.0   ether2-master
 1 D 100.119.157.77/32  10.112.112.137  ppp-out1
 2 D 192.168.11.218/32  192.168.2.254   sstp-out1

Code: Select all
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.112.112.124            0
 1 ADC  10.112.112.124/32  100.118.182.19  ppp-out1                  0
 2 ADC  192.168.2.254/32   192.168.11.217  sstp-out1                 0
 3 A S  192.168.10.0/24                    192.168.2.254             1
 4 A S  192.168.11.0/24                    192.168.2.254             1
 5 ADC  192.168.117.0/24   192.168.117.1   bridge1                   0
Code: Select all
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.117.1/24   192.168.117.0   ether2-master
 1 D 100.118.182.19/32  10.112.112.124  ppp-out1 
 2 D 192.168.11.217/32  192.168.2.254   sstp-out1
Top
 
tangram
Member Candidate
Member Candidate
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Re: same config but different routing issue

Fri Apr 14, 2017 10:57 am

Have you checked the server? Maybe there's a route missing to your second site - 192.168.117.0/24.

Do traceroutes from both sites, compare and see last hop where it get's stuck.
Top
 
User avatar
suszi
just joined
Topic Author
Posts: 13
Joined: Mon Apr 10, 2017 2:08 pm

Re: same config but different routing issue

Fri Apr 14, 2017 12:10 pm

It gets stuck on sstp interface on client side (192.168.11.217)
Top
 
tangram
Member Candidate
Member Candidate
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Re: same config but different routing issue

Sat Apr 15, 2017 10:02 am

Shouldn't you have routes for 192.168.117.0/24 and 192.168.118.0/24 with gw 192.168.2.254 on client 1 and 2 ?
There's something else i don't understand:

5 ADC 192.168.118.0/24 192.168.118.1 bridge1 0
and
0 192.168.118.1/24 192.168.118.0 ether2-master

The ip isn't suppose to go on interface bridge1 instead of ether2 ? I mean if you bridge ports you set ip on bridge not on member ports.
Top
Post Reply
  4. RouterOS
  5. General