Hey there!
I have a 2011UiAS routerboard, that serves as my gateway.
I want to add an interface, that would only be used for Microsoft KMS server authentication of the LAN clients (since the bandwidth of the service is abysma otherwisel) !
The interface would have its own static DNS and IP settings and would serve as our connection to a particular telco.
In pseudo code, here is what I am thinking:
- IF PACKET FROM LAN INTERFACE WANTS TO REACH "KMS SERVER IP ADDRESS AND PORT" THAN ROUTE TO INTERFACE X.
- LET KMS SERVER REACH CLIENTS ON LAN INTERFACE SO THE TCP SESSION CAN FINISH, AND CLIENTS CAN AUTHENTICATE ON DEMAND.
Can you guys help me out with a valid config?
Thanks in advance!
Kind regards,
IBR
-
-
bajzaadmin
newbie
- Posts: 48
- Joined:
Re: config help request: reaching KMS servers through a particular interface
It's simple policy routing. Connect the second interface and add route to KMS server (or just default one) in another routing table. Mark routing for packets to KMS to use this alternative route. And you're probably done (unless some firewall rules need adjusting, e.g. if you had some interface based ones which would not allow to use the other interface).
-
-
bajzaadmin
newbie
- Posts: 48
- Joined:
Re: config help request: reaching KMS servers through a particular interface
Hey there, thanks for the reply!
You assume that I am savvy enough to translate what you said into config.
I'll link my cfg export as well as most of the details; could you help me with an actual config pretty please?
Thanks in advance!
Kind regards,
IBR
Target telco router uses a public port with statis public IP addresses available, there is no NAT going on here.
I wish to use ethernet 3 as "to-KMS interface":
Static address: 195.199.158.84 / 29 (already set but disabled)
Gateway: 195.199.158.86
It uses its own DNS servers #These servers should only be used on this interface:
195.199.255.57
195.199.255.58
195.199.255.4
KMS server:
IP: 195.199.255.195
port: 1688
________________________________
Here is my cfg export, I hid some of the details, but they are not related to firewall settings.
# mar/12/2018 10:48:51 by RouterOS 6.41
# software id = 5IAZ-WMI5
#
# model = 2011UiAS
...
/ip pool
add name=dhcp_pool_1 ranges=192.168.249.1-192.168.251.254
/ip dhcp-server
add address-pool=dhcp_pool_1 disabled=no interface=ether5 lease-time=2d10m \
name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.248.1/22 comment=LAN interface=ether5 network=\
192.168.248.0
add address=192.168.3.1 comment=_To_sec_contractor_LAN interface=ether10 \
network=255.255.255.0
add address=195.199.158.84 comment=Sulinet interface=ether3 network=\
255.255.255.248
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.248.0/22 dns-server=193.110.57.4,8.8.8.8 gateway=\
192.168.248.1
...
/ip firewall mangle
add action=mark-routing chain=prerouting comment="routing mark for KMS" \
dst-address=195.199.255.195 dst-port=1688 new-routing-mark=wan2KMS \
passthrough=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT WAN1-hez" out-interface=\
ether1 src-address=192.168.248.0/22
add action=masquerade chain=srcnat comment="NAT KMS-hez" dst-address=\
195.199.255.195 out-interface=ether3
/ip route
add comment="KMS on ether3" distance=1 dst-address=195.199.255.195/32 \
gateway=195.199.158.86 routing-mark=wan2KMS
add distance=1 dst-address=192.168.3.0/24 gateway=ether10
....
You assume that I am savvy enough to translate what you said into config.
I'll link my cfg export as well as most of the details; could you help me with an actual config pretty please?
Thanks in advance!
Kind regards,
IBR
Target telco router uses a public port with statis public IP addresses available, there is no NAT going on here.
I wish to use ethernet 3 as "to-KMS interface":
Static address: 195.199.158.84 / 29 (already set but disabled)
Gateway: 195.199.158.86
It uses its own DNS servers #These servers should only be used on this interface:
195.199.255.57
195.199.255.58
195.199.255.4
KMS server:
IP: 195.199.255.195
port: 1688
________________________________
Here is my cfg export, I hid some of the details, but they are not related to firewall settings.
# mar/12/2018 10:48:51 by RouterOS 6.41
# software id = 5IAZ-WMI5
#
# model = 2011UiAS
...
/ip pool
add name=dhcp_pool_1 ranges=192.168.249.1-192.168.251.254
/ip dhcp-server
add address-pool=dhcp_pool_1 disabled=no interface=ether5 lease-time=2d10m \
name=dhcp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.248.1/22 comment=LAN interface=ether5 network=\
192.168.248.0
add address=192.168.3.1 comment=_To_sec_contractor_LAN interface=ether10 \
network=255.255.255.0
add address=195.199.158.84 comment=Sulinet interface=ether3 network=\
255.255.255.248
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.248.0/22 dns-server=193.110.57.4,8.8.8.8 gateway=\
192.168.248.1
...
/ip firewall mangle
add action=mark-routing chain=prerouting comment="routing mark for KMS" \
dst-address=195.199.255.195 dst-port=1688 new-routing-mark=wan2KMS \
passthrough=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT WAN1-hez" out-interface=\
ether1 src-address=192.168.248.0/22
add action=masquerade chain=srcnat comment="NAT KMS-hez" dst-address=\
195.199.255.195 out-interface=ether3
/ip route
add comment="KMS on ether3" distance=1 dst-address=195.199.255.195/32 \
gateway=195.199.158.86 routing-mark=wan2KMS
add distance=1 dst-address=192.168.3.0/24 gateway=ether10
....
Last edited by bajzaadmin on Mon Mar 12, 2018 11:51 am, edited 1 time in total.
Re: config help request: reaching KMS servers through a particular interface
Actually, it can be even simpler, if all traffic to KMS server address can use second WAN:
If you'd want to only send specific port there, it can be done like this:
In both cases, you'll most likely need masquerade on ether3.
Code: Select all
/ip address
add address=195.199.158.84/29 interface=ether3
/ip route
add dst-address=195.199.255.195/32 gateway=195.199.158.86Code: Select all
/ip address
add address=195.199.158.84/29 interface=ether3
/ip route
add dst-address=0.0.0.0/0 gateway=195.199.158.86 routing-mark=wan2
/ip firewall mangle
add chain=prerouting dst-address=195.199.255.195 protocol=tcp dst-port=1688 \
action=mark-routing new-routing-mark=wan2-
-
bajzaadmin
newbie
- Posts: 48
- Joined:
Re: config help request: reaching KMS servers through a particular interface [SOLVED]
Hey there matey, thanks again!Actually, it can be even simpler, if all traffic to KMS server address can use second WAN:If you'd want to only send specific port there, it can be done like this:Code: Select all/ip address add address=195.199.158.84/29 interface=ether3 /ip route add dst-address=195.199.255.195/32 gateway=195.199.158.86In both cases, you'll most likely need masquerade on ether3.Code: Select all/ip address add address=195.199.158.84/29 interface=ether3 /ip route add dst-address=0.0.0.0/0 gateway=195.199.158.86 routing-mark=wan2 /ip firewall mangle add chain=prerouting dst-address=195.199.255.195 protocol=tcp dst-port=1688 \ action=mark-routing new-routing-mark=wan2
I've configured what you've suggested, but the route seems to be "unreachable".
Can you take a look at my cfg again? I've updated my previous post with the recent changes, and ommited irrelevant lines.
Thanks in advance!
Re: config help request: reaching KMS servers through a particular interface
Change the address to:
Code: Select all
/ip address
add address=195.199.158.84/29 interface=ether3-
-
bajzaadmin
newbie
- Posts: 48
- Joined:
Re: config help request: reaching KMS servers through a particular interface
Many kisses on your forehead bröder, it works like a charm now !!Change the address to:Code: Select all/ip address add address=195.199.158.84/29 interface=ether3
I must wonder, why on earth have I given a network mask when a network id was asked..
Anyhow, case is closed, KUDOS to you!