Hello All!

I want to point my local network to my CRS125-24G-1S-RM as the gateway. In the CRS125-24G-1S-RM I want to tell it that for all networks with 10.XXX.XXX.XXX to go out through my pfsense, Else Go out through the CRS125-24G-1S-RM gateway.

IE: 10.60.77.0/24 LAN.... non-routable addresses go to 10.60.77.1
Everything else go out though ether1-gateway.


How can I do that?

Thanks!

Also, If I can not choose a subnet, Can I do a host? If so how?

Thanks!

Your description is unclear, it appears to be recursive.
You you know basic IP routing?

lol I do... I just don't know how to say it the right way.

If my mikrotik is my gateway, how can I tell it to send non-routable addresses (meaning the internet) through my pfsense box? I know how to do this with a brocade but mikrotik is a whole different monster..

It still is not any clearer provide a network diagram so we can see the physical and IP relationships between the devices,.,.,.,.,.,.,.,.

It still is not any clearer provide a network diagram so we can see the physical and IP relationships between the devices,.,.,.,.,.,.,.,.

Look at the attached diagram

Are you saying that the mikrotik and Pfsense routers are both attached to the same modem?
That the modem provides two public IP addresses??

That the modem provides two public IP addresses??

That is right.

@anav, You dont happen to hang around the DSLReports Forum?

Code: Select all

/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsence

/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsence passthrough=no src-address=10.30.2.0/24

I think this is what I am looking for.
Thanks for the help.
All inputs/ideas/comments are still welcome.

Code: Select all

/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsense

/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsense passthrough=no src-address=10.30.2.0/24

It did the trick but is causing a huge performance degradation on going out to the internet... Not sure whats going on... It takes about 10 Seconds to resolve an address...
The DNS Server is pfsense....

yes the very same xcom, I was wondering about your nick LOL. I recently bought a hEX to play with.

yes the very same xcom, I was wondering about your nick LOL. I recently bought a hEX to play with.

LOL!
Small world after all!
Does are very nice. I own one and love it!

Okay so the diagram helped!
I now understand that mikrotik is responsible for handling an amount of the traffic from your networks to the ISP modem and to the internet.
However for some network traffic you want to be able to shift that traffic from the MIcrotik to the pFSENSE router and use a DNS the PSFSENSE router is dictating and then out the door, and on a separate public IP.

Here is my take on your situation. Overly complicated!
Why not use the mikrotik to do both?? Get rid of pfsense, the p is for PUNT!!!

ISP1 - Mikrotik interface ether1
ISP2 - Mikcrotik interface ether10

Create
BridgeMikcrotik ether2-5
BridgePFsense ether3-9

Assign
Ip address Bridgemikrotik 192.168.88.1/24 network 192.168.88.0
IP address BridgePFsense 10.60.77.1/24 network 10.60.77.0

IP interface list
WAN
isp1
isp2
LAN
BridgeMikrotik
BridgePFsense

Assign DHCP servers and pools as appropriate.

Routes and Mangles ( a new combo chips & fruit snack I will invent)
There is two ways I would think about doing this and remember I am a complete newb at this router.
1. a. assign route rules such that mikrotik is default go to router for internet traffic, with old pfsense route as secondary and not used unless primary fails.
b. mark thru mangle rule oldpfsense traffic and tell it to go through ISP2 with another route rule

OR
2. assign both interfaces mangle rules and route rules separately.

1. route mikrotik
0.0.0.0/0
interface: actual gateway IP of ISP1
distance = 1
ping gateway

route oldpfsense
0.0.0.0/0
interface: actual gateway IP of ISP2
distance=2

Mangle Rule for oldpfsense traffic,
Chain - prerouting
Source address 10.60.77.0 ****
In-Interface: LAN
Action TAB
action - mark routing
new routing mark - OldPF

route
0.0.0.0/0
gateway IP - actual IP of ISP2 Gateway
Routing mark - OldPF

OR Approach

2. Two routes and two mangle rules........

route mikrotik
0.0.0.0/0
interface: actual gateway IP of ISP1
routing mark - mikrotik_traffic

route oldpfsense
0.0.0.0/0
interface: actual gateway IP of ISP2
routing mark - pfsense_traffic

Mangle Rule for mikrotic traffic,
Chain - prerouting
Source address 192.168.88.0 ****
In-Interface: LAN
Action TAB
action - mark routing
new routing mark - mikrotik_traffic

Mangle Rule for oldpfsense traffic,
Chain - prerouting
Source address 10.60.77.0 ****
In-Interface: LAN
Action TAB
action - mark routing
new routing mark - pfsense_traffic

There you have it, and hopefully the sobs and solars of the world will point out where I have gone horribly wrong.
**** I am not sure how to actually describe source address as from any IP within the particular LAN is it 192.168.88.0 or 192.168.88.0/0


PS....... DNS hmmmmm I am piss poor at understand how DNS works on any router but suggest at the DCHP server settings under the NETWORK TAB, there is a spot, normally blank for you to put in the DNS server of your choice vice the default ISP ones normally used. If I am not mistaken the Mikrotik will use the ones you setup first (can be more than one) prior to using the ISP DNS servers.

On the other hand there is a more direct IP DNS settings tab. Here one can see a blank spot at the top perhaps to add servers and below this it shows the default ISP DNS servers being used.
However at this spot I am not sure what use it is if you have TWO WANS? The DHCP server Network Tab seems more useful in that you are telling each network to use a specific DNS server.

I would like to kinow the purpose and hierarchy of this IP DNS Tab.
For example if one puts a specific DNS server under the IP DNS Tab does that automatically overide the default DNS servers from ISP for all networks?
For example if one puts a specific DNS Server under the IP DNS Tab does that automatcially overide the DHCP SERVER additions one could make at the Networks Tab?
What is the relationship??

So your options work and like the others is what I need.
But what I dont understand is... As soon as I make the changes... Internet out pfsense slows down... I actually thought it was DNS but is not. a simple curl to get an IP response over the internet takes over 5 seconds.

Hence my suggestion to only use the mikrotik and Punt the pfsense unit out the door, down the street and into a body of water of your choice............... (probably to join your old zyxel unit).

Hence my suggestion to only use the mikrotik and Punt the pfsense unit out the door, down the street and into a body of water of your choice............... (probably to join your old zyxel unit).

I wish I could anav. LOL
Work has me tide down to it.

I would need some serious help to transition from pfsense to Mikrotik, Trust me when I say I really want too.... The other part is that I would need something like a Mikrotik RouterBoard RB1100AHx4
Because of work, I have to proxy and we use openvpn.

Thoughts?

No unfortunately, way above my pay grade LOL.

No unfortunately, way above my pay grade LOL.

Bah!
LOL!

Use Tools>Traceroute with routing-table=pfsense and see if it shows you where the bottleneck is. Compare to routing-table=main.

And/Or

Connect a device directly to the pfsense and see if you get the same results.

Use Tools>Traceroute with routing-table=pfsense and see if it shows you where the bottleneck is. Compare to routing-table=main.

And/Or

Connect a device directly to the pfsense and see if you get the same results.

Systems with gateway out through the pfsense have no issues.

Change your mangle rule from src-address=10.30.2.0/24 to src-address-list=pfsense and create address-list=pfsense address=10.30.2.3-10.30.2.254.

And make sure your not catching that traffic with a src-nat rule or something silly like that.

And as always, a /export hide-sensitive is always appreciated!

Working on it!

Another thing I just thought of, is the port your pfsense connected to part of your LAN or is it isolated like a WAN?

Yes pfsense has one leg in the mikrotik switch and is part of my Lan all living under one subnet.... Than it has another leg carrying its own wan.

And as always, a /export hide-sensitive is always appreciated!

hide-sensitive really does not hide sensitive...

hide-sensitive really does not hide sensitive...

and you can download the created export.rsc file and edit with your favorite text editor.

Is there a reason to have the pfsense in the same IP Scope as your LAN? Could you change it to a different IP scope?

hide-sensitive really does not hide sensitive...

Code: Select all

/export filename=export

and you can download the created export.rsc file and edit with your favorite text editor.

Is there a reason to have the pfsense in the same IP Scope as your LAN? Could you change it to a different IP scope?

I think that what I am trying to do by design is just plain broken due to the fact that both devices have their own GW and both leave under the same subnet.... I think that it has to be ether or and make ether device decide which GW to use... Meaning what ever device I decide to make primary has to handle which GW to use for which ever traffic....
Like Anav posted... I made things overly complicated by trying to fix a broken design...
I think I am going leave this one alone unless you really think we can make everybody get along under the same roof.... Though thoughts are still welcome

No, I think it is something simple that is being overlooked somewhere. Either a setting on the Mikrotik or on pfsense.

I just setup a test running pfsense on a virtual machine on my desktop with two virtual nics. My router is 192.168.88.1/24 on bridge1. pfsense LAN is Static to 192.168.88.5. I set 192.168.254.1/24 also on bridge1 on my router and set 192.168.254.2 on pfsense WAN. Using the mangle code I provided originally (modified to my IP’s) and Route (modified to 192.168.88.5), I have no issues what so ever. A tracert from my desktop shows it going from my router to LAN of pfsense, then out the WAN of pfsense and back to my router and out my isp. And did so without even a blip!

No, I think it is something simple that is being overlooked somewhere. Either a setting on the Mikrotik or on pfsense.

I just setup a test running pfsense on a virtual machine on my desktop with two virtual nics. My router is 192.168.88.1/24 on bridge1. pfsense LAN is Static to 192.168.88.5. I set 192.168.254.1/24 also on bridge1 on my router and set 192.168.254.2 on pfsense WAN. Using the mangle code I provided originally (modified to my IP’s) and Route (modified to 192.168.88.5), I have no issues what so ever. A tracert from my desktop shows it going from my router to LAN of pfsense, then out the WAN of pfsense and back to my router and out my isp. And did so without even a blip!

Ok, That sounds very promising!
Here is what I got on my code:

/interface bridge
add admin-mac= auto-mac=no fast-forward=no mtu=1500 name=\
bridge-local
add fast-forward=no mtu=1500 name=bridge-trunk
/interface ethernet
set [ find default-name=ether1 ] mac-address= name=\
ether1-gateway
set [ find default-name=ether2 ] mac-address= name=\
ether2-master-local
set [ find default-name=ether3 ] mac-address= name=\
ether3-slave-local
set [ find default-name=ether4 ] mac-address= name=\
ether4-slave-local
set [ find default-name=ether5 ] mac-address= name=\
ether5-slave-local
set [ find default-name=ether6 ] mac-address= name=\
ether6-slave-local
set [ find default-name=ether7 ] mac-address= name=\
ether7-slave-local
set [ find default-name=ether8 ] mac-address= name=\
ether8-slave-local
set [ find default-name=ether9 ] mac-address= name=\
ether9-slave-local
set [ find default-name=ether10 ] mac-address= name=\
ether10-slave-local
set [ find default-name=ether11 ] mac-address= name=\
ether11-slave-local
set [ find default-name=ether12 ] mac-address= name=\
ether12-slave-local
set [ find default-name=ether13 ] mac-address= name=\
ether13-slave-local
set [ find default-name=ether14 ] mac-address= name=\
ether14-slave-local
set [ find default-name=ether15 ] mac-address= name=\
ether15-slave-local
set [ find default-name=ether16 ] mac-address= name=\
ether16-slave-local
set [ find default-name=ether17 ] mac-address= name=\
ether17-slave-local
set [ find default-name=ether18 ] mac-address= name=\
ether18-slave-local
set [ find default-name=ether19 ] mac-address= name=\
ether19-slave-local
set [ find default-name=ether20 ] mac-address= name=\
ether20-slave-local
set [ find default-name=ether21 ] mac-address= name=\
ether21-slave-local
set [ find default-name=ether22 ] mac-address= name=\
ether22-slave-local
set [ find default-name=ether23 ] mac-address= name=\
ether23-slave-local
set [ find default-name=ether24 ] mac-address= name=\
ether24-slave-local
set [ find default-name=sfp1 ] mac-address= name=\
sfp1-gateway
/interface vlan
add interface=bridge-local name=vlan2 vlan-id=2
add interface=bridge-local name=vlan3 vlan-id=3
/interface list
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vlan2 ranges=10.30.XX.100-10.30.XX.200
add name=vlan3 ranges=10.30.XX.100-10.30.XX.200
add name=dhcp_pool1 ranges=10.30.XX.1,10.XX.2.100-10.30.XX.254
/ip dhcp-server
add address-pool=vlan2 authoritative=after-2sec-delay disabled=no interface=\
vlan2 lease-time=3d name=server1-wireless
add address-pool=vlan3 authoritative=after-2sec-delay disabled=no interface=\
vlan3 lease-time=3d name=dmz_vlan3
add address-pool=dhcp_pool1 authoritative=after-2sec-delay interface=\
bridge-local name=dhcp1
/queue simple
add name=VoIP packet-marks=VoIP priority=2/2 target=10.30.XX.0/24
add max-limit=20M/100M name="Internal Network" priority=3/3 target=\
bridge-local,bridge-local
/snmp community
set [ find default=yes ] addresses=10.30.XX.13/32,10.30.XX.34/32
/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local disabled=yes hw=no interface=ether1-gateway
add bridge=bridge-local hw=no interface=sfp1-gateway
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-local interface=ether6-slave-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
add bridge=bridge-local interface=ether11-slave-local
add bridge=bridge-local interface=ether12-slave-local
add bridge=bridge-local interface=ether13-slave-local
add bridge=bridge-local interface=ether14-slave-local
add bridge=bridge-local interface=ether15-slave-local
add bridge=bridge-local interface=ether16-slave-local
add bridge=bridge-local interface=ether17-slave-local
add bridge=bridge-local interface=ether18-slave-local
add bridge=bridge-local interface=ether19-slave-local
add bridge=bridge-local interface=ether20-slave-local
add bridge=bridge-local interface=ether21-slave-local
add bridge=bridge-local interface=ether22-slave-local
add bridge=bridge-local interface=ether23-slave-local
add bridge=bridge-local interface=ether24-slave-local
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch port
set 0 dscp-based-qos-dscp-to-dscp-mapping=no
set 1 dscp-based-qos-dscp-to-dscp-mapping=no
set 2 dscp-based-qos-dscp-to-dscp-mapping=no
set 3 dscp-based-qos-dscp-to-dscp-mapping=no
set 4 dscp-based-qos-dscp-to-dscp-mapping=no
set 5 dscp-based-qos-dscp-to-dscp-mapping=no
set 6 dscp-based-qos-dscp-to-dscp-mapping=no
set 7 dscp-based-qos-dscp-to-dscp-mapping=no
set 8 dscp-based-qos-dscp-to-dscp-mapping=no
set 9 dscp-based-qos-dscp-to-dscp-mapping=no
set 10 dscp-based-qos-dscp-to-dscp-mapping=no
set 11 dscp-based-qos-dscp-to-dscp-mapping=no
set 12 dscp-based-qos-dscp-to-dscp-mapping=no
set 13 dscp-based-qos-dscp-to-dscp-mapping=no
set 14 dscp-based-qos-dscp-to-dscp-mapping=no
set 15 dscp-based-qos-dscp-to-dscp-mapping=no
set 16 dscp-based-qos-dscp-to-dscp-mapping=no
set 17 dscp-based-qos-dscp-to-dscp-mapping=no
set 18 dscp-based-qos-dscp-to-dscp-mapping=no
set 19 dscp-based-qos-dscp-to-dscp-mapping=no
set 20 dscp-based-qos-dscp-to-dscp-mapping=no
set 21 dscp-based-qos-dscp-to-dscp-mapping=no
set 22 dscp-based-qos-dscp-to-dscp-mapping=no
set 23 dscp-based-qos-dscp-to-dscp-mapping=no
set 24 dscp-based-qos-dscp-to-dscp-mapping=no
set 25 dscp-based-qos-dscp-to-dscp-mapping=no
/interface list member
add interface=ether2-master-local list=mactel
add interface=sfp1-gateway list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=sfp1-gateway list=mac-winbox
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=10.30.XX.0/24
/ip address
add address=10.30.XX.2/24 comment="default configuration" interface=\
ether2-master-local network=10.30.XX.0
add address=MYEXTIP/29 interface=ether1-gateway network=MYEXTIPNETWORK
add address=10.30.XX.1/24 interface=vlan2 network=10.30.XX.0
add address=10.30.XX.1/24 interface=vlan3 network=10.30.XX.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dhcp-server network
add address=10.30.XX.0/24 comment="default configuration" dns-server=10.30.XX.1 \
gateway=10.30.XX.2 netmask=24 next-server=192.168.88.1
add address=10.30.XX.0/24 dns-server=8.8.8.8 gateway=10.30.XX.1
add address=10.30.XX.0/24 dns-server=8.8.8.8 gateway=10.30.XX.1
/ip dns
set allow-remote-requests=yes servers=10.30.2.1
/ip dns static
add address=10.30.XX.2 name=router
/ip firewall address-list
add address=10.0.0.0/8 list=bogons
add address=172.16.0.0/26 list=bogons
add address=192.168.0.0/16 list=bogons
/ip firewall filter
add action=log chain=forward dst-address-list=bogons in-interface=vlan2
add action=accept chain=forward comment="default configuration" \
connection-state=established
add action=accept chain=forward comment="default configuration" \
connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall mangle
add action=mark-packet chain=forward new-packet-mark=VoIP passthrough=yes \
src-address=10.30.XX.53
add action=mark-packet chain=forward dst-address=10.30.XX.53 new-packet-mark=\
VoIP passthrough=yes
add action=mark-routing chain=prerouting dst-address=!10.30.XX.3-10.30.XX.254 \
in-interface=bridge-local new-routing-mark=mikrotik passthrough=no \
src-address=10.30.XX.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=10.30.XX.1 routing-mark=pfsense
add distance=1 gateway=MYEXTGW routing-mark=mikrotik
add check-gateway=ping distance=1 dst-address=10.30.XX.0/24 gateway=10.30.XX.1
add check-gateway=ping disabled=yes distance=1 dst-address=10.60.XX.0/24 \
gateway=10.30.XX.1
add check-gateway=ping distance=1 dst-address=172.29.XX.0/16 gateway=10.30.XX.1
add check-gateway=ping distance=1 dst-address=172.30.XX.0/16 gateway=10.30.XX.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
/lcd
set backlight-timeout=1h30m default-screen=stats
/lcd interface pages
set 0 interfaces="ether1-gateway,ether2-master-local,ether3-slave-local,ether4\
-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ethe\
r8-slave-local,ether9-slave-local"
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system leds
set 0 interface=ether1-gateway leds=""
/system ntp client
set enabled=yes primary-ntp=162.210.196.6 secondary-ntp=50.7.0.66
/tool e-mail
set address=10.30.XX.51 from=switch@domain
/tool graphing interface
add allow-address=10.30.XX.0/24
add allow-address=172.30.XX.0/24
/tool graphing resource
add allow-address=10.30.XX.0/24
add allow-address=172.30.XX.0/24
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon port
add

BumP

Send $$$$ ;-PPP

What is the purpose of the IP neighbour discovery being set to everything but dynamic addresses??


your inteface list makes no sense to me,
THe purpose of the list is to define what is WAN and what is LAN.

Lastly I would have to better understand what the heck your mangle rule is doing.............. and what a mess the IP route seems to be...
Butt ugly IMHO

So the Mikrotik only has access to ISP1 through ether1 and The PFsense only has access to ISP2.
Gateway IP of ISP1?? xx.yy.cc.vv

You seem to have three networks, the standard default LAN 192.168.88.x
and you have two VLANs but not sure for what??
SHould I assume 10.30.2.5 is for VLAN2 and 10.30.2.4 is for VLAN1??

Now nowhere in the thread can I find what the trigger is for 10.30.2.5 traffic to go to ISP2 vice ISP1.
Thus I am going to assume that the destination of the traffic from 10.30.2.5 is the trigger???
But I do not know if the trigger is the LAN gateway destination (Ie the PFSENSE 10.30.2.1)) or the ISP2 Gateway being the trigger ?????

Or is it via VLAN.
In other words 10.30.5.2 device is smart enough to send out ISP1 traffic on VLAN1 and ISP2 traffic on VLAN2???

Okay reading more slowly, basically the idea is this
All traffic from 10.30.2.5 intended for LAN destinations should use the Mikrotik LAN network
When 10.30.2.5 traffic needs to reach the internet it must go out the PFSENSE and ISP2.

Well eff me gently cause I have no clue on how to handle that.
Other than state when source address is 10.30.2.5 and destination is a WANIP, then mark this traffic in a Mangle Rule.
THen Route this traffic to the pfsense gateway.

Then use another mangle rule to identify all traffic coming into the pfsense gateway
then route this traffic to ISP2

Am I close LOL.
As per most posts the logic is missing or not explained of what exactly the program is functionally doing and thus I dont learn a damn thing

/me takes a deep breath...

Ok.... Accounting for everything else and not local? I Only want to know what my vlans consume. Local is just me and I account for that in the pfsense.

vlan 2 and 3 are Guest vlan and test vlan

The dhcp pools the default one is disable. The rest are for the vlans. I also have one in there as the local network for a "Just in case"

The routes I agree is a cluster fuck but I was just testing. I deleted most of them.

The Mangle rules are advices that I got on this thread. Look further up and you will see what they mean.
With the exception of the mangle rule for QoS.

Can I rename my ports without causing down time?

What do have for: Set arp=proxy-arp and protocol-mode==none.

You can change Interface names with out any down time. Any rule you have pointing to that interface will change with out it breaking any thing.

What do have for:

Code: Select all

/interface bridge print

Set arp=proxy-arp and protocol-mode==none.

You can change Interface names with out any down time. Any rule you have pointing to that interface will change with out it breaking any thing.

[admin@MikroTik] > /interface bridge print
Flags: X - disabled, R - running
0 R name="bridge-local" mtu=1500 actual-mtu=1500 l2mtu=1588 arp=enabled arp-timeout=auto mac-address= protocol-mode=rstp fast-forward=no igmp-snooping=no
priority=0x8000 auto-mac=no admin-mac=4C:5E:0C:95:6D:76 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m region-name="" region-revision=0
max-hops=20 vlan-filtering=no pvid=1

1 R name="bridge-trunk" mtu=1500 actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address= protocol-mode=rstp fast-forward=no igmp-snooping=no
priority=0x8000 auto-mac=yes max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m region-name="" region-revision=0 max-hops=20 vlan-filtering=no
pvid=1
[admin@MikroTik] >

bridge-trunk is nothing and has no traffic... Well I think... I vaguely remember creating that.

Set arp=proxy-arp and protocol-mode==none.

You want me to set those options?

Set arp=proxy-arp and protocol-mode==none.

You want me to set those options?

Yes, try those settings on your bridge.

Set arp=proxy-arp and protocol-mode==none.

You want me to set those options?

Yes, try those settings on your bridge.

Can you tell me how to run the command? Cant seem to see it under /ip arp...

Thanks!

Clue XCOM - Bridge settings my friend, in WINBOX

Clue XCOM - Bridge settings my friend, in WINBOX

Ah.... I dont use Winbox, Linux here.
Ill spin up my VM and run it.

Edit:
You can also use the interface name like:

2frogs, how is the traffic on 10.30.2.5 that is destined for ISP2 (internet bound) sent to the pfsense and then out to ISP2 (where all the 10.30.2.5 other traffic is simply interlan traffic that intereacts with the MIkrotik router).
As Led Zepplin said....... Dazed and Confused!!
I cannot figure out from the rules how this is being done??

@ Anav This creates a route for 0.0.0.0/0 (which basically means anything not local) to go out gateway=10.30.2.1(which is the pfsence), but only if it has a routing-mark=pfsence.
This is where we set the routing-mark=pfsence with a src-address=10.30.2.0/24 (which means any address from that range) going to dst-address=!10.30.2.0/24(which means any address NOT(!=not) 10.30.2.0/24, basically 0.0.0.0/0) and chain=prerouting(means we do this before routing desicion is made).

Hope this helps.

@ Anav

Code: Select all

/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsense

This creates a route for 0.0.0.0/0 (which basically means anything not local) to go out gateway=10.30.2.1(which is the pfsence), but only if it has a routing-mark=pfsence.

Code: Select all

/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsense passthrough=no src-address=10.30.2.0/24

This is where we set the routing-mark=pfsence with a src-address=10.30.2.0/24 (which means any address from that range) going to dst-address=!10.30.2.0/24(which means any address NOT(!=not) 10.30.2.0/24, basically 0.0.0.0/0) and chain=prerouting(means we do this before routing desicion is made).

Hope this helps.

I did the same for my vlans and works like a champ. Is just the forwarding of the traffic up to the pfsense that has a delay.

Did you try with the changes to bridge?

Okay,
So you answered one of my questions..........
Do you route to the ISP2 or to the PFSense and the answer is the PFSense, which now makes sense because the PFsense rules will take care of what then happens to that traffic and thus clearer.

BUT.......you do two things I didnt think of.

a. you didn't narrow down your rules to traffic coming from 10.30.2.5
b. you applied the mangle rule to all traffic from 10.30.2.0.

Although this works, I disagree with the logic applied because you made an assumption that is not clear and I think false.
1. that no traffic from 10.30.2.0 was also destined for ISP1

In other words, you didnt take into account traffic from 10.30.2.4, the other box, that might be destined for ISP1.
In summary, you lumped in all traffic NOT going from the LAN to other LAN devices, as the mangle rule, and then routed this traffic to ISP2.

I would like comments from 2frogs and Xcom on the above analysis.
SHOOT ME DOWN please.

@Anav

Hello All!

I want to point my local network to my CRS125-24G-1S-RM as the gateway. In the CRS125-24G-1S-RM I want to tell it that for all networks with 10.XXX.XXX.XXX to go out through my pfsense, Else Go out through the CRS125-24G-1S-RM gateway.

IE: 10.60.77.0/24 LAN.... non-routable addresses go to 10.60.77.1
Everything else go out though ether1-gateway.


How can I do that?

Thanks!

This, the original post is where I got for the whole IP scope, although i used then IP's from his diagram.

@Anav

Hello All!

I want to point my local network to my CRS125-24G-1S-RM as the gateway. In the CRS125-24G-1S-RM I want to tell it that for all networks with 10.XXX.XXX.XXX to go out through my pfsense, Else Go out through the CRS125-24G-1S-RM gateway.

IE: 10.60.77.0/24 LAN.... non-routable addresses go to 10.60.77.1
Everything else go out though ether1-gateway.


How can I do that?

Thanks!

This, the original post is where I got for the whole IP scope, although i used then IP's from his diagram.

Concur, that on the surface it looks okay, but its not clear to me what if any traffic goes out ISP 1 then???
It appears all traffic from 10.30.2.0 devices with destination to something other than 10.30.2.0 addresses (non-local) get sent to the PFsense and thus out ISP2 ???

@Anav

Hello All!

I want to point my local network to my CRS125-24G-1S-RM as the gateway. In the CRS125-24G-1S-RM I want to tell it that for all networks with 10.XXX.XXX.XXX to go out through my pfsense, Else Go out through the CRS125-24G-1S-RM gateway.

IE: 10.60.77.0/24 LAN.... non-routable addresses go to 10.60.77.1
Everything else go out though ether1-gateway.


How can I do that?

Thanks!

This, the original post is where I got for the whole IP scope, although i used then IP's from his diagram.

Concur, that on the surface it looks okay, but its not clear to me what if any traffic goes out ISP 1 then???
It appears all traffic from 10.30.2.0 devices with destination to something other than 10.30.2.0 addresses (non-local) get sent to the PFsense and thus out ISP2 ???

Anav,

This is not complex. What is it about the logic that is wrong?
Is actually working but there is a delay on the packet and I am thinking because of the mark there is in the packet....

It is a hack and it is broken by design because a L3 Switch can only have one Default route. Not two hence why we mark the packet and do post routing. Once the packet goes up stream to pfsense, pfsense than routes the packet accordingly... Is happening... But pfsense is not liking something... That something is why I am seen a delay... We are getting there!

you didnt answer the question directly XCOM.
What I needed to hear was

a. all non-local traffic from the 10.30.2.0 network (regardless if from 10.30.2.4 or 10.30.2.5) ie needs to go to the internet shall get routed to the PFSENSE device (for eventual TX thru ISP2)

b. no traffic from 10.30.2.0 network is required to go out ISP1 (regardless if from 10.30.2.4 or 10.30.2.5)

Logic is fallible when you miss out parts............

please confirm!

you didnt answer the question directly XCOM.
What I needed to hear was

a. all non-local traffic from the 10.30.2.0 network (regardless if from 10.30.2.4 or 10.30.2.5) ie needs to go to the internet shall get routed to the PFSENSE device (for eventual TX thru ISP2)

b. no traffic from 10.30.2.0 network is required to go out ISP1 (regardless if from 10.30.2.4 or 10.30.2.5)

Logic is fallible when you miss out parts............

please confirm!

All 10.30.2.0/24 Goes out to the internet through pfsense. Evertyhing else (My vlans) out to the internet through Mikrotik.

Thanks, the seas have parted, I am going to cross the ocean bottom to the promised land to MT programming.

I hope you can see where I was uncertain.................
In your diagram you explicitly stated that 10.30.2.5 internet traffic had to go via the PFSENSE unit but there was no mention of the 10.30.2.4 which threw me off.
Where was 10.30.2.4s internet traffic going?? I asked myself.

It would have been less confusing if the statement was all 10.30.2.0 traffic or all traffic from 10.30.2.4 and 10.30.2.5 that had to go out the internet needed routing through the pfsense.

I understand now that only the 10.30.2.5 box has any requirement to go out the internet............

I quite like 2frogs method of stating, mark any traffic from 10.30.2.0/24 that is not going to 10.30.2.0/24 LOL
route this marked traffic to the pfsense.

On the other hand this would have worked as well too.
mark any traffic from 10.30.2.5 that is not going to 10.30.2.0/24
route this marked traffic to the pfsense.

I like this rule better because it is more focussed, and the MT CPU will not be bogged down inspecting all 10.30.2.0 traffic in the mangle rule.
/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsense
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsense passthrough=no src-address=10.30.2.5

thoughts??

as to why pfsense is slowing down the traffic ???

Thanks, the seas have parted, I am going to cross the ocean bottom to the promised land to MT programming.

I hope you can see where I was uncertain.................
In your diagram you explicitly stated that 10.30.2.5 internet traffic had to go via the PFSENSE unit but there was no mention of the 10.30.2.4 which threw me off.
Where was 10.30.2.4s internet traffic going?? I asked myself.

It would have been less confusing if the statement was all 10.30.2.0 traffic or all traffic from 10.30.2.4 and 10.30.2.5 that had to go out the internet needed routing through the pfsense.

I understand now that only the 10.30.2.5 box has any requirement to go out the internet............

I quite like 2frogs method of stating, mark any traffic from 10.30.2.0/24 that is not going to 10.30.2.0/24 LOL
route this marked traffic to the pfsense.

On the other hand this would have worked as well too.
mark any traffic from 10.30.2.5 that is not going to 10.30.2.0/24
route this marked traffic to the pfsense.

I like this rule better because it is more focussed, and the MT CPU will not be bogged down inspecting all 10.30.2.0 traffic in the mangle rule.
/ip route add distance=1 gateway=10.30.2.1 routing-mark=pfsense
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!10.30.2.0/24 new-routing-mark=pfsense passthrough=no src-address=10.30.2.5

thoughts??

as to why pfsense is slowing down the traffic ???

Thats a good sugestion and yes I like it better instead of the whole subnet.
I found the problem!

LAN THEPUBLICIPOFMIKROTIK:5060 REGISTRATIONSERVER:5060 UDP

Mikrotik is passing the packets with the external address. WTF
LOL
Now I am the one that is puzzled.

Traffic from where is going out the mikrotik??
Are you sure the source is 10.30.2.5
Are you sure this is not lan traffic leaking out the mikrotik or is it traffic intended for the internet??

Traffic from where is going out the mikrotik??
Are you sure the source is 10.30.2.5
Are you sure this is not lan traffic leaking out the mikrotik or is it traffic intended for the internet??

Yes.
Its an asterisk server trying to qualify a registration server. This is .5. And is trying to go out of the pfsense as instructed by the preroute but SOMEHOW is going via the Mikrotik GW and inside the LAN. and because is inside the LAN with a public address, Is been blocked.

Try narrowing down the mangle rule to 10.30.2.5
although its probably some other cockup in the rules maybe a srcnat situation ???

Try narrowing down the mangle rule to 10.30.2.5
although its probably some other cockup in the rules maybe a srcnat situation ???

I did set the source to. 5
Its funny you say that the GW port of the mikrotik is set to NAT. Is it not suppose to?

I would assume its set correctly ie the mikrotik router for all outgoing connections to ISP1 has masquerate applied.

Not sure how the 10.30.2.0 packets are getting confused in the mix though..........
I read something about preventing packets leaking out of the LAN but cannot remember where...............


Maybe you need a masquerade rule to the pfsense? for 10.30.2.0 traffic???

I would assume its set correctly ie the mikrotik router for all outgoing connections to ISP1 has masquerate applied.

Not sure how the 10.30.2.0 packets are getting confused in the mix though..........
I read something about preventing packets leaking out of the LAN but cannot remember where...............


Maybe you need a masquerade rule to the pfsense? for 10.30.2.0 traffic???

I hope somebody can chime in.... This is causing chaos