esantos999
just joined
Topic Author
Posts: 20
Joined: Sat Apr 18, 2015 5:07 pm

2 WAN -> 2 LAN. Need access from VPN to the 2 LAN's but no connection

Fri Nov 02, 2018 9:04 pm

Hi,

I have a customer that needed 2 different WANs connecting to 2 different LANs. I installed a 16-port managed switch with 2 VLANs (VLAN1, VLAN2). Ports 1 to 8 are VLAN1 and ports 9 to 15 are VLAN2, untagged. On port 16 I have VLAN1 and VLAN2 tagged. Then I installed an RB750Gr3 with this port configuration: ether1-WAN1, ether2-WAN2, ether3-LAN (with VLAN1 and VLAN2 tagged). This last port connects to port 16 of the switch. Port ether1-WAN1 has the IP 192.168.10.2, connecting to the router for WAN1 with IP 192.168.10.1. Port ether2-WAN2 has the IP 192.168.20.2, connecting to the router for WAN1 with IP 192.168.20.1.

IP configuration:
/ip address
add address=192.168.1.254/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.254/24 interface=vlan2 network=192.168.2.0
add address=192.168.10.2/24 interface=ether1-WAN1 network=192.168.10.0
add address=192.168.20.2/24 interface=ether2-WAN2 network=192.168.20.0

I managed to separate the WANs for each LAN with this code:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="LAN1 -> WAN1" dst-address=0.0.0.0 new-routing-mark=WAN1 passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="LAN2 -> WAN2" dst-address=0.0.0.0 new-routing-mark=WAN2 passthrough=yes src-address=192.168.2.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment=WAN1 out-interface=ether1-WAN1
add action=masquerade chain=srcnat comment=WAN2 out-interface=ether2-WAN2

/ip route
add distance=1 gateway=192.168.10.1 routing-mark=WAN1
add distance=1 gateway=192.168.20.1 routing-mark=WAN2
add distance=2 gateway=192.168.10.1

The customer doesn't want access from LAN1 to LAN2 and vice versa, but on LAN2 they need to access two printers on LAN1. I configured the firewall like this and it works:
/ip firewall filter
add action=accept chain=forward dst-address-list=printers src-address=192.168.2.0/24
add action=reject chain=forward dst-address=192.168.2.0/24 reject-with=icmp-network-unreachable src-address=192.168.1.0/24

/ip firewall address-list
add address=192.168.1.200 list=printers
add address=192.168.1.201 list=printers

I need to access each LAN from outside via VPN, but no connection is made. On each edge router I have NATed port 1723 to each WAN IP address (1723->192.168.10.2, 1723->192.168.20.2).
I've configured PPTP:
/interface pptp-server server set enabled=yes

/ppp secret
add local-address=192.168.1.254 name=user1 password=******** profile=default-encryption remote-address=192.168.1.20 service=pptp
I believe I need something with Mangle, but I'm not used to that. Can someone please help me?
 
vasilaos
Member Candidate
Posts: 120
Joined: Tue Aug 04, 2009 9:50 am

Re: 2 WAN -> 2 LAN. Need access from VPN to the 2 LAN's but no connection

Fri Nov 02, 2018 11:10 pm

Along with TCP port 1723, which allows PPTP tunnel maintenance traffic, you also need to allow PPTP tunneled data to pass through the router, so you need to open Protocol ID 47 (GRE). But consider that PPTP is no longer considered secure.
 
esantos999
just joined
Topic Author
Posts: 20
Joined: Sat Apr 18, 2015 5:07 pm

Re: 2 WAN -> 2 LAN. Need access from VPN to the 2 LAN's but no connection

Fri Nov 02, 2018 11:13 pm

I tried to NAT port 8291 (Winbox) too and doesn't work as well.

 
vasilaos
Member Candidate
Posts: 120
Joined: Tue Aug 04, 2009 9:50 am

Re: 2 WAN -> 2 LAN. Need access from VPN to the 2 LAN's but no connection

Fri Nov 02, 2018 11:18 pm

You haven't explained how you are trying to map ports yet. The IP addresses on your WAN interfaces are private IP addresses and are not routable through the internet, so you must be behind another router. Are you mapping ports on the edge router that has a real IP address reachable from the internet?
 
esantos999
just joined
Topic Author
Posts: 20
Joined: Sat Apr 18, 2015 5:07 pm

Re: 2 WAN -> 2 LAN. Need access from VPN to the 2 LAN's but no connection

Sat Nov 03, 2018 1:07 am

Sorry, I was not clear on that. So, I have the ISP router connected to the internet with a public IP. The private IP of this router is 192.168.10.1. I have another router with another public IP and with private IP 192.168.20.1. Each of these routers connects to the WAN1 and WAN2 ports on the MikroTik router.
 
esantos999
just joined
Topic Author
Posts: 20
Joined: Sat Apr 18, 2015 5:07 pm

Re: 2 WAN -> 2 LAN. Need access from VPN to the 2 LAN's but no connection

Wed Nov 07, 2018 8:51 pm

Today I went back to the customer and tried once more to NAT ports 1723 and 8291 on the ISP's router, and it worked. Now I can access Winbox and the VPN from outside.

But I have another problem that I can't solve.

The mangle rules I first posted are wrong:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="LAN1 -> WAN1" dst-address=0.0.0.0 new-routing-mark=WAN1 passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="LAN2 -> WAN2" dst-address=0.0.0.0 new-routing-mark=WAN2 passthrough=yes src-address=192.168.2.0/24

It should be like this (without the dst-address):
/ip firewall mangle
add action=mark-routing chain=prerouting comment="LAN1 -> WAN1" new-routing-mark=WAN1 passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="LAN2 -> WAN2" new-routing-mark=WAN2 passthrough=yes src-address=192.168.2.0/24

I need to access from vlan2 (192.168.2.0/24) only two printers on vlan1 (192.168.1.200 and 192.168.1.201), but it seems to me that the second mangle rule is redirecting the traffic to WAN2.

How can I let it pass to the vlan1 without going to WAN2?
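
The following is an added example, not part of any post in this thread: a simplified Python model of the prerouting mark-routing rules and routing tables posted above, showing where LAN2-to-printer traffic (and the printers' replies) leaves the router with the posted rules and with the local subnets excluded from marking (in RouterOS terms, a negated dst-address match such as dst-address=!192.168.1.0/24 on the mangle rule). Assumptions: connected routes exist only in the main table, a marked packet is looked up in its own table first and falls back to main, and the host 192.168.2.10 is a constructed sample address.

```python
from ipaddress import ip_address, ip_network

# Routing tables as posted: each marked table holds only a default route.
# Connected routes sit in the main table (model assumption).
ROUTES = {
    "WAN1": [("0.0.0.0/0", "ether1-WAN1")],
    "WAN2": [("0.0.0.0/0", "ether2-WAN2")],
    "main": [("192.168.1.0/24", "vlan1"), ("192.168.2.0/24", "vlan2"),
             ("192.168.10.0/24", "ether1-WAN1"),
             ("192.168.20.0/24", "ether2-WAN2"),
             ("0.0.0.0/0", "ether1-WAN1")],
}
LOCAL = ["192.168.1.0/24", "192.168.2.0/24"]

# Each rule: (src-address, new-routing-mark, destinations excluded from marking)
POSTED = [("192.168.1.0/24", "WAN1", []), ("192.168.2.0/24", "WAN2", [])]
EXCLUDING_LOCAL = [("192.168.1.0/24", "WAN1", LOCAL),
                   ("192.168.2.0/24", "WAN2", LOCAL)]

def in_any(addr, nets):
    return any(addr in ip_network(n) for n in nets)

def routing_mark(rules, src, dst):
    """Prerouting mangle: with passthrough=yes the last matching mark sticks."""
    mark = None
    for src_net, new_mark, excluded in rules:
        if src in ip_network(src_net) and not in_any(dst, excluded):
            mark = new_mark
    return mark

def lookup(table, dst):
    """Longest-prefix match inside one routing table; None if no route matches."""
    hits = [(ip_network(n), iface) for n, iface in ROUTES[table]
            if dst in ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def egress(rules, src, dst):
    """Interface a forwarded packet leaves on under the given mangle rules."""
    src, dst = ip_address(src), ip_address(dst)
    mark = routing_mark(rules, src, dst)
    # Marked packets resolve in their own table first, then fall back to main.
    return (mark and lookup(mark, dst)) or lookup("main", dst)

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("excluding local", EXCLUDING_LOCAL)):
        print(name, egress(rules, "192.168.2.10", "192.168.1.200"),
              egress(rules, "192.168.1.200", "192.168.2.10"))
```

The reply direction matters as much as the request: without the exclusion, the printers' answers are marked WAN1 and never return to vlan2.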