I have 3 DHCP servers like this, but I can't connect from 192.168.88.0/24 to 192.168.11.0/24 or 192.168.22.0/24 (and vice versa).
thanks in advance
# nov/03/2018 21:33:08 by RouterOS 6.43.4
# software id = 8N73-VK7Q
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 71AF072C6DF5
# Three bridges, one per intended uplink; the comment on each names the tunnel
# (l2tp-out1, l2tp-out2, ovpn-out1) its clients are meant to leave through.
/interface bridge
add comment=L2tp-out1 fast-forward=no name="Bridge-L2tp1 (MAIN)"
add comment=L2tp-out2 fast-forward=no name=Bridge-L2tp2
add comment=Ovpn-out1 fast-forward=no name=Bridge-Ovpn
# Physical ports: only the advertised link modes and a label are set.
# ether1 is the only member of the WAN interface list further down, so it is
# presumably the ISP uplink; ether2-ether5 are ports of the MAIN bridge.
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
Shatel
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
"Empty "
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
"DM 900"
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
"LG Oled B7"
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=Empty
# The two physical radios, both in ap-bridge mode. Neither line names a
# security-profile, so both use the default profile, which this export
# modifies in /interface wireless security-profiles.
# NOTE(review): wps-mode=disabled is set on wlan2 only; wlan1 keeps whatever
# WPS mode is the device default - confirm, and disable it there as well.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
comment="2 Ghz Wireless" country=iran disabled=no frequency=auto mode=\
ap-bridge ssid=Shahrestani-MikroTik-2ghz wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-eeeC comment="5 Ghz Wireless" country=iran disabled=no \
frequency=auto mode=ap-bridge ssid=Shahrestani-MikroTik-5ghz \
wireless-protocol=802.11 wps-mode=disabled
# The next two sections only carry the interface comments over.
/interface wireless nstreme
set wlan1 comment="2 Ghz Wireless"
set wlan2 comment="5 Ghz Wireless"
/interface wireless manual-tx-power-table
set wlan1 comment="2 Ghz Wireless"
set wlan2 comment="5 Ghz Wireless"
# OpenVPN client tunnel; add-default-route=yes lets it install a default route.
# NOTE(review): the user name and password are exported in clear text, and the
# same password value is reused by both L2TP clients and the SMB user in this
# export. Once published, every one of these credentials should be rotated,
# with a distinct value per service; on RouterOS 6 use `/export hide-sensitive`
# before sharing a configuration.
/interface ovpn-client
add add-default-route=yes certificate=England-UDP-old.ovpn_1 comment=\
"PPP - Ovpn1" connect-to=uk.ovadd.com mac-address=02:86:38:6D:63:D1 name=\
ovpn-out1 password=amirali port=1900 user=amirali_shahrestani
# Interface lists referenced later: `discover` by neighbor discovery,
# `mac-winbox` by the MAC-Winbox server, `WAN` by the first masquerade rule.
# `mactel` gets members below, but no setting in this export refers to it.
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
# LTE APN with passthrough pointed at Bridge-L2tp2; no LTE interface is
# configured anywhere else in this export.
/interface lte apn
set [ find default=yes ] apn=mcinet name=apn1 passthrough-interface=\
Bridge-L2tp2 passthrough-mac=auto
# Wi-Fi security profiles. The default profile is used by wlan1/wlan2,
# Wifi-Profile by the two virtual APs.
# NOTE(review): both profiles still allow WPA (wpa-psk) next to WPA2, and the
# default profile also allows TKIP. Restricting to
# authentication-types=wpa2-psk with aes-ccm ciphers removes the legacy modes.
# NOTE(review): one pre-shared key is used for WPA and WPA2 in both profiles,
# i.e. on all four SSIDs, and it is exported in clear text. It needs to be
# replaced; separate keys per SSID keep the VPN-bound networks apart.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=minoo5760 \
wpa2-pre-shared-key=minoo5760
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
dynamic-keys name=Wifi-Profile supplicant-identity=MikroTik \
wpa-pre-shared-key=minoo5760 wpa2-pre-shared-key=minoo5760
# Two virtual APs: one on wlan2 tagging client traffic with VLAN 40, one on
# wlan1 tagging with VLAN 20. Both use Wifi-Profile and have WPS disabled.
/interface wireless
add disabled=no mac-address=66:D1:54:52:37:5A master-interface=wlan2 name=\
"L2tp 2 -Wifi (Virtual)" security-profile=Wifi-Profile ssid=\
L2tp-Shahrestani vlan-id=40 vlan-mode=use-tag wds-default-bridge=\
"Bridge-L2tp1 (MAIN)" wps-mode=disabled
add disabled=no mac-address=66:D1:54:52:37:5B master-interface=wlan1 name=\
"Ovpn-Wifi (Virtual)" security-profile=Wifi-Profile ssid=Ovpn-Shahrestani \
vlan-id=20 vlan-mode=use-tag wds-default-bridge="Bridge-L2tp1 (MAIN)" \
wps-mode=disabled
# VLAN sub-interfaces stacked on the virtual APs; these are what get attached
# to Bridge-Ovpn (vlan20) and Bridge-L2tp2 (vlan40) in /interface bridge port.
/interface vlan
add comment=" Ovpn 1 Virtual Vlan" interface="Ovpn-Wifi (Virtual)" name=\
vlan20 vlan-id=20
add comment="L2tp 2 Virtual Vlan" interface="L2tp 2 -Wifi (Virtual)" name=\
vlan40 vlan-id=40
# Layer-7 pattern the mangle rules use to tag YouTube traffic. The dots inside
# the host names are not escaped, so each one matches any character.
/ip firewall layer7-protocol
add name="Youtube BandWidth" regexp=\
"^..+\\.(youtube.com|googlevideo.com|akamaihd.net).*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# One pool per LAN subnet plus one for incoming VPN clients.
# NOTE(review): the vpn pool ends at .255, the broadcast address if
# 192.168.89.0 is used as a /24 - confirm and end the range at .254.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.11.10-192.168.11.254
add name=dhcp_pool7 ranges=192.168.22.10-192.168.22.254
# One DHCP server per bridge: dhcp1 -> 192.168.88.x, dhcp2 -> 192.168.11.x,
# dhcp3 -> 192.168.22.x.
/ip dhcp-server
add address-pool=dhcp disabled=no interface="Bridge-L2tp1 (MAIN)" name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=Bridge-Ovpn name=dhcp2
add address-pool=dhcp_pool7 disabled=no interface=Bridge-L2tp2 name=dhcp3
# PPP profile handed to incoming VPN users: router side 192.168.89.1, client
# addresses from pool `vpn`, DNS 192.168.88.1. *FFFFFFFE is an internal id
# printed by the exporter - presumably the built-in default-encryption
# profile; confirm on the device.
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.89.1 \
remote-address=vpn
# Two outgoing L2TP/IPsec tunnels. Both may install a default route
# (l2tp-out2 at distance 2) and both have keepalive disabled.
# NOTE(review): the IPsec pre-shared keys and account passwords are exported
# in clear text; the key on l2tp-out1 is a plain ascending digit sequence and
# both accounts share one password. A pre-shared key this guessable gives
# little assurance that the tunnel peer is the intended server. Rotate the
# published values and ask the provider for a non-trivial key where possible.
/interface l2tp-client
add add-default-route=yes comment="PPP - L2tp1" connect-to=ca.hiserver.in \
disabled=no ipsec-secret=123456789 keepalive-timeout=disabled name=\
l2tp-out1 password=amirali profile=default use-ipsec=yes user=\
shahrestani
add add-default-route=yes comment="PPP - L2tp2" connect-to=us.tuadd.com \
default-route-distance=2 disabled=no ipsec-secret=vpn2key \
keepalive-timeout=disabled name=l2tp-out2 password=amirali profile=\
default use-ipsec=yes user=amirali_shahrestani
# Queues that cap packets carrying the YouTube packet marks set in
# /ip firewall mangle: 400k for the download mark, 100k for the upload mark.
/queue tree
add limit-at=400k max-limit=400k name=Youtube-Download packet-mark=\
Youtube-Download-Packets parent=global queue=pcq-download-default
add max-limit=100k name=Youtube-Upload packet-mark=Youtube-Upload-Packets \
parent=global queue=pcq-upload-default
# NOTE(review): the default SNMP community is open to every source address.
# No `/snmp set enabled=yes` appears in this export, so the service itself may
# be off - confirm. If SNMP is ever enabled, restrict `addresses` to the
# monitoring host and rename the community.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# Bridge membership. ether2-ether5, both radios and both virtual APs are ports
# of the MAIN bridge; vlan20 and vlan40 are ports of Bridge-Ovpn and
# Bridge-L2tp2.
# NOTE(review): each virtual AP is a port of the MAIN bridge while the VLAN
# interface built on top of it is a port of another bridge. An interface that
# is already a bridge port is an unusual parent for a VLAN - verify that
# clients of those SSIDs really land in 192.168.11.x / 192.168.22.x.
/interface bridge port
add bridge="Bridge-L2tp1 (MAIN)" hw=no interface=ether2
add bridge="Bridge-L2tp1 (MAIN)" hw=no interface=ether3
add bridge="Bridge-L2tp1 (MAIN)" hw=no interface=ether4
add bridge="Bridge-L2tp1 (MAIN)" hw=no interface=ether5
add bridge="Bridge-L2tp1 (MAIN)" interface=wlan1
add auto-isolate=yes bridge="Bridge-L2tp1 (MAIN)" interface=wlan2
add bridge="Bridge-L2tp1 (MAIN)" interface="Ovpn-Wifi (Virtual)"
add bridge=Bridge-Ovpn interface=vlan20
add bridge=Bridge-L2tp2 interface=vlan40
add bridge="Bridge-L2tp1 (MAIN)" interface="L2tp 2 -Wifi (Virtual)"
# Presumably has no effect unless use-ip-firewall is also enabled, which this
# export does not show - confirm.
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
# Neighbor discovery runs on the members of the `discover` list.
/ip neighbor discovery-settings
set discover-interface-list=discover
# Detect Internet is active on every interface.
# NOTE(review): with three policy-routed tunnels this feature adds little;
# consider detect-interface-list=none unless it is known to be needed.
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
# Incoming L2TP/IPsec server.
# NOTE(review): the IPsec secret is short, digits only, exported in clear text
# and identical to the password of the `vpn` PPP secret later in this export.
# Use two different, long random values.
/interface l2tp-server server
set enabled=yes ipsec-secret=77129333 use-ipsec=yes
# Members of the interface lists declared earlier.
# NOTE(review): l2tp-out1 is in `discover`, so the router runs neighbor
# discovery on the tunnel towards the VPN provider; remove it unless that is
# intended.
# NOTE(review): wlan1 and wlan2 are in `mac-winbox`, so every Wi-Fi client can
# reach MAC-Winbox. Limiting the list to wired ports used for administration
# narrows management access.
# `mactel` is populated here, but no /tool mac-server setting in this export
# refers to it, so MAC-Telnet presumably still uses its default interface list
# - confirm.
/interface list member
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=wlan1 list=discover
add interface="Bridge-L2tp1 (MAIN)" list=discover
add interface=wlan2 list=discover
add interface=l2tp-out1 list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=wlan2 list=mactel
add interface=ether5 list=mac-winbox
add interface=wlan1 list=mactel
add interface=wlan2 list=mac-winbox
add interface=wlan1 list=mac-winbox
add interface=ether1 list=WAN
add interface="Bridge-L2tp1 (MAIN)" list=mactel
# Three more incoming VPN servers are enabled in addition to L2TP.
# NOTE(review): four VPN servers sharing one PPP secret is a large exposed
# surface; disable every server that is not actually used.
/interface ovpn-server server
set certificate=England-UDP-old.ovpn_0 enabled=yes
# NOTE(review): PPTP is enabled and accepts pap, chap and mschap1 as well as
# mschap2. pap sends the password unprotected and PPTP's encryption is
# considered broken; the input chain also accepts tcp/1723 from any source.
# Prefer disabling PPTP; if it must stay, allow mschap2 only.
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
# NOTE(review): no certificate is named for SSTP in this export - confirm one
# is configured, otherwise clients cannot authenticate the server.
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# Router addresses, one gateway address per LAN subnet.
# NOTE(review): 192.168.88.1/24 is bound to ether2, which is a port of
# "Bridge-L2tp1 (MAIN)". An address on a bridged port is a known RouterOS
# misconfiguration; the address belongs on the bridge itself, which is also
# where dhcp1 listens.
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.11.1/24 interface=Bridge-Ovpn network=192.168.11.0
add address=192.168.22.1/24 interface=Bridge-L2tp2 network=192.168.22.0
# ddns-enabled=yes registers the router's current public address with
# MikroTik's cloud DNS service.
/ip cloud
set ddns-enabled=yes update-time=no
# ether1 gets its address from the upstream network. The second entry has no
# disabled=no, so it is presumably inactive; a DHCP client on a bridge that
# also runs a DHCP server would not make sense - confirm and remove it.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
add dhcp-options=hostname,clientid interface="Bridge-L2tp1 (MAIN)"
# NOTE(review): this relay sits on the bridge where dhcp1 already serves
# clients and forwards to 192.168.88.10, which the lease table assigns to a
# LAN client. It looks like a leftover - confirm and remove it.
/ip dhcp-relay
add dhcp-server=192.168.88.10 interface="Bridge-L2tp1 (MAIN)" name=relay1
# Static leases. Two clients are pinned on more than one server:
# 94:87:E0:4D:2C:7C on dhcp1, dhcp2 and dhcp3, and 34:23:87:10:A1:9B on dhcp1
# and dhcp2. The three comments mark which subnet maps to which tunnel.
# These MAC addresses identify the household's devices; they are worth masking
# before a configuration is shared.
/ip dhcp-server lease
add address=192.168.88.105 client-id=1:10:62:eb:f2:6e:b8 mac-address=\
10:62:EB:F2:6E:B8 server=dhcp1
add address=192.168.88.10 client-id=1:0:9:34:40:64:e6 comment=\
"----->>>>> 192.168.88.1/24 ->>> L2tp" mac-address=\
00:09:34:40:64:E6 server=dhcp1
add address=192.168.88.50 client-id=1:34:23:87:10:a1:9b mac-address=\
34:23:87:10:A1:9B server=dhcp1
add address=192.168.88.102 client-id=1:a0:99:9b:60:6c:d8 mac-address=\
A0:99:9B:60:6C:D8 server=dhcp1
add address=192.168.88.40 client-id=1:94:87:e0:4d:2c:7c mac-address=\
94:87:E0:4D:2C:7C server=dhcp1
add address=192.168.88.20 client-id=1:78:5d:c8:30:7c:da mac-address=\
78:5D:C8:30:7C:DA server=dhcp1
add address=192.168.88.30 client-id=1:70:de:e2:a3:39:b3 mac-address=\
70:DE:E2:A3:39:B3 server=dhcp1
add address=192.168.88.104 mac-address=54:A0:50:EA:FD:A6 server=dhcp1
add address=192.168.88.201 client-id=1:20:1a:6:6b:bd:50 mac-address=\
20:1A:06:6B:BD:50 server=dhcp1
add address=192.168.11.40 client-id=1:94:87:e0:4d:2c:7c mac-address=\
94:87:E0:4D:2C:7C server=dhcp2
add address=192.168.11.50 client-id=1:34:23:87:10:a1:9b mac-address=\
34:23:87:10:A1:9B server=dhcp2
add address=192.168.11.20 client-id=1:4:4e:af:28:22:a comment=\
"----->>>>> 192.168.11.1/24 ->>> Ovpn-Virtual" mac-address=\
04:4E:AF:28:22:0A server=dhcp2
add address=192.168.22.40 client-id=1:94:87:e0:4d:2c:7c comment=\
"----->>>>> 192.168.22.1/24 ->>> L2tp 2" mac-address=\
94:87:E0:4D:2C:7C server=dhcp3
# Gateway handed out per subnet. 192.168.42.0/24 and 192.168.89.0/24 have no
# DHCP server in this export; the 192.168.42.0/24 entry matches no address or
# pool either and looks like a leftover - confirm.
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1 netmask=24
add address=192.168.22.0/24 gateway=192.168.22.1 netmask=24
add address=192.168.42.0/24 gateway=192.168.42.129 netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
add address=192.168.89.0/24 gateway=192.168.89.1 netmask=24
# Upstream resolvers for the router itself. allow-remote-requests is not set
# here, so the router presumably does not answer client DNS queries - yet the
# PPP profile hands 192.168.88.1 to VPN clients as their DNS server; confirm
# which behaviour is wanted.
/ip dns
set servers=1.0.0.1,1.1.1.1
# Static names that map labels to public resolver addresses; they only matter
# to clients that resolve through this router.
/ip dns static
add address=84.200.69.80 name=DNS-Watch1
add address=84.200.70.40 name=DNS-Watch2
add address=9.9.9.9 name=Quad1
add address=149.112.112.112 name=Quad2
add address=8.26.56.26 name=Comodo1
add address=8.20.247.20 name=Comodo2
add address=8.8.8.8 name=Google1
add address=8.8.4.4 name=Google2
add address=4.2.2.1 name=4.2.2.1
add address=4.2.2.2 name=4.2.2.2
add address=4.2.2.3 name=4.2.2.3
add address=1.0.0.1 name=1.0.0.1
add address=1.1.1.1 name=1.1.1.1
add address=208.67.220.220 name=OpenDns1
add address=208.67.222.222 name=OpenDns2
# Clients whose DNS queries are redirected by the dst-nat rule in
# /ip firewall nat.
/ip firewall address-list
add address=192.168.88.30 list="Block Porn Content"
add address=192.168.88.102 list="Block Porn Content"
# Filter rules are evaluated top to bottom; order is significant.
# NOTE(review): the first rule accepts Winbox (tcp/8291) from every source on
# every interface, and it sits above the ether1 drop, so the management port
# is reachable from the WAN. Restrict it with in-interface or a src-address
# list of admin hosts.
# NOTE(review): the only drop in the input chain matches in-interface=ether1.
# Traffic arriving through l2tp-out1, l2tp-out2 or ovpn-out1 - the tunnels
# that carry the default routes - is not filtered at all and can reach every
# router service. No /ip service section appears in this export, so those
# services are presumably at their defaults - confirm. Ending the chain with
# a drop that exempts only the LAN bridges covers the tunnels too.
# NOTE(review): there is no rule for connection-state=invalid, and the forward
# chain has no active rule, so everything is forwarded. It also means the
# firewall filter is not what blocks traffic between the three LAN subnets.
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface=ether1
# Everything below is disabled. The last rule combines out-interface with
# out-interface-list and matches udp/21, while FTP control uses tcp/21.
add action=drop chain=input disabled=yes dst-address=192.168.88.1 protocol=\
icmp src-address=192.168.11.0/24
add action=drop chain=input disabled=yes dst-address=192.168.11.1 protocol=\
icmp src-address=192.168.88.0/24
add action=accept chain=forward disabled=yes
add action=accept chain=forward disabled=yes dst-address=192.168.88.10 \
dst-port=21 in-interface=Bridge-Ovpn out-interface="Bridge-L2tp1 (MAIN)" \
out-interface-list=all protocol=udp src-address=192.168.11.0/24
# Policy routing: every packet from a LAN or VPN-client range gets the routing
# mark of "its" tunnel, whatever its destination.
# NOTE(review): this is the likely reason hosts in 192.168.88.0/24,
# 192.168.11.0/24 and 192.168.22.0/24 cannot reach each other. A packet from
# one LAN to another is marked as well, and each marked routing table in
# /ip route holds only a default route through a tunnel, so the packet leaves
# through the VPN instead of being delivered locally. Excluding local
# destinations from the four mark-routing rules (for example
# dst-address=!192.168.0.0/16), or adding an /ip route rule that looks up
# table main for those destinations, keeps inter-LAN traffic on the router.
# Note that once the subnets can reach each other nothing separates them,
# because the forward chain is empty; add forward rules if the VPN-bound
# networks are meant to stay isolated.
/ip firewall mangle
# The empty src-address-list="" on this rule looks unintended - confirm.
add action=mark-routing chain=prerouting new-routing-mark=l2tp-route \
passthrough=yes src-address=192.168.89.1-192.168.89.254 src-address-list=\
""
add action=mark-routing chain=prerouting new-routing-mark=l2tp-route \
passthrough=yes src-address=192.168.88.10-192.168.88.254
add action=mark-routing chain=prerouting new-routing-mark=Ovpn-Out \
passthrough=yes src-address=192.168.11.10-192.168.11.254
add action=mark-routing chain=prerouting new-routing-mark=l2tp-out2 \
passthrough=yes src-address=192.168.22.10-192.168.22.254
# YouTube shaping: connections entering from Bridge-L2tp2 that match the
# layer-7 pattern are connection-marked, then their packets get the packet
# marks the queue tree limits.
add action=mark-connection chain=forward in-interface=Bridge-L2tp2 \
layer7-protocol="Youtube BandWidth" new-connection-mark=Youtube-Limit \
passthrough=yes
add action=mark-packet chain=forward connection-mark=Youtube-Limit \
new-packet-mark=Youtube-Download-Packets passthrough=no
add action=mark-connection chain=prerouting in-interface=Bridge-L2tp2 \
layer7-protocol="Youtube BandWidth" new-connection-mark=Youtube_Upload \
passthrough=yes
add action=mark-packet chain=forward connection-mark=Youtube_Upload \
new-packet-mark=Youtube-Upload-Packets passthrough=no
# Source NAT on every uplink: ether1 and the three tunnels. The first rule
# names ether1 both directly and through the WAN list, and a second ether1
# masquerade follows further down; one of the two is redundant.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 out-interface-list=\
WAN
add action=masquerade chain=srcnat out-interface=l2tp-out1
add action=masquerade chain=srcnat out-interface=l2tp-out2
add action=masquerade chain=srcnat out-interface=ovpn-out1
add action=masquerade chain=srcnat comment="masq. vpn traffic" out-interface=\
"Bridge-L2tp1 (MAIN)" src-address=192.168.89.0/24
add action=masquerade chain=srcnat out-interface=ether1
# DNS redirect for the listed clients to a filtering resolver.
# NOTE(review): only udp/53 is redirected; DNS over tcp/53 or over an
# encrypted channel is not affected, so this is a convenience filter rather
# than an enforcement point.
add action=dst-nat chain=dstnat comment="Block Porn Content For Address List" \
dst-port=53 protocol=udp src-address-list="Block Porn Content" \
to-addresses=199.85.126.20 to-ports=53
# One default route per routing mark, each through its tunnel. None of these
# tables has a route to the local subnets, so a marked packet addressed to
# another LAN also follows the tunnel while that tunnel is up.
/ip route
add distance=1 gateway=l2tp-out1 routing-mark=l2tp-route
add distance=1 gateway=ovpn-out1 routing-mark=Ovpn-Out
add check-gateway=ping distance=2 gateway=l2tp-out2 routing-mark=l2tp-out2
# SMB file sharing: the default share is disabled and /disk3 is published as
# `mikrotik`.
/ip smb shares
set [ find default=yes ] disabled=yes
add directory=/disk3 name=mikrotik
# NOTE(review): this SMB account has write access and its password is
# identical to its user name. No `/ip smb set enabled=yes` appears in this
# export, so the service may be off - confirm; either way give the account a
# real password or remove it.
/ip smb users
add name=amirali password=amirali read-only=no
/ip traffic-flow
set enabled=yes
# NOTE(review): UPnP lets any host on the MAIN bridge open inbound port
# mappings on ether1 without authentication. Disable it unless a specific
# application needs it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface="Bridge-L2tp1 (MAIN)" type=internal
add interface=ether1 type=external
/port firmware
set directory=mikrotik ignore-directip-modem=yes
# NOTE(review): the only account for incoming VPN users. Its password is
# short, digits only, exported in clear text and equal to the L2TP server's
# IPsec secret; with no service= restriction it is presumably valid on every
# enabled PPP server (PPTP, L2TP, SSTP, OpenVPN). Replace it with a long
# random value and limit it to the one service in use.
/ppp secret
add name=vpn password=77129333 profile=default-encryption
# Time zone by name plus a manual zone definition with 2018 DST dates.
/system clock
set time-zone-name=Asia/Tehran
/system clock manual
set dst-end="sep/22/2018 00:00:00" dst-start="mar/22/2018 00:00:00" \
time-zone=+03:30
# LEDs show tunnel and bridge state; entries 3 and 4 both point at
# Bridge-Ovpn.
/system leds
set 0 interface=l2tp-out1
set 1 interface=l2tp-out2
set 2 interface=ovpn-out1
set 3 interface=Bridge-Ovpn
set 4 interface=Bridge-Ovpn
add interface=wlan2 leds=user-led type=interface-activity
# Time sync from two servers given by address. Correct time matters for
# certificate validation on the OpenVPN and SSTP services.
/system ntp client
set enabled=yes primary-ntp=62.210.103.129 secondary-ntp=185.105.186.198
# auto-upgrade=yes lets the RouterBOARD firmware follow the installed RouterOS
# version.
/system routerboard settings
set auto-upgrade=yes silent-boot=no
# Two jobs, each repeating every 23 hours: the first runs a package update
# install, the second compares the RouterOS version with the current firmware
# and, if the version compares greater, upgrades the firmware and reboots.
# NOTE(review): both jobs run with the full policy set, including password,
# sniff, sensitive, romon and ftp. Scheduler policies should be cut down to
# what the script needs (presumably reboot, read, write, policy, test -
# confirm).
# NOTE(review): unattended installs reboot the router without anyone checking
# the result; with auto-upgrade=yes already set under
# /system routerboard settings the second job may be redundant - confirm.
# Var1 and Var2 are version strings, so the `>` comparison is presumably not a
# numeric version comparison - confirm.
/system scheduler
add interval=23h name="Package Upgrade" on-event=\
"system package update install" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=nov/03/2018 start-time=06:55:19
add interval=23h name="Routerboard Upgrade" on-event=":global Var1\
\n:global Var2\
\n:set Var1 \"\$[/system package get system version]\"\
\n:set Var2 \"\$[/system routerboard get current-firmware]\"\
\n:if (\$Var1>\$Var2) do={/system routerboard upgrade;\
\n/system reboot;\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=nov/03/2018 start-time=07:00:30
# The watchdog timer is switched off.
/system watchdog
set watchdog-timer=no
# Traffic graphs for the tunnels and both radios.
# NOTE(review): no allow-address is set on these entries, so graph access is
# presumably unrestricted wherever the router's web service is reachable -
# confirm.
/tool graphing interface
add interface=l2tp-out1
add interface=wlan2
add interface=wlan1
add interface=l2tp-out2
add interface=ovpn-out1
# MAC-Winbox is limited to the `mac-winbox` list, which includes both radios.
# No matching line exists for MAC-Telnet, so it presumably listens on its
# default interface list - confirm and restrict it the same way.
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool traffic-monitor
add interface=l2tp-out1 name=tmon1 threshold=0