
[SOLVED] 2 concurrent PPPoE connections on the same WAN interface

Posted: Sun Nov 06, 2016 7:02 pm
by janus20
Hi,

I am new here and this is my first post, so please be patient with me. I have a situation in which my client's ISP has allocated him 2 PPPoE connections (2 different usernames and passwords) on a single FTP cable. Right now it works because the ISP cable goes into a 5-port switch, from which 2 FTP cables go to two distinct Wi-Fi routers, so both connections are up at the same time.
I was wondering if it would be possible to do that with one MikroTik device, let's say a hEX RB750Gr2 or RB951G-2HnD with the latest firmware 6.37.1 (before I recommend them to my client I just want to be sure that it works), like the image below:
Image

I have searched the forum and Google and came up with a basic configuration for that, if it would be plausible:

# setting up bridges and populate them with the proper ports
/interface bridge
add comment="Bridge ports 2-3 to LAN1" name=bridge1-LAN1
add comment="Bridge ports 4-5 to LAN2" name=bridge2-LAN2
/interface ethernet
set [ find default-name=ether1 ] comment="WAN ISP"
set [ find default-name=ether2 ] comment="Bridge ports 2-3 to LAN1"
set [ find default-name=ether4 ] comment="Bridge ports 4-5 to LAN2"
/interface bridge port
add bridge=bridge1-LAN1 interface=ether2
add bridge=bridge1-LAN1 interface=ether3
add bridge=bridge2-LAN2 interface=ether4
add bridge=bridge2-LAN2 interface=ether5
# allocate ip addresses to bridges
/ip address
add address=172.16.1.254/24 interface=bridge1-LAN1 network=172.16.1.0
add address=172.16.2.254/24 interface=bridge2-LAN2 network=172.16.2.0
# creating pools for two Lans
/ip pool
add name=pool-lan1 ranges=172.16.1.50-172.16.1.100
add name=pool-lan2 ranges=172.16.2.50-172.16.2.100
# creating dhcp servers for both lans and allocate them the proper pool
/ip dhcp-server
add address-pool=pool-lan1 disabled=no interface=bridge1-LAN1 lease-time=1d name=dhcp-lan1
add address-pool=pool-lan2 disabled=no interface=bridge2-LAN2 lease-time=1d name=dhcp-lan2
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=8.8.8.8 gateway=172.16.1.254
add address=172.16.2.0/24 dns-server=8.8.8.8 gateway=172.16.2.254
# change default services
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=9999
set ssh disabled=yes
set winbox port=8299
# create pppoe connections
# I have left "add default route" unchecked since I am interested in manually manipulating
# the routing table, routing lan1 to pppoe1 and lan2 to pppoe2.
# As for "dial on demand" I am not sure if I have to check or uncheck it; for now I will
# leave it checked to see what happens.
/interface pppoe-client
add add-default-route=no allow=pap,chap,mschap2 comment="PPPOE1 on WAN" dial-on-demand=yes \
    disabled=no interface=ether1 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1 \
    password=xxxxx use-peer-dns=yes user=yyyyy
add add-default-route=no allow=pap,chap,mschap2 comment="PPPOE2 on WAN" dial-on-demand=yes \
    disabled=no interface=ether1 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out2 \
    password=zzzzz use-peer-dns=yes user=wwwww
# filter rules
/ip firewall filter
add action=accept chain=input comment="Accept winbox connectivity on port 8299 - pppoe1" dst-port=8299 \
    in-interface=pppoe-out1 log=yes protocol=tcp
add action=accept chain=input comment="Accept winbox connectivity on port 8299 - pppoe2" dst-port=8299 \
    in-interface=pppoe-out2 log=yes protocol=tcp
add action=accept chain=input comment="Web access on 9999 port - pppoe-out1" dst-port=9999 \
	in-interface=pppoe-out1 log=yes protocol=tcp
add action=accept chain=input comment="Web access on 9999 port - pppoe-out2" dst-port=9999 \
	in-interface=pppoe-out2 log=yes protocol=tcp
add chain=input connection-state=established \
	comment="Accept established connections"
add chain=input connection-state=related \
	comment="Accept related connections"
add chain=input connection-state=invalid action=drop \
	comment="Drop invalid connections" 
add chain=input protocol=udp action=accept \
	comment="UDP" disabled=no 
add chain=input action=log log-prefix="Drop input" \
	comment="Log everything else"
add chain=input action=drop \
	comment="Drop everything else"
# mangle rules
# marking packets for 2 lans
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark packets for LAN1" new-packet-mark=lan1 passthrough=yes src-address=172.16.1.0/24
add action=mark-packet chain=prerouting comment="Mark packets for LAN2" new-packet-mark=lan2 passthrough=yes src-address=172.16.2.0/24
add action=mark-routing chain=prerouting comment="Send packets to right routing table - LAN1" new-routing-mark=lan1 packet-mark=lan1 passthrough=no
add action=mark-routing chain=prerouting comment="Send packets to right routing table - LAN2" new-routing-mark=lan2 packet-mark=lan2 passthrough=no
# nat both networks
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT LAN1" out-interface=pppoe-out1 src-address=172.16.1.0/24
add action=masquerade chain=srcnat comment="NAT LAN2" out-interface=pppoe-out2 src-address=172.16.2.0/24
# manual routing two connections / pppoe{1,2} for lan1/2
/ip route
add check-gateway=ping disabled=no distance=1 gateway=pppoe-out1 routing-mark=lan1
add check-gateway=ping disabled=no distance=1 gateway=pppoe-out2 routing-mark=lan2
Is there anyone kind enough to tell me whether such a scenario is possible? If it is, are my config lines OK?

Thank you very much for your patience; kind regards.

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Wed Nov 09, 2016 9:48 am
by janus20
Hi,

Please forgive my insistence, as I do not want to be rude, but could anyone at least give me some advice?
Thanks in advance.

kind regards,

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Wed Nov 09, 2016 7:46 pm
by docmarius
For a start you could disable dial-on-demand and see if both interfaces connect at the same time.
(I have never tried such a config.)

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Wed Nov 09, 2016 10:21 pm
by janus20
Hi,

Thanks a lot (multumesc frumos, "thank you very much") @docmarius. I will buy the equipment and do some tests with "dial on demand" disabled. Most probably on Monday next week I will be back with feedback.

Thank you very much once again.

kind regards,

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Wed Dec 28, 2016 12:17 am
by janus20
Hi everybody,

Great news. I have made it work using a hEX RB750Gr3, firmware 6.37.3 and a few modifications to the original configuration above. Here is a speed test from a workstation connected directly to the MikroTik router (I chose the Amsterdam server for testing external bandwidth); CPU was about 50-60% during the test:
http://www.speedtest.net/my-result/5905304204

Although everything is working just fine (the first network is routed to the pppoe1 connection, the other network to the pppoe2 connection), I have a small problem making a remote desktop connection after I have connected via PPTP into the local network; I will detail this problem after posting the entire configuration (it might be useful for someone else, at least for setting up 2 concurrent PPPoE connections on the same WAN interface with one physical FTP cable).

1. PPPOE connections
Image

2. Route list
Image
Image

My final configuration is as follows:

ether1 = WAN connections for PPPOE1 (pppoe-local) + PPPOE2 (pppoe-paul)
bridge-local = ether2-ether4, local LAN for one office network (192.168.0.0/24)
ether5 = local LAN2 for the other office; currently only one workstation is connected directly to this port (172.16.21.240/28)

1. setting up interfaces and bridge
/interface ethernet
set [ find default-name=ether1 ] comment="WAN RDS - PPPOE1 + PPPOE2"
set [ find default-name=ether2 ] comment="LOCAL LAN - switch"
set [ find default-name=ether3 ] comment="LOCAL LAN - free"
set [ find default-name=ether4 ] comment="LOCAL LAN - free"
set [ find default-name=ether5 ] comment="Paul workstation"

/interface bridge
add comment="BRIDGE LOCAL  LAN" name=bridge-local	
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4

/ip neighbor discovery
set ether1 comment="WAN RDS - PPPOE1 + PPPOE2"
set ether2 comment="LOCAL LAN  - switch"
set ether3 comment="LOCAL LAN - free"
set ether4 comment="LOCAL LAN - free"
set ether5 comment="Paul workstation"
set bridge-local comment="BRIDGE LOCAL LAN"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
2. PPPOE connections (I have checked "add default route" on both, otherwise it would not work)
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-local \
    password=XXX user=YYY
add add-default-route=yes disabled=no interface=ether1 name=pppoe-paul \
    password=AAA user=BBB
3. Define ip addresses on interfaces, dhcp pools, dhcp networks
/ip address
add address=192.168.0.254/24 interface=bridge-local network=192.168.0.0
add address=172.16.21.254/28 interface=ether5 network=172.16.21.240
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.150
add name=pool-paul ranges=172.16.21.240-172.16.21.250
add name=pool-pptp-paul ranges=172.16.21.251
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=1h name=dhcp-local
add address-pool=pool-paul disabled=no interface=ether5 lease-time=1h name=dhcp-paul
/ip dhcp-server network
add address=172.16.21.240/28 dns-server=213.154.124.1,8.8.8.8 gateway=\
    172.16.21.254 netmask=28
add address=192.168.0.0/24 dns-server=213.154.124.1,8.8.8.8 gateway=\
    192.168.0.254 netmask=24
/ip dns
set cache-size=4096KiB servers=213.154.124.1,8.8.8.8
4. PPTP (I have set it up for management from outside the local network as well as for remote desktop connections to local workstations from outside; I did not want to port forward RDP to the public IP, I just thought it would be more secure to connect into the local network first via PPTP and then run remote desktop to the desired workstation)
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=pptp-paul-in enabled=\
    yes max-mru=1460 max-mtu=1460
/ppp profile
add change-tcp-mss=yes dns-server=172.16.21.254,8.8.8.8 local-address=172.16.21.254 \
    name=pptp-paul-in only-one=yes remote-address=pool-pptp-paul use-encryption=required \
    use-upnp=no
/ppp secret
add name=XXXX password=XXXX profile=pptp-paul-in service=pptp    
5. FIREWALL Filter
/ip firewall filter
add chain=input comment="Accept established connections" connection-state=\
    established
add chain=input comment="Accept related connections" connection-state=\
    related,new
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=accept chain=input comment=UDP protocol=udp
add action=fasttrack-connection chain=forward comment="Accept fasttracking" \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment="Access winbox" dst-port=XXXX \
    in-interface=bridge-local protocol=tcp
add action=accept chain=input comment="Access winbox" dst-port=XXXX \
    in-interface=all-ppp protocol=tcp
add action=accept chain=input comment="Accept PPTP Paul" dst-port=1723 in-interface=\
    pppoe-paul log=yes log-prefix=pptp-paul protocol=tcp	
add action=drop chain=forward comment=\
    "Isolate networks" dst-address=\
    172.16.21.240/28 in-interface=bridge-local log=yes out-interface=ether5 \
    src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 in-interface=ether5 \
    log=yes out-interface=bridge-local src-address=172.16.21.240/28	
add action=log chain=input comment="Log everything else" log-prefix=\
    "DROP INPUT"
add action=drop chain=input comment="Drop everything else"
6. FIREWALL NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT LOCAL LAN" log=yes \
    log-prefix=nat-local out-interface=pppoe-local src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="NAT Paul network" log=yes \
    log-prefix=nat-paul out-interface=pppoe-paul src-address=172.16.21.240/28
add action=masquerade chain=srcnat comment="NATing pptp connection" log=yes log-prefix=msq-pptp out-interface=\
    ether5 src-address=172.16.21.251
7. FIREWALL Mangle
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark packets for LOCAL LAN" \
    new-packet-mark=lan-local passthrough=yes src-address=192.168.0.0/24
add action=mark-packet chain=prerouting comment="Mark packets for Paul network" \
    new-packet-mark=lan-paul passthrough=yes src-address=172.16.21.240/28
add action=mark-routing chain=prerouting comment="Send packets to right routing table - LAN local" \
    new-routing-mark=lan-local packet-mark=lan-local passthrough=no
add action=mark-routing chain=prerouting comment="Send packets to right routing table - Paul network" \
    new-routing-mark=lan-paul packet-mark=lan-paul passthrough=no
add action=mark-connection chain=output comment="Mark packets for right output PPPOE connections" \
    connection-mark=no-mark log=yes new-connection-mark=lan-local out-interface=pppoe-local passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark log=yes \
    new-connection-mark=lan-paul out-interface=pppoe-paul passthrough=yes	
8. Default ROUTING
/ip route
add check-gateway=ping distance=1 gateway=pppoe-local routing-mark=lan-local
add check-gateway=ping distance=2 gateway=pppoe-paul routing-mark=lan-paul
9. IP settings
/ip settings
set allow-fast-path=no rp-filter=loose tcp-syncookies=yes
Now, what is not working right. In the second network, 172.16.21.240/28, there is only one workstation, connected directly to the MikroTik on the ether5 interface. This workstation has a static IP, 172.16.21.252/28. Right now, after I initiate the PPTP connection I get connected into the local network (172.16.21.240/28), on the PPTP connection I have IP 172.16.21.251/32 AND I cannot connect via remote desktop to the 172.16.21.252 workstation.
Image

In the log I see:
00:08:52 echo: firewall,info nat-paul: nat-paul srcnat: in:(none) out:pppoe-paul, proto TCP (SYN), 172.16.21.251:51891->172.16.21.252:3389, len 60
00:08:54 echo: firewall,info nat-paul: nat-paul srcnat: in:(none) out:pppoe-paul, proto UDP, 172.16.21.251:64522->8.8.8.8:53, len 71
00:09:01 echo: firewall,info nat-paul: nat-paul srcnat: in:(none) out:pppoe-paul, proto TCP (SYN), 172.16.21.251:51891->172.16.21.252:3389, len 56


I do not have ping to either the ether5 interface (172.16.21.254) or the workstation 172.16.21.252. Workstation 172.16.21.252 is Win 10 Home, but I have installed RDPWrap from here (http://www.softwareok.com/?seite=faq-Windows-10&faq=129) and have already disabled the firewall.
Remote desktop on the workstation is working, because I am able to connect if I do a port forward on the public IP like:
/ip firewall filter
add action=accept chain=forward comment="Forward Remote Desktop Paul" disabled=no dst-port=35000 in-interface=pppoe-paul log=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=35000 in-interface=pppoe-paul protocol=tcp to-addresses=172.16.21.252 to-ports=3389
and it is also working from inside the LAN (I have tested by putting the ether5 cable into a switch to which both my laptop and the workstation were connected).

Sincerely, I was a little surprised, because for another client I have an almost identical configuration but without 2 connections: same RB750Gr3, 1 WAN static public IP, the same firewall rules regarding the PPTP connection and NAT, and the only difference is that the workstation I can connect to after initiating the PPTP connection is XP Professional SP3.

So, am I missing something? Is there something wrong with my firewall rules?
Is there someone kind enough to help me out with this?

Thank you very much in advance.

kind regards,

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Tue Jan 03, 2017 12:19 am
by bajodel
I would try to enable proxy-arp on ether5 (or local-proxy-arp if you are already on 6.38).

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Tue Jan 03, 2017 5:34 pm
by janus20
Thanks @bajodel for your answer.

I just did, but nothing changed:
[freya@gw-BFY] > /interface ethernet export
# jan/03/2017 01:26:10 by RouterOS 6.37.3
# software id = QEKX-Y5VI
#
/interface ethernet
set [ find default-name=ether1 ] comment="WAN RDS - PPPOE1 + PPPOE2"
set [ find default-name=ether2 ] comment="LOCAL LAN - switch"
set [ find default-name=ether3 ] comment="LOCAL LAN  - free"
set [ find default-name=ether4 ] comment="LOCAL LAN  - free"
set [ find default-name=ether5 ] arp=proxy-arp comment="Paul workstation"
or in detail:
4 R  ;;; Paul workstation
      name="ether5" default-name="ether5" mtu=1500 l2mtu=1596 mac-address=6C:3B:6B:XX:XX:XX orig-mac-address=6C:3B:6B:XX:XX:XX arp=proxy-arp arp-timeout=auto 
      loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m auto-negotiation=yes 
      advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=100Mbps master-port=none 
      bandwidth=unlimited/unlimited switch=switch1 
I have upgraded to 6.38 and have enabled "local-proxy-arp" for interface ether5 as:
4 R  ;;; Paul workstation
 name="ether5" default-name="ether5" mtu=1500 l2mtu=1596 mac-address=6C:3B:6B:XX:XX:XX orig-mac-address=6C:3B:6B:XX:XX:XX arp=local-proxy-arp arp-timeout=auto 
      loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m auto-negotiation=yes 
      advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full full-duplex=yes tx-flow-control=off rx-flow-control=off speed=100Mbps master-port=none 
      bandwidth=unlimited/unlimited switch=switch1 
No change at all! I can connect via PPTP, I can arping the 172.16.21.252 workstation, but I could not connect via remote desktop due to the same error.
From outside, if I do port forwarding on the pppoe-paul connection (accessing the public IP), or if I put my laptop and the workstation into a switch inside the network, I can connect via RDP (accessing 172.16.21.252 locally).

Thank you very much for your time.

kind regards,

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Wed Jan 04, 2017 6:13 am
by bajodel
/ip firewall filter
add action=accept chain=forward comment="Forward Remote Desktop Paul" disabled=no dst-port=35000 in-interface=pppoe-paul log=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=35000 in-interface=pppoe-paul protocol=tcp to-addresses=172.16.21.252 to-ports=3389
Are those hit counters increasing when you try connecting to RDP through PPTP?
Check that you don't have any earlier FW rule blocking it.

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Wed Jan 04, 2017 9:55 am
by janus20
Hi @bajodel.

Nope; the code you listed is working fine (as I have already mentioned above), but I want to connect via RDP from inside the LAN after I have connected over PPTP (which always gives me address 172.16.21.252/32 after connecting) and not directly from outside using port forwarding on the public IP.

Here is my firewall:
1. FILTER
/ip firewall filter
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related,new
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=accept chain=input comment=UDP protocol=udp
add action=fasttrack-connection chain=forward comment="Accept fasttracking" connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment="Access winbox" dst-port=XXXX in-interface=bridge-local protocol=tcp
add action=accept chain=input comment="Access winbox" dst-port=XXXX in-interface=all-ppp protocol=tcp
add action=accept chain=input comment="Access webfig" dst-port=XXXX in-interface=bridge-local protocol=tcp
add action=accept chain=input comment="Access webfig" dst-port=XXXX in-interface=all-ppp protocol=tcp
add action=accept chain=input comment="PPTP Paul" dst-port=1723 in-interface=pppoe-paul log=yes log-prefix=pptp-paul protocol=tcp
add action=accept chain=input comment="Accept ping from local and pptp" in-interface=ether5 protocol=icmp src-address=172.16.21.240/28
add action=accept chain=input in-interface=bridge-local protocol=icmp src-address=192.168.0.0/24
add action=accept chain=input in-interface=pppoe-paul log=yes log-prefix=ping protocol=icmp
add action=drop chain=forward comment="Isolate lan's" dst-address=172.16.21.240/28 in-interface=bridge-local log=yes \
    out-interface=ether5 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 in-interface=ether5 log=yes out-interface=bridge-local src-address=172.16.21.240/28
add action=log chain=forward comment="Block port 25 - smtp virus" dst-address=0.0.0.0 dst-port=25 log=yes log-prefix=spam-virus protocol=tcp \
    src-address=172.16.21.240/28
add action=log chain=forward dst-address=0.0.0.0 dst-port=25 log=yes log-prefix=spam-virus protocol=tcp src-address=192.168.0.0/24
add action=drop chain=forward dst-address=0.0.0.0 dst-port=25 in-interface=pppoe-paul log=yes log-prefix=smtp-virus protocol=tcp src-address=172.16.21.240/28
add action=drop chain=forward dst-address=0.0.0.0 dst-port=25 in-interface=pppoe-local log=yes log-prefix=smtp-virus protocol=tcp src-address=192.168.0.0/24
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else"
2. NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT local LAN" log=yes log-prefix=nat-local out-interface=pppoe-local src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="NAT Paul LAN" log=yes log-prefix=nat-paul out-interface=pppoe-paul src-address=172.16.21.240/28
add action=masquerade chain=srcnat comment="NAt PPTP" out-interface=ether5 src-address=172.16.21.251
3. MANGLE
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark packets for LAN local" new-packet-mark=lan-local passthrough=yes src-address=192.168.0.0/24
add action=mark-packet chain=prerouting comment="Mark packets for Paul workstation/lan" new-packet-mark=lan-paul passthrough=yes src-address=172.16.21.240/28
add action=mark-routing chain=prerouting comment="Send packets to right routing table - LAN local" new-routing-mark=lan-local packet-mark=lan-local passthrough=no
add action=mark-routing chain=prerouting comment="Send packets to right routing table - Paul workstation/lan" new-routing-mark=lan-paul packet-mark=lan-paul passthrough=no
add action=mark-connection chain=output comment="Mark packets for right output" connection-mark=no-mark log=yes new-connection-mark=lan-local out-interface=\
    pppoe-local passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark log=yes new-connection-mark=lan-paul out-interface=pppoe-paul passthrough=yes
4. IP addresses and bridge
/interface bridge
add comment="BRIDGE LOCAL LAN" name=bridge-local
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4

/ip address
add address=192.168.0.254/24 interface=bridge-local network=192.168.0.0
add address=172.16.21.254/28 interface=ether5 network=172.16.21.240
I do not know where to look. I just feel like I left something out.

Thank you very much for your time, once again.

kind regards,

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Wed Jan 04, 2017 11:40 pm
by bajodel
Hi @bajodel.
Nope; the code you listed is working fine (as I have already mentioned above) but I want to connect via RDP from inside the LAN after .. [CUT] ..

Yes, my bad .. I copy-pasted the wrong rules.

Let's have another approach:

1) leave proxy-arp enabled on ether5
2) put an explicit (early positioned) firewall filter rule allowing 172.16.21.240/28 to 172.16.21.240/28 (you can refine it later): add action=accept chain=forward dst-address=172.16.21.240/28 src-address=172.16.21.240/28

You need (1) AND (2) because your PPTP-assigned virtual IP (172.16.21.252/32) is not on ether5 but on the PPTP interface. Proxy-arp makes forwarding to ether5 possible, but the packets pass through firewall forward and need to be accepted.
For debugging, you can also put (temporarily) a default accept rule on firewall filter forward.

P.S. Your VPN PPTP client profile must be set to change its default gateway ("Use default gateway on remote network").

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Thu Jan 05, 2017 12:46 am
by janus20
Hi,

1. done (tested with proxy-arp and also with local-proxy-arp);
2. done (I see bytes and packets moving); I put it as the 3rd rule, even before the "drop invalid" rule;
/ip firewall filter
add action=accept chain=forward comment="Explicit forward" dst-address=172.16.21.240/28 log=yes log-prefix=rdp src-address=172.16.21.240/28
3. I already have "Use default gateway on remote network" checked in the Windows PPTP profile;
after getting connected via PPTP I have:

Windows IP Configuration

PPP adapter VPN Q 172:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.21.251
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

4. I put a temporary default accept rule on firewall filter before rule 2.

Still no change. In the logs I see only:
00:02:08 echo: firewall,info rdp: nat-paul srcnat: in:(none) out:pppoe-paul, proto UDP, 172.16.21.251:58562->8.8.8.8:53, len 65
00:02:09 echo: firewall,info rdp: rdp forward: in:<pptp-XXX> out:pppoe-paul, proto TCP (SYN), 172.16.21.251:24283->172.16.21.252:3389, len 60
00:02:09 echo: firewall,info rdp: nat-paul srcnat: in:(none) out:pppoe-paul, proto TCP (SYN), 172.16.21.251:24283->172.16.21.252:3389, len 60
00:02:12 echo: firewall,info rdp: rdp forward: in:<pptp-XXX> out:pppoe-paul, proto TCP (SYN), 172.16.21.251:24283->172.16.21.252:3389, NAT (172.16.21.251:24283->_pppoe-paul_publicIP_:24283)->172.16.21.252:3389, len 60
00:02:18 echo: firewall,info rdp: rdp forward: in:<pptp-XXX> out:pppoe-paul, proto TCP (SYN), 172.16.21.251:24283->172.16.21.252:3389, len 56
00:02:18 echo: firewall,info rdp: nat-paul srcnat: in:(none) out:pppoe-paul, proto TCP (SYN), 172.16.21.251:24283->172.16.21.252:3389, len 56
I have noticed "out:pppoe-paul"; shouldn't it be "out:ether5"? When I tested from the local network with both the workstation and my laptop connected to the same switch, and it was working, I did not pay attention to this. I will try tomorrow to check it.

Thank you very much once again.

kind regards,
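
The thing janus20 spotted in the log above (a packet for 172.16.21.252, a directly connected host, leaving on out:pppoe-paul) is easy to miss by eye in a busy log. The following Python is an added illustration, not code from the thread or from RouterOS: it parses firewall log lines in the format posted above and flags any flow whose destination is in one of the two LANs but whose out-interface is a PPPoE WAN. The first three sample lines are copied from the post (PPTP interface name and public IP already masked by the poster); the fourth is constructed to show what a correctly routed attempt would look like.

```python
"""Triage RouterOS firewall log lines for LAN-bound flows that leave via a WAN.

Added example for this thread; not code from the thread or from RouterOS.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Subnets and WAN interface names as posted in the thread.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "172.16.21.240/28")]
WAN_IFACES = ("pppoe-local", "pppoe-paul")

# Matches "... <chain>: in:<iface> out:<iface>, proto TCP (SYN), src:port->dst:port, ..."
# The trailing ", NAT (...)" / ", len N" parts are ignored on purpose.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) .*?"
    r"(?P<chain>\w+): in:(?P<in>\S+) out:(?P<out>\S+), "
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Lines 1-3: as posted in the thread. Line 4: constructed healthy line for contrast.
SAMPLE_LOG = """\
00:02:08 echo: firewall,info rdp: nat-paul srcnat: in:(none) out:pppoe-paul, proto UDP, 172.16.21.251:58562->8.8.8.8:53, len 65
00:02:09 echo: firewall,info rdp: rdp forward: in:<pptp-XXX> out:pppoe-paul, proto TCP (SYN), 172.16.21.251:24283->172.16.21.252:3389, len 60
00:02:12 echo: firewall,info rdp: rdp forward: in:<pptp-XXX> out:pppoe-paul, proto TCP (SYN), 172.16.21.251:24283->172.16.21.252:3389, NAT (172.16.21.251:24283->_pppoe-paul_publicIP_:24283)->172.16.21.252:3389, len 60
00:02:20 echo: firewall,info rdp: rdp forward: in:<pptp-XXX> out:ether5, proto TCP (SYN), 172.16.21.251:24284->172.16.21.252:3389, len 60
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the flow fields of one firewall log line, or None for non-flow lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_misrouted(flow: Dict[str, str]) -> bool:
    """A packet for a directly connected LAN address should never leave on a WAN."""
    dst = ipaddress.ip_address(flow["dst"])
    return flow["out"] in WAN_IFACES and any(dst in n for n in LOCAL_NETS)


def find_misrouted(log_text: str) -> List[Dict[str, str]]:
    """All parsable flows in log_text whose LAN destination left via a PPPoE WAN."""
    flows = [f for f in map(parse_line, log_text.splitlines()) if f]
    return [f for f in flows if is_misrouted(f)]


if __name__ == "__main__":
    for f in find_misrouted(SAMPLE_LOG):
        print(f"{f['time']} {f['chain']}: {f['src']} -> {f['dst']}:{f['dport']} left via {f['out']}")
```

Run against the posted lines it reports the two forward entries for 172.16.21.252 and stays quiet about the DNS query to 8.8.8.8, which is supposed to use pppoe-paul. Feed it the log captured during a LAN-side test and an empty result means the policy routing is not involved; any hit means the packet was routed to a WAN before the forward filter saw it.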

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Thu Jan 05, 2017 9:02 am
by bajodel
..[CUT] ..
I have noticed "out:pppoe-paul"; shouldn't it be "out:ether5"? When I tested from the local network with both the workstation and my laptop connected to the same switch, and it was working, I did not pay attention to this. I will try tomorrow to check it.
Absolutely. So double check the logs when you test from the local network.

Probably your conn/packet marking is confusing things. Paste here the /ip route (export|print) and maybe a full export.
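
To make the marking suspicion concrete, here is an added model (mine, not the router's own logic and not part of bajodel's reply) of how the posted prerouting mark-routing rules steer a packet. The subnets, marks and interface names are the thread's; the route tables are my reading of the posted export (connected routes in main, one default route per PPPoE client, one default route per mark table), and the PPTP interface name pptp-paul is assumed. The model reproduces the log: a packet from the PPTP client 172.16.21.251 to 172.16.21.252 is marked lan-paul because it matches src-address=172.16.21.240/28, and in the lan-paul table the only route is the default via pppoe-paul, which wins over the connected route in main. A second rule set shows the same rules with LAN destinations excluded from marking.

```python
"""Model of RouterOS v6 policy routing for this thread's topology.

Added example; not the router's code. Subnets, marks and interface names are
from the thread, the route tables are my reading of the posted export,
and the PPTP interface name is assumed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s)


@dataclass
class Route:
    dst: IPv4Net
    out_iface: str
    table: str = "main"  # "main" or a routing-mark table


@dataclass
class MangleRule:
    """A prerouting mark-routing rule keyed on the source subnet."""
    src: IPv4Net
    routing_mark: str
    # Destinations that are NOT policy-routed (the negation the posted rules lack).
    exclude_dst: List[IPv4Net] = field(default_factory=list)


# Routes implied by the export: connected routes in main, the default routes
# installed by add-default-route=yes, and the two routing-mark tables.
ROUTES = [
    Route(net("192.168.0.0/24"), "bridge-local"),
    Route(net("172.16.21.240/28"), "ether5"),
    Route(net("172.16.21.251/32"), "pptp-paul"),   # PPTP client /32 (interface name assumed)
    Route(net("0.0.0.0/0"), "pppoe-local"),         # active default in main
    Route(net("0.0.0.0/0"), "pppoe-local", "lan-local"),
    Route(net("0.0.0.0/0"), "pppoe-paul", "lan-paul"),
]

LOCAL_NETS = [net("192.168.0.0/24"), net("172.16.21.240/28")]

# Marking exactly as posted: every packet sourced from a LAN gets that LAN's mark.
ORIGINAL_MANGLE = [
    MangleRule(net("192.168.0.0/24"), "lan-local"),
    MangleRule(net("172.16.21.240/28"), "lan-paul"),
]

# Same rules, but packets for LAN destinations are left unmarked.
FIXED_MANGLE = [
    MangleRule(net("192.168.0.0/24"), "lan-local", LOCAL_NETS),
    MangleRule(net("172.16.21.240/28"), "lan-paul", LOCAL_NETS),
]


def select_mark(rules: List[MangleRule], src, dst) -> Optional[str]:
    """First matching prerouting rule wins (the posted rules use passthrough=no)."""
    for r in rules:
        if src in r.src and not any(dst in n for n in r.exclude_dst):
            return r.routing_mark
    return None


def lookup(dst, mark: Optional[str]) -> Optional[str]:
    """Longest-prefix match in the marked table first, then main.

    RouterOS v6 only falls back to main when the marked table has NO matching
    route, so a default route in the marked table beats a connected route in main.
    """
    for table in ([mark] if mark else []) + ["main"]:
        hits = [r for r in ROUTES if r.table == table and dst in r.dst]
        if hits:
            return max(hits, key=lambda r: r.dst.prefixlen).out_iface
    return None


def route_packet(src: str, dst: str, rules: List[MangleRule]) -> Tuple[Optional[str], Optional[str]]:
    """(routing mark, out interface) the router would choose for src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = select_mark(rules, s, d)
    return mark, lookup(d, mark)


if __name__ == "__main__":
    for label, rules in (("posted", ORIGINAL_MANGLE), ("fixed", FIXED_MANGLE)):
        for src, dst in (("172.16.21.251", "172.16.21.252"), ("172.16.21.252", "8.8.8.8")):
            print(label, src, "->", dst, route_packet(src, dst, rules))
```

The FIXED_MANGLE variant corresponds to giving the two mark-packet rules a negated destination match, for instance an address list holding both LANs and dst-address-list=!local-nets (my suggestion, not something the thread has tried). Once LAN-to-LAN packets stay in the main table they reach ether5, and then the forward chain (the "Isolate lans" drops and the explicit accept bajodel suggested) decides whether they pass; until then the forward rules never see the packet on the interface they expect.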

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Sun Jan 08, 2017 10:45 am
by bajodel
@janus20. ..any update?

Re: 2 concurrent PPPoE connections on the same WAN interface

Posted: Mon Jan 09, 2017 10:31 am
by janus20
Hi @bajodel,

Very sorry for the delay, I was away for the last 3 days. I was testing inside the network as I said in my last post, but I could not see anything in the logs. Maybe because both the laptop and the workstation were connected to the same switch and they made a direct connection, not through the MikroTik, or maybe I did not know how to capture it. However, here is what you requested:

I. /export (full config)
# jan/09/2017 10:10:07 by RouterOS 6.38
# software id = QEKX-Y5VI
#
/interface bridge
add comment="BRIDGE LAN LOCAL " name=bridge-local protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment="WAN RDS - PPPOE1 + PPPOE2"
set [ find default-name=ether2 ] comment="LAN LOCAL - TpLINK AC50 ( switch only )"
set [ find default-name=ether3 ] comment="LAN LOCAL - free"
set [ find default-name=ether4 ] comment="LAN LOCAL - free"
set [ find default-name=ether5 ] arp=proxy-arp comment=\
    "Paul Workstation"
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-local \
    password=XXXX user=YYYYYY
add add-default-route=yes disabled=no interface=ether1 name=pppoe-paul \
    password=XXXX user=YYYYYY
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.150
add name=pool-paul ranges=172.16.21.240-172.16.21.250
add name=pool-pptp-paul ranges=172.16.21.251
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=1h name=\
    dhcp-local
add address-pool=pool-paul disabled=no interface=ether5 lease-time=1h name=\
    dhcp-paul
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=172.16.21.254 name=pptp-paul-in \
    only-one=yes remote-address=pool-pptp-paul use-encryption=required \
    use-upnp=no
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
/ip settings
set allow-fast-path=no rp-filter=loose tcp-syncookies=yes
/interface pptp-server server
set default-profile=pptp-paul-in enabled=yes max-mru=1480 max-mtu=1480
/ip address
add address=192.168.0.254/24 interface=bridge-local network=192.168.0.0
add address=172.16.21.254/28 interface=ether5 network=172.16.21.240
/ip dhcp-server network
add address=172.16.21.240/28 dns-server=213.154.124.1,8.8.8.8 gateway=\
    172.16.21.254 netmask=28
add address=192.168.0.0/24 dns-server=213.154.124.1,8.8.8.8 gateway=\
    192.168.0.254 netmask=24
/ip dns
set cache-size=4096KiB servers=213.154.124.1,8.8.8.8
/ip firewall filter
add chain=input comment="Accept established connections" connection-state=\
    established
add chain=input comment="Accept related connections" connection-state=\
    related,new
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=accept chain=input comment=UDP protocol=udp
add action=fasttrack-connection chain=forward comment="Accept fasttracking" \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment="Access winbox local lan" dst-port=XXXX \
    in-interface=bridge-local protocol=tcp
add action=accept chain=input comment="Access winbox PPPOE PAUL" dst-port=XXXX \
    in-interface=pppoe-paul protocol=tcp
add action=accept chain=input comment="PPTP Paul" dst-port=1723 in-interface=\
    pppoe-paul log=yes log-prefix=pptp-paul protocol=tcp
add action=accept chain=input comment="Accept ping from outside" \
    in-interface=pppoe-paul log=yes log-prefix=ping protocol=icmp
add action=drop chain=forward comment=\
    "Isolate lans" dst-address=\
    172.16.21.240/28 in-interface=bridge-local log=yes out-interface=ether5 \
    src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 in-interface=ether5 \
    log=yes out-interface=bridge-local src-address=172.16.21.240/28
add action=log chain=forward comment=\
    "Block port 25 - smtp virus" dst-address=0.0.0.0 \
    dst-port=25 log=yes log-prefix=spam-virus protocol=tcp src-address=\
    172.16.21.240/28
add action=log chain=forward dst-address=0.0.0.0 dst-port=25 log=yes \
    log-prefix=spam-virus protocol=tcp src-address=192.168.0.0/24
add action=drop chain=forward dst-address=0.0.0.0 dst-port=25 in-interface=\
    pppoe-paul log=yes log-prefix=smtp-virus protocol=tcp src-address=\
    172.16.21.240/28
add action=drop chain=forward dst-address=0.0.0.0 dst-port=25 in-interface=\
    pppoe-local log=yes log-prefix=smtp-virus protocol=tcp src-address=\
    192.168.0.0/24
add action=drop chain=input comment=\
    "Prevent dns request from outside - pppoe paul" dst-port=53 \
    in-interface=pppoe-paul protocol=tcp
add action=drop chain=input dst-port=53 in-interface=pppoe-paul protocol=udp
add action=drop chain=input comment=\
    "Prevent dns request from outside - pppoe local" dst-port=53 \
    in-interface=pppoe-local protocol=tcp
add action=drop chain=input dst-port=53 in-interface=pppoe-local protocol=udp
add action=log chain=input comment="Log everything else" log-prefix=\
    "DROP INPUT"
add action=drop chain=input comment="Drop everything else"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark packets for LAN local" \
    log-prefix=mark-local new-packet-mark=lan-local passthrough=yes \
    src-address=192.168.0.0/24
add action=mark-packet chain=prerouting comment=\
    "Mark packets for Paul lan/workstation" log-prefix=mark-paul new-packet-mark=\
    lan-paul passthrough=yes src-address=172.16.21.240/28
add action=mark-routing chain=prerouting comment=\
    "Send packets to right routing table - LAN local" log-prefix=mrt-local \
    new-routing-mark=lan-local packet-mark=lan-local passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Send packets to right routing table - Paul lan/workstation" log-prefix=\
    mrt-paul new-routing-mark=lan-paul packet-mark=lan-paul passthrough=no
add action=mark-connection chain=output comment=\
    "Mark packets PPPOE on output" connection-mark=no-mark \
    log-prefix=output-local new-connection-mark=lan-local out-interface=\
    pppoe-local passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark log-prefix=\
    output-paul new-connection-mark=lan-paul out-interface=pppoe-paul \
    passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT local lan" log=yes \
    log-prefix=nat-local out-interface=pppoe-local src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="NAT Paul lan" log=yes \
    log-prefix=nat-paul out-interface=pppoe-paul src-address=172.16.21.240/28
add action=masquerade chain=srcnat comment=\
    "Hairpin NAt for pptp PPTP" log=yes log-prefix=hairpin \
    out-interface=ether5 src-address=172.16.21.251
/ip route
add check-gateway=ping distance=1 gateway=pppoe-local routing-mark=lan-local
add check-gateway=ping distance=2 gateway=pppoe-paul routing-mark=lan-paul
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=YYYY
set ssh disabled=yes
set winbox port=XXX
/ppp secret
add name=XXX password=YYYY profile=pptp-paul-in service=pptp
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=gw-BFY
/system logging
add action=disk disabled=yes prefix=rdp topics=firewall
add action=disk disabled=yes prefix=nat-paul topics=firewall
add action=disk disabled=yes topics=firewall
/system routerboard settings
# Warning: memory overclocked
set memory-frequency=1200DDR
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=pppoe-local
add interface=pppoe-paul
/tool sniffer
set filter-interface=ether5


II. /ip route ( export|print )
/ip route export
# jan/09/2017 10:12:52 by RouterOS 6.38
# software id = QEKX-Y5VI
#
/ip route
add check-gateway=ping distance=1 gateway=pppoe-local routing-mark=lan-local
add check-gateway=ping distance=2 gateway=pppoe-paul routing-mark=lan-paul
/ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pppoe-local               1
 1 A S  0.0.0.0/0                          pppoe-paul                2
 2 ADS  0.0.0.0/0                          10.0.0.1                  0
 3  DS  0.0.0.0/0                          10.0.0.1                  0
 4 ADC  10.0.0.1/32        84.232.X.X   pppoe-local               0
                                           pppoe-paul        
 5 ADC  172.16.21.240/28   172.16.21.254   ether5                    0
 6 ADC  192.168.0.0/24     192.168.0.254   bridge-local              0
Thank you very much for your time.

kind regards,

Re: 2 concurrent pppoe connections on the same wan interface

Posted: Thu Jan 12, 2017 10:51 am
by janus20
Hi @bajodel,

Have you got a little spare time to look over my config? Is there any info you'd need?

Thank you very much for your time, once again.

kind regards,

Re: 2 concurrent pppoe connections on the same wan interface

Posted: Sat Jan 14, 2017 3:17 pm
by bajodel
(Safely backup your config and) try this:
/ip route
add dst-address=172.16.21.240/28 gateway=172.16.21.254 routing-mark=lan-paul
..and also notice that IMHO you have errors in your "/ip firewall filter" (I've split your forward/input chains but kept YOUR original order):
{01}  add chain=input comment="Accept established connections" connection-state=established
{02}  add chain=input comment="Accept related connections" connection-state=related,new
{03}  add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
{04}  add action=accept chain=input comment=UDP protocol=udp
{05}  add action=accept chain=input comment="Acces winbox local lan" dst-port=XXXX in-interface=bridge-local protocol=tcp
{06}  add action=accept chain=input comment="Acces winbox PPPOE PAUL" dst-port=XXXX in-interface=pppoe-paul protocol=tcp
{07}  add action=accept chain=input comment="PPTP Paul" dst-port=1723 in-interface=pppoe-paul log=yes log-prefix=pptp-paul protocol=tcp
{08}  add action=accept chain=input comment="Accept ping from outside" in-interface=pppoe-paul log=yes log-prefix=ping protocol=icmp
{09}  add action=drop chain=input comment="Prevent dns request from outside - pppoe paul" dst-port=53 in-interface=pppoe-paul protocol=tcp
{10}  add action=drop chain=input dst-port=53 in-interface=pppoe-paul protocol=udp
{11}  add action=drop chain=input comment="Prevent dns request from outside - pppoe local" dst-port=53 in-interface=pppoe-local protocol=tcp
{12}  add action=drop chain=input dst-port=53 in-interface=pppoe-local protocol=udp
{13}  add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
{14}  add action=drop chain=input comment="Drop everything else"
- On {02} you have [connection-state=related,new] ..I think you should have [connection-state=related] only, or better remove {02} and edit {01} to [connection-state=established,related]
- On {04} you are accepting ALL UDP protocol; on {10/12} you try to block UDP/DNS packets from outside but you have already accepted them on {04}. Remove {04}, adapting your config, or move {04} below {13} (just before drop everything else).

{01}  add action=fasttrack-connection chain=forward comment="Aceptare fasttracking" connection-state=established,related
{02}  add action=accept chain=forward connection-state=established,related
{03}  add action=drop chain=forward comment="Isolate lans" dst-address=172.16.21.240/28 in-interface=bridge-local log=yes out-interface=ether5 src-address=192.168.0.0/24
{04}  add action=drop chain=forward dst-address=192.168.0.0/24 in-interface=ether5 log=yes out-interface=bridge-local src-address=172.16.21.240/28
{05}  add action=log chain=forward comment="Block port 25 - smtp virus" dst-address=0.0.0.0 dst-port=25 log=yes log-prefix=spam-virus protocol=tcp src-address=172.16.21.240/28
{06}  add action=log chain=forward dst-address=0.0.0.0 dst-port=25 log=yes log-prefix=spam-virus protocol=tcp src-address=192.168.0.0/24
{07}  add action=drop chain=forward dst-address=0.0.0.0 dst-port=25 in-interface=pppoe-paul log=yes log-prefix=smtp-virus protocol=tcp src-address=172.16.21.240/28
{08}  add action=drop chain=forward dst-address=0.0.0.0 dst-port=25 in-interface=pppoe-local log=yes log-prefix=smtp-virus protocol=tcp src-address=192.168.0.0/24
- Disable {01} (and reboot the router) - Fasttracked packets bypass the firewall and so they cannot be marked
- maybe add between {02} and {03} a rule dropping invalid >> [add action=drop chain=forward connection-state=invalid]


Good luck and have a nice day!
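To make the ordering problems in the reply above concrete, here is an added example (my own code, not from the thread and not RouterOS): a first-match evaluator over a simplified copy of the posted input chain. It assumes the RouterOS default winbox port 8291 where the post masks the port as XXXX, reduces the chain to the rules that matter for the point, and applies the reply's corrections as "merge {01}/{02} into established,related" plus "restrict the blanket UDP accept to the LAN side and move it just above the final drop" (the "adapt your config" option).

```python
# Added example (not from the thread or RouterOS): a first-match evaluator
# for a simplified input chain, used to show why rule order matters.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

WINBOX_PORT = 8291  # RouterOS default; the post masks the real port as XXXX


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    dst_port: Optional[int]
    in_iface: str
    conn_state: str         # "new", "established", "related" or "invalid"


@dataclass(frozen=True)
class Rule:
    action: str             # "accept", "drop" or "log" (log does not terminate)
    comment: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    conn_state: Optional[FrozenSet[str]] = None

    def matches(self, p: Packet) -> bool:
        # Every matcher that is set must agree; unset matchers are wildcards.
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.in_iface is None or self.in_iface == p.in_iface)
                and (self.conn_state is None or p.conn_state in self.conn_state))


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the chain top to bottom; the first terminating rule decides."""
    for rule in chain:
        if rule.matches(p):
            if rule.action == "log":
                continue            # log is non-terminating, keep walking
            return rule.action, rule.comment
    return "accept", "end of chain (RouterOS default policy)"


S = frozenset  # shorthand for connection-state sets

# Constructed: the posted input chain, reduced to the relevant rules and
# kept in the poster's original order (numbers as in the reply above).
ORIGINAL = [
    Rule("accept", "{01} established", conn_state=S({"established"})),
    Rule("accept", "{02} related,new", conn_state=S({"related", "new"})),
    Rule("drop", "{03} invalid", conn_state=S({"invalid"})),
    Rule("accept", "{04} UDP", proto="udp"),
    Rule("accept", "{05} winbox LAN", proto="tcp", dst_port=WINBOX_PORT, in_iface="bridge-local"),
    Rule("drop", "{10} dns udp pppoe-paul", proto="udp", dst_port=53, in_iface="pppoe-paul"),
    Rule("drop", "{12} dns udp pppoe-local", proto="udp", dst_port=53, in_iface="pppoe-local"),
    Rule("log", "{13} log everything else"),
    Rule("drop", "{14} drop everything else"),
]

# Constructed: the same chain with the corrections applied: {01}+{02} merged
# as established,related; the UDP accept limited to the LAN interface and
# moved below the DNS drops, just above the final drop.
REVISED = [
    Rule("accept", "established,related", conn_state=S({"established", "related"})),
    Rule("drop", "invalid", conn_state=S({"invalid"})),
    Rule("accept", "winbox LAN", proto="tcp", dst_port=WINBOX_PORT, in_iface="bridge-local"),
    Rule("drop", "dns udp pppoe-paul", proto="udp", dst_port=53, in_iface="pppoe-paul"),
    Rule("drop", "dns udp pppoe-local", proto="udp", dst_port=53, in_iface="pppoe-local"),
    Rule("accept", "UDP from LAN only", proto="udp", in_iface="bridge-local"),
    Rule("log", "log everything else"),
    Rule("drop", "drop everything else"),
]

# Constructed sample packets arriving at the router itself (input chain)
DNS_FROM_WAN = Packet("udp", 53, "pppoe-paul", "new")
NTP_FROM_WAN = Packet("udp", 123, "pppoe-local", "new")
WINBOX_FROM_LAN = Packet("tcp", WINBOX_PORT, "bridge-local", "new")
SSH_FROM_WAN = Packet("tcp", 22, "pppoe-paul", "new")
REPLY_FROM_WAN = Packet("tcp", 443, "pppoe-paul", "established")


def verdicts(chain: List[Rule]) -> dict:
    """Final action for each sample packet, keyed by a short name."""
    samples = {"dns_wan": DNS_FROM_WAN, "ntp_wan": NTP_FROM_WAN,
               "winbox_lan": WINBOX_FROM_LAN, "ssh_wan": SSH_FROM_WAN,
               "reply_wan": REPLY_FROM_WAN}
    return {name: evaluate(chain, pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, verdicts(chain))
```

Run as is, the original chain accepts every sample, including the new DNS and SSH connections from the pppoe side, because {02} matches connection-state=new before any drop is reached; {04} would do the same for UDP even if {02} were fixed. The revised chain only lets established/related traffic and the explicitly allowed services through, and the DNS drops finally see the packets they were written for.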

Re: 2 concurrent pppoe connections on the same wan interface

Posted: Sun Jan 15, 2017 9:56 pm
by janus20
Hi @bajodel,

First of all thank you very much for your inputs.
Second, I have read all your instructions and implemented them. It still does not work after I have successfully connected via PPTP. Here are some logs:

I. after adding the static route (in the route list window it says "unreachable", but in the terminal I did not see any "U" flag in front of it):
/ip route
add dst-address=172.16.21.240/28 gateway=172.16.21.254 routing-mark=lan-paul
my routing table looks like this:
 /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pppoe-local               1
 1 A S  0.0.0.0/0                          pppoe-paul                2
 2   S  ;;; Add static route for LAN-PAUL
        172.16.21.240/28                   172.16.21.254             1
 3 ADS  0.0.0.0/0                          10.0.0.1                  0
 4  DS  0.0.0.0/0                          10.0.0.1                  0
 5 ADC  10.0.0.1/32        84.232.XXX.XXX   pppoe-local               0
                                           pppoe-paul        
 6 ADC  172.16.21.240/28   172.16.21.254   ether5                    0
 7 ADC  172.16.21.251/32   172.16.21.254   <pptp-XXXX>          0
 8 ADC  192.168.0.0/24     192.168.0.254   bridge-local              0
Trying to ping the RDP workstation (which gives me "Request timed out", but from the mikrotik router it responds to ping) or connect via RDP:
...
Jan/15/2017 21:20:08 firewall,info nat-paul srcnat: in:(none) out:pppoe-paul, proto TCP (SYN), 172.16.21.251:23828->172.16.21.252:3389, len 56
...
Jan/15/2017 21:20:25 firewall,info nat-paul srcnat: in:(none) out:pppoe-paul, proto ICMP (type 8, code 0), 172.16.21.251->172.16.21.252, len 60
...
I guess my pptp ip, 172.16.21.251, still obeys rule #7 instead of #2.

II. I have even tried to modify your static route, but instead of using gateway 172.16.21.254 I used ether5, like:
/ip route
add dst-address=172.16.21.240/28 gateway=ether5 routing-mark=lan-paul
Although it says "reachable", I still can not ping or connect via RDP:
Jan/15/2017 21:21:51 firewall,info hairpin srcnat: in:(none) out:ether5, proto ICMP (type 8, code 0), 172.16.21.251->172.16.21.252, len 60
Jan/15/2017 21:21:59 firewall,info hairpin srcnat: in:(none) out:ether5, proto TCP (SYN), 172.16.21.251:23858->172.16.21.252:3389, len 60
* Note: the "hairpin" prefix refers to this rule from the NAT filter (I have tried with it disabled/enabled but no difference):
/ip firewall nat
add action=masquerade chain=srcnat comment="NAt PPTP" out-interface=ether5 src-address=172.16.21.251
Thank you for your patience.

kind regards,

Re: 2 concurrent pppoe connections on the same wan interface

Posted: Thu Jan 19, 2017 10:05 pm
by bajodel
It's too hard to solve in this way, you need to test more with the help of torch and log.
In your place I would try to simplify the setup (maybe starting from blank config); surely you have some oddness in the marking/routing stuff but it's hard to work reading export lines w/o the possibility to directly interact with debug tools.

Re: 2 concurrent pppoe connections on the same wan interface

Posted: Thu Jan 19, 2017 11:33 pm
by janus20
Hi @bajodel,

I see. I will try what you have suggested and come back with results.

Thank you very much.

kind regards,

[SOLVED] 2 concurrent pppoe connections on the same wan interface

Posted: Mon Jan 30, 2017 10:08 pm
by janus20
hi,

I have just solved the problem with help from mikrotik support (I have just written them an e-mail). The magic phrase from Mr. Janis M. was:
If you still insist on using tunnels, use different IP range and exclude them from policy routing.

Best regards,
Janis M.
So I have decided to leave policy routing as is, although I think I may refine my mangle rules, and tried what Mr. Janis suggested:
1. created a new bridge (bridge-paul) with ARP: proxy-arp;
2. assigned a new ip address to bridge-paul: 10.100.100.254/24;
3. included ether5 in the new bridge created;
4. changed the pptp-pool ip range from 172.16.21.240/28 to the 10.100.100.0/24 range (10.100.100.10-10.100.100.20);
5. added an alias from the 10.100.100.0/24 range to the workstation that I needed to connect to via RDP after PPTP in: 10.100.100.253/24;
6. masqueraded the 10.100.100.0/24 range to out-interface: pppoe-paul;
7. after I connected via PPTP and received an ip address from the 10.100.100.10-20 range I was finally able to connect via RDP to the local workstation (10.100.100.253).

Thank you very much @bajodel for your patience and inputs, and also the mikrotik support team, which always responds quickly and accurately by email to my open tickets.

kind regards,
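The logs earlier in the thread (srcnat out:pppoe-paul for 172.16.21.251 -> 172.16.21.252) and the "different IP range, excluded from policy routing" fix both follow from how a routing-mark table is consulted. The following is an added example, my own code and not from the thread or RouterOS: a simplified model of the posted mangle marks and routing tables. It assumes RouterOS v6 lookup semantics (the marked table is searched first and main is used only when the marked table has no matching route), reduces each table to the routes shown in the posted "/ip route print", and names the new bridge bridge-paul as in the final post.

```python
# Added example (not from the thread or RouterOS): a simplified model of
# policy routing as configured in the export above. Assumptions: v6-style
# lookup (marked table first, main as fallback only when nothing matches),
# and routes reduced to those visible in the posted "/ip route print".
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed from the posted mangle rules: src-address -> routing-mark
MANGLE_MARKS = [
    (ip_network("192.168.0.0/24"), "lan-local"),
    (ip_network("172.16.21.240/28"), "lan-paul"),
]

Route = Tuple[str, str]          # (dst-address, gateway or interface)
Tables = Dict[str, List[Route]]

# Constructed from the posted route print: the marked tables hold only a
# default route each; the connected routes live in main.
TABLES: Tables = {
    "main": [("0.0.0.0/0", "pppoe-local"),
             ("172.16.21.240/28", "ether5"),
             ("192.168.0.0/24", "bridge-local")],
    "lan-local": [("0.0.0.0/0", "pppoe-local")],
    "lan-paul": [("0.0.0.0/0", "pppoe-paul")],
}


def routing_mark(src: str) -> Optional[str]:
    """The first mangle rule whose src-address matches sets the mark."""
    for net, mark in MANGLE_MARKS:
        if ip_address(src) in net:
            return mark
    return None                  # no mark: plain main-table lookup


def lookup(tables: Tables, table: str, dst: str) -> Optional[str]:
    """Longest-prefix match inside a single routing table."""
    best = None
    for dst_net, via in tables.get(table, []):
        net = ip_network(dst_net)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def egress(tables: Tables, src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """(routing-mark, outgoing interface) chosen for a packet src -> dst."""
    mark = routing_mark(src)
    if mark is not None:
        via = lookup(tables, mark, dst)
        if via is not None:      # the marked table's default route wins here
            return mark, via
    return mark, lookup(tables, "main", dst)


def with_route(tables: Tables, table: str, dst_net: str, via: str) -> Tables:
    """Copy of the tables with one extra route, like `/ip route add`."""
    new = {name: list(routes) for name, routes in tables.items()}
    new.setdefault(table, []).append((dst_net, via))
    return new


# The final fix as this model sees it: the tunnel pool moves to
# 10.100.100.0/24, which no mangle rule matches, so those packets are
# never marked and the connected route of bridge-paul in main is used.
FIXED = with_route(TABLES, "main", "10.100.100.0/24", "bridge-paul")

if __name__ == "__main__":
    # PPTP client in the old pool: marked lan-paul, default route -> WAN
    print(egress(TABLES, "172.16.21.251", "172.16.21.252"))   # ('lan-paul', 'pppoe-paul')
    # bajodel's suggestion: connected route copied into the lan-paul table
    print(egress(with_route(TABLES, "lan-paul", "172.16.21.240/28", "ether5"),
                 "172.16.21.251", "172.16.21.252"))           # ('lan-paul', 'ether5')
    # the final fix: tunnel range outside every mangle match
    print(egress(FIXED, "10.100.100.10", "10.100.100.253"))   # (None, 'bridge-paul')
```

The first case reproduces the posted log line: the tunnel client's address falls inside 172.16.21.240/28, so it is marked lan-paul, and the only route in that table is the default via pppoe-paul, which is why LAN-bound RDP and ping left through the WAN. Either giving the marked table its own connected route or, as support suggested, keeping the tunnel range outside every mangle match sends that traffic back to the local interface.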

Re: [SOLVED] 2 concurrent pppoe connections on the same wan interface

Posted: Sat Nov 10, 2018 5:33 pm
by stefanelul2000
So I'm reviving this post. I have read and done most of it. I have access to the internet from both dhcp-pools but I can't access the 2 local networks from each other. I mean I can't access any device on 192.168.200.0/24 from 192.168.88.0/24. What's more I can't access my GRE tunnel from local lan (192.168.88.0/24)

IP Routes Export
add distance=1 dst-address=192.168.100.0/24 gateway=172.22.22.1

If I add routing mark local-lan on the gre tunnel I can get ping but nothing more.

How can I achieve a running connection with 2 pppoe connections and the gre tunnel?