same config but different routing issue

Posted: Mon Apr 10, 2017 2:38 pm
by suszi
Hi
I have two client routers configured for site-to-site access (engineers at the office can connect to devices installed on client sites).
On the main site there is an SSTP server; both client routers are configured to connect over a 4G LTE modem (PPP protocol) and an SSTP-type VPN.
On site 1 it is possible to ping the connected devices; on site 2 it is not.
The difference is that on site 1 the hardware is an RB951Ui-2HnD and on site 2 the hardware is an RB951Ui-2nD. Same firmware, same software version.

I have no idea what is wrong...

the configuration scripts:
site1
# apr/10/2017 13:27:38 by RouterOS 6.38.5
# software id = 5SVQ-YCPK
#
/interface bridge
add admin-mac=6C:3B:6B:E3:79:3E name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=poland disabled=no frequency=auto mode=ap-bridge ssid=**** wireless-protocol=802.11
/ip neighbor discovery
set ether1-wan discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=**** wpa2-pre-shared-key=****
/ip pool
add name=dhcp ranges=192.168.118.100-192.168.118.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/port
set 0 name=usb1
/interface ppp-client
add apn=internet dial-on-demand=no disabled=no name=ppp-out1 port=usb1
/interface sstp-client
add authentication=mschap2 connect-to=**** disabled=no mrru=1600 name=sstp-out1 password=**** profile=default-encryption tls-version=only-1.2 user=**** \
    verify-server-certificate=yes
/interface bridge port
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.118.1/24 interface=ether2-master network=192.168.118.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip dhcp-server network
add address=192.168.118.0/24 gateway=192.168.118.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan
add action=masquerade chain=srcnat out-interface=ppp-out1
/ip route
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.2.254
add distance=1 dst-address=192.168.11.0/24 gateway=192.168.2.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=****
/system ntp client
set enabled=yes server-dns-names=tempus1.gum.gov.pl,tempus2.gum.gov.pl
/system routerboard settings
set init-delay=0s
site2
# apr/10/2017 13:27:35 by RouterOS 6.38.5
# software id = MD8S-ESJH
#
/interface bridge
add admin-mac=6C:3B:6B:50:0E:76 auto-mac=no comment=defconf name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=poland disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=**** wireless-protocol=802.11
/ip neighbor discovery
set ether1-wan discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=**** wpa2-pre-shared-key=****
/ip pool
add name=dhcp ranges=192.168.117.100-192.168.117.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=defconf
/port
set 0 name=usb1
/interface ppp-client
add apn=internet dial-on-demand=no disabled=no name=ppp-out1 port=usb1
/interface sstp-client
add authentication=mschap2 connect-to=**** disabled=no name=sstp-out1 password=**** profile=default-encryption tls-version=only-1.2 user=**** \
    verify-server-certificate=yes
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2-master
add bridge=bridge1 comment=defconf interface=wlan1
/ip address
add address=192.168.117.1/24 interface=ether2-master network=192.168.117.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip dhcp-server network
add address=192.168.117.0/24 gateway=192.168.117.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-out1
add action=masquerade chain=srcnat out-interface=ether1-wan
/ip route
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.2.254
add distance=1 dst-address=192.168.11.0/24 gateway=192.168.2.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=****
/system leds
set 5 interface=wlan1
/system ntp client
set enabled=yes server-dns-names=tempus1.gum.gov.pl,tempus2.gum.gov.pl
/system routerboard settings
set init-delay=0s

Re: same config but different routing issue

Posted: Mon Apr 10, 2017 5:50 pm
by Plutone
The issue is the masquerade rules being in a different order. You're masquerading site1 behind ether1-wan and site2 behind ppp-out1.

site1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan
add action=masquerade chain=srcnat out-interface=ppp-out1

site2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-out1
add action=masquerade chain=srcnat out-interface=ether1-wan

Re: same config but different routing issue

Posted: Tue Apr 11, 2017 2:52 pm
by suszi
I don't think so; the WAN port is not used in either case...
I've changed the order and it's still the same issue :-/

Re: same config but different routing issue

Posted: Tue Apr 11, 2017 3:50 pm
by tangram
Can you post the routing table of both routers?

Re: same config but different routing issue

Posted: Wed Apr 12, 2017 3:39 pm
by suszi
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.112.112.137            0
 1 ADC  10.112.112.137/32  100.119.157.77  ppp-out1                  0
 2 ADC  192.168.2.254/32   192.168.11.218  sstp-out1                 0
 3 A S  192.168.10.0/24                    192.168.2.254             1
 4 A S  192.168.11.0/24                    192.168.2.254             1
 5 ADC  192.168.118.0/24   192.168.118.1   bridge1                   0
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.118.1/24   192.168.118.0   ether2-master
 1 D 100.119.157.77/32  10.112.112.137  ppp-out1
 2 D 192.168.11.218/32  192.168.2.254   sstp-out1

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.112.112.124            0
 1 ADC  10.112.112.124/32  100.118.182.19  ppp-out1                  0
 2 ADC  192.168.2.254/32   192.168.11.217  sstp-out1                 0
 3 A S  192.168.10.0/24                    192.168.2.254             1
 4 A S  192.168.11.0/24                    192.168.2.254             1
 5 ADC  192.168.117.0/24   192.168.117.1   bridge1                   0
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.117.1/24   192.168.117.0   ether2-master
 1 D 100.118.182.19/32  10.112.112.124  ppp-out1
 2 D 192.168.11.217/32  192.168.2.254   sstp-out1

Re: same config but different routing issue

Posted: Fri Apr 14, 2017 10:57 am
by tangram
Have you checked the server? Maybe there's a route missing to your second site - 192.168.117.0/24.

Do traceroutes from both sites, compare them and see at which last hop it gets stuck.

Re: same config but different routing issue

Posted: Fri Apr 14, 2017 12:10 pm
by suszi
It gets stuck on the sstp interface on the client side (192.168.11.217).

Re: same config but different routing issue

Posted: Sat Apr 15, 2017 10:02 am
by tangram
Shouldn't you have routes for 192.168.117.0/24 and 192.168.118.0/24 with gw 192.168.2.254 on client 1 and 2?
There's something else I don't understand:

5 ADC 192.168.118.0/24 192.168.118.1 bridge1 0
and
0 192.168.118.1/24 192.168.118.0 ether2-master

Isn't the IP supposed to go on interface bridge1 instead of ether2? I mean, if you bridge ports you set the IP on the bridge, not on the member ports.