UnLe
just joined
Topic Author
Posts: 2
Joined: Mon Jul 02, 2018 8:25 am

Working with an external "black box"

Mon Jul 02, 2018 9:37 am

Hello,
I'm trying to accomplish a non-standard setup and having trouble doing so.
My company has a "black box" which is our FRONT router. It is a box that routes traffic through a VPN channel. It connects to the WAN by PPPoE and has a local LAN port with address 192.168.1.1
I'm trying to place a RouterBOARD 750G r3 as my new FRONT router. It should connect to the WAN by that same PPPoE and provide one LAN port for company users and one GUEST Access-Point port. Then I would like to continue using my old "black box" by using 2 additional ports of the new FRONT router and routing TO and FROM it.
I want to have a destination address list which will BYPASS the VPN-BOX (and be routed directly to the WAN) and whatever doesn't match with that list will be routed to the VPN-BOX, then back into the new FRONT router and then to the WAN.

For test purposes I've defined 8.8.4.4 in my "BYPASS" address list so I could ping it and make sure it works. All other destinations should now be routed through the VPN-BOX.
I have not used any "Connection Marks" in this setup as I plan to use those for another purpose later. If I understand correctly, I might run into a CPU overload problem later on, with many users and many addresses in my "BYPASS" list. I wanted to leave that for a second step.

My current status is that the VPN-BOX is communicating well through the new router, but the communication from my LAN port is not being routed anywhere. Here is my configuration and any suggestions and comments would be appreciated.
# jun/30/2018 06:00:15 by RouterOS 6.41
# software id = S8JB-PA9X
#
# model = RouterBOARD 750G r3
#
# Export of the new FRONT router. Intended flow, as described in the post:
#   LAN / guests -> (dst NOT in "Bypass VPN") -> ether3_TO-VPN -> VPN box (192.168.1.1)
#                -> PPPoE session back in on ether4_FROM-VPN -> pppoe-out1
#   LAN / guests -> (dst in "Bypass VPN")     -> pppoe-out1 directly
# The steering is done with routing marks (Directly-Out / To-VPN) set in
# /ip firewall mangle and matched by the marked routes in /ip route.
# Sections are in export order, so references resolve top-down.

/interface bridge
# Company LAN bridge. auto-mac=no plus admin-mac pins the bridge MAC so it does
# not change when ports are added or removed.
add admin-mac=CC:2D:E0:17:C2:65 auto-mac=no comment=defconf name=\
    Bridge_LAN-Company

/interface ethernet
# Port roles are encoded in the names: 1=WAN, 2=company LAN, 3=toward the VPN
# box, 4=return path from the VPN box, 5=guest Wi-Fi / hotspot.
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN-Company
set [ find default-name=ether3 ] name=ether3_TO-VPN
set [ find default-name=ether4 ] name=ether4_FROM-VPN
set [ find default-name=ether5 ] name=ether5_WiFi-Guests

/interface pppoe-client
# Upstream PPPoE session on ether1_WAN (credentials redacted in the post).
# Every Internet egress, bypassed or after the VPN box, leaves via pppoe-out1.
add disabled=no interface=ether1_WAN name=pppoe-out1 password=xxxxx \
    use-peer-dns=yes user=xxxxx

/interface pppoe-server
# NOTE(review): a static pppoe-in1 entry with empty service and user looks like
# a leftover; the PPPoE server actually in use is defined under
# "/interface pppoe-server server" below. Confirm it can be removed.
add name=pppoe-in1 service="" user=""

/interface list
# defconf interface lists; membership is assigned under "/interface list member".
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
# Two profiles. The default one points at 10.255.0.1 (the guest-port address
# below); the "hotspot" profile -- the one the server uses -- points at 10.5.50.1.
# NOTE(review): 10.5.50.1 is not configured on any interface in this export
# (ether5_WiFi-Guests carries 10.255.0.1/16); confirm which address is intended.
set [ find default=yes ] dns-name=xxx.xxx.xxx hotspot-address=10.255.0.1 \
    html-directory=flash/hotspot
add dns-name=xxx.xxx.xxx hotspot-address=10.5.50.1 html-directory=\
    flash/hotspot name=hotspot

/ip hotspot
# Captive portal on the guest port, using the "hotspot" profile above.
add disabled=no idle-timeout=none interface=ether5_WiFi-Guests name=\
    "Guest HS" profile=hotspot

/ip pool
# Company pool lives inside 10.0.0.0/16 (bridge), guest pool inside
# 10.255.0.0/16 (ether5). "PPPoE Pool" is handed to the VPN box when it dials
# in on ether4 (see /ppp profile).
add name="Company Pool" ranges=10.0.10.1-10.0.255.254
add name="Guests Pool" ranges=10.255.0.10-10.255.255.254
add name="PPPoE Pool" ranges=172.16.0.10-172.16.0.254

/ip dhcp-server
# lease-time=5m is very short (clients renew roughly every 2.5 minutes).
add add-arp=yes address-pool="Company Pool" disabled=no interface=Bridge_LAN-Company \
    lease-time=5m name="Company Users"
add add-arp=yes address-pool="Guests Pool" authoritative=after-2sec-delay \
    disabled=no interface=ether5_WiFi-Guests lease-time=5m name="Guests DHCP"

/ip hotspot user profile
# The hotspot applies incoming/outgoing-packet-mark to each logged-in user's
# traffic so queues can match on them; no /queue section is present in this
# export, so nothing consumes the marks yet. rate-limit on "guests profile"
# is the only shaping visible here.
set [ find default=yes ] address-pool="Guests Pool" incoming-packet-mark=\
    High-Speed insert-queue-before=first outgoing-packet-mark=High-Speed \
    shared-users=unlimited transparent-proxy=yes
add address-pool="Guests Pool" incoming-packet-mark="Guest Download" \
    insert-queue-before=first name="guests profile" outgoing-packet-mark=\
    "Guest Upload" rate-limit=40M/40M shared-users=20

/ppp profile
# Profile for the VPN box's PPPoE session into ether4: local end 172.16.0.1,
# peer address from "PPPoE Pool"; address-list=Priority puts the peer's
# address into the "Priority" address list while the session is up.
add address-list=Priority local-address=172.16.0.1 name="From VPN" \
    remote-address="PPPoE Pool"

/interface bridge port
# Only ether2 is bridged; the guest port stays a separate L3 segment.
add bridge=Bridge_LAN-Company comment=defconf interface=ether2_LAN-Company

/interface bridge settings
# Bridged traffic is also run through the IP firewall.
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

/interface list member
# ether3_TO-VPN counts as WAN (it faces the VPN box). The guest port is in
# LAN, so every rule keyed on in-interface-list=LAN (the To-VPN mangle rule
# below) applies to guest traffic as well.
add interface=Bridge_LAN-Company list=LAN
add interface=ether3_TO-VPN list=WAN
add interface=ether5_WiFi-Guests list=LAN
add interface=pppoe-out1 list=WAN
add interface=ether2_LAN-Company list=LAN

/interface pppoe-server server
# Return path: the VPN box dials a PPPoE session into this router on ether4.
# The resulting pppoe-in interface is dynamic, so it cannot be referenced by
# a fixed name in firewall rules (see the *F00000 reference in mangle below).
add disabled=no interface=ether4_FROM-VPN service-name="From VPN"

/ip address
# 192.168.1.3 faces the VPN box's LAN port (192.168.1.1).
# NOTE(review): the static 172.16.1.1/24 on ether1_WAN sits next to a DHCP
# client on the same port and the PPPoE session; confirm it is still needed.
add address=10.0.0.1/16 comment="Company LAN" interface=Bridge_LAN-Company network=\
    10.0.0.0
add address=10.255.0.1/16 comment="Guest Hotspot Port" interface=\
    ether5_WiFi-Guests network=10.255.0.0
add address=192.168.1.3/24 comment="To VPN" interface=ether3_TO-VPN network=\
    192.168.1.0
add address=172.16.1.1/24 interface=ether1_WAN network=172.16.1.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1_WAN

/ip dhcp-server network
# Both networks hand out this router as DNS; the WINS server lives on the VPN
# box's subnet (192.168.1.100).
add address=10.0.0.0/16 dns-server=10.0.0.1 domain=Company.local gateway=10.0.0.1 \
    wins-server=192.168.1.100
add address=10.255.0.0/16 comment="Company Guests" dns-server=10.255.0.1 domain=\
    guests.Company.local gateway=10.255.0.1 netmask=16

/ip dns
# Forwards to the VPN box. allow-remote-requests=yes makes this router a
# resolver for any source that reaches its input chain -- and the filter
# section below has no drop rule on input, so DNS is answered from pppoe-out1
# too (open-resolver exposure). Restore an input drop for !LAN (see filter).
set allow-remote-requests=yes cache-size=10000KiB servers=192.168.1.1

/ip firewall address-list
# Destinations that skip the VPN box; 8.8.4.4 is the test entry from the post.
add address=8.8.4.4 list="Bypass VPN"

/ip firewall filter
# Input chain: accept ICMP, accept established/related -- and then nothing.
# The chain's default action is accept, so every service the router listens
# on is reachable from pppoe-out1 and from the VPN-box side. The defconf rule
# "drop all not coming from LAN" (action=drop chain=input
# in-interface-list=!LAN) is absent and should be re-added after the accepts.
# Forward chain: no static rule separates the guest segment (10.255.0.0/16)
# from the company LAN (10.0.0.0/16); new connections between them pass.
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# BUG: this matches packet-mark=Blocked, but the mangle rule below sets a
# *connection* mark named Blocked (mark-connection) and never a packet mark,
# so this drop never fires. Match connection-mark=Blocked here instead, or add
# a mark-packet rule keyed on the connection mark.
add action=drop chain=forward comment="Reject Blocked Sites" packet-mark=\
    Blocked
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
# fasttrack is disabled on purpose here: fasttracked packets would skip the
# mangle rules that carry the routing marks, breaking the policy routing.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

/ip firewall mangle
# Tags connections to "Blocked" destinations; consumed (incorrectly, see
# filter) by the "Reject Blocked Sites" rule.
add action=mark-connection chain=forward comment="Blocked Sites List" \
    connection-state=new dst-address-list=Blocked new-connection-mark=Blocked \
    passthrough=yes

# BUG: in-interface=*F00000 is a dangling reference -- RouterOS prints *<id>
# when the interface a rule pointed at no longer exists. The rule therefore
# matches nothing, so traffic returning from the VPN box over the pppoe-in
# session never receives the Directly-Out mark and, with the main default
# route disabled below, has no route to the Internet. Because pppoe-in is a
# dynamic interface, match the session by source instead, e.g.
# src-address=172.16.0.0/24 (the "PPPoE Pool" range), or use in-interface-list.
add action=mark-routing chain=prerouting comment="Mark Routing - VPN -> WAN" \
    in-interface=*F00000 new-routing-mark=Directly-Out passthrough=no
# LAN (including guests, see interface list members) -> VPN box for every
# destination not in "Bypass VPN". passthrough=no ends mangle processing.
add action=mark-routing chain=prerouting comment="Mark Routing - LAN -> VPN" \
    dst-address-list="!Bypass VPN" in-interface-list=LAN \
    new-routing-mark=To-VPN passthrough=no
# Bypass-list destinations go straight out. No in-interface, so any source.
add action=mark-routing chain=prerouting comment="Mark Routing - LAN- > WAN" \
    dst-address-list="Bypass VPN" new-routing-mark=Directly-Out \
    passthrough=no
# Catch-all log for packets no rule above marked. This includes every packet
# addressed to the router itself, so it is noisy; disable once debugging ends.
add action=log chain=prerouting comment="Should not get here"

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# pppoe-out1 not ready
# Masquerade on both egress paths: the upstream PPPoE and the link to the VPN box.
add action=masquerade chain=srcnat comment="WAN masquerade" ipsec-policy=\
    out,none out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="VPN  masquerade" out-interface=\
    ether3_TO-VPN
# NOTE(review): masquerade substitutes the outgoing interface's own address, so
# to-addresses=192.168.1.1 looks ignored here -- confirm whether src-nat was
# meant. There is also no out-interface, so this rule applies on every egress
# path for guest sources, including traffic forwarded into the company LAN.
add action=masquerade chain=srcnat comment="Guests masquerade" src-address=\
    10.255.0.0/16 to-addresses=192.168.1.1

/ip hotspot user
# Shared guest login for the captive portal.
add name=guest password=guest profile="guests profile" server="Guest HS"

/ip proxy
set cache-administrator=admin@Company.local

/ip route
# Policy routes only. The main-table default route is disabled, so only
# traffic carrying a routing mark reaches the Internet; the router's own
# outbound traffic (output chain, never marked) has no default gateway.
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=\
    Directly-Out
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=To-VPN
add disabled=yes distance=1 gateway=pppoe-out1

/ppp secret
# Credentials the VPN box uses for its PPPoE session on ether4.
# NOTE(review): routes=10.0.0.1 looks like it installs a route for 10.0.0.1
# through the PPPoE session when it comes up, but 10.0.0.1 is this router's
# own bridge address; confirm what this was meant to advertise.
add name=xxxx password=xxxx profile="From VPN" routes=\
    10.0.0.1 service=pppoe

/system clock
set time-zone-name=Asia/Shanghai

/system identity
set name=Company-router

/system logging
add disabled=yes topics=dhcp

/system routerboard mode-button
set enabled=no on-event=""

/tool mac-server
# MAC-telnet and MAC-WinBox are only answered on LAN-list interfaces.
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
rodpp
newbie
Posts: 33
Joined: Thu Feb 05, 2015 1:45 am

Re: Working with an external "black box"

Fri Dec 04, 2020 7:12 pm

I'm trying a similar setup here.

As ROS doesn't have support for UDP OpenVPN client certificate authentication, I'll use a separate OpenWRT box only as the OpenVPN client.

Please see the attached image.
Image
The "Client OpenWRT" works fine, accessing the Internet through the VPN tunnel. But the "Client MT" does not: it can ping the OpenWRT box (192.168.1.1) but cannot access the Internet.

The RB3011 does not access the Internet through the VPN tunnel either. I configured a DHCP client; the RB3011 gets an IP and creates a default route normally. But if I try to ping an Internet address using the ROS Ping tool (choosing the DHCP client interface as the output interface), it does not work. It can ping the OpenWRT box normally, though.

I would like to ask you, supposing:
1- everything was working ok before connecting the OpenWRT box; and
2- the OpenWRT box works as intended for clients connected directly to its own DHCP server (like the "Client OpenWRT" in the figure);

What configuration should I do in ROS so that the RB3011 can ping an Internet address through the tunnel?