Egate
Long time Member
Topic Author
Posts: 555
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

VLan help or ideas.

Sun Sep 18, 2011 10:57 pm

Hi. Spent my weekend trying to fix this. :shock: Time to ask the big guns for help. :)
As a test I have got a MikroTik router_1 connecting to another MikroTik router_2 on Ether 1. Ether2 on router_2 is connected to a switch. On this connection I have added 4 VLANs going to the switch, in turn connecting to 4 ADSL modems. From router_2 I make PPPoE connections through the VLANs to the modems. Pretty standard stuff and works fine. Also masquerade connections going out on the PPPoE connection. If I create a default route with PPPoE_1 as gateway it is possible to ping from router_1 through router_2 to the internet; up until here everything's good.

Now I create three standard rules: a connection mark, a routing mark and a route rule, in order to route traffic through PPPoE 2. This effectively killed all pings to the internet unless the default rule is active, routing all traffic through the default route. If I have a look at torch it appears as though masquerading is broken. I am thinking it must be something with the VLAN and PPPoE. The router does src-nat traffic going out, but traffic coming back appears to be coming from the PPPoE IP instead of the internet IP; maybe the masquerade connection mark is stripped somehow by the VLAN, and I guess since router_1 is expecting data from the internet IP it just drops the data.

Eventually I want to route data to router_1, create four WAN connections from router_1 going to router_2 and route the traffic out the respective PPPoE connections, which are created on VLANs going to a switch and from there to the respective ADSL routers.

Any ideas or inputs would be appreciated.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: VLan help or ideas.

Sun Sep 18, 2011 11:24 pm

Are you looking for someone to look at your configuration and fix it? If so, post the config. It'll be a long post, but so what. You'd want to include everything relevant:
- a network diagram with all devices, connections, ports, and IPs clearly labeled - both how things are right now, and then another one for how you want things to look as a final design
- the applicable configuration from router 1, at a minimum: "/ip address print detail", "/ip route print detail", "/interface print detail", "/interface vlan export", "/ip firewall export"
- the applicable configuration from router 2, at a minimum: "/ip address print detail", "/ip route print detail", "/interface print detail", "/interface vlan export", "/ip firewall export", and "/interface pppoe-client export"

That would be a starting point for troubleshooting. Again, it'll be a long post, but without those details every attempt to help you is just a stab in the dark. Guessing can work, but actual troubleshooting with facts is much quicker and far less frustrating.

If on the other hand you're looking for someone to provide a complete, detailed, from scratch reference solution that's a whole different story. At that point you're probably better off getting a consultant.
 
Egate
Long time Member
Topic Author
Posts: 555
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: VLan help or ideas.

Mon Sep 19, 2011 10:37 pm

Hi Fewi.
Thanks for the response. Would just like to try and figure out why this is not working. I stripped it down to the very basics. If I can get this running the rest should just be copy and paste. Attached a schematic. I created two PPPoE clients on router 2 connecting through the VLANs and the respective modems to the internet. This setup is purely to test the best setup to route traffic through the respective PPPoE connections, which of course I can't seem to get running. First I ping a website on the internet from router 1 with mangle rules disabled; this functions correctly. Then I enable mangle rules to route traffic from router 1 through PPPoE 2 instead of PPPoE 1. Not able to ping the site any more. Must be missing something.
ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   193.168.125.10/24  193.168.125.0   ether2                                   
 1 D 196.209.237.52/32  41.242.12.1     PPPoE Day 1                              
 2 D 196.209.237.80/32  41.242.12.1     PPPoE Day 2 
/ip route
add comment="Route 1 " disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    "PPPoE Day 1" routing-mark=Route_1_out scope=30 target-scope=10
add comment="Route 2" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    "PPPoE Day 2" routing-mark=Route_2_out scope=30 target-scope=10
add comment="Default Gateway" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway="PPPoE Day 1" scope=30 target-scope=10
ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=PPPoE Day 1 

 1   chain=srcnat action=masquerade out-interface=PPPoE Day 2 
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=\
    no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:3D:F4:48 master-port=\
    none mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "From Router 1" disabled=no full-duplex=yes l2mtu=1524 mac-address=\
    00:0C:42:3D:F4:49 master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=\
    no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:3D:F4:4A master-port=\
    none mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "To Switch" disabled=no full-duplex=yes l2mtu=1524 mac-address=\
    00:0C:42:3D:F4:4B master-port=none mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=\
    no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:3D:F4:4C master-port=\
    none mtu=1500 name=ether5 speed=100Mbps
/interface vlan
add arp=enabled disabled=no interface=ether4 l2mtu=1520 mtu=1500 name=vlan1 \
    use-service-tag=no vlan-id=10
add arp=enabled disabled=no interface=ether4 l2mtu=1520 mtu=1500 name=vlan2 \
    use-service-tag=no vlan-id=20
/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=Day \
    dial-on-demand=no disabled=no interface=vlan1 max-mru=1480 max-mtu=1480 \
    mrru=disabled name="PPPoE Day 1" password=obytyhzz profile=default \
    service-name="" use-peer-dns=no user=isp0080@isdsl.net
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=Day \
    dial-on-demand=no disabled=no interface=vlan2 max-mru=1480 max-mtu=1480 \
    mrru=disabled name="PPPoE Day 2" password=ATJeMAky profile=default \
    service-name="" use-peer-dns=no user=isp71541@dsl512.isdsl.net
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1 \
    switch-all-ports=yes
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
    group-key-update=5m interim-update=0s management-protection=disabled \
    management-protection-key="" mode=none name=default radius-eap-accounting=\
    no radius-mac-accounting=no radius-mac-authentication=no \
    radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX \
    radius-mac-mode=as-username static-algo-0=none static-algo-1=none \
    static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" \
    static-key-2="" static-key-3="" static-sta-private-algo=none \
    static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=\
    MikroTik tls-certificate=none tls-mode=no-certificates unicast-ciphers="" \
    wpa-pre-shared-key="" wpa2-pre-shared-key=""
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set ether1 vlan-header=leave-as-is vlan-mode=fallback
set ether2 vlan-header=leave-as-is vlan-mode=fallback
set ether3 vlan-header=leave-as-is vlan-mode=fallback
set ether4 vlan-header=leave-as-is vlan-mode=fallback
set ether5 vlan-header=leave-as-is vlan-mode=fallback
set switch1_cpu vlan-header=leave-as-is vlan-mode=fallback
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption \
    enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:3B:AF:6D:1B:7A \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=\
    no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no \
    streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: VLan help or ideas.

Mon Sep 19, 2011 11:04 pm

Thanks for the info, but that appears to be missing a bunch of sections from router 1 (like, for example, the mangle rules). Also keep in mind that traffic sourced by the router is usually treated differently from traffic going through the router.

Please post your mangle rules, and - just in case - try testing from a host directly connected to router 1.
 
Egate
Long time Member
Topic Author
Posts: 555
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: VLan help or ideas.

Tue Sep 20, 2011 12:25 pm

Hi Fewi. Thanks for the reply. Did not post any rules for Router 1, because at this time there is nothing on it except for the IP on the LAN going to router 2.

That said, it appears I got it to function with this rule.
ip rout rule print 
Flags: X - disabled, I - inactive 
 0  dst-address=193.168.125.0/24 action=lookup table=main 
The IP is the local IP for the LAN between router 1 and router 2. From what I understand this will cause the router to ignore any routing marks for the local IP. Did try to recreate something similar with the firewall, to try and understand what exactly is happening, but up to now could not.

Have the next problem though. If I set the default gateway as PPPoE1 and ping the internet from router 1 everything is fine. Then I disable PPPoE1 and re-enable it. Can't ping the internet any more. If I set the default gateway to use PPPoE2 everything pings again, until I disable and re-enable PPPoE2; then I have to use PPPoE1 again as default gateway. The same happens with the policy routing rules.

It is possible to ping internet from Router 2 though through both PPPoE connections.

Any ideas would be appreciated.
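The three "standard rules" from the first post and the route-rule fix from the last one, written out as one coherent router_2 configuration. This is an added example, not the poster's exported config: the interface names, the Route_1_out/Route_2_out marks and the 193.168.125.0/24 link to router_1 are taken from the posts, while the mangle chains, the connection-mark names (Route_1_conn, Route_2_conn), the connection-state matches and the second fallback route are assumptions in the usual RouterOS multi-WAN layout. It goes slightly beyond the thread by also covering router-originated traffic (input/output chains), which fewi points out is handled differently from forwarded traffic.

```routeros
# Added example, not the poster's configuration. Interface names, routing marks
# and the 193.168.125.0/24 link to router_1 come from the thread; the mangle
# layout, connection-mark names and the second fallback route are assumptions.

# 1. Connections that ARRIVE on a WAN (e.g. an inbound ping to a PPPoE
#    address) must answer on the same WAN. Marks are kept in the router's
#    connection-tracking table, never inside the packet, so a VLAN or PPPoE
#    hop cannot strip them.
/ip firewall mangle
add chain=input in-interface="PPPoE Day 1" connection-state=new \
    action=mark-connection new-connection-mark=Route_1_conn passthrough=yes
add chain=input in-interface="PPPoE Day 2" connection-state=new \
    action=mark-connection new-connection-mark=Route_2_conn passthrough=yes
add chain=output connection-mark=Route_1_conn action=mark-routing \
    new-routing-mark=Route_1_out passthrough=no
add chain=output connection-mark=Route_2_conn action=mark-routing \
    new-routing-mark=Route_2_out passthrough=no

# 2. Forwarded traffic from router_1 (arriving on ether2): choose a WAN once
#    per connection, then set the routing mark only on packets that are NOT
#    headed back into the LAN. The marked tables hold nothing but a default
#    route, so a reply toward 193.168.125.10 that still carries a routing
#    mark would be sent out the PPPoE link instead of ether2. The in-interface
#    match keeps the replies (which arrive on PPPoE Day 2) unmarked, and the
#    dst-address match keeps LAN-bound traffic out of the marked table.
add chain=prerouting in-interface=ether2 connection-state=new \
    dst-address=!193.168.125.0/24 action=mark-connection \
    new-connection-mark=Route_2_conn passthrough=yes
add chain=prerouting in-interface=ether2 connection-mark=Route_2_conn \
    dst-address=!193.168.125.0/24 action=mark-routing \
    new-routing-mark=Route_2_out passthrough=no

# 3. Safety net, exactly as posted: anything for the router_1 link is always
#    looked up in main, whatever routing mark it carries.
/ip route rule
add dst-address=193.168.125.0/24 action=lookup table=main

# 4. One default route per marked table plus unmarked fallbacks (distance
#    decides which PPPoE link wins while both are up).
/ip route
add dst-address=0.0.0.0/0 gateway="PPPoE Day 1" routing-mark=Route_1_out
add dst-address=0.0.0.0/0 gateway="PPPoE Day 2" routing-mark=Route_2_out
add dst-address=0.0.0.0/0 gateway="PPPoE Day 1" distance=1
add dst-address=0.0.0.0/0 gateway="PPPoE Day 2" distance=2

# 5. Source NAT per WAN. masquerade translates to the out-interface's current
#    address, which is what a PPPoE link needs since its address changes on
#    every re-dial.
/ip firewall nat
add chain=srcnat out-interface="PPPoE Day 1" action=masquerade
add chain=srcnat out-interface="PPPoE Day 2" action=masquerade
```

Two checks worth running against a setup like this: "/ip firewall connection print detail" shows the connection-mark on each tracked flow, so you can see whether a ping from router_1 was classified at all and whether its replies are in the same entry; and "/ip route print" after a PPPoE disable/re-enable shows whether the marked and fallback routes have come back as active, rather than assuming they did.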