MikroTik

Posted: **Sat Jul 25, 2015 7:43 pm**

Hi everyone!

I'm probably being really stupid with this one, but some help would be apprecited,

I have two wan connections, one comes direct into the mikrotik, one into the other router

What I want to do is to be able use the talk talk wan as a failover / load balancing gateway (so it looks like this:)

I have connected the LAN port of the talk talk box into eth2 on the mikrotik

This is the IP Scheme

LAN1 (mikrotik) : 10.1.1.0/16
LAN2 (talk talk) : 192.168.1.0/24

so I need to be able to get anything in LAN1 to talk to aything in LAN2 (such as the talk talk routers web iface), i tried this :

/ip route add dst-address=192.168.1.0/24 gateway=192.168.1.1

but when I run a ping from my 10.1.1.1 client PC or the router command line I still cannot ping anything on the talk talk lan. ( so I'm clearly missing something) and the router says unreachable in winbox

Once I've done that I need to be able to use the talk talk as a load balance / failover set up, I tried this:

/ ip firewall address-list
add list="Allowed-Internet" address=10.1.1.1/16 comment="allowed use of internet" disabled=no

/ ip firewall nat
add chain=srcnat action=masquerade out-interface="WAN - 01" src-address-list="Allowed-Internet" comment="Gateway 10.1.1.1/16" disabled=no
add chain=srcnat action=masquerade out-interface="WAN - 02" src-address-list="Allowed-Internet" comment="Gateway 192.168.1.1/24" disabled=no

/ ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark="WAN-01" src-address-list="WAN-01" passthrough=no comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="WAN-02" src-address-list="WAN-02" passthrough=no comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="HTTP traffic" passthrough=no dst-port=80 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="SSL traffic" passthrough=no dst-port=443 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="POP3 traffic" passthrough=no dst-port=110 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="SMTP traffic" passthrough=no dst-port=25 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="P2P traffic" passthrough=no p2p=all-p2p comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="SSH Traffic" passthrough=no dst-port=22 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="SNMP Traffic" passthrough=no dst-port=161 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="Unknown traffic" passthrough=no comment="" disabled=no

/ ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=255 target-scope=10 routing-mark="WAN - 01" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark="WAN - 02" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark="HTTP traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=255 target-scope=10 routing-mark="SSL traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=255 target-scope=10 routing-mark="POP3 traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=255 target-scope=10 routing-mark="SMTP traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark="P2P traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=255 target-scope=10 routing-mark="SSH traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=255 target-scope=10 routing-mark="Unknown traffic" comment="" disabled=no

but because I can't get the routing right, I can't use the 192.168.1.1 gateway and send some traffic via the talk talk router,

any help would be appreciated!

thanks,

Ainsey11

Posted: **Wed Jul 29, 2015 1:13 pm**

Which is the ip address of talk talk? The static route for 192.168.1.0/24 should point to talk talk ip address

Posted: **Wed Jul 29, 2015 2:03 pm**

Internally the IP address is 192.168.1.1,

Thanks for the reply

Posted: **Wed Jul 29, 2015 3:52 pm**

Hi,

Let's try this way:
*Delete all your config related to WAN-2
*Add IP address from 192.168.1.0/24 network to WAN-2 interface ( lets say its 192.168.1.100)
*Set static route to 192.168.1.0/24 via 192.168.1.1 ( MT should create additional route with interface label as gateway and preferred source address 192.168.1.100)
*Create masquerade and select WAN-2 interface as out.interface

Now you should be able to talk between 10.1.1.0/16 and 192.168.1.0/24 networks

After this you should try to make your routing/balancing/fail-over rules.

Posted: **Wed Jul 29, 2015 4:19 pm**

Thanks for the reply,

I've done all of the above, other than the masquerade rule - how would I add that?

Thanks,

Rob

Posted: **Wed Jul 29, 2015 4:48 pm**

Hi,

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN - 02

Should do the job.

Posted: **Wed Jul 29, 2015 7:02 pm**

Ran all of those,

Can ping the talk talk router (192.1.1.1) from the mikrotik,
masquerade is turned on for wan02
static route created between the two subnets

Still cannot ping anything on the 192.168.1.0\24 network from the 10.1.0.0\16

I can ping from 192.168.1.1 to anything on the 10.1.1.1 though - I added another route on the talk talk router and that seems to have worked, just cannot get from mikrotik lan to talk talk lan...

very odd.....

Posted: **Thu Jul 30, 2015 4:37 pm**

Hi,

here's my config

ICMP traffic gets marked on mikrotik and goes to talk talk router which sends it to the internet.
I can ping talk talk from 10.1.0.0/16 subnet.
ether1 always leads to the internet.

mikrotik

 #   ADDRESS            NETWORK         INTERFACE                              
 0 D 172.16.4.249/24    172.16.4.0      ether1                                 
 1   10.1.0.1/16        10.1.0.0        ether3                                 
 2   192.168.1.2/24     192.168.1.0     ether2

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=1_icmp protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

 0 A S  dst-address=0.0.0.0/0 gateway=192.168.1.1 
        gateway-status=192.168.1.1 reachable via  ether2 distance=1 scope=30 
        target-scope=10 routing-mark=1_icmp 

 1 A S  dst-address=10.1.0.0/16 gateway=ether3 gateway-status=ether3 reachable 
        distance=1 scope=30 target-scope=10 routing-mark=1_icmp  	NOTICE I HAD TO ADD THIS RULE TO MAKE THE PING WORK

 2 A S  dst-address=0.0.0.0/0 gateway=172.16.4.1 
        gateway-status=172.16.4.1 reachable via  ether1 distance=1 scope=30 
        target-scope=10 

 3 ADC  dst-address=10.1.0.0/16 pref-src=10.1.0.1 gateway=ether3 
        gateway-status=ether3 reachable distance=0 scope=10

 4 ADC  dst-address=172.16.4.0/24 pref-src=172.16.4.249 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.2 gateway=ether2 
        gateway-status=ether2 reachable distance=0 scope=10

talk talk

 #   ADDRESS            NETWORK         INTERFACE                                
 0 D 192.168.0.193/24   192.168.0.0     ether1                                   
 1   192.168.1.1/24     192.168.1.0     ether2

add action=masquerade chain=srcnat out-interface=ether1

 0 ADS  dst-address=0.0.0.0/0 gateway=192.168.0.1 
        gateway-status=192.168.0.1 reachable via  ether1 distance=1 scope=30 
        target-scope=10 vrf-interface=ether1 

 1 A S  dst-address=10.1.0.0/16 gateway=192.168.1.2 
        gateway-status=192.168.1.2 reachable via  ether2 distance=1 scope=30 
        target-scope=10 

 2 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.193 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=ether2 
        gateway-status=ether2 reachable distance=0 scope=10

Posted: **Fri Jul 31, 2015 10:15 am**

Can you post routing table again? Also, can you disable all traffic marking and routes for marked traffic? Just leave 2 default routes for WAN1 and WAN2.

Posted: **Fri Jul 31, 2015 1:46 pm**

Heres the routes I have

/ip route print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          62.121.9.148              1
 1 ADC  10.1.0.0/16        10.1.1.1        bridge-local              0
 2 A S  10.1.253.0/24      10.1.1.1        ether1-gateway            1
 3   S  10.1.253.0/24                      bridge-local              1
 4   S  10.2.1.0/24                        10.2.1.1                  1
 5 ADC  10.253.253.0/32    10.253.253.1    bridge-local              0
 6 ADC  62.121.9.148/32    77.221.175.138  pppoe-out1                0
 7 ADC  192.168.1.0/24     192.168.1.100   bridge-local              0
 8   S  192.168.1.0/24                     192.168.1.1               1
[admin@A11-ROUTER-1] /ip route>

Posted: **Fri Jul 31, 2015 1:58 pm**

[quote="b1863515"]Hi,

0 A S  dst-address=0.0.0.0/0 gateway=192.168.1.1 
        gateway-status=192.168.1.1 reachable via  ether2 distance=1 scope=30 
        target-scope=10 routing-mark=1_icmp 

 1 A S  dst-address=10.1.0.0/16 gateway=ether3 gateway-status=ether3 reachable 
        distance=1 scope=30 target-scope=10 routing-mark=1_icmp  	NOTICE I HAD TO ADD THIS RULE TO MAKE THE PING WORK

 2 A S  dst-address=0.0.0.0/0 gateway=172.16.4.1 
        gateway-status=172.16.4.1 reachable via  ether1 distance=1 scope=30 
        target-scope=10 

 3 ADC  dst-address=10.1.0.0/16 pref-src=10.1.0.1 gateway=ether3 
        gateway-status=ether3 reachable distance=0 scope=10

 4 ADC  dst-address=172.16.4.0/24 pref-src=172.16.4.249 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.2 gateway=ether2 
        gateway-status=ether2 reachable distance=0 scope=10

[/code]

which section is this in?

Posted: **Fri Jul 31, 2015 2:18 pm**

Hi, that's the routing table of the router you call "mikrotik" in your diagram

Hi,

0 A S  dst-address=0.0.0.0/0 gateway=192.168.1.1 
        gateway-status=192.168.1.1 reachable via  ether2 distance=1 scope=30 
        target-scope=10 routing-mark=1_icmp 

 1 A S  dst-address=10.1.0.0/16 gateway=ether3 gateway-status=ether3 reachable 
        distance=1 scope=30 target-scope=10 routing-mark=1_icmp  	NOTICE I HAD TO ADD THIS RULE TO MAKE THE PING WORK

 2 A S  dst-address=0.0.0.0/0 gateway=172.16.4.1 
        gateway-status=172.16.4.1 reachable via  ether1 distance=1 scope=30 
        target-scope=10 

 3 ADC  dst-address=10.1.0.0/16 pref-src=10.1.0.1 gateway=ether3 
        gateway-status=ether3 reachable distance=0 scope=10

 4 ADC  dst-address=172.16.4.0/24 pref-src=172.16.4.249 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.2 gateway=ether2 
        gateway-status=ether2 reachable distance=0 scope=10

[/code]

which section is this in?

Posted: **Fri Jul 31, 2015 3:36 pm**

ahh ok,

I've just added the icmp route in,

still no joy

MikroTik

Second router help

Second router help

Re: Second router help

Re: Second router help

Re: Second router help

Re: Second router help

Re: Second router help

Re: Second router help

Re: Second router help

Re: Second router help

Re: Second router help

Re: Second router help

Re: Second router help

Re: Second router help