-vodafone-
HV Guru
joined: 26.04.2005
06.08.2014 23:36:54
MikroTik load balancing and PPTP VPN don't get along
Could someone perhaps help with a MikroTik RouterOS configuration?
I attached a second WAN to the router and set up load balancing and failover; that part all works fine. But along with it, the PPTP VPN lost the ability to see the internal network. The VPN connection is established and the internal network's gateway pings, but the rest of the internal network is dark. It should be said that if the added PCC and failover rules are removed, the VPN's access to the internal network starts working again.
With the working and the non-working VPN, the client machine's ipconfig output is 1:1 identical.
I can't figure out what the problem is. Is some mangle rule missing?
The config itself is as follows:
# aug/05/2014 20:48:46 by RouterOS 6.5
# software id = 8914-6KV5
#
/interface ethernet
set [ find default-name=ether1 ] comment="WAN1" name=\
ether1-gateway
set [ find default-name=ether2 ] comment="WAN2" name=\
ether2-gateway
set [ find default-name=ether3 ] comment=LAN
/ip pool
add name=VPNPool ranges=192.168.40.10-192.168.40.100
/ppp profile
add dns-server=192.168.20.4 local-address=VPNPool name=VPNPPTP \
remote-address=VPNPool wins-server=192.168.20.4
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
/interface pptp-server server
set authentication=chap,mschap1,mschap2 default-profile=VPNPPTP enabled=yes
/ip address
add address=192.168.20.1/24 comment=LAN interface=ether3 network=192.168.20.0
add address=xxx.xxx.xxx.85/29 comment="WAN1" interface=ether1-gateway \
network=xxx.xxx.xxx.80
add address=xxx.xxx.xxx.202/29 comment="WAN2" interface=ether2-gateway \
network=xxx.xxx.xxx.200
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dns
set allow-remote-requests=yes servers=\
xxx.xxx.xxx.201,xxx.xxx.xxx.18,192.168.20.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=192.168.20.2 list=pordidlahti
add address=192.168.20.3 list=pordidlahti
add address=192.168.20.4 list=pordidlahti
add address=192.168.20.1 list=pordidlahti
add address=192.168.20.5 list=pordidlahti
add address=192.168.20.0/24 list=safe
add address=192.168.40.0/24 list=safe
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add chain=input comment="Allow access to router from known network" \
src-address-list=safe
add chain=input comment="accept established connection packets" \
connection-state=established
add chain=input comment="accept related connection packets" connection-state=\
related
add action=drop chain=input comment="drop invalid packets" connection-state=\
invalid
add action=drop chain=input comment="detect and drop port scan connections" \
protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="detect DoS attack" \
connection-limit=10,32 protocol=tcp
add chain=forward comment="accept established connection packets" \
connection-state=established
add chain=forward comment="accept related connection packets" \
connection-state=related
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid
add chain=forward comment="seest v2lja" dst-address=0.0.0.0/0 \
src-address-list=safe
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 \
protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 \
protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 \
protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 \
protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 \
protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
add chain=services comment="accept localhost" dst-address=127.0.0.1 \
src-address-list=127.0.0.1
add chain=services comment="allow MACwinbox " dst-port=20561 protocol=udp
add chain=services comment="Bandwidth server" dst-port=2000 protocol=tcp
add chain=services comment="MT Winbox" dst-port=8291 protocol=tcp
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=\
udp
add chain=services comment="allow SNMP" disabled=yes dst-port=161 protocol=\
tcp
add chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 \
protocol=udp
add chain=services comment="Allow NTP" disabled=yes dst-port=123 protocol=udp
add chain=services comment="Allow PPTP" dst-port=1723 protocol=tcp
add chain=input comment="Allow PPTP GRE" disabled=yes protocol=gre
add chain=services comment="allow PPTP and EoIP" protocol=gre
add chain=services comment="allow L2TP" dst-port=1701 protocol=udp
add chain=services comment="allow DNS request" dst-port=53 protocol=tcp \
src-address-list=safe
add chain=services comment="Allow DNS request" dst-port=53 protocol=udp \
src-address-list=safe
add chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add chain=services comment="allow DHCP" dst-port=67-68 protocol=udp
add chain=services comment="allow Web Proxy" dst-port=8080 protocol=tcp \
src-address-list=safe
add chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add chain=services comment="allow https for Hotspot" dst-port=443 protocol=\
tcp
add chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=\
1080 protocol=tcp
add chain=services comment="allow IPSec connections" disabled=yes dst-port=\
500 protocol=udp
add chain=services comment="allow IPSec" disabled=yes protocol=ipsec-esp
add chain=services comment="allow IPSec" disabled=yes protocol=ipsec-ah
add chain=services comment="allow RIP" disabled=yes dst-port=520-521 \
protocol=udp
add chain=services comment="allow OSPF" protocol=ospf
add action=return chain=services
add action=jump chain=input comment=\
"icmp lubatud, kuid nii et ping floodi poleks" jump-target=ICMP protocol=\
icmp
add action=jump chain=input comment=\
"Lubatud sissetulevate teenuste nimekirja" jump-target=services
add action=log chain=input disabled=yes log-prefix="visatakse 2ra"
add action=drop chain=input
add chain=forward comment="pordid lahti" dst-address-list=pordidlahti \
src-address=0.0.0.0/0
add action=jump chain=forward comment=\
"icmp lubatud, kuid nii et floodi poleks" jump-target=ICMP protocol=icmp
add action=log chain=forward comment="visatakse 2ra" disabled=yes log-prefix=\
"visatakse 2ra"
add action=drop chain=forward comment="k6ik ylej22nud kinni"
/ip firewall mangle
add action=mark-connection chain=input comment=Ether1-WAN_conn in-interface=\
ether1-gateway new-connection-mark=ether1-gateway_conn passthrough=no
add action=mark-connection chain=input comment=Ether2-WAN_conn in-interface=\
ether2-gateway new-connection-mark=ether2-gateway_conn passthrough=no
add action=mark-routing chain=output comment="RoutingMark to WAN1" \
connection-mark=ether1-gateway_conn new-routing-mark=to_WAN1 passthrough=\
no
add action=mark-routing chain=output comment="RoutingMark to WAN2" \
connection-mark=ether2-gateway_conn new-routing-mark=to_WAN2 passthrough=\
no
add chain=prerouting comment="Prerouting WAN2" dst-address=xxx.xxx.xxx.202 \
in-interface=bridge-local
add chain=prerouting comment="Prerouting WAN1" dst-address=xxx.xxx.xxx.85 \
in-interface=bridge-local
add action=mark-connection chain=prerouting comment="Mark connection WAN1" \
dst-address-type=!local in-interface=bridge-local new-connection-mark=\
ether1-gateway_conn per-connection-classifier=\
both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment="Mark connection WAN2" \
dst-address-type=!local in-interface=bridge-local new-connection-mark=\
ether2-gateway_conn per-connection-classifier=\
both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting comment="New routing to wan1" \
connection-mark=ether1-gateway_conn in-interface=bridge-local \
new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting comment="New routing to wan2" \
connection-mark=ether2-gateway_conn in-interface=bridge-local \
new-routing-mark=to_WAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN1 out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=WAN2 out-interface=ether2-gateway
add action=masquerade chain=srcnat comment="Sisev\F5rk" dst-address=0.0.0.0/0 \
out-interface=ether1-gateway src-address=192.168.20.0/24 to-addresses=\
194.126.111.85
add action=masquerade chain=srcnat comment="Sisev\F5rk WAN2" dst-address=\
0.0.0.0/0 out-interface=ether2-gateway src-address=192.168.20.0/24 \
to-addresses=194.126.111.85
add action=masquerade chain=srcnat comment=VPN out-interface=ether1-gateway \
src-address=192.168.40.0/24
add action=masquerade chain=srcnat comment="VPN WAN2" out-interface=\
ether2-gateway src-address=192.168.40.0/24
add action=dst-nat chain=dstnat comment="RDP Serverisse" dst-address=\
xxx.xxx.xxx.85 dst-port=5000 protocol=tcp to-addresses=192.168.20.4 \
to-ports=3389
add action=dst-nat chain=dstnat comment="RDP Serverisse WAN2" dst-address=\
xxx.xxx.xxx.202 dst-port=5000 protocol=tcp to-addresses=192.168.20.4 \
to-ports=3389
add action=dst-nat chain=dstnat comment="RDP Serverisse" dst-port=3389 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.20.4 \
to-ports=3389
add action=dst-nat chain=dstnat comment="RDP Serverisse WAN2" dst-port=3389 \
in-interface=ether2-gateway protocol=tcp to-addresses=192.168.20.4 \
to-ports=3389
add action=dst-nat chain=dstnat comment=Monitooring dst-port=12490 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.20.4 \
to-ports=12489
add action=dst-nat chain=dstnat comment="Monitooring WAN2" dst-port=12490 \
in-interface=ether2-gateway protocol=tcp to-addresses=192.168.20.4 \
to-ports=12489
add action=dst-nat chain=dstnat comment=Monitooring dst-port=12489 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.20.3 \
to-ports=12489
add action=dst-nat chain=dstnat comment="Monitooring WAN2" dst-port=12489 \
in-interface=ether2-gateway protocol=tcp to-addresses=192.168.20.3 \
to-ports=12489
add action=dst-nat chain=dstnat comment="RDP hyper-v" dst-port=5001 \
in-interface=ether1-gateway protocol=tcp to-addresses=192.168.20.3 \
to-ports=3389
add action=dst-nat chain=dstnat comment="RDP hyper-v WAN2" dst-port=5001 \
in-interface=ether2-gateway protocol=tcp to-addresses=192.168.20.3 \
to-ports=3389
add action=dst-nat chain=dstnat comment=ILO dst-port=4433 in-interface=\
ether1-gateway protocol=tcp to-addresses=192.168.20.2 to-ports=443
add action=dst-nat chain=dstnat comment="ILO WAN2" dst-port=4433 \
in-interface=ether2-gateway protocol=tcp to-addresses=192.168.20.2 \
to-ports=443
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface=\
ether1-gateway protocol=tcp to-addresses=192.168.20.4 to-ports=80
add action=dst-nat chain=dstnat comment="HTTP WAN2" dst-port=80 in-interface=\
ether2-gateway protocol=tcp to-addresses=192.168.20.4 to-ports=80
/ip route
add check-gateway=ping comment="Balanced WAN1" distance=2 gateway=\
xxx.xxx.xxx.81 routing-mark=to_WAN1
add check-gateway=ping comment="Balanced WAN2" distance=1 gateway=\
xxx.xxx.xxx.201 routing-mark=to_WAN2
add check-gateway=ping comment="WAN2 distance" distance=1 gateway=\
xxx.xxx.xxx.201
add check-gateway=ping comment="WAN1 distance" distance=2 gateway=\
xxx.xxx.xxx.81
add check-gateway=ping comment=Default disabled=yes distance=1 gateway=\
xxx.xxx.xxx.81
/ppp secret
add name=user1 password=Parool profile=VPNPPTP service=pptp
EDIT:
An illustrative picture as well; maybe it looks more attractive that way.
So when the entry with the comment "Default" is enabled and the "Balanced WAN1", "Balanced WAN2", "WAN2 distance" and "WAN1 distance" entries are disabled, the VPN starts working. Why doesn't it work with PCC?
Thanks to anyone who takes the trouble.
OFFF
HV veteran
joined: 29.07.2004
21.08.2014 23:20:24
I don't have that much experience with MikroTik, but in general with WLB one should make "exclude" rules so that WLB doesn't start "balancing" the traffic between internal networks.
How that "excluding" looks in a MikroTik config I can't help with, but I would fire up Wireshark and look at WHAT exactly is done with those packets that come out of the PPTP tunnel. I have a strong suspicion that WLB sends them out the wrong end.
-vodafone-
HV Guru
joined: 26.04.2005
21.08.2014 23:53:16
I forgot to update, but the problem got solved.
Under Firewall/NAT, a srcnat masquerade rule for the VPN subnet had to be created without a Dst. Address or Out. Interface.
I'll also note that under the mangle rule, the Per Connection Classifier value should be set to "both addresses", because otherwise secure sessions such as online banking etc. don't work with balancing.
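An added configuration example, written here and not taken from the poster's export: it shows the VPN masquerade rule as posted beside the form the poster reports fixed it, together with the PCC "exclude" rules OFFF suggested and the "both addresses" classifier from the follow-up. It assumes the thread's addresses (LAN 192.168.20.0/24, VPN pool 192.168.40.0/24, WAN ports ether1-gateway and ether2-gateway, LAN bridge bridge-local); the comments on why each rule helps are my reading, not something stated in the thread.

```routeros
# Added example (not the poster's export). Addresses and interface names
# are assumed from the thread: LAN 192.168.20.0/24, VPN pool 192.168.40.0/24,
# WANs ether1-gateway / ether2-gateway, LAN bridge bridge-local.

/ip firewall nat
# As posted: only matches when the packet leaves through a WAN port, so a
# VPN client's packets towards the LAN keep their 192.168.40.x source and the
# LAN host's replies are classified by the PCC rules like any other traffic.
# add action=masquerade chain=srcnat comment=VPN out-interface=ether1-gateway \
#     src-address=192.168.40.0/24
# The fix the poster reported: no dst-address and no out-interface. LAN hosts
# now see the router's own LAN address as the source, so their replies are
# addressed to the router (dst-address-type=local) and the PCC marking rules
# below, which match only dst-address-type=!local, never touch them.
add action=masquerade chain=srcnat comment="VPN subnet, any direction" \
    src-address=192.168.40.0/24

/ip firewall mangle
# OFFF's "exclude" idea in MikroTik terms: accept LAN<->VPN traffic before the
# PCC marking rules, so a reply to a VPN client is never given a WAN routing
# mark and sent out the wrong end. Mangle rules run in order; these must sit
# above the mark-connection rules.
add action=accept chain=prerouting comment="exclude LAN->VPN from PCC" \
    src-address=192.168.20.0/24 dst-address=192.168.40.0/24
add action=accept chain=prerouting comment="exclude VPN->LAN from PCC" \
    src-address=192.168.40.0/24 dst-address=192.168.20.0/24
# Classifier changed from both-addresses-and-ports (as in the posted export)
# to both-addresses, per the poster's note: every connection between the same
# client/server pair then lands on the same WAN, which multi-connection
# sessions such as online banking need.
add action=mark-connection chain=prerouting comment="Mark connection WAN1" \
    dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ether1-gateway_conn \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="Mark connection WAN2" \
    dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=ether2-gateway_conn \
    per-connection-classifier=both-addresses:2/1
```

Either the masquerade change or the exclude rules alone should be enough to keep LAN replies off the WAN routing marks; the exclude rules have the advantage that LAN hosts still see the real VPN client address in their logs.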
OFFF
HV veteran
joined: 29.07.2004
22.08.2014 08:23:33
Essentially the same thing, just in MikroTik terminology. Right now I honestly don't understand why the VPN subnet should need sNAT, but so be it. "Per Connection Classifier" is then what some other firewalls call a "sticky connection".
By the way, if it's not a secret, how does MikroTik's WLB get along with dNAT?
-vodafone-
HV Guru
joined: 26.04.2005
22.08.2014 10:04:18
OFFF wrote:
    By the way, if it's not a secret, how does MikroTik's WLB get along with dNAT?
I don't know how correct this is, but I have made two rules for each dnat (one for each WAN).