forward vpn network to another interface - mikrotik

I have an RB750 with the following setup:
- Interface 1 = WAN static IP
- Interface 2 = static IP from a LAN network (LAN provided by another FW)
- MK as an IPsec/L2TP server, working well, providing clients the subnet x.x.x.x
I would like to redirect all traffic from VPN clients to the LAN network provided on Interface 2.
I mean: the user sets up the VPN on his computer successfully; when connected, they need to access the server z.z.z.z located inside the network provided on Interface 2.
Any ideas how to configure it?

You don't provide much information, but if I'm not wrong you can try NAT, for example:
/ip firewall nat add chain=srcnat action=masquerade out-interface="your Interface 2" src-address="your l2tp subnet x.x.x.x"
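A fuller RouterOS configuration for the setup described in the question, written here as an added example (it is not part of the answer above). It assumes the LAN-facing interface is ether2, the L2TP client pool is 10.10.10.0/24 (the question's x.x.x.x) and the server on the LAN is 192.168.50.10 (the question's z.z.z.z); all three are placeholders. Besides the masquerade rule, it adds forward-chain filter rules so VPN clients can reach only that one server rather than the whole LAN behind Interface 2.

```routeros
# Added example, not the original poster's or answerer's configuration.
# Assumed names/addresses (placeholders):
#   ether2        = LAN-facing interface (question's "Interface 2")
#   10.10.10.0/24 = L2TP/IPsec client pool (question's x.x.x.x)
#   192.168.50.10 = server on the ether2 LAN (question's z.z.z.z)

# Keep the VPN subnet in one place so every rule below refers to the same list
/ip firewall address-list
add list=vpn-clients address=10.10.10.0/24 comment="L2TP/IPsec client pool"

# Source-NAT VPN clients behind ether2's own address. The other firewall on
# that LAN then sees a source it already has a route back to, so no static
# route for 10.10.10.0/24 is needed on it.
/ip firewall nat
add chain=srcnat src-address-list=vpn-clients out-interface=ether2 \
    action=masquerade comment="VPN clients -> LAN behind ether2"

# Least privilege: VPN clients may reach the one server and nothing else on
# that LAN. Rules are evaluated top-down, so these must sit above any generic
# "drop" in the forward chain (use place-before= on an existing ruleset).
/ip firewall filter
add chain=forward src-address-list=vpn-clients dst-address=192.168.50.10 \
    out-interface=ether2 action=accept comment="VPN clients -> server z"
add chain=forward src-address-list=vpn-clients out-interface=ether2 \
    action=drop comment="VPN clients -> rest of ether2 LAN (blocked)"
```

To confirm the rules are actually matching once a client connects, watch the packet counters with `/ip firewall nat print stats` and `/ip firewall filter print stats`. If the LAN's own firewall needs to see the real client addresses in its logs, the alternative is to drop the masquerade rule and instead add a static route for 10.10.10.0/24 pointing at the MikroTik's ether2 address on that firewall.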

Related

AWS EC2-Windows Server cannot access outside network

I set up an AWS VPC.
There are different subnets, such as a public subnet and a private subnet.
My target is to create a demo in which a Windows Server in the private subnet accesses the public internet through a third party's EC2 firewall in the AWS VPC.
I created an EC2 firewall with different interfaces in different subnets (with an allow-all policy and ping allowed on the interfaces).
I also created an EC2 Windows Server in the private subnet, but it cannot access the outside network.
The issue observed:
- EC2-Windows can ping the local network (/24), including the firewall's interface
- EC2-Windows cannot access (web browsing/ping) the outside network
- EC2-Windows tracert 8.8.8.8: all responses are "* * * * request timeout" (the default gateway cannot be shown either)
- Whether EC2-Windows's Ethernet is set to DHCP or to static with the firewall's interface IP as default gateway, the issue also occurs
Background information:
- Network ACLs are the default setting (allow all)
- Security groups allow all traffic in both directions
- AWS subnet routing table with two records: Destination: VPC subnet, Target: firewall's interface & Destination: 0.0.0.0/0, Target: firewall's interface
- The firewall's interface (same subnet) can ping & RDP to EC2-Windows
- The firewall has no traffic record "source: EC2-Windows, destination: outside network"
- EC2-Windows's internal firewall is turned off
Which setting am I missing? What should I check to find the root cause, related to AWS or Windows settings?
More information after Wireshark on Windows and a packet capture on the firewall:
- EC2-Windows sent "ping 8.8.8.8" & "ping firewall's interface IP" to the firewall's interface MAC address (shown in Wireshark)
- The firewall's interface packet capture shows only "ping firewall's interface IP"
Does it mean that AWS VPC drops my outside traffic? How can I fix it?
I found the answer. The root cause is the "source/destination checks" setting of the interface.
Since the firewall has to send and receive traffic whose source or destination is not itself when EC2-Windows accesses the outside network, the AWS "source/destination check" drops those packets.
After disabling source/destination checks, the issue is solved.

How to reach RouterOs (web or Winbox) via my static ip address from outside network

I have a MikroTik RB2011u with two WANs from different ISPs.
- WAN1 - dynamic (192.168.1.x/24) on ether1
- WAN2 - static (129.x.x.x/24) on ether2
- Every other port and WLAN - bridge (192.168.8.x/24)
NAT
I have two firewall NAT rules:
chain=srcnat out-interface=ether1 action=masquerade
chain=srcnat out-interface=ether2 action=masquerade
and routes via ether1 with distance=1 and ether2 with distance=2.
But for some reason, if I type my IP address 129.x.x.x from an outside network I keep getting "this page cannot be reached".
But I can reach it from any device on the bridge.
I'm trying to get the bridge to access the internet through ether1 (dynamic WAN ISP),
and access from an outside network should come in through ether2 (static WAN ISP).
Thank you in advance.
You can teach your router to answer on a specified interface:
1. mark new incoming connections on the second interface
2. mark routing for the marked connections
3. make a new route for the specified routing mark
/ip firewall mangle add chain=input in-interface=Wlan2 connection-mark=no-mark action=mark-connection new-connection-mark=Wlan2Con passthrough=no
/ip firewall mangle add chain=output connection-mark=Wlan2Con action=mark-routing new-routing-mark=Wlan2Route passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=Wlan2 distance=1 routing-mark=Wlan2Route disabled=no
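The same three-step technique applied to the question's own interfaces, as an added example that is not the answerer's configuration. It assumes the static WAN is ether2, uses 129.0.0.1 as a placeholder for ISP2's gateway address, and uses RouterOS v7 syntax (the routing table must be declared first, and the route references it with routing-table=; on v6 omit the /routing table step and write routing-mark= on the route instead). It also narrows which source addresses may reach Winbox and the web UI from that WAN, since the point of the exercise is to expose management on the static IP.

```routeros
# Added example, not the original poster's or answerer's configuration.
# Assumed names/addresses (placeholders):
#   ether2          = static WAN (question's WAN2, 129.x.x.x/24)
#   129.0.0.1       = ISP2's gateway on that subnet
#   203.0.113.0/24  = addresses from which admin access is allowed
#   wan2-conn / wan2-route = mark and table names chosen here

# RouterOS v7: a routing table must exist before a mark can refer to it
/routing table
add name=wan2-route fib

/ip firewall mangle
# Step 1: tag each NEW connection that arrives on ether2 and is addressed
#         to the router itself (input chain), so replies can be identified
add chain=input in-interface=ether2 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2-conn passthrough=no \
    comment="Connections to router arriving on WAN2"
# Step 2: packets the router sends back on that connection get a routing
#         mark, so they are looked up in the wan2-route table
add chain=output connection-mark=wan2-conn action=mark-routing \
    new-routing-mark=wan2-route passthrough=no comment="Reply via WAN2"

# Step 3: default route that only marked packets use; the main table keeps
#         ether1 (distance=1) as the primary route for everything else
/ip route
add dst-address=0.0.0.0/0 gateway=129.0.0.1 routing-table=wan2-route \
    comment="Return path for connections that came in on WAN2"

# Limit who may reach management on the static WAN: accept only from the
# admin range, drop every other new connection to the router on ether2.
/ip firewall address-list
add list=admin-hosts address=203.0.113.0/24 comment="Allowed management sources"
/ip firewall filter
add chain=input in-interface=ether2 connection-state=established,related action=accept
add chain=input in-interface=ether2 protocol=tcp dst-port=80,8291 \
    src-address-list=admin-hosts action=accept comment="Web/Winbox from admin hosts"
add chain=input in-interface=ether2 connection-state=new action=drop \
    comment="Everything else to the router on WAN2"
```

After connecting from outside, `/ip firewall mangle print stats` should show the counters of both mangle rules increasing; if only the first one moves, the reply is still leaving via ether1 and the route or table name should be checked. `/ip service set winbox address=203.0.113.0/24` (and the same for www) adds a second, service-level restriction that holds even if the filter rules are reordered.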

Mikrotik PPPOE Routing

I have set up a PPPoE server successfully in MikroTik. All is good. I am able to give out public IPs to clients over PPPoE. But I have some issues. For example, I have 2 clients with public IPs that want to be able to connect to each other; this is not working. Both public IPs cannot reach each other.
Client 1: Local IP a.a.a.a, Remote IP b.b.b.b
Client 2: Local IP a.a.a.b, Remote IP b.b.b.b
Is there a way for these two IPs to talk to each other?
Although it's a very old question.
Answer:
1. Both clients will be connected using a PPP link to the PPPoE server.
2. Enable IPv4/IPv6 routing on the PPPoE server; if it's Linux you need to enable IP forwarding.
The above is a logical answer; I haven't tried it myself.

can the user login mikrotik hotspot inside another mikrotik?

I have a MikroTik.
Not away from home, there are people who have a hotspot network via MikroTik.
I want to log in from my MikroTik system because I use it for some people.
The topology is like this:
Mikrotik [with hotspot system] --> My Mikrotik [log in and share] --> My PC
First Mikrotik: RB1200 (belongs to someone else)
Last Mikrotik: RB951Ui (my own)
If your MikroTik has an internet connection, you can use the Cloud feature on your MikroTik.
IP -> Cloud, then tick DDNS Enable.
*) For some reference:
https://wiki.mikrotik.com/wiki/Manual:IP/Cloud
Did you mean to share the hotspot connection with your own MikroTik?
So the topology will be like this:
Mikrotik Outside [with hotspot] --[by cable or Wi-Fi]-- eth1 your own Mikrotik
The main parameters are like this.
Make sure your own MikroTik's DNS is set to the outside MikroTik's IP address:
/ip dns set allow-remote-requests=yes servers=1.2.3.4
IP 1.2.3.4 is the outside MikroTik's IP,
and make sure your own MikroTik's gateway is set to the same address too:
/ip route add gateway=1.2.3.4
Don't forget to add some NAT:
/ip firewall nat add chain=srcnat out-interface=eth1 action=masquerade
Hope it helps!

Yosemite, double interface (eth/wifi) access a site through a specific interface

I have a MacBook connected with Ethernet and Wi-Fi.
A site (let's call it Facebook) is blocked on one of the interfaces (Ethernet) but is open on the other (Wi-Fi). On the other hand, Ethernet is better (faster and more reliable than the Wi-Fi), so I use Ethernet as the priority interface (on top in Network Preferences), but this way there is no access to the blocked site.
I would like to know if there is a way to tell the operating system, browser or other software components to use the Wi-Fi connection if and only if a connection on :80 over Ethernet fails. This would be perfect... or any other means to solve the problem.
Is it a matter of configuring a proper proxy?
Thanks in advance.
You could modify the routing table to pass traffic to a given host or network through the chosen gateway.
List your routing table:
$ netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.1 UGSc 15 0 en0
default 192.168.0.1 UGScI 1 0 en1
[...]
In this case en1 is Wi-Fi. So to use the Wi-Fi connection to a host x.x.x.x, route traffic to this host through the 192.168.0.1 gateway:
sudo route add -host x.x.x.x 192.168.0.1
Or better, add a route to the entire network used by the given service:
sudo route add -net x.x 192.168.0.1
The downside is that it may be difficult to determine an exhaustive list of the IPs and networks used by the service.
See man route.
