Thavee

Packet does not go out the IP tunnel but home IP address

Sat Apr 13, 2024 1:21 am

Hello folks,
I am very new to MikroTik and, really, to managed routers in general. My current setup is a MikroTik hAP ac2 placed in the DMZ of my home router. I am running IPIP.
What I am trying to do here is use a block of Net44 addresses (a /28 subnet).

Since I am new, I may use an incorrect term or question.

I followed some simple instructions on how to set this up. Everything seems to be working. The tunnel is working fine. The tunnel IP address is 44.60.73.14 and the gateway is 44.60.73.1
Currently I only have one Raspberry Pi running for testing and the IP is 44.60.73.2

All 3 IP addresses above can be pinged from the Internet. I can use the Raspberry Pi to ping and traceroute to hosts on the Internet as well.
So, everything seems to be working.

My first issue is that when I traceroute to another IP address, the traffic does not go back out through the tunnel. Instead, the traceroute goes out through my home IP address. Likewise, when I plug in a laptop and give it, say, 44.60.73.3, and then check “what is my IP address”, I get my home IP address back instead of 44.60.73.#

I am sure I did something wrong in the route or firewall settings. I just do not know where to start looking.

I am posting my export file but I trimmed off some Interfaces and routes as there are about 700 interfaces and over 1,800 routes.

But if I need to post the whole thing later I could. If I am missing anything, please feel free to ask. I will try to provide them the best I can and able.

Thank you,
Tha
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxxxxx
# Interfaces, address pool and addressing.
# Wireless: only the SSID is set on both radios, and the default security
# profile below carries nothing but supplicant-identity.
# NOTE(review): no disabled=no is shown, so the radios appear to be left off;
# if one is ever enabled, set an authentication mode and passphrase first -
# confirm.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface bridge
add name=bridge1
# ucsd-gw is the IPIP tunnel from the router's private ether1 address
# (192.168.80.44) to 169.228.34.84. IPIP is plain IP-in-IP encapsulation: it
# adds no encryption and no authentication of the remote end.
/interface ipip

add allow-fast-path=no !keepalive local-address=192.168.80.44 name=ucsd-gw \
    remote-address=169.228.34.84
/interface list
add name=WAN
add name=LAN
add comment="All AMPR tunnels" name=ampr-interfaces
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# pool44 hands out 44.60.73.2-44.60.73.13 on bridge1, so any device plugged
# into ether2-ether5 receives a publicly routed address. The post states these
# addresses answer ping from the Internet, and the /ip firewall filter section
# of this export shows no drop rule in the forward chain, so such a host is
# reachable on every port it listens on.
/ip pool
add name=pool44 ranges=44.60.73.2-44.60.73.13
/ip dhcp-server
add address-pool=pool44 disabled=no interface=bridge1 name=server1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN

# ether1 holds the private uplink address, bridge1 is the gateway of the /28,
# and ucsd-gw holds 44.60.73.14 with a /8 mask (network=44.0.0.0).
# NOTE(review): 44.60.73.14 also lies inside 44.60.73.0/28, which is on-link
# on bridge1; the DHCP pool stops at .13, so it is not handed out, but the
# overlap is worth keeping in mind when reading the routing tables.
/ip address
add address=192.168.80.44/24 interface=ether1 network=192.168.80.0
add address=44.60.73.1/28 interface=bridge1 network=44.60.73.0
add address=44.60.73.14/8 interface=ucsd-gw network=44.0.0.0
/ip dhcp-server network
add address=44.60.73.0/28 dns-server=1.1.1.1,1.0.0.1 gateway=44.60.73.1
# Firewall filter.
# NOTE(review): every rule shown here is action=accept and there is no drop
# rule at the end of the input or forward chain. RouterOS accepts a packet
# that matches no filter rule, so as exported these rules restrict nothing:
# the services left enabled under /ip service (ssh, winbox) and every host on
# 44.60.73.0/28 are reachable from any interface, including the tunnel. If no
# rules were trimmed from this export, end both chains with an accept for
# established,related followed by a drop, with the specific accepts above it.
/ip firewall filter
# IPIP (protocol 4) arriving on ether1 is accepted from any source address.
add action=accept chain=input in-interface=ether1 protocol=ipencap
# RIP updates are accepted only from 44.0.0.1, port 520 to 520, on the tunnel.
add action=accept chain=input dst-port=520 in-interface=ucsd-gw protocol=udp \
    src-address=44.0.0.1 src-port=520
# Forwarded ICMP echo requests (8:0) are accepted. The log-prefix says
# DROP-ICMP although the action is accept, and no log=yes is shown, so the
# prefix looks like a leftover from a different rule - confirm.
add action=accept chain=forward connection-state=established,new \
    icmp-options=8:0 log-prefix=DROP-ICMP protocol=icmp
# A redacted TCP port on the ether1 address is accepted from any source.
# NOTE(review): presumably the ssh or winbox port; add src-address or
# src-address-list if management should only come from known hosts.
add action=accept chain=input dst-address=192.168.80.44 dst-port=xxxxx \
    protocol=tcp
# Mangle. The three bare passthrough rules change nothing and only count
# packets.
/ip firewall mangle
add action=passthrough chain=prerouting in-interface-list=WAN
add action=passthrough chain=forward
add action=passthrough chain=postrouting
# EXT-MARK is set only on connections whose packets arrive on ucsd-gw, and
# the 44NET routing mark is applied only to bridge1 packets that belong to
# such a connection. A connection opened by a host on bridge1 is never
# marked, so it is routed by the main table, whose default route in /ip route
# points at 192.168.80.1. That matches the symptom described in the post.
add action=mark-connection chain=prerouting connection-state=\
    established,related,new in-interface=ucsd-gw new-connection-mark=EXT-MARK \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=EXT-MARK \
    in-interface=bridge1 new-routing-mark=44NET passthrough=yes
# NAT. The first rule masquerades everything leaving the WAN list (ether1),
# including packets sourced from 44.60.73.0/28, which is why "what is my IP"
# reports the home address for unmarked traffic.
# NOTE(review): the second rule rewrites 44.60.73.0/28 sources leaving the
# tunnel to the router's own tunnel address, so hosts would not appear under
# their individual public addresses; a routed public /28 normally needs no
# source NAT - confirm the intent. The third rule masquerades the /28 back
# onto bridge1.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ucsd-gw src-address=\
    44.60.73.0/28
add action=masquerade chain=srcnat out-interface=bridge1 src-address=\
    44.60.73.0/28
# Raw: a single passthrough rule, counters only.
/ip firewall raw
add action=passthrough chain=prerouting
# Routing tables. 44rip and 44NET each have a default route through the
# tunnel; the main table's default route goes to the home router at
# 192.168.80.1. Only packets carrying a routing mark use the first two.
/ip route
add distance=1 gateway=ucsd-gw pref-src=44.60.73.1 routing-mark=44rip
add distance=1 dst-address=44.60.73.0/28 gateway=bridge1 pref-src=44.60.73.1 \
    routing-mark=44rip
add distance=1 gateway=ucsd-gw pref-src=44.60.73.14 routing-mark=44NET
add distance=1 gateway=192.168.80.1

# Host route that keeps the tunnel endpoint itself reachable via the home
# router rather than through the tunnel.
add distance=1 dst-address=169.228.34.84/32 gateway=192.168.80.1
/ip route vrf
add interfaces=ucsd-gw routing-mark=44rip
# Management services: telnet, ftp, www, api and api-ssl are disabled; ssh and
# winbox stay enabled on redacted ports.
# NOTE(review): no address= allow-list is shown for ssh or winbox, and the
# input chain in /ip firewall filter has no drop rule, so both appear
# reachable from any interface, including via the public 44.60.73.x addresses.
# Restrict them with address= or an input-chain rule - confirm.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxxxx
set api disabled=yes
set winbox port=xxxxx
set api-ssl disabled=yes
# Prefix list applied to incoming RIP routes: it discards 44.0.0.1/32,
# anything inside 44.128.0.0/16 and this site's own 44.60.73.0/28, accepts the
# rest of 44.0.0.0/8, and discards everything else. This bounds what a RIP
# update can install to 44/8 prefixes.
/routing prefix-lists
add action=discard chain=ampr prefix=44.0.0.1/32 prefix-length=32
add action=discard chain=ampr prefix=44.128.0.0/16 prefix-length=16-32
add action=discard chain=ampr prefix=44.60.73.0/28 prefix-length=28-32
add chain=ampr prefix=44.0.0.0/8 prefix-length=8-32
add action=discard chain=ampr
/routing rip
set garbage-timer=30m routing-table=44rip timeout-timer=30m update-timer=5m
# RIP is receive-only (passive=yes, receive=v2) and filtered through the ampr
# prefix list. authentication=simple carries the key in clear text in every
# RIP packet, so it provides no integrity protection.
# NOTE(review): the key is posted unredacted here and looks like a shared,
# published value rather than a secret - confirm. Either way, the controls
# that actually limit route injection are the src-address=44.0.0.1 input rule
# and the prefix list.
/routing rip interface
add authentication=simple authentication-key=pLaInTeXtpAsSwD in-prefix-list=\
    ampr passive=yes receive=v2
/routing rip network
add network=44.0.0.0/8
# Scheduler entry that runs the update_amprgw wrapper script every 30 minutes.
# NOTE(review): the scheduler and the script both hold ftp, reboot, password,
# sniff and sensitive on top of read, write, policy and test. The wrapper's
# visible body only counts RIP routes, sets global variables, writes log
# entries and runs ampr_gw, so the extra policies look broader than needed.
# If they are trimmed, trim the scheduler and all three scripts together,
# since a caller presumably needs at least the policies of what it runs -
# verify against the RouterOS documentation.
/system scheduler
add comment="AMPR update" interval=30m name="ampr update" on-event=\
    update_amprgw policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    apr/15/2017 start-time=00:21:00
# update_amprgw: wrapper around ampr_gw. It runs ampr_gw only when more than
# 100 RIP routes from 44.0.0.1 are present, uses the AmprRunning and
# AmprFailCount globals to avoid overlapping runs, and logs an error if
# AmprPhase is not "Idle" after ampr_gw returns.
# NOTE(review): owner=admin suggests the default account name is in use;
# with ssh and winbox enabled, confirm it has a strong password.
/system script
add dont-require-permissions=no name=update_amprgw owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="#\r\
    \n# RIPv2 based AMPR Tunnel setup script for RouterOS v2.2\r\
    \n#\r\
    \n#  by YO2LOJ, Marius <marius@yo2loj.ro>\r\
    \n#\r\
    \n# This script is a wrapper for minimal error handling\r\
    \n#\r\
    \n\r\
    \n:global AmprRunning ;\r\
    \n:global AmprFailCount ;\r\
    \n:global AmprPhase ;\r\
    \n\r\
    \n:local maxCount 1;\r\
    \n\r\
    \n:local RipEntries [:len [/routing rip route find from=44.0.0.1]] ;\r\
    \n\r\
    \n:if ( \$RipEntries > 100 ) do={\r\
    \n\r\
    \n    :if (\$AmprRunning = true) do={\r\
    \n        :set \$AmprFailCount (\$AmprFailCount + 1) ;\r\
    \n        :log error \"AMPR script already running (\$AmprPhase) - check y\
    our scheduler\" ;\r\
    \n    }\r\
    \n\r\
    \n    if (\$AmprFailCount > \$maxCount) do={\r\
    \n        :set \$AmprFailCount 0 ;\r\
    \n        :set \$AmprRunning false ;\r\
    \n   }\r\
    \n\r\
    \n    :if (\$AmprRunning != true) do={\r\
    \n         :set \$AmprRunning true ;\r\
    \n         /system script run ampr_gw\r\
    \n\r\
    \n        :if (\$AmprPhase != \"Idle\") do={\r\
    \n            :log error \"AMPR ampr_gw script has crashed in \$AmprPhase\
    \" ;\r\
    \n        }\r\
    \n\r\
    \n        :set \$AmprRunning false ;\r\
    \n        :set \$AmprFailCount 0 ;\r\
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n    :log error \"AMPR: To few RIP entries available\" ;\r\
    \n}\r\
    \n"
# ampr_gw: the script that actually changes the router. It loads its
# parameters by running ampr_config, reads the RIP routes learned from
# 44.0.0.1, compares them with the existing static routes (pref-src equal to
# AmprMyIp) and the "ampr-" IPIP interfaces, and then adds, updates or removes
# tunnels, interface-list members and routes to match.
# NOTE(review): because tunnels and routes are created directly from RIP data,
# the router's tunnel mesh is only as trustworthy as that feed. The RIP key is
# sent in clear text (authentication=simple under /routing rip interface), so
# the effective controls are the src-address=44.0.0.1 input rule and the ampr
# prefix list; keep both in place if the firewall is reworked.
# NOTE(review): the policy list includes ftp, reboot, password and sensitive,
# which the visible script body does not appear to need - confirm before
# trimming.
add dont-require-permissions=no name=ampr_gw owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sensitive source="#\r\
    \n# RIPv2 based AMPR Tunnel setup script for RouterOS v3.2\r\
    \n#\r\
    \n#  by YO2LOJ, Marius <marius@yo2loj.ro>\r\
    \n#\r\
    \n#\r\
    \n# This script is the actual router update script\r\
    \n# Warning: use on RouterOS 6.41 and newer\r\
    \n#\r\
    \n\r\
    \n# --------------------------------------------------------------\r\
    \n# To my son, Marcel (2005-2017)\r\
    \n# --------------------------------------------------------------\r\
    \n\r\
    \n# --------------------------------------------------------------\r\
    \n#\r\
    \n#    DO NOT EDIT!\r\
    \n#    Configuration parameters are in \r\
    \n#     the \"ampr_config\" script.\r\
    \n#\r\
    \n# --------------------------------------------------------------\r\
    \n\r\
    \n    # Your gateway interface\r\
    \n    :global AmprPublicIp ;\r\
    \n\r\
    \n    # router local AMPR IP\r\
    \n    :global AmprMyIp  ;\r\
    \n\r\
    \n     # AMPR defaul gateway\r\
    \n     :global AmprDefaultGw ;\r\
    \n\r\
    \n    # routing distance for AMPR routes\r\
    \n    :global AmprRoutingDistance ;\r\
    \n\r\
    \n    # global delay between steps\r\
    \n    :global AmprDelay  ;\r\
    \n\r\
    \n    # global state variable\r\
    \n    :global AmprPhase ;\r\
    \n\r\
    \n    :set \$AmprPhase \"Global: Reading configuration and creating enviro\
    nment\" ;\r\
    \n\r\
    \n    # get the system parameters\r\
    \n    /system script run ampr_config\r\
    \n\r\
    \n    :local date [/system clock get date] ;\r\
    \n    :local months [:toarray \"jan,feb,mar,apr,may,jun,jul,aug,sep,oct,no\
    v,dec\"] ;\r\
    \n\r\
    \n    :local day [:pick \$date 4 6]\r\
    \n    :local txtmonth [:pick \$date 0 3] ;\r\
    \n    :local month ([:find \$months \$txtmonth -1]  + 1);\r\
    \n    :if (\$month < 10) do={ :set month (\"0\" . \$month)};\r\
    \n    :local year [:pick \$date 7 11]\r\
    \n\r\
    \n    :local time [/system clock get time] ;\r\
    \n    :local runtime (\$year . \"/\" . \$month . \"/\" . \$day . \" \" . \
    \$time) ;\r\
    \n\r\
    \n    :local ripnets \"\" ;\r\
    \n    :local ripgws \"\" ;\r\
    \n\r\
    \n    :local amprnets \"\" ;\r\
    \n    :local amprgws \"\" ;\r\
    \n    :local amprtuns \"\";\r\
    \n\r\
    \n    # routes to be added\r\
    \n    :local addnets \"\" ;\r\
    \n    :local addgws \"\" ;\r\
    \n\r\
    \n    # routes to be updated\r\
    \n    :local updatenets \"\" ;\r\
    \n    :local updategws \"\" ;\r\
    \n\r\
    \n    # tunnels to be added\r\
    \n    :local addtuns \"\";\r\
    \n\r\
    \n    # routes to be deleted\r\
    \n    :local delnets \"\" ;\r\
    \n    :local delgws \"\" ;\r\
    \n\r\
    \n    # tunnels to be deleted\r\
    \n    :local deltuns \"\";\r\
    \n\r\
    \n    # create interface list if needed\r\
    \n    :if ([:len [/interface list find where name=\"ampr-interfaces\"]] = \
    0) do={\r\
    \n        :set \$AmprPhase \"Global: Creating initial interface list\" ;\r\
    \n        /interface list add name=\"ampr-interfaces\"  comment=\"All AMPR\
    \_tunnels\"\r\
    \n\r\
    \n        # initial populate with existing interfaces\r\
    \n        :foreach mytunnel in=[/interface ipip find] do={\r\
    \n            :local gw [/interface ipip get \$mytunnel name] ;\r\
    \n            :if ([:find \$gw \"ampr-\" -1 ] = 0) do={\r\
    \n               /interface list member add list=\"ampr-interfaces\" inter\
    face=\$gw\r\
    \n            }\r\
    \n        }\r\
    \n    }\r\
    \n\r\
    \n# ------------------------------------------------------\r\
    \n# read the current configuration\r\
    \n# ------------------------------------------------------\r\
    \n\r\
    \n    :set \$AmprPhase \"Logic: Loading routes and tunnels\" ;\r\
    \n\r\
    \n    :foreach riproute in=[/routing rip route find from=44.0.0.1] do={\r\
    \n        :local subnet [/routing rip route get \$riproute dst-address] ;\
    \r\
    \n        :local gw [/routing rip route get \$riproute gateway] ;\r\
    \n        :set \$ripnets (\$ripnets, \$subnet) ;\r\
    \n        :set \$ripgws (\$ripgws, \"ampr-\" . \$gw) ;\r\
    \n        :delay \$AmprDelay ;\r\
    \n    }\r\
    \n\r\
    \n    :foreach myroute in=[/ip route find static pref-src=\$AmprMyIp] do={\
    \r\
    \n        :local subnet ([/ip route get \$myroute dst-address]) ;\r\
    \n        :local gw [:pick [/ip route get \$myroute gateway] 0] ;\r\
    \n        :if ([:find \$gw \"ampr-\" -1 ] = 0) do={\r\
    \n            :set \$amprnets (\$amprnets, \$subnet) ;\r\
    \n            :set \$amprgws (\$amprgws, \$gw) ;\r\
    \n        }\r\
    \n        :delay \$AmprDelay ;\r\
    \n    }\r\
    \n\r\
    \n    :foreach mytunnel in=[/interface ipip find] do={\r\
    \n        :local gw [/interface ipip get \$mytunnel name] ;\r\
    \n        :if ([:find \$gw \"ampr-\" -1 ] = 0) do={\r\
    \n            :set \$amprtuns (\$amprtuns, \$gw) ;\r\
    \n        }\r\
    \n        :delay \$AmprDelay ;\r\
    \n    }\r\
    \n\r\
    \n# ------------------------------------------------------\r\
    \n# Process configuration against RIP\r\
    \n# ------------------------------------------------------\r\
    \n\r\
    \n    :local riplen [:len \$ripnets ] ;\r\
    \n    :local amprlen [:len \$amprnets ] ;\r\
    \n\r\
    \n\r\
    \n# check routes and tunnels to add/update\r\
    \n# ------------------------------------------------------\r\
    \n\r\
    \n    :set \$AmprPhase \"Logic: Processing new/updated\" ;\r\
    \n\r\
    \n    :for i from 1 to (\$riplen - 1) do={\r\
    \n        :local subnet [:pick \$ripnets \$i] ;\r\
    \n        :local gw [:pick \$ripgws \$i] ;\r\
    \n\r\
    \n        # check if route for subnet exists\r\
    \n        :local f [:find \$amprnets \$subnet -1] ;\r\
    \n        :if (\$f > 0) do={\r\
    \n            # route exists, update if gateway has changed\r\
    \n            :if ([:pick \$amprgws \$f] != \$gw) do={\r\
    \n                :set \$updatenets (\$updatenets, \$subnet) ;\r\
    \n                :set \$updategws (\$updategws, \$gw) ;\r\
    \n            }\r\
    \n        } else={\r\
    \n             # route is new, add\r\
    \n            :set \$addnets (\$addnets, \$subnet) ;\r\
    \n            :set \$addgws (\$addgws, \$gw) ;\r\
    \n\r\
    \n        }\r\
    \n\r\
    \n        # check if gateway exists, add if new\r\
    \n        :if ([:find \$amprtuns \$gw -1]  < 0) do={\r\
    \n            :if ([:find \$addtuns \$gw -1]  < 0) do={\r\
    \n                :set \$addtuns (\$addtuns, \$gw) ;\r\
    \n            }\r\
    \n        }\r\
    \n    }\r\
    \n\r\
    \n# check obsolete routes\r\
    \n# ------------------------------------------------------\r\
    \n\r\
    \n    :set \$AmprPhase \"Logic: Processing obsolete\" ;\r\
    \n\r\
    \n    :for i from 1 to (\$amprlen - 1) do={\r\
    \n        :local subnet [:pick \$amprnets \$i] ;\r\
    \n        :local gw [:pick \$amprgws \$i] ;\r\
    \n\r\
    \n        # check if route is in rip data\r\
    \n        :if ([:find \$ripnets \$subnet -1]  < 0) do={\r\
    \n            :set \$delnets (\$delnets, \$subnet) ;\r\
    \n            :set \$delgws (\$delgws, \$gw) ;           \r\
    \n        }\r\
    \n    }\r\
    \n\r\
    \n# check for obsolete/orphan tunnels\r\
    \n# ------------------------------------------------------\r\
    \n\r\
    \n    # check for orphan tunnels\r\
    \n    : foreach gw in=\$amprtuns do={\r\
    \n        :if ([:find \$ripgws \$gw -1]  < 0) do={\r\
    \n            :if ([:find \$deltuns \$gw -1]  < 0) do={\r\
    \n                :set \$deltuns (\$deltuns, \$gw) ;\r\
    \n            }\r\
    \n        }\r\
    \n    }\r\
    \n\r\
    \n# ------------------------------------------------------\r\
    \n# Configure the router\r\
    \n# ------------------------------------------------------\r\
    \n\r\
    \n# add new tunnels\r\
    \n# ------------------------------------------------------\r\
    \n    :if ([:len \$addtuns] > 1) do={\r\
    \n        :set \$AmprPhase \"Router: Add tunnels\" ;\r\
    \n        :for i from 1 to ([:len \$addtuns] - 1) do={\r\
    \n            :local gw [:pick \$addtuns \$i] ;\r\
    \n            :local ip [:pick \$gw ([:find \$gw \"-\"] + 1)  [:len \$gw] \
    ];\r\
    \n             :if (\$ip & 255.0.0.0 = 44.0.0.0) do={\r\
    \n                 :log info \"AMPR: GW in ampr network - add route to \$i\
    p via \$AmprDefaultGw\"\r\
    \n                 /ip route add dst-address=\$ip gateway=\$AmprDefaultGw \
    distance=\$AmprRoutingDistance pref-src=\$AmprMyIp comment=(\"Added on \".\
    \_\$runtime)\r\
    \n             }\r\
    \n            :log info \"AMPR: Add tunnel \$gw to \$ip\"\r\
    \n            /interface ipip add !keepalive clamp-tcp-mss=yes local-addre\
    ss=\$AmprPublicIp remote-address=\$ip name=\$gw comment=(\"Added on \". \$\
    runtime)\r\
    \n            /interface list member add list=\"ampr-interfaces\" interfac\
    e=\$gw\r\
    \n        }\r\
    \n    }\r\
    \n\r\
    \n# delete routes\r\
    \n# ------------------------------------------------------\r\
    \n    :if ([:len \$delnets] > 1) do={\r\
    \n        :set \$AmprPhase \"Router: Delete routes\" ;\r\
    \n        :for i from 1 to ([:len \$delnets] - 1) do={\r\
    \n            :local subnet [:pick \$delnets \$i] ;\r\
    \n            :local gw [:pick \$delgws \$i] ;\r\
    \n            :log info \"AMPR: Delete route \$subnet via \$gw\"\r\
    \n            :foreach myroute in=[/ip route find dst-address=\$subnet !ro\
    uting-mark] do={\r\
    \n                :local intf [:pick [/ip route get \$myroute gateway] 0] \
    ;\r\
    \n                :if (\$intf = \$gw) do={\r\
    \n                    /ip route remove \$myroute\r\
    \n                }\r\
    \n            }\r\
    \n        }\r\
    \n    }\r\
    \n\r\
    \n# add new routes\r\
    \n# ------------------------------------------------------\r\
    \n    :if ([:len \$addnets] > 1) do={\r\
    \n        :set \$AmprPhase \"Router: Add routes\" ;\r\
    \n        :for i from 1 to ([:len \$addnets] - 1) do={\r\
    \n            :local subnet [:pick \$addnets \$i] ;\r\
    \n            :local gw [:pick \$addgws \$i] ;\r\
    \n            :log info \"AMPR: Add route \$subnet via \$gw\"\r\
    \n            /ip route add dst-address=\$subnet gateway=\$gw distance=\$A\
    mprRoutingDistance pref-src=\$AmprMyIp comment=(\"Added on \". \$runtime)\
    \r\
    \n        }\r\
    \n    }\r\
    \n\r\
    \n# update routes\r\
    \n# ------------------------------------------------------\r\
    \n    :if ([:len \$updatenets] > 1) do={\r\
    \n        :set \$AmprPhase \"Router: Update routes\" ;\r\
    \n        :for i from 1 to ([:len \$updatenets] - 1) do={\r\
    \n            :local subnet [:pick \$updatenets \$i] ;\r\
    \n            :local gw [:pick \$updategws \$i] ;\r\
    \n            :log info \"AMPR: Update route \$subnet via \$gw\"\r\
    \n            :foreach myroute in=[/ip route find dst-address=\$subnet !ro\
    uting-mark] do={\r\
    \n                :local intf [:pick [/ip route get \$myroute gateway] 0] \
    ;\r\
    \n                :if ([:find \$intf \"ampr-\" -1 ] = 0) do={\r\
    \n                    /ip route set \$myroute gateway=\$gw comment=(\"Upda\
    ted on \". \$runtime)\r\
    \n                }\r\
    \n            }\r\
    \n        }\r\
    \n    }\r\
    \n\r\
    \n# delete tunnels\r\
    \n# ------------------------------------------------------\r\
    \n    :if ([:len \$deltuns] > 1) do={\r\
    \n        :set \$AmprPhase \"Router: Delete tunnels\" ;\r\
    \n        :for i from 1 to ([:len \$deltuns] - 1) do={\r\
    \n            :local gw [:pick \$deltuns \$i] ;\r\
    \n            :local ip [:pick \$gw ([:find \$gw \"-\"] + 1)  [:len \$gw] \
    ];\r\
    \n            :if (\$ip & 255.0.0.0 = 44.0.0.0) do={\r\
    \n                :foreach myroute in=[/ip route find dst-address=\$ip.\"/\
    32\" !routing-mark] do={\r\
    \n                    :local intf [:pick [/ip route get \$myroute gateway]\
    \_0] ;\r\
    \n                    :if (\$intf = \$AmprDefaultGw) do={\r\
    \n                        :log info \"AMPR: GW in ampr network - remove ro\
    ute to \$ip via \$AmprDefaultGw\"\r\
    \n                        /ip route remove \$myroute\r\
    \n                    }\r\
    \n                }\r\
    \n            }\r\
    \n            :log info \"AMPR: Delete tunnel \$gw\"\r\
    \n            :local listentry [/interface list member find where interfac\
    e=\$gw] ;\r\
    \n            :if (\$listentry != 0) do={\r\
    \n                /interface list member remove \$listentry\r\
    \n            }\r\
    \n            /interface ipip remove \$gw\r\
    \n        }\r\
    \n    }\r\
    \n\r\
    \n    :set \$AmprPhase \"Idle\" ;\r\
    \n"
# ampr_config: sets the global parameters that ampr_gw reads. AmprPublicIp is
# the router's private ether1 address (192.168.80.44), used as the local
# address of every tunnel that ampr_gw creates; AmprMyIp (44.60.73.14) is the
# pref-src for the routes it adds; AmprDefaultGw names the ucsd-gw tunnel.
# NOTE(review): this script only assigns five globals, yet its policy list
# includes ftp, reboot, password, sniff and sensitive - confirm whether those
# are needed before trimming.
add dont-require-permissions=no name=ampr_config owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="#\r\
    \n# RIPv2 based AMPR Tunnel setup script for RouterOS v3.0\r\
    \n#\r\
    \n#  by YO2LOJ, Marius <marius@yo2loj.ro>\r\
    \n#\r\
    \n# This script holds the runtime parameter definitions\r\
    \n#\r\
    \n\r\
    \n# --------------------------------------------------------------\r\
    \n# Setup parameters (change as needed)\r\
    \n#\r\
    \n#    These parameters are used by\r\
    \n#     the \"ampr_gw\" script which is\r\
    \n#    called by the scheduled \"update_ampr\"\r\
    \n#    wrapper script.\r\
    \n# --------------------------------------------------------------\r\
    \n\r\
    \n# Your gateway interface\r\
    \n:global AmprPublicIp \"192.168.80.44\" ;\r\
    \n\r\
    \n# router local AMPR IP\r\
    \n:global AmprMyIp \"44.60.73.14\" ;\r\
    \n\r\
    \n# default gateway \r\
    \n:global AmprDefaultGw \"ucsd-gw\" ;\r\
    \n\r\
    \n# routing distance for AMPR routes\r\
    \n:global AmprRoutingDistance 50 ;\r\
    \n\r\
    \n# global delay between steps\r\
    \n:global AmprDelay \"10ms\" ;\r\
    \n\r\
    \n"
