~ There are no absolute answers in this universe, only assumptions, guesses, Jeopardies
Syed Jahanzaib !
Just a reference post. The default PCC configuration may not work if you are using a VPN server (to provide internet access to local users via a dialer), so you may need to tweak it a little in order to make it work.
Disclaimer:
The script in this post is made for reference purposes only. It is in no way COPY PASTE material that you can use as a whole: every config is different and is built according to its network. Just read it and understand the logic, modify it as per local requirements, and then implement it. You may need to play with it a bit, or tweak it, in order to get a workable config.
Scenario:
Hardware used: Mikrotik RB1100AHx2
- 9 DSL (PTCL) routers are connected with the RB1100AHx2.
- Port names have been renamed to friendlier labels for easy marking. For example, ports 1-9 are renamed WAN1 to WAN9, and port 10 is marked Local.
- The VPN server is configured on the same RB, and users dial in to this server in order to access the internet.
- No DHCP is used on this setup, as the OP prefers static IPs due to some specific circumstances.
The script:
# Make sure to adjust it as per your setup

# Local interface connected with the users' switch
/ip address
add address=10.0.0.1/24 interface=Local network=10.0.0.0

# WAN interface IP addresses, which are connected with the PTCL DSL routers
/ip address
add address=192.168.1.2/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.2/24 interface=WAN2 network=192.168.2.0
add address=192.168.3.2/24 interface=WAN3 network=192.168.3.0
add address=192.168.4.2/24 interface=WAN4 network=192.168.4.0
add address=192.168.5.2/24 interface=WAN5 network=192.168.5.0
add address=192.168.6.2/24 interface=WAN6 network=192.168.6.0
add address=192.168.7.2/24 interface=WAN7 network=192.168.7.0
add address=192.168.8.2/24 interface=WAN8 network=192.168.8.0
add address=192.168.9.2/24 interface=WAN9 network=192.168.9.0

# Add IP pool for VPN dialer users, which will be allowed to use the internet
/ip pool
add name=vpn-pool ranges=172.16.0.1-172.16.0.255

# Add VPN profile for users, example 1mb per user profile
/ppp profile
add change-tcp-mss=yes dns-server=110.0.0.1,8.8.8.8 local-address=10.0.0.1 name=vpn-1mb only-one=yes rate-limit=1024k/1024k remote-address=vpn-pool use-encryption=yes

# Enable the PPTP server with the above profile as default
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=vpn-1mb enabled=yes

# Enable DNS server
/ip dns
set allow-remote-requests=yes servers=8.8.8.8

# Address lists: VPN pool = users allowed to reach the internet; local sharing server = bypassed from PCC
/ip firewall address-list
add address=172.16.0.1-172.16.0.255 list=local_vpn_users_internet_allowed_list
# This is a local sharing server
add address=192.168.10.1 list=local_sharing_server

/ip firewall mangle
# Bypass local media sharing server from PCC, so users can access it / Adjust it according to your need / Jz
add action=accept chain=prerouting comment="Allow access to local sharing server / bypass them from the PCC" dst-address-list=local_sharing_server

# Accept traffic going to DSL routers / Adjust it according to your need / Jz
add action=accept chain=prerouting dst-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.2.0/24
add action=accept chain=prerouting dst-address=192.168.3.0/24
add action=accept chain=prerouting dst-address=192.168.4.0/24
add action=accept chain=prerouting dst-address=192.168.5.0/24
add action=accept chain=prerouting dst-address=192.168.6.0/24
add action=accept chain=prerouting dst-address=192.168.7.0/24
add action=accept chain=prerouting dst-address=192.168.8.0/24
add action=accept chain=prerouting dst-address=192.168.9.0/24

# Mark connections using PCC for 9 WANs, only for sources in the allowed VPN list / Adjust it according to your need / Jz
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/0 src-address-list=local_vpn_users_internet_allowed_list
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/1 src-address-list=local_vpn_users_internet_allowed_list
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/2 src-address-list=local_vpn_users_internet_allowed_list
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=WAN4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/3 src-address-list=local_vpn_users_internet_allowed_list
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=WAN5_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/4 src-address-list=local_vpn_users_internet_allowed_list
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=WAN6_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/5 src-address-list=local_vpn_users_internet_allowed_list
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=WAN7_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/6 src-address-list=local_vpn_users_internet_allowed_list
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=WAN8_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/7 src-address-list=local_vpn_users_internet_allowed_list
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=WAN9_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/8 src-address-list=local_vpn_users_internet_allowed_list

# Mark routing for the above marked connections, so that it can be used in the ROUTE section / Adjust it according to your need / Jz
add action=mark-routing chain=prerouting connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn new-routing-mark=to_WAN3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN4_conn new-routing-mark=to_WAN4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN5_conn new-routing-mark=to_WAN5 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN6_conn new-routing-mark=to_WAN6 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN7_conn new-routing-mark=to_WAN7 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN8_conn new-routing-mark=to_WAN8 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN9_conn new-routing-mark=to_WAN9 passthrough=yes

# Add NAT/MASQUERADE rules, restricted to the allowed VPN users only
# (the srcnat rules belong in the nat table, not in mangle)
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow Local Sharing Servers / NATING" dst-address-list=local_sharing_server
add action=masquerade chain=srcnat comment="WAN-1 / Allow Internet Access - For VPN Users only" out-interface=WAN1 src-address-list=local_vpn_users_internet_allowed_list
add action=masquerade chain=srcnat comment="WAN-2 / Allow Internet Access - For VPN Users only" out-interface=WAN2 src-address-list=local_vpn_users_internet_allowed_list
add action=masquerade chain=srcnat comment="WAN-3 / Allow Internet Access - For VPN Users only" out-interface=WAN3 src-address-list=local_vpn_users_internet_allowed_list
add action=masquerade chain=srcnat comment="WAN-4 / Allow Internet Access - For VPN Users only" out-interface=WAN4 src-address-list=local_vpn_users_internet_allowed_list
add action=masquerade chain=srcnat comment="WAN-5 / Allow Internet Access - For VPN Users only" out-interface=WAN5 src-address-list=local_vpn_users_internet_allowed_list
add action=masquerade chain=srcnat comment="WAN-6 / Allow Internet Access - For VPN Users only" out-interface=WAN6 src-address-list=local_vpn_users_internet_allowed_list
add action=masquerade chain=srcnat comment="WAN-7 / Allow Internet Access - For VPN Users only" out-interface=WAN7 src-address-list=local_vpn_users_internet_allowed_list
add action=masquerade chain=srcnat comment="WAN-8 / Allow Internet Access - For VPN Users only" out-interface=WAN8 src-address-list=local_vpn_users_internet_allowed_list
add action=masquerade chain=srcnat comment="WAN-9 / Allow Internet Access - For VPN Users only" out-interface=WAN9 src-address-list=local_vpn_users_internet_allowed_list

# Adding routes for marked traffic
# Each DSL router IP is in series, like 192.168.1.1 / 2.1 / 3.1 and so on
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_WAN3
add check-gateway=ping distance=1 gateway=192.168.4.1 routing-mark=to_WAN4
add check-gateway=ping distance=1 gateway=192.168.5.1 routing-mark=to_WAN5
add check-gateway=ping distance=1 gateway=192.168.6.1 routing-mark=to_WAN6
add check-gateway=ping distance=1 gateway=192.168.7.1 routing-mark=to_WAN7
add check-gateway=ping distance=1 gateway=192.168.8.1 routing-mark=to_WAN8
add check-gateway=ping distance=1 gateway=192.168.9.1 routing-mark=to_WAN9

# Adding default routes in the main table, so that if any WAN goes down, those packets go via the MAIN table : ) kind of failover / Jz
add check-gateway=ping comment="WAN-1 / DEFAULT ROUTE" distance=1 gateway=192.168.1.1
add check-gateway=ping comment="WAN-2 / DEFAULT ROUTE" distance=2 gateway=192.168.2.1
add check-gateway=ping comment="WAN-3 / DEFAULT ROUTE" distance=3 gateway=192.168.3.1
add check-gateway=ping comment="WAN-4 / DEFAULT ROUTE" distance=4 gateway=192.168.4.1
add check-gateway=ping comment="WAN-5 / DEFAULT ROUTE" distance=5 gateway=192.168.5.1
add check-gateway=ping comment="WAN-6 / DEFAULT ROUTE" distance=6 gateway=192.168.6.1
add check-gateway=ping comment="WAN-7 / DEFAULT ROUTE" distance=7 gateway=192.168.7.1
add check-gateway=ping comment="WAN-8 / DEFAULT ROUTE" distance=8 gateway=192.168.8.1
add check-gateway=ping comment="WAN-9 / DEFAULT ROUTE" distance=9 gateway=192.168.9.1
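To see what the mangle and srcnat rules above actually decide for a given flow, here is a small Python model of that decision path. It is an added illustration, not code from the post or from Mikrotik: it walks the prerouting chain in the same order as the script (sharing-server bypass, DSL-subnet bypass, dst-address-type=!local, the src-address-list check, then PCC), picks the exit interface, and applies the srcnat rules. The addresses and lists are the ones in the script; the packets are constructed samples. One assumption: RouterOS does not publish the hash behind per-connection-classifier, so a SHA-256 over the 5-tuple stands in for it. It reproduces the property the rules rely on (the same flow always gets the same remainder and flows spread over all nine), but it will not match the WAN RouterOS itself would choose for a particular flow.

```python
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass

NUM_WANS = 9

# Addresses taken from the configuration in the post
ROUTER_LOCAL_ADDRS = {ipaddress.ip_address("10.0.0.1")} | {
    ipaddress.ip_address(f"192.168.{i}.2") for i in range(1, NUM_WANS + 1)
}
DSL_SUBNETS = {f"WAN{i}": ipaddress.ip_network(f"192.168.{i}.0/24")
               for i in range(1, NUM_WANS + 1)}
SHARING_SERVER = ipaddress.ip_address("192.168.10.1")
VPN_POOL_LOW = ipaddress.ip_address("172.16.0.1")
VPN_POOL_HIGH = ipaddress.ip_address("172.16.0.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def in_vpn_pool(addr: ipaddress.IPv4Address) -> bool:
    """Membership in local_vpn_users_internet_allowed_list."""
    return VPN_POOL_LOW <= addr <= VPN_POOL_HIGH


def pcc_remainder(pkt: Packet, denominator: int = NUM_WANS) -> int:
    """Stand-in for per-connection-classifier=both-addresses-and-ports:D/R.

    ASSUMPTION: RouterOS' PCC hash is undocumented; SHA-256 of the 5-tuple is
    used instead. It keeps flow stickiness and spreads flows over D remainders.
    """
    key = f"{pkt.proto}|{pkt.src}|{pkt.dst}|{pkt.sport}|{pkt.dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % denominator


def classify(pkt: Packet) -> dict:
    """Walk the prerouting mangle chain, pick the exit interface, apply srcnat."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    out = {"connection_mark": None, "routing_mark": None,
           "out_interface": None, "masquerade": False, "reason": ""}

    # Mangle rule 1: accept for the sharing server. Its srcnat rule matches on
    # dst-address-list only, so any local source is masqueraded towards it.
    if dst == SHARING_SERVER:
        out["masquerade"] = True
        out["reason"] = "bypassed PCC: local sharing server"
        return out

    # Mangle rules 2-10: accept for the DSL router subnets; such traffic leaves
    # through the directly connected WAN interface with no routing mark.
    for iface, net in DSL_SUBNETS.items():
        if dst in net:
            out["out_interface"] = iface
            out["reason"] = f"bypassed PCC: DSL subnet via {iface}"
            break
    else:
        if dst in ROUTER_LOCAL_ADDRS:
            out["reason"] = "dst-address-type=local: destined to the router"
            return out
        if in_vpn_pool(src):
            # PCC rules: remainder r selects the WAN(r+1) marks.
            r = pcc_remainder(pkt)
            out["connection_mark"] = f"WAN{r + 1}_conn"
            out["routing_mark"] = f"to_WAN{r + 1}"
            out["out_interface"] = f"WAN{r + 1}"
            out["reason"] = f"PCC {NUM_WANS}/{r}"
        else:
            # Not in the allowed list: no mark, so the main table applies and
            # the distance-1 default route (WAN1, when up) is used.
            out["out_interface"] = "WAN1"
            out["reason"] = "src not in local_vpn_users_internet_allowed_list"

    # srcnat: masquerade only when leaving a WAN AND src is an allowed VPN address.
    out["masquerade"] = out["out_interface"] is not None and in_vpn_pool(src)
    return out


def wan_distribution(packets) -> Counter:
    """Count how many flows land on each WAN connection mark."""
    return Counter(classify(p)["connection_mark"] for p in packets)


if __name__ == "__main__":
    samples = [  # constructed sample flows
        Packet("172.16.0.10", "8.8.8.8", 51000, 53, "udp"),   # VPN user -> internet
        Packet("10.0.0.50", "1.1.1.1", 52000, 443),           # LAN host, not on VPN
        Packet("172.16.0.10", "192.168.3.1", 53000, 80),      # VPN user -> DSL router 3
        Packet("10.0.0.50", "192.168.10.1", 54000, 445),      # LAN host -> sharing server
        Packet("172.16.0.10", "10.0.0.1", 55000, 53, "udp"),  # VPN user -> router DNS
    ]
    for p in samples:
        print(p, classify(p))
    flows = [Packet(f"172.16.0.{1 + i % 200}", "203.0.113.10", 40000 + i, 443)
             for i in range(500)]
    print(wan_distribution(flows))
```

The second sample is the case worth checking on a real box: a LAN host outside the VPN pool gets no connection mark and no masquerade, but nothing in the script drops it either, so the model shows it leaving via the main table's WAN1 default route with its private source address intact. If the intent is that non-VPN hosts get no internet at all, a forward-chain filter rule for sources outside local_vpn_users_internet_allowed_list is what enforces that, not the NAT rules.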
W/Salam