Computer networks
rt001, 2015-02-15 14:32:51

How do I send users out through a specific provider on a Mikrotik when there are several providers?

I'll start from the beginning.

The school has a DC and 2 providers; one of them (provider No. 1, ertelecom) has content filtering enabled, and the whole school goes out to the internet through it. Previously a certain circle of people (the VIPs) had their own subnet (WORKGROUP), physically separated from everyone else, with their own router (D-LINK) there handing out internet and DHCP; this was set up by someone I never met ))). But those users had no access to the domain controller's resources or the file server, of course, and found this inconvenient. I finally got around to uniting the whole thing: bring both providers into one router and distribute the internet from there to both the VIPs and the mere mortals.

Because the cable from provider No. 2 is physically far from the main router (RB2011), I installed a D-LINK RB750 at that spot and carried the channel from it over a VLAN through the main network to RB2011. Now RB2011 initiates the connection to both providers. I connected the VIPs to the same network as the mortals. I set up mangle rules and send them out through one provider or the other according to address lists. When I ask Yandex for my IP from a VIP machine, it shows provider No. 2's IP; from a normal machine it shows provider No. 1's IP. It would seem everything is fine, but there is a problem.

From a normal machine, when it tries to go to Odnoklassniki, for example, the browser is redirected to the page parent-control.filter.ertelecom.ru (the address in the address bar changes); that is all correct.

But when you try to open the same Odnoklassniki from a VIP machine, it sometimes opens the destination page, but more often it shows the same content as the parent-control.filter.ertelecom.ru page, only without a redirect, i.e. the address bar still says Odnoklassniki while the screen shows "parental control".

I'm already hysterical. The boss is pressuring me: give us Odnoklassniki! Put everything back the way it was (i.e. a separate network and the old router)! I'm almost in tears. I've spent over 70 hours on this. I did the mangles with jumps and without jumps (of course, that's the same thing from a different angle, but you never know): doesn't work.

Moreover, if I disconnect provider No. 1, then nothing opens for ordinary computers (as it should be), and for the VIPs it's the same song: parental control, even if I pull the cable out of the media converter.

If I create an ordinary route to prov2 and remove the mangles (as if we only had prov No. 2), everything starts working.

On the DHCP on the domain controller, clients get 192.168.1.2 (RB2011) as the gateway and the domain controller as DNS; the DNS on the domain controller forwards to 192.168.1.2 (RB2011).

It looks something like this... I drew it as best I could)))

  +-------+                            +-------+
  | ISP 2 |                            | ISP 1 |
  +-------+                            +-------+
     |                                     |
     |ETH1                                 |ETH6
+--+-----------+----------+            +-------------------------+
|  |  BRIDGE1  |          |            |                         |
|  +-----------+          |            |                         |
|          |              |            |                         |
| RB750    |              |            | RB2011                  |
|          |              |            |                         |
|  +-----------+          |            |  +-----------+          |
|  |     VLAN1 |          |            |  |     VLAN1 |          |
+--+----------------------+            +--+----------------------+
     | ETH2 (LAN) 192.168.1.3/24            | ETH2 (LAN) 192.168.1.2/24
     |                                      |
     |             +------------------+     |
     |             |                  |     |
      -------------|   LAN Switch     |-----
                   |                  |
                   +------------------+
                     |         |     |
                 +-----+  +-----+  +-----+
                 | PC1 |  | PC2 |  | DC  |
                 +-----+  +-----+  +-----+

/ip firewall mangle
# (disabled) ICMP logging rules left over from debugging
add action=log chain=output disabled=yes protocol=icmp
add action=log chain=input disabled=yes protocol=icmp
# Router-originated traffic: replies to connections that arrived on wan2 leave via wan2
add action=mark-connection chain=input comment="in wan2,out wan2" in-interface=\
    wan2 new-connection-mark=wan2_conn
add action=mark-routing chain=output comment="in wan2,out wan2" connection-mark=\
    wan2_conn new-routing-mark=wan2_traffic passthrough=no
# Port-forwarded connections that came in on wan2: send the LAN host's replies back out wan2
add action=mark-connection chain=forward comment="pfw wan2, out wan2" \
    connection-state=new in-interface=wan2 new-connection-mark=wan2_pfw \
    passthrough=no
add action=mark-routing chain=prerouting comment="pfw wan2, out wan2" \
    connection-mark=wan2_pfw in-interface=ether2 new-routing-mark=wan2_traffic \
    passthrough=no
# LAN-originated connections from the VIP address list (to_wan2) get the wan2 connection mark,
# whether they enter on ether2 or on bridge1; anything aimed at the router itself is excluded
add action=mark-connection chain=prerouting comment="wan2 con mark" \
    connection-state=new dst-address-type=!local in-interface=ether2 \
    new-connection-mark=wan2_conn src-address-list=to_wan2
add action=mark-connection chain=prerouting comment="wan2 con mark" \
    connection-state=new dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=wan2_conn src-address-list=to_wan2
# ...and every packet of a wan2_conn connection is routed via the wan2_traffic table
add action=mark-routing chain=prerouting comment="wan2 rout mark" connection-mark=\
    wan2_conn in-interface=ether2 new-routing-mark=wan2_traffic passthrough=no
add action=mark-routing chain=prerouting comment="wan2 rout mark" connection-mark=\
    wan2_conn in-interface=bridge1 new-routing-mark=wan2_traffic passthrough=no
# Same three groups for wan1 (router replies, port forwards, LAN hosts in to_wan1), ether2 only
add action=mark-connection chain=input comment="in wan1,out wan1" in-interface=\
    wan1 new-connection-mark=wan1_conn
add action=mark-routing chain=output comment="in wan1,out wan1" connection-mark=\
    wan1_conn new-routing-mark=wan1_traffic passthrough=no
add action=mark-connection chain=forward comment="pfw wan1, out wan1" \
    connection-state=new in-interface=wan1 new-connection-mark=wan1_pfw \
    passthrough=no
add action=mark-routing chain=prerouting comment="pfw wan1, out wan1" \
    connection-mark=wan1_pfw in-interface=ether2 new-routing-mark=wan1_traffic \
    passthrough=no
add action=mark-connection chain=prerouting comment="wan1 con mark" \
    connection-state=new dst-address-type=!local in-interface=ether2 \
    new-connection-mark=wan1_conn src-address-list=to_wan1
add action=mark-routing chain=prerouting comment="wan1 rout mark" connection-mark=\
    wan1_conn in-interface=ether2 new-routing-mark=wan1_traffic passthrough=no

/ip route
# Per-mark default routes selected by the mangle routing marks above
add comment=wan1 distance=1 gateway=wan1 routing-mark=wan1_traffic
add comment=wan2 distance=1 gateway=wan2 routing-mark=wan2_traffic
# Main-table default: unmarked traffic (including the router's own) goes via wan1
add comment=wan1 distance=1 gateway=wan1
# Host routes so each provider's DNS servers are reached through that provider's uplink
add comment="wan2,wan3 DNS" distance=1 dst-address=93.88.128.2/32 gateway=\
    wan2,wan3
add comment="wan2,wan3 DNS" distance=1 dst-address=93.88.129.2/32 gateway=\
    wan2,wan3
add comment="wan1 DNS" distance=1 dst-address=109.194.159.59/32 gateway=wan1
add comment="wan1 DNS" distance=1 dst-address=212.33.246.249/32 gateway=wan1

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; wan1
        0.0.0.0/0                          wan1                      1
 1 A S  ;;; wan2
        0.0.0.0/0                          wan2                      1
 2 A S  ;;; wan1
        0.0.0.0/0                          wan1                      1
 3 ADC  10.81.255.126/32   XXX.XXX.XXX.XXX wan1                      0
 4 A S  ;;; wan2,wan3 DNS
        93.88.128.2/32                     wan2                      1
                                           wan3
 5 A S  ;;; wan2,wan3 DNS
        93.88.129.2/32                     wan2                      1
                                           wan3
 6 ADC  93.88.133.200/32   XXX.XXX.XXX.XXX wan2                      0
 7 A S  ;;; wan1 DNS
        109.194.159.59/32                  wan1                      1
10 ADC  192.168.1.0/24     192.168.1.2     ether2                    0
11 A S  ;;; wan1 DNS
        212.33.246.249/32                  wan1                      1

/ip dns
set allow-remote-requests=yes servers=\
    212.33.246.249,109.194.159.59,93.88.128.2,93.88.129.2

please, help!!! :'(

1 answer
Melkij, 2015-02-15
@rt001

I'd venture that the setup is basically correct and the problem is purely in DNS.
That is, in the end all DNS ends up at RB2011, and there Mikrotik asks whichever upstream DNS it feels like for the address, for the VIPs and for ordinary users alike.
Meanwhile, the first provider intercepts and rewrites DNS responses, steering traffic to a node it controls. That response is cached against the domain name with no tie to a particular ISP, and presto: all traffic for that domain name is steered to that address.
To test the hypothesis, try setting the DNS servers issued by the second provider statically on the VIP machine. Or even Google's 8.8.8.8, 8.8.4.4.
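A quick way to check the hypothesis in this answer before touching the clients is to ask the same name of each upstream resolver directly and see which one gives a different answer. The script below is an added example, not part of the original question or answer: it sends raw A queries over UDP with the standard library only, parses the replies, and flags the resolver whose answer set disagrees with the others. The resolver addresses in the usage note are the ones from the question's `/ip dns` list; the block-page and "real" addresses in the offline sample (203.0.113.5, 198.51.100.7, 198.51.100.8) are constructed from documentation ranges and stand in for whatever the live servers return.

```python
"""Compare A-record answers for one name across several DNS resolvers.

Added example for this thread: if the filtering ISP's resolver returns a
different address for a name than the second ISP's resolver or 8.8.8.8,
the "parental control" page is coming from DNS, not from routing.
"""
import random
import socket
import struct
import sys

DNS_PORT = 53


def _encode_name(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels, terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """Standard recursive A/IN query: QR=0, RD=1, one question, no other sections."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name: str, qid: int, ips, ttl: int = 300) -> bytes:
    """Minimal authoritative-looking reply; only used to construct offline samples."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)  # QR=1 RD=1 RA=1
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C = compression pointer back to the QNAME at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += ln + 1


def parse_a_records(resp: bytes, qid: int):
    """Return (rcode, sorted A records) from a raw reply; rejects a mismatched ID."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("DNS transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return flags & 0xF, sorted(addrs)


def resolve_a(name: str, server: str, timeout: float = 3.0):
    """Live lookup against one resolver (network access; not used by the offline sample)."""
    qid = random.randrange(1, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, DNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)


def find_divergent(answers: dict) -> list:
    """answers: {resolver: sorted A records}. Returns resolvers outside the largest
    agreeing group (on a tie, the first group seen wins); with a filtering upstream
    in the mix these are the ones handing out the block-page address."""
    groups = {}
    for label, ips in answers.items():
        groups.setdefault(tuple(ips), []).append(label)
    if len(groups) <= 1:
        return []
    majority = max(groups.values(), key=len)
    return sorted(lbl for grp in groups.values() if grp is not majority for lbl in grp)


def offline_demo() -> list:
    """Constructed sample: ISP1's resolver answers with a block-page IP, the others agree."""
    name, qid = "blocked.example", 0x1234
    samples = {
        "isp1-dns": build_response(name, qid, ["203.0.113.5"]),                   # constructed
        "isp2-dns": build_response(name, qid, ["198.51.100.7", "198.51.100.8"]),  # constructed
        "8.8.8.8": build_response(name, qid, ["198.51.100.8", "198.51.100.7"]),   # constructed
    }
    answers = {label: parse_a_records(raw, qid)[1] for label, raw in samples.items()}
    return find_divergent(answers)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("offline sample, divergent resolvers:", offline_demo())
        print(f"usage: {sys.argv[0]} NAME RESOLVER [RESOLVER ...]")
    else:
        live = {}
        for srv in sys.argv[2:]:
            try:
                live[srv] = resolve_a(sys.argv[1], srv)[1]
            except (socket.timeout, OSError, ValueError) as exc:
                print(f"{srv}: no usable answer ({exc})")
        for srv, ips in live.items():
            print(f"{srv:>16}: {', '.join(ips) or '(no A records)'}")
        print("divergent:", find_divergent(live))
```

Run it from a machine on the LAN as `python3 dnscheck.py ok.ru 212.33.246.249 93.88.128.2 8.8.8.8` (the resolvers from the question's `/ip dns` list plus Google). If the two ertelecom servers report one address and the others report something else, the Mikrotik cache is the culprit exactly as the answer describes: whichever upstream it happened to ask first decides what every client, VIP or not, gets for that name. Note that a query to 8.8.8.8 still leaves through wan1 under the main routing table here, so if that answer also differs the provider is rewriting in-path rather than only on its own resolvers.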
