Mikrotik
dmsn, 2014-03-22 20:09:57

RouterOS - how to mark traffic?

Good evening.
There are two offices with a PPTP tunnel between them. Each building has its own provider.
In building "A" the provider offers mail services to its clients, but only from its own subnet; from any other connection point it is not possible to reach its POP3/SMTP services.
Some of the workstations moved from building "A" to building "B", so the mail service became unavailable to them. The task is to make the service available to them again.
We have two Mikrotik CCR1016-12G routers with RouterOS v. 6.1, one at each site.
At site "B" I create a rule that marks traffic headed for the POP3/SMTP services, plus a log rule, and a route that sends traffic with that mark through the tunnel.
At site "A" I create a log rule for mail traffic coming out of the tunnel, and another log rule on the outgoing interface.
From building "B" I connect with telnet to port 25 of the provider's server; the logs show that the traffic went into the tunnel, and on router "A" I see that it left the tunnel and went out the external interface.
I created one more rule on the external interface, which shows that the service is responding.
And here, in fact, is the question: how do I mark the incoming traffic from the provider's server that is intended for office "B"? Naturally, you cannot send all mail traffic into the tunnel.
I will be glad to any advice.
Thanks in advance, Konstantin.


3 answer(s)
nimbo, 2014-03-25
@nimbo

I'm afraid this may be inadequate, but: input -> source IP (addresses of the POP3/SMTP servers) -> marking -> wrapping into the PPTP tunnel to office B?

Kirill Vasiliev, 2014-04-14
@vasilevkirill

Mark the service's forwarded connections coming from the tunnel, only on the necessary ports,
and for these connections mark the routes,
i.e. it will look like the following:

 /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; in-interface = your office tunnel, out-interface = your provider
     chain=forward action=mark-connection new-connection-mark=Office-B-mail passthrough=no protocol=tcp in-interface=pptp-office-B out-interface=ether2 dst-port=25,110,995 

 1   ;;; in-interface = your provider; replies for marked connections get the routing mark
     chain=prerouting action=mark-routing new-routing-mark="ROUTE OFFICE B" passthrough=no in-interface=ether2 connection-mark=Office-B-mail

D
dmsn, 2014-04-17
@dmsn

Thanks for the answer. I solved the problem like this: the PPTP endpoints are 192.168.x.100 on one side and 192.168.y.100 on the other. On the Y side, which consumes a number of services through the X-side gateway, I did the logging and marking and created a route for the marked traffic through the tunnel. On the X side I just wrote that everything coming from 192.168.y.100 should be logged and NATed towards the provider according to the specified parameters. The snag was NAT. Thanks everyone for the advice, it's appreciated.
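Putting the two answers above together (Kirill's connection and routing marks on router A, and the NAT step that turned out to be the missing piece), here is a complete configuration for both routers as an added example. It is not from this thread's authors or from MikroTik. The tunnel endpoints 192.168.1.100 (router A) and 192.168.2.100 (router B), the office B LAN 192.168.2.0/24, the provider mail subnet 203.0.113.0/24 and the interface names bridge-lan, ether2, pptp-office-A and pptp-office-B are constructed placeholders; the syntax is RouterOS v6, as used in the question.

```routeros
# ===== Router B (office B, whose clients need the provider's mail service) =====
# Constructed placeholder for the provider's mail servers. Keep the list tight so
# that only mail traffic to these hosts is pulled into the tunnel.
/ip firewall address-list
add list=provider-mail address=203.0.113.0/24 comment="constructed: provider mail subnet"

# Mark only SMTP/POP3/POP3S traffic from the LAN to those servers for policy routing.
# passthrough=yes so the log rule below still sees the marked packet while testing.
/ip firewall mangle
add chain=prerouting in-interface=bridge-lan protocol=tcp dst-address-list=provider-mail \
    dst-port=25,110,995 action=mark-routing new-routing-mark=to-office-A passthrough=yes
add chain=prerouting routing-mark=to-office-A action=log log-prefix="mail-via-tunnel:"

# Marked packets use this route (next hop = remote tunnel endpoint on router A);
# everything else keeps using office B's own provider via the main table.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.100 routing-mark=to-office-A

# ===== Router A (office A, whose provider hosts the mail service) =====
/ip firewall address-list
add list=provider-mail address=203.0.113.0/24 comment="constructed: provider mail subnet"

# Only mail traffic from the tunnel may leave towards the provider; drop the rest
# so the tunnel cannot become a general exit through office A's uplink.
# Place these before any broad "accept forward" rule.
/ip firewall filter
add chain=forward in-interface=pptp-office-B out-interface=ether2 protocol=tcp \
    dst-address-list=provider-mail dst-port=25,110,995 action=accept
add chain=forward in-interface=pptp-office-B out-interface=ether2 action=drop

# Remember which connections arrived through the tunnel ...
/ip firewall mangle
add chain=forward in-interface=pptp-office-B out-interface=ether2 protocol=tcp \
    dst-address-list=provider-mail dst-port=25,110,995 connection-state=new \
    action=mark-connection new-connection-mark=office-B-mail passthrough=no
# ... and send the provider's replies for those connections back into the tunnel.
add chain=prerouting in-interface=ether2 connection-mark=office-B-mail \
    action=mark-routing new-routing-mark=to-office-B passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.100 routing-mark=to-office-B

# The provider only serves its own subnet, so office B's traffic must leave with
# router A's provider-facing address. Without this the marking works but the
# mail server still refuses the connection.
/ip firewall nat
add chain=srcnat out-interface=ether2 src-address=192.168.2.0/24 \
    dst-address-list=provider-mail action=masquerade
```

Verify with /log (the "mail-via-tunnel:" prefix on B) and with /ip firewall connection print where connection-mark=office-B-mail on A. If router A already has a static route for 192.168.2.0/24 through the tunnel, the reply marking on A is redundant for these NATed connections; it only matters when replies must be forced into the tunnel regardless of the main table. On RouterOS v7 the routing-mark= option on routes is replaced by routing-table=, which first needs /routing table add name=... fib.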
