danielillu
Member Candidate
Topic Author
Posts: 110
Joined: Sun Aug 27, 2006 5:37 am
Location: Barcelona, Spain

"Splitting" a RB532 to act like two independent routers.

Thu Sep 13, 2007 9:44 pm

I have an RB532 with 4 radios + ether1 bridged all together on one side (Tower), and an RB532 with 2 radios + ether1 bridged too (Base).
The Tower is connected to the Base with a WDS link on 5 GHz (SR5 on both sides).
All radios (except the SR5 with the WDS)
Now, Tower receives a broadband line through ether2, and I want it to "move" through the WDS to ether2 of Base and there connect it to the main router, on the other side of the Access Control Router.

I set up an EoIP tunnel between the two boards, assigned an IP address to each, set up the route table, and it is working correctly, always between the main router and the new broadband and also from either of the two boards.

On the new broadband side, I also have a new Asterisk box (IP address: 192.168.254.13/29, Tower.EoIPside: 192.168.254.5/29, Tower.Ether2: 192.168.254.11/29).

I set up a VoIP client to register to Asterisk, but its traffic is not taking the expected path: Client -> Node -> Tower -> Base -> Access Control -> main router -> EoIP -> Tower.Ether2 -> Asterisk.
The path it takes is an undesired shortcut:
Client -> Node -> Tower -> Tower.Ether2 -> Asterisk.
So I cannot control access for that client.

What I need and cannot get is to "split" each node (Tower & Base) to make sure that traffic from the public side will get out through the Access Control Router and not through the Tower node's routing tables.

I've been messing around with routes and pref. source, but no result.
xxiii
Member Candidate
Posts: 234
Joined: Wed May 31, 2006 12:55 am

Re: "Splitting" a RB532 to act like two independent routers.

Thu Sep 13, 2007 10:20 pm

You can possibly do something in firewall mangle.

You can try adding a routing mark as the action for packets aimed at the Asterisk network, from the public network or interface, and then insert a route that sends the marked packets to your access control device. This may not work since the Asterisk device is directly connected, however.

Another possibility: add a second address in a different network to the Asterisk box. On the MikroTik put a route to this other network using the 192.168.254.13 address as the gateway. Add a firewall rule to block attempts from the public side to connect to the 192.168.254.13 address directly:

On Asterisk:
IP addresses on eth0:
192.168.254.13/29
192.168.253.1/32 (or possibly /30); make sure Asterisk is listening on this interface (you could also possibly stop Asterisk from paying attention to the other interface).
On routerboard:
Tower.Ether2 192.168.254.11/29
/ip route add dst-address=192.168.253.1/32 gateway=<address-of-your-access-control-device>
/ip route add dst-address=192.168.253.1/32 gateway=192.168.254.13 routing-mark=authorized
/ip firewall mangle add chain=prerouting in-interface=<access-control-interface> dst-address=192.168.253.1 action=mark-routing new-routing-mark=authorized
(doing from memory, this is probably not the exact syntax)

Tell clients that the Asterisk box is at 192.168.253.1. On the routerboard add a firewall rule to drop or reject packets to 192.168.254.8/29.

You'll probably have to alter/adjust some or most of the above to your situation, depending on whether or not you are using routing protocols, but hopefully this is enough of a cookbook to get you started.

(Also, see Policy Routing in the RouterOS Manual).

There are possibly easier ways to do this (such as using more than one routerboard, or connecting all the private-side stuff to the access-control device) and/or using VLANs. (To paraphrase doctors: it is difficult to make a long-distance diagnosis.)
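The second approach above (a published second address on the Asterisk box, an unmarked route that sends the public side to the access-control router, a marked route for traffic that has already passed it, and a filter rule that closes the shortcut), written out as a RouterOS configuration for the Tower board. This is an added example, not xxiii's text and not from any MikroTik documentation. The addresses from the thread (ether2 192.168.254.11/29, Asterisk 192.168.254.13/29 with the second address 192.168.253.1/32, Tower's tunnel address 192.168.254.5/29) are kept; everything else is assumed for illustration: bridge1 as the bridged public side with Tower at 10.0.0.2/24, the clients in 10.0.0.0/24, the Access Control Router at 10.0.0.1, the tunnel interface named eoip-tunnel1 with the main router at 192.168.254.1. It also goes one step beyond the post and marks the reply direction, so Asterisk's answers to clients take the same path back instead of the direct route over bridge1.

```routeros
# Added example, not from the thread. Assumptions (not in the original post):
#   bridge1        = Tower's bridge of the 4 radios + ether1 (public side), 10.0.0.2/24
#   10.0.0.0/24    = the public network the VoIP clients live in
#   10.0.0.1       = the Access Control Router's address on that network
#   eoip-tunnel1   = the EoIP tunnel to the main router; Tower side 192.168.254.5/29,
#                    main router side 192.168.254.1
# From the thread: ether2 192.168.254.11/29, Asterisk 192.168.254.13/29,
#                  Asterisk's published second address 192.168.253.1/32.

/ip address
add address=192.168.254.11/29 interface=ether2
add address=10.0.0.2/24 interface=bridge1

/ip route
# Unmarked traffic for the published address goes to the Access Control Router,
# even though 192.168.254.13 itself is directly connected on ether2.
add dst-address=192.168.253.1/32 gateway=10.0.0.1 comment="public side: via access control"
# Traffic that already passed access control comes back over the tunnel and is
# marked "authorized" below; only for that mark is the Asterisk box the next hop.
add dst-address=192.168.253.1/32 gateway=192.168.254.13 routing-mark=authorized comment="after access control: hand to asterisk"
# Asterisk's replies to clients are sent back over the tunnel to the main router,
# so the return path mirrors the forward path instead of using the bridge directly.
add dst-address=10.0.0.0/24 gateway=192.168.254.1 routing-mark=via-tunnel comment="asterisk replies: back via main router"

/ip firewall mangle
add chain=prerouting in-interface=eoip-tunnel1 dst-address=192.168.253.1 action=mark-routing new-routing-mark=authorized passthrough=no comment="arrived through access control"
add chain=prerouting in-interface=ether2 src-address=192.168.253.1 dst-address=10.0.0.0/24 action=mark-routing new-routing-mark=via-tunnel passthrough=no comment="asterisk -> clients"

/ip firewall filter
# Nothing from the public side may reach the ether2 /29 directly. The only address
# clients are told about is 192.168.253.1, and that is routed via access control.
add chain=forward in-interface=bridge1 dst-address=192.168.254.8/29 action=drop comment="close the shortcut to the broadband side"
```

The main router still needs its own route for 192.168.253.1/32 pointing at Tower's tunnel address (192.168.254.5), as the thread says the tunnel routing already does for the /29s. The `routing-mark=` parameter on `/ip route` is RouterOS v6 syntax; on v7 it becomes `routing-table=` and each table must first be declared with `/routing table add name=authorized fib` (and likewise for via-tunnel). The drop rule matches on in-interface=bridge1 only, so the authorized traffic, which enters on eoip-tunnel1, is not affected by it.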
danielillu
Member Candidate
Topic Author
Posts: 110
Joined: Sun Aug 27, 2006 5:37 am
Location: Barcelona, Spain

Re: "Splitting" a RB532 to act like two independent routers.

Fri Sep 14, 2007 1:37 am

The Asterisk box is "untouchable", because it isn't strictly in my network; it's owned and administrated by a partner who lets me use it. So this option, as nice as it sounds, cannot be tried.

> You can try adding a routing mark as the action for packets aimed at the Asterisk network, from the public network or interface, and then
> insert a route that sends the marked packets to your access control device. This may not work since the Asterisk device is directly connected, however.

Just tried, and as you said, it doesn't work, because in Tower both networks are directly connected.

I'll take a look at routing policies (it's so late now), but tomorrow I'll have a couple of new nodes (Tower.rb133c, Base.rb532) to physically separate the broadband link from the public link, so there will be no more problems, I hope, and I can get this new line added to the load-balance system.

Many thanks for your time,

Regards!
xxiii
Member Candidate
Posts: 234
Joined: Wed May 31, 2006 12:55 am

Re: "Splitting" a RB532 to act like two independent routers.

Fri Sep 14, 2007 2:50 am

> The Asterisk box is "untouchable", because it isn't strictly in my network; it's owned and administrated by a partner who lets me use it. So this option, as nice as it sounds, cannot be tried.

In that case, you could use NAT rules to work around that (you would then have to NAT it back after the access controller), but it's starting to be like using an airplane to go to the corner market.

But if you're getting more nodes so you can physically separate the networks, that's probably going to be better and easier.