Hi.
I'm trying to establish vpn connection to mikrotik, which is available from local network but completely unavailable from outside.
The problem is in several wan interfaces (3 internet providers to be precise).

From inside connections marked randomly, routing is marked, routing decision goes brilliantly and everything goes fine. The same thing goes on forward flow from the outside to the inside way. The problem appears when I connect to Mikrotik itself from outside.

I'm connecting to one of the wan interfaces and Mikrotik answers me from the wrong one.
According to IP Flow diagram (http://mum.mikrotik.com/presentations/2 ... traweb.pdf page 00-12 or 00-15) all I need is to mark routing on output queue and it should be fine but it seems to be ignoring my marking or the diagram is wrong and the routing decision is going before the output queue.

Let's for instance test output queue. Rule: chain=output action=log protocol=icmp - writes in log strings like: output: in:(none) out:wan2, proto ICMP (type 8, code 0), 111.111.111.111->8.8.8.8, len1400.
Doesn't that shows that we already know wan interface ip address on output queue (111.111.111.111)?

Then how can I chose the output interface and tell mikrotik to answer from the precise interface I need?

Deleted because not related.

Hello, Dobby. Thank you for your quick response.

Why this should be a problem? It is a point to point connection.

It shouldn't be but I think it is the problem because of a several reasons:
1) my VPN connection can't establish reporting an error "809 - The network connection between your computer and the VPN server could not be established because the remote server is not responding".
2) I see it from mikrotik's packet sniffer. I see packets coming in on port 1701 to mikrotik and answer packets going out with wrong src ip address.
3) I see many "first L2TP UDP packet received from *.*.*.*" messages in mikrotik's log and no further process going on.

Do you get by your providers dynamically changing IP addresses or static ones?

I have static ones.

But from inside it didn't make sense, for sure you would consider I hope.

I just mentioned that to clear that vpn settings are good.

If you have three WAN interfaces you should use them each for another service pending on used the Protocols!
WAN 1 for the VPN, IPSec
WAN 2 for the iMAP,SMTP,POP3,...
WAN 3 for the http,https,ftp,ftps,....

I could. But the reason of having 3 internet providers in my case is reliability. If one ISP for any reason falls down everything should work fine. I have special script for routes change in case.