MikroTik

mattstephenson

Sounds like a good idea, this has bitten me more than once.

mattstephenson

Hello I have a scenario I have been testing with what appears to be inconsistent results, and I was wondering if anyone could help me understand why. Please see the attached diagram. Untitled Diagram.drawio.png * HQ is the company head quarters (hub site), and has dual connections to SITE1 and SITE2...

mattstephenson

I have an issue where if the ethernet port on an RB3011 that connects to the main LAN switch is physically disconnected (or the switch is rebooting), the IP address on the router for that interface disappears temporarily, and this cascades through OSPF (undesirably) removing the routes at other site...

mattstephenson

But if the interface does not go "down" it just has no route/default gateway (because it has no internet connectivity), it will behave the same as src-nat?

mattstephenson

So masquerade removing connection tracking entries only happens on physical (or PPPoE) interface disconnect?

mattstephenson

Hello

Thank you for being the first to reply.

However, I already have the routing and failover working... my question was only: given my types of connections (primary and backup), and that they are both static IPs, was there any benefit to using masquerade over src-nat?

Thanks, Matt

mattstephenson

Hello Using an RB3011 on v6.49.7 with dual WAN for failover only (no load balancing) successfully running through mangle for inbound dst-nat return traffic. Primary WAN is static public IP (ethernet), backup WAN is static public IP by DHCP on PPPoE client (DSL ISP) - the IPs will not change (no dyna...

mattstephenson

Is the address assigned by the ISP to the PPPoE interface the same before and after the PPPoE outage or it changes?

Yes they are all public static IP addresses between the tunnels.

mattstephenson

I have the exact same problem whenever PPPoE is reestablished quickly (because of some ISP drop - usually during maintenance), it requires a reboot of the router to restore IPSec tunnels.

Has been this way for years and running all firmwares from 6.35 to current 6.44.3

mattstephenson

Hello I have a MikroTik with a PPPoE connection for WAN with a static /48 prefix which I then split into my various networks of /64. It has the following IPv6 configuration, which allows a workstation/device to get an IPv6 address from the Microsoft DHCPv6 server on the same VLAN. Windows PCs, iOS d...

mattstephenson

I have this also on previous versions but still on 6.38.5 and at multiple different sites with RB3011. This is usually evident at router startup, but does seem to have sporadically, perhaps when there is a drop in the connection at either end. I have left it for hours and it still just fills up the ...

mattstephenson

I too have this problem, if the internet connection (PPPoE in my case) goes down and up quickly, it stalls on PH2 state "no phase 2", rebooting the router again, or removing the 'remote peers' re-establishes the links. We are experiencing this in 5 different site to site connections. All a...

mattstephenson

It looks like PMs are not available here. It's probably a good thing when you think about it. Imagine all those people spamming others with "I saw a post of yours from ten years ago about a problem that I think is remotely similar to mine, come to my thread and solve it for me!" But maybe...

mattstephenson

Depends. If you want both to be equal, i.e. both able to initiate connection to other subnet, you need both. But if you'd want e.g. VLAN2 talk to VLAN5, but not the other way around, you need just one and other direction (replies) would be allowed by "accept established & related" rul...

mattstephenson

Yes, if you have two VLANs as interfaces, accept rules in forward chain is the way to let them talk to each other (if they have this router as gateway).

Yes they do, but I need TWO rules, one for each direction in FORWARD chain?

mattstephenson

thank you for the explanation, I think you are right though - at this stage not to rock the boat!! plus if it uses the same IPsec protocol to do the outer layer of the connection it would probably still cause the same problem that I am facing with the dual wans so would not hugely benefit me. Final ...

mattstephenson

At the risk of making you want to throw the book at me, is it complicated to change? I agree with what you say, as we have multiple subnets at one site and I had to make multiple policies to get it work, but it does seem to work very well and auto-reconnects if ever there is an outage at one end. Ca...

mattstephenson

Hi Hope you are well :) Yes I have all the rules in the mangle in place correctly. The IPsec SA is setup correctly with the correct source/destination IPs, if WAN2 has a default route in place it will not connect the routes... once they are established if I enable the route, I think they stay up, bu...

mattstephenson

I have some good news, the static routes and the other tricks seems to have made it a lot better. IPsec, I have made the mangle rules as you said but they still do not like to work reliably. I have IPsec linked to WAN1, if I disable the default route for WAN2 and reboot the router it works perfectly...

mattstephenson

They are static addresses at both ends. When I did an output rule before it did not seem to fix it, the link would just refuse to establish.

I will try again Tuesday along with all the other things you have said, I have made a list

mattstephenson

Sounds good - and as you said before I will do it when on site

On Tuesday evening when everyone leaves for the day.

So in this scenario if WAN1 goes down, it will use WAN2?

Also is there a possible way to chain IPSEC tunnels to just WAN1 - so it never tries to use WAN2 under any circumstance?

mattstephenson

When you tried static routes before, did you disable adding default routes in PPPoE clients? If you disable it just for WAN2, you'll have only one default route, but still using the same default gateway reachable using both connections. Previously I disabled it on both PPPoE connections and added t...

mattstephenson

Hi I tried static routes before, but it still seemed to combine them. I do not really need outgoing from both WANs, just inbound.. could I have NO default route and just the routing-mark route for WAN2? Also I could not get it to always send IPSec on WAN2.. but to be honest I have given up on that n...

mattstephenson

Unfortunately I was not breaking out the champagne... i got over confident and locked myself out with a mangle prerouting rule. So a 70 mile drive today to correct. I did all of the changes and had it all working fine... except.. IPsec site-to-site traffic was very problematic.. would ping, but then...

mattstephenson

I've only gone and worked it out!! I remembered that when I set the router up originally I read to enable "RP Filter" to 'strict'. I have since changed this to 'loose' and it works!!!!!! I can't believe it has taken so long to figure it out - but at least we are further forward and now hav...

mattstephenson

Thank you very much for your persistence and time spent on helping me - I am very appreciative.

Sleep well, and let me know if you think of anything else to try.

Many thanks Matt

mattstephenson

It only logs when ping goes through pppoe-out1 interface, pinging pppoe-out1 public does nothing in log.

I think it is down to the 'default route' and how the pppoe gateways work.

mattstephenson

Hmmm... we see the packet in prerouting, but it doesn't get to input. Where else it can go? Put this at the top:
Code: Select all
/ip firewall filter
add action=log chain=forward protocol=icmp

Done.. nothing logs

mattstephenson

I already removed the "Invalid" rule just to be sure it was not that, nothing logs on the "drop" rule. I also enabled logging on ICMP input rule... 01:11:44 firewall,info input: in:pppoe-out1 out:(none), src-mac 10:e8:78:a7:e6:02, proto ICMP (type 8, code 0), 78.xx.xx.11->88.xx.x...

mattstephenson

[admin@router] /log> /ping 8.8.8.8 routing-table=wan1-route SEQ HOST SIZE TTL TIME STATUS 0 8.8.8.8 56 61 19ms 1 8.8.8.8 56 61 18ms sent=2 received=2 packet-loss=0% min-rtt=18ms avg-rtt=18ms max-rtt=19ms [admin@router] /log> /ping 8.8.8.8 routing-table=wan2-route SEQ HOST SIZE TTL TIME STATUS 0 8.8...

mattstephenson

00:47:18 firewall,info postrouting: in:(none) out:pppoe-out1, proto ICMP (type 8, code 0), 88.xxx.xxx.151->8.8.8.8, NAT 88.xxx.xxx.151->8.8.8.8, len 56 00:47:19 firewall,info postrouting: in:(none) out:pppoe-out1, proto ICMP (type 8, code 0), 88.xxx.xxx.151->8.8.8.8, NAT 88.xxx.xxx.151->8.8.8.8, le...

mattstephenson

[admin@router] > /ping 8.8.8.8 routing-table=wan1-route SEQ HOST SIZE TTL TIME STATUS 0 8.8.8.8 56 61 18ms 1 8.8.8.8 56 61 18ms sent=2 received=2 packet-loss=0% min-rtt=18ms avg-rtt=18ms max-rtt=18ms [admin@router] > /ping 8.8.8.8 routing-table=wan2-route SEQ HOST SIZE TTL TIME STATUS 0 8.8.8.8 tim...

mattstephenson

Try a different test, ping both public addresses from outside. Because when you initiate connection from router to internet, it won't get marked, because first packet coming back won't match connection-state=new.

I tried that first.. same as before - only the lowest distance interface responds.

mattstephenson

/ip route nexthop
 0 address=62.3.80.17 gw-state=reachable forwarding-nexthop="" interface="" scope=10 check-gateway=none
 1 address=192.168.70.10 gw-state=reachable forwarding-nexthop="" interface="" scope=10 check-gateway=none

mattstephenson

/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new in-interface=pppoe-out1 new-connection-mark=wan1-conn passthrough=yes add action=mark-connection chain=prerouting connection-state=new in-interface=pppoe-out2 new-connection-mark=wan2-conn passthrough=yes add actio...

mattstephenson

# DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 A S 0.0.0.0/0 pppoe-out1 1 1 A S 0.0.0.0/0 pppoe-out2 1 2 ADS 0.0.0.0/0 62.3.80.17 1 3 DS 0.0.0.0/0 62.3.80.17 2 4 ADC 62.3.80.17/32 88.xx.xx.182 pppoe-out2 0 pppoe-out1 5 ADC 192.168.1.0/24 192.168.1.1 vlan3 0 6 ADC 192.168.2.0/24 192.168.2.1 vlan4 0 7 ADC...

mattstephenson

Living dangerously - I've done it remotely - same result

mattstephenson

It must work, it's just three simple steps: - Incoming connection from pppoe-outX gets marked with connection mark wanX - Outgoing packets with connection mark wanX get routing mark wanX - The only route from routing table wanX gets used What could go wrong there? You can easily verify first two st...

mattstephenson

I cannot do it right now, as I am not on site, and I do not want to risk locking myself out.

When I did it before the counters do increase yes - it does hit the rules in the mangle.

mattstephenson

It may be time to post your config (routes, firewall rules, ...), because marking routing is something that usually works without any problem. You may have some tiny mistake somewhere... Below is the configuration, currently pppoe-out1 is disconnected to allow function on pppoe-out2 as normal. This...

mattstephenson

I don't see a way how to do what I wanted to with route filters (it doesn't necessarily mean that there isn't one, I might have overlooked something). But if I understand it correctly, PPPoE should not care about gateways very much and should work with routes that have interface as gateway. I tried...

mattstephenson

"test2" and "test3" are my interfaces. Unfortunately, this is most likely wrong. I still think that something can be done using route filters, but I'll have to do few experiments to see if I can come up with working solution. You can help by sharing your PPPoE config, specifical...

mattstephenson

You can try to play with routing filters (distance 7 serves as unique selector): /ip dhcp-client add default-route-distance=7 interface=test2 /routing filter add chain=dynamic-in distance=7 set-distance=1 set-in-nexthop-direct=test3 Thank you, I will try this in the next maintenance window. So I re...

mattstephenson

In your case, you didn't post many details about your config, but if you have two gateways with same address, you should try routes with gateway=<address>%<interface> (e.g. gateway=1.2.3.4%ether1). Thank you - unfortunately the gateway is assigned by DHCP from the PPPoE and after speaking to the pr...

mattstephenson

One idea, can't it be fasttrack? I don't normally use it, so I'm not sure, but it makes packets skip some steps, maybe that includes routing? Check that, I'm too lazy to look it up right now myself. ;) Thank you, but I do not use fast track rules in the firewall, so I do not think that is the issue.

mattstephenson

I have the same problem, and cannot despite countless rules in mangle get it to function. I see ICMP packets arrive on the second interface, but are returned on the first interface - despite mangle rules forcing all ICMP via the second interface. Both my gateways are PPPoE with the same provider and...

mattstephenson

Did you ever resolve this, I have two wan connections and have similar problem.

mattstephenson

Hello

Did you ever resolve this, I have the same problem with two PPPoE connections. Traffic only travels on the first interface, if this interface is disabled manually it uses the second, but never both simultaneously.

Thanks

Search found 48 matches