2 PPPOE Connections to be Active Simultaneously

Hi everyone,

I’m having a lot of problems with setting up 2 PPPOE connections to 2 different ISPs and having them both available at all times. The scenario is as follows:

Primary PPPOE connection Distance = 1
Secondary PPPOE connection Distance = 2
L2TP Connection that routes through the secondary connection Distance = 3

As soon as I enable the primary connection, the secondary becomes unavailable: you can’t ping it or access it, and the L2TP connection goes down. If I disable the primary, the secondary becomes available and the L2TP works again.

Is there a way I can have both connections active at the same time? I hope I’ve provided enough info, if not, please get back to me if you need additional info.

Thanks

Duke

Hello Duke

I don’t see why the second PPPoE should go down when the first is up. Are your ISPs two separate providers?

The only thing I see from your description is the distance value. I’m assuming you’re talking about the distance parameter in dhcp-client (or routing in general).

If so, it’s normal that the link with the lowest distance value will be used to pass traffic as the default route.

Perhaps you should describe your goal for your setup. Why two pppoe? Why the l2tp? Etc.

Regards,


Sent from my LG-H873 using Tapatalk

Hi Alain,

Yes, the 2 PPPoE connections are to two separate providers. I would like both connections to be “alive” all the time so the L2TP connection works as set up, because it uses the secondary connection as its route. When the primary connection is active, the L2TP connection disappears, so the VPN connection doesn’t work.

The distance parameter is in the Dial Out tab of the PPPOE connections and in the General tab of the Route List for the L2TP connection.

I am assuming that the distance tab for the L2TP connection is applicable in this setup?

Is it possible to have 2 connections active at the same time?

Thanks

Duke

Hello Duke,

Quick answer:
Yes, it can be done.

Longer answer:
It’ll depend on what traffic needs to go where. You could manually create a static route while you tell the pppoe clients not to add a default route. The (2) gateway field values (yes, you’ll add a 2nd) of that static route would be the IP addresses of both ISPs’ gateways. This will now give you a load-balancing static default route, load sharing 50-50 between both ISPs. Thing is, you can’t force which ISP the L2TP tunnel is going through. Maybe it’s not an issue for you, maybe it is.

If you don’t want this, I suggest:

  • Create both pppoe links as you’re doing now without the “add default route” option.
  • Create two static default routes (one per ISP) using the distance of 10, for example.
  • Then create mangle filters that tell the router to route-mark (eg. mark=ISP2) L2TP (UDP 1701) and IPSec (UDP 500 and 4500) traffic.
  • Tell the static route of the second ISP to use those packet marks. At this point, both static default routes (to both ISPs) are active.
  • Create your L2TP tunnel. At this point, depending on the distance value you give, you’ll either lose the 1st PPPoE or the L2TP link as the default route. You can’t have both at the same time.

You’ll need to decide what goes through the L2TP link. If it’s to a remote office, don’t use the “add default route” option on the L2TP client and just do normal routing through it (either static or dynamic, but I prefer dynamic).

That should give you what you’re looking for.

Regards,

Alain has a lot of designations so he must be on the right track!! :wink:

I would go further in ascertaining your requirements.
a. have two wan connections that both should be active.
b. you have a vpn connection which you want to use one of the WANIPs specifically.

What I don’t know is:
c. is the second WANIP ONLY to be used exclusively for the vpn, or do you want it also to be available for normal internet traffic by users.
d. if both WANs are to be accessible for lan traffic, did you want
i. Specific Users to use WANIP1 and others WANIP2 (like LAN1 to WANIP1 and LAN2 to WANIP2)
ii. Users able to access both WANIPs in a fair load balancing kind of way.

e. Whether or not you have any port forwarding required (servers on your LAN setup that require destination NAT rules).

Me blushing :smiley:

Thank you Alain. I will try this out, but it looks pretty complicated and I’m just a beginner with these multi WAN setups.

One of my major concerns with this as you’ve outlined is getting disconnected. I’m doing this remotely, so don’t want to commence this and end up with no internet. What would be the best process to do this to prevent total disconnection?

Thanks for all your help and guidance so far.

Thanks

Duke

Like my MikroTik trainer once said: “How do you eat an elephant? One bite at a time.”

Doing something complicated remotely is not recommended practice. Go local if you can.

I would establish one link and make sure it’s stable. Work from there after. The first thing you absolutely need to learn and play with is “Safe mode”. It’s the little button top left of WinBox.

When you start something that might bite you in the rear end, activate it. Should you do something that locks you out, safe mode will detect this and remove all the changes that you did AFTER its activation. The trigger for this is an abnormal termination of the WinBox session.

As you’re working, if all goes well, stop Safe mode then restart it. This will reset the reference point. If you’ve been working for an hour and it works, it would be a real bummer to lose all that work for a one second mistake. Not that it ever happened to me , noooooo :wink:

Also, save your work as you go along. Binary backup and an export.

As for the complicated part, if it was easy, I’d be out of a job. I’m convinced you can learn this. Tip: buy smaller boxes, build a lab and practice. It’s amazing how fast you’ll learn with a good lab setup. It’s always scary to test with production routers and you won’t want to break stuff, so less learning to be had there.

Last piece of advice: draw, yes, on paper, the desired setup and goal. Write the steps to achieve the final results. This is always good to do even for experts. It’s your road map. Thing is, it’s not sexy and many guys don’t do it and wind up driving many km after a mistake that locks them out.

Again, never done that, noooooooo! :wink:

Cheers

Sent from my LG-H873 using Tapatalk

I had a different trainer, not MikroTik certified, but the wine he had in a paper bag wasn’t bad,
and he said simplicity and realism are the key to success. Most high-falutin MikroTik trainers use this standard line of
“How do you eat an elephant? One bite at a time.” but can you imagine how intimidating it is to even contemplate eating an elephant!!

What you should be thinking is…
“How do you eat an ant? One leg at a time.”

Hello Anav,

I think the idea behind the “elephant” expression was just that it’s human nature to get easily discouraged when faced with a big task. But, if we approach it in a step-by-step manner, nothing is insurmountable.

I understand that the “ant” expression is meant to secure people when faced with an issue, but often enough, said issue is not small.

Duke’s issue is quite real, and challenging for him and I would not wish to belittle it.

I hope my intentions are clear.

Best regards,

Not at all, mon chérie Alain. It was simply my bad attempt at humour, or my attempt at bad humour… almost the same thing!
(there is no such expression about the ‘ant’ I made it up :slight_smile: ). Please do not encourage the eating of elephants, as they are an endangered species, perhaps a really fat pig shall suffice!
See, I just can’t help myself with the bad humour.

With respect to what Duke stated, is it true that:

  1. One cannot have two active PPPoE links up and running in a PCC type setup, and also have an L2TP tunnel active on one of the PPPoEs??

and by way of comment
2. The OP has not returned to answer the questions I posed, that will provide a better detail of the requirements and one could think of those as providing sharper knives with which to cut portions of meat off the chosen beast.

Sorry anav, I didn’t see this request for info.

Answers are as follows:
c. It will be used for the VPN and RDP traffic
d. i. No user traffic filtering required
d. ii. No Load Balancing required.

Again, apologies for missing this originally…

Duke

Hi Alain,

Didn’t know what that Safe Mode option did, I assumed it was to boot the device into safe mode on the next boot. You learn something everyday.

Thanks for your guidance. I’ll try this out next week when I return to the office and report back.

Duke

2 PPPoE connections work happily together.
To force a specific interface for L2TP connection, you could use routing marks.
In your main table you have one default gateway, on your secondary (marked) routing table, the other gateway.
Mark your L2TP outgoing traffic in the output chain as needed and it will work.
Make sure you do not have “Add default route” set on the PPPoE connections.

Something like:

/ip route
add comment="Default main route" distance=249 gateway=PPPoE_1
add comment="Fallback main route (only used while PPPoE_1 is down)" distance=250 gateway=PPPoE_2
add comment="Default secondary route" gateway=PPPoE_2 routing-mark=secondary

/ip firewall mangle
# The RouterOS L2TP client sends L2TP over UDP port 1701. The firewall's "l2tp"
# protocol name is IP protocol 115 (L2TP over IP) and would not match that traffic.
add action=mark-routing chain=output comment="Mark Outgoing L2TP" protocol=udp dst-port=1701 new-routing-mark=secondary passthrough=no
# If the tunnel is L2TP/IPsec, IKE and NAT-T must leave through the same ISP as the L2TP packets.
add action=mark-routing chain=output comment="Mark Outgoing IPsec" protocol=udp dst-port=500,4500 new-routing-mark=secondary passthrough=no

Of course, you could mark using other criteria, too, like e.g. destination address.
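Pulling together Alain’s step list and docmarious’s route/mangle fragment above, here is a complete configuration for the setup Duke describes (two PPPoE clients, all user traffic via ISP1 with ISP2 as fallback, the L2TP tunnel pinned to ISP2, no default route from the tunnel). This is an added example, not configuration posted by anyone in the thread. It assumes RouterOS v6 syntax (routing-mark rather than v7 routing tables), the interface names ether1/ether2, the ISP and VPN credentials, the VPN server address 203.0.113.10 and the remote office subnet 10.20.0.0/16; all of those are placeholders to be replaced.

```routeros
# Added example, not from the thread. RouterOS v6 syntax assumed.
# Placeholders: ether1/ether2, user names, passwords, 203.0.113.10, 10.20.0.0/16.

# 1. Both PPPoE clients, neither allowed to install its own default route
#    (otherwise the dynamic routes override the static ones below).
/interface pppoe-client
add name=PPPoE_1 interface=ether1 user=isp1user password=CHANGEME \
    add-default-route=no use-peer-dns=no disabled=no
add name=PPPoE_2 interface=ether2 user=isp2user password=CHANGEME \
    add-default-route=no use-peer-dns=no disabled=no

# 2. Static default routes. Both are present at the same time; the main table
#    prefers ISP1 (lower distance) and falls back to ISP2 only while PPPoE_1 is
#    down, which is the "all traffic to ISP2 if ISP1 dies" behaviour Duke asked for.
#    The third route is the only route in the "secondary" table and always points at ISP2.
/ip route
add comment="Default via ISP1" distance=1 gateway=PPPoE_1
add comment="Fallback via ISP2 (only while PPPoE_1 is down)" distance=2 gateway=PPPoE_2
add comment="Marked traffic always via ISP2" gateway=PPPoE_2 routing-mark=secondary

# 3. Route-mark the router's own tunnel traffic in the output chain so it is
#    looked up in the "secondary" table. The L2TP client uses UDP 1701; the
#    IKE/NAT-T rule only matters if the tunnel is L2TP/IPsec, but marking it
#    is harmless otherwise. passthrough=no stops mangle processing once marked.
/ip firewall mangle
add chain=output protocol=udp dst-port=1701 action=mark-routing \
    new-routing-mark=secondary passthrough=no comment="L2TP to VPN server via ISP2"
add chain=output protocol=udp dst-port=500,4500 action=mark-routing \
    new-routing-mark=secondary passthrough=no comment="IKE / NAT-T via ISP2 (L2TP/IPsec only)"
add chain=output protocol=ipsec-esp action=mark-routing \
    new-routing-mark=secondary passthrough=no comment="ESP via ISP2 (IPsec without NAT-T only)"

# 4. Source NAT per uplink, so LAN traffic leaves with the address of whichever
#    PPPoE link it is actually routed through.
/ip firewall nat
add chain=srcnat out-interface=PPPoE_1 action=masquerade comment="NAT via ISP1"
add chain=srcnat out-interface=PPPoE_2 action=masquerade comment="NAT via ISP2"

# 5. The L2TP client itself, again without a default route: if it installed
#    one, its distance would compete with the ISP routes and one of them would
#    drop out of the main table, which is the symptom in the first post.
/interface l2tp-client
add name=l2tp-office connect-to=203.0.113.10 user=vpnuser password=CHANGEME \
    add-default-route=no disabled=no

# 6. Only the remote office prefix goes through the tunnel (RDP to that office
#    included); everything else keeps using the ISP default routes.
/ip route
add comment="Remote office via the L2TP tunnel" dst-address=10.20.0.0/16 \
    gateway=l2tp-office distance=1
```

Order matters when applying this remotely: put the router in Safe mode first, add the static default routes before switching the PPPoE clients to add-default-route=no, and only then disable the tunnel’s default route, so the main table never loses its gateway mid-change. After applying, `/ip route print` should show both ISP routes as active (the ISP2 one with the higher distance still present, just not selected) plus the marked route, and `/ip firewall mangle print stats` should show the UDP 1701 counter climbing once the tunnel reconnects. If ISP2 drops, the marked table is empty, the tunnel goes down and LAN traffic is unaffected, which matches what Duke said is acceptable.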

Sorry one last question.
The PPPoE connections are from two different ISPs,
So naturally I have to ask…
If ISP1 goes down, do you want to route all that traffic to ISP2?
If ISP2 goes down do you want to route VPN and RDP traffic to ISP1?

Thanks docmarious. This is really good info. Will use this.

Duke

Hi Anav,

Yes, if ISP1 goes down, then all traffic to go through ISP2. The VPN will go down in this instance and we’re OK with that, so long as they still have internet access.

Duke

I am not conversant with VPNs, but why if ISP2 is the ISP used for VPN, and ISP1 becomes unavailable does it mean necessarily that VPN will stop working??

Lets say all users go out internet on WAN1.
Which users go out VPN on WAN2? If it’s not based on a list, then perhaps it’s something the user initiates, a certain type of traffic, and that’s what is being mangled?
If so, then it should work the same even if ISP1 is down.

If WAN2 is the one that goes down, then agreed, there is no backup for VPN.
However, are you sure it’s not possible to create a backup VPN that would use WAN1 if WAN2 goes down? Way too complicated for me to contemplate, but others may know how??