Configured LAN (main settings received by DHCP: host IP, LAN GW, DNS), NAT (chain=srcnat out-interface=wan [renamed ether1] action=masquerade), PPTP (user-pass blah-blah-blah with option Add Default Route).
Here is the first issue: the ISP gives me the VPN server as a domain name, resolved by LAN DNS, but I can only use an IP address in the PPTP Client settings. Not very convenient, but I think there is nothing to do about it at this time. Not very important.
Second issue: after connecting to the VPN I have two GWs: DAS reachable LAN from DHCP and DS reachable from the VPN connection. How to set the VPN GW active?
You could write a script to :resolve the hostname to an IP address every ${time_interval} and update the PPTP interface with the new IP address.
“DAS”? “DS”? Are you referring to the route flags for each route? What condition do you consider to be VPN gateway active?
You haven’t actually told us what you want to accomplish… I’m sure it is clear in your mind. But, you didn’t quite get around to telling us.
I’ll look in my crystal ball and see if anything useful comes out.
If your 0.0.0.0/0 route via the VPN is made primary (active), you may even lose your connection to your PPTP server. You have to make sure you have a more specific route to keep traffic to the PPTP server going through your ISP gateway even when your PPTP link is up.
Sometimes the VPN path is made primary by adding routes for 0.0.0.0/1 and 128.0.0.0/1 via the PPTP interface. But you have to ensure you don’t change the route for traffic to the PPTP server.
It will reset the connection at every update, won’t it?
I thought that was enough for the second-issue question.
Okay, maybe I was wrong and it’s not clear from my writing.
As CelticComms says, I need to transfer outgoing traffic from local hosts through the VPN gw instead of through the LAN gw.
The LAN gw has status “Dynamic Active Static”, the VPN gw has status “Dynamic Static”. I think that is the main problem. I can reach the VPN gw, but when I disable the LAN gw, obviously I lose the connection altogether.
Is the VPN gw not active because there is an active LAN gw, gained earlier through DHCP?
I tried 0.0.0.0/1 and 128.0.0.0/1 through the VPN gw and it had a very strange effect: the VPN routes flashed with some period and the main VPN gw was unreachable sometimes. The router can’t reach the LAN DNS anymore; I tried some Google DNS, with the result that LAN resources are reachable sometimes (same with direct IP and domain name) and WAN resources are not reachable at all.
I looked at what routes people with the same connection as me have on other routers, but they simply don’t have a VPN gw. I got confused.
Maybe there is a method to transfer traffic through a particular interface (here PPTP Client) with a separate routing table?
I have not tried it myself so I don’t know for sure. If it does, you may want to run it from a tools netwatch setup. Then when you can’t ping something that’s supposed to be reachable via the PPTP, netwatch runs the script, updates the IP and PPTP interface comes back up, theoretically. That should only run when the PPTP link is down and has been for more than a minute or so.
As soon as you bring up the routes to tunnel all traffic via the VPN, the traffic between the MikroTik and the VPN server tries to pass over the VPN, but that can’t be. So you need an
. Then that will be a more specific route and your VPN will stay connected. I didn’t test that [:resolve vpn.server.tld] stuff. It may not work that way. Adding that route could be part of your script that is run from netwatch so that it’s IP gets updated at the right times too.
Here are: wan - ether1, msm - PPTP Client, 10.251.78.254 - LAN GW (does not change), 213.219.200.3 - VPN GW (changes after every reconnect). Not sure what IP 95.163.161.39 is; I think it should be the PPTP Client local IP, but it is from a different pool than the one the ISP gives me.
I remembered that my PC has no problem connecting to the VPN and reaching WAN resources, so I looked into the PC routing table (here without lo interfaces).
When VPN disconnected:
I tried to lower the metric of the DHCP GW (e.g. set it to 2), but it became inactive when the PPTP client is connected with GW metric 1, and I lose the connection altogether.
So, there is no way to have two active GWs?
Here is another interesting thing: the PC configuration has no GW on the PPTP interface:
The problem is that both default routes have the same distance. You can adjust the distance of the entry for the WAN connection to (say) 5 in the DHCP client settings. You would then need to add a route to the VPN server via the WAN gateway with distance of (say) 1.
A different approach using VRFs is to put the PPTP interface and any LAN interfaces to use it in a VRF. Note that it should be possible to have the PPTP client add its default route automatically into the VRF but that doesn’t seem to work in some ROS versions - so switch off the automatic addition of the gateway and make a manual default route entry in the VRF. You can just list the PPTP interface as the gateway - no IP needed.
I just needed to create a new GW via the PPTP interface with some routing mark.
VRF either doesn’t work, or I don’t get how it works. I read the manual, I get the meaning of it, but I don’t get how to configure it.
Traceroute through a specific routing table gives me access to WAN resources, but the router just ignores the distance of the routes, and all packets without a specific routing table just go through the wan interface, not through PPTP Client with distance=1. I tried to understand the principle of the scope property but my mind was blown (to recognize a nexthop, the scope of the route should be less than or equal to target-scope, but the default value is scope=30 and target-scope=10, and the dynamic DHCP route has the same values, and it works! I completely miss it.)
Here is a real world example of how to do something like what you are doing. This is from a live, working setup.
/ip route
add check-gateway=ping comment=Wireless distance=10 dst-address=0.0.0.0/1 \
gateway=wireless.next.hop.ip
add check-gateway=ping comment=DSL distance=20 dst-address=0.0.0.0/1 \
gateway=ovpn.tunnel.gw.ip
add distance=1 dst-address=canary.host.ip.addr/32 gateway=wireless.next.hop.ip
add comment="OpenVPN server" distance=1 dst-address=ovpn.server.ip.addr/32 \
gateway=pppoe-out1
add comment="make sure OpenVPN server is unreachable when pppoe-out1 is dead" \
distance=200 dst-address=ovpn.server.ip.addr/32 type=unreachable
add check-gateway=ping comment=Wireless distance=10 dst-address=128.0.0.0/1 \
gateway=wireless.next.hop.ip
add check-gateway=ping comment=DSL distance=20 dst-address=128.0.0.0/1 \
gateway=ovpn.tunnel.gw.ip
/tool netwatch
add comment="If reachable via wireless prefer wireless for default routes. If not, prefe\
r DSL for default routes." down-script=\
"/ip route set [/ip route find comment=\"DSL\"] distance=5" host=canary.host.ip.addr \
up-script="/ip route set [/ip route find comment=\"DSL\"] distance=20"
add comment="disable ovpn-out1 when we have no route to ovpn server via pppoe-out1. save\
s log entries" down-script="/interface disable [ find where name~\"ovpn-out1\" ]" \
host=ovpn.server.ip.addr up-script="/interface enable [ find where name~\"ovpn-out1\" ]"
/interface ovpn-client
add add-default-route=no connect-to=ovpn.server.ip.addr \
disabled=no max-mtu=1500 mode=ip name=ovpn-out1 \
password=password profile=default-encryption user=username
The canary.host is a device which is always up and not required for proper operation of the client’s network. It is very close to the ISP’s upstream. If we can’t ping it, the path between the wireless interface and the ISP’s main router is not working, and we need to use the upload on the DSL even though it is only 384K.
DSL is provided by another ISP. The DSL uses PPPoE with dynamic IP addresses. Its download is just a little faster than the wireless link. The client has a public /29 of IP addresses for their mail and web servers. They want redundant connections and want the fastest available combination of speeds.
During normal conditions, the download comes across the OpenVPN tunnel from a router at the primary ISP across the DSL connection from the other ISP. Upload runs across the wireless link. Either path can fall down and the client still gets their public /29 delivered. It just isn’t fun if only the DSL is up. It runs pretty smoothly if the DSL dies.
We want the OpenVPN server to be unreachable when DSL is down so that we don’t bring up the ovpn tunnel across the wireless link. That would defeat our purposes…
There is more complexity in this setup than you require.
I told you already, it had a very strange result with those /1 routes.
The /1 routes flash between reachable/unreachable for some time, and then I lose the connection to the PPTP server and it refuses me for some time if I try to connect.
The hell with that!
/ip dhcp-client set [ find interface=wan ] add-default-route=no
/ip route add dst-address=10.0.0.0/8 gateway=DHCP.GW
/interface pptp-client set [ find name=msm ] add-default-route=yes
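A complete configuration of the distance-based approach suggested earlier in the thread (keep the DHCP default route, but with a worse distance, so it takes over when the tunnel drops), written as an added example and not taken from any post above. Interface names follow the thread (wan, msm); VPN.SERVER.IP, LAN.GW.IP, USERNAME and PASSWORD are placeholders to replace with your own values, and the default-route-distance parameters are assumed to be available in your RouterOS version.

```routeros
# Added example, not from the thread. Placeholders: VPN.SERVER.IP, LAN.GW.IP, USERNAME, PASSWORD.

# Keep the ISP default route, but make it the fallback (distance 5) rather than the primary.
/ip dhcp-client
set [ find interface=wan ] add-default-route=yes default-route-distance=5 use-peer-dns=yes

/ip route
# Host route to the PPTP server via the ISP gateway: the tunnel endpoint itself must never
# be routed into the tunnel, otherwise the VPN loops and drops as soon as it comes up.
add comment="PPTP server via ISP" dst-address=VPN.SERVER.IP/32 gateway=LAN.GW.IP distance=1
# If the ISP's internal services (DNS, local resources) live in a private range, keep them
# on the ISP gateway too; 10.0.0.0/8 is the range used in the thread.
add comment="ISP LAN" dst-address=10.0.0.0/8 gateway=LAN.GW.IP distance=1

# The tunnel's own default route gets distance 1, so it beats the DHCP default (5) while the
# tunnel is up; when the tunnel is down its route disappears and the DHCP route becomes active.
/interface pptp-client
add name=msm connect-to=VPN.SERVER.IP user=USERNAME password=PASSWORD \
    add-default-route=yes default-route-distance=1 disabled=no

# Masquerade on both exits, so LAN hosts work whichever default route is active.
/ip firewall nat
add chain=srcnat out-interface=msm action=masquerade comment="LAN via VPN"
add chain=srcnat out-interface=wan action=masquerade comment="LAN via ISP (fallback)"
```

After the tunnel comes up, /ip route print should show the 0.0.0.0/0 via msm entry as active (DAS) and the DHCP entry as inactive; a /32 route for the PPTP server via LAN.GW.IP must remain active throughout, which is the check to run first if the tunnel keeps flapping.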