Hi everyone! Quick Mangle question from someone new to RouterOS.
I have my hEX up and running with an L2TP/IPsec tunnel to a VPN provider, and at the top of my mangle list is a mark-routing rule for my local subnet that flags all outgoing traffic for routing via the VPN.
add action=mark-routing chain=prerouting comment="Tag all local LAN traffic for routing via VPN" new-routing-mark=L2TPVPN passthrough=yes src-address=192.168.118.0/24
There are then a couple of subsequent mangle rules for specific devices that override this routing mark with ‘main’ so they follow the standard direct route to the ISP.
Then I have a default static route that points to the l2tp-out1 interface (which has a better metric than the regular WAN-ISP default), and under normal circumstances this all works fine.
Q: Is there a way I can make the mark-routing via the tunnel conditional on the interface being up? In the event that the tunnel drops for some reason, I’d like it to fall back and not apply this L2TPVPN rule (and so default to the ‘main’ mark-routing action). I appreciate there may be a more elegant way to designate the default route/routing mark, so I’m open to any and all suggestions!
Yes - that’s what I already have, but it still blackholes those packets if the L2TP is down - the IP address is technically reachable (via the default default route), but without the VPN the traffic is not routable at the far end.
I’m thinking about this and maybe the issue is that I have the L2TP default gateway as a manual static route. If I change the L2TP interface to the ‘add default route’ option (so it’s dynamically created) with a metric of 1, and set the DHCP client on the WAN to have a metric of 2, it should only ever have routes for active interfaces.
Maybe it’s my misunderstanding of the routing-mark - I thought it was effectively setting up a VRF, so it will push the packet to the routing table with that mark and not cross over into the ‘main’ routing table.
Continued thought… I changed the L2TP to add a default route, and it added one - but without the routing mark for L2TP, so that’s not going to work.
Maybe I answered my own question in the previous post - I need to create a VRF/FIB for that routing mark (which has the dual default gateways with different metrics), and another one without (just the standard default route).
Either that or just lose the routing-mark altogether, add mangle rules for the clients that should always use the higher-metric default route, and let everything else just follow the dynamic routing table.
I have the opposite problem: traffic destined for the VPN wants to get out through the ISP (pppoe-out-1). In my routing table all the VPN connections and the ISP have distance “1”. When I set the ISP distance to 2 and the VPN stays at 1, my VPN connections don’t start any more.
I don’t want my packets destined for the VPN to go over the ISP connection, so I block those trying to get out in Filters.
So I think my config would help you then! If you set a mangle rule to ‘mark-routing’ for the subnet or addresses you want to ‘force’ over the VPN, then have a default route that carries that routing mark via the VPN interface, those packets will only ever follow that route. All the traffic with no routing-mark follows the standard default route via the ISP (if there is one).
(Don’t forget to also add a srcnat masquerade for the out-interface of the VPN; it looks exactly the same as the default one, just on the VPN interface. You’ll have to disable the fasttrack rule in the firewall, as it’s incompatible with policy-based routing.)
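As an added example (not config from either poster in this thread), here is the whole arrangement described above written out as RouterOS v6 CLI: the mark-routing rule for the LAN subnet, a per-device override back to ‘main’, the marked default route via l2tp-out1, the masquerade on the VPN interface, and fasttrack disabled. The interface name l2tp-out1, the subnet 192.168.118.0/24 and the mark L2TPVPN come from the thread; the override host 192.168.118.50, the WAN interface ether1 and the v6 syntax are assumptions. Because the marked route’s gateway is the PPP interface itself, the route goes inactive when the tunnel is down; the final filter rule is an optional kill switch in the spirit of the second poster’s approach, so that marked traffic is dropped rather than leaking out via the ISP while the tunnel is down (leave it disabled if you would rather fall back to the ISP).

```routeros
# --- Policy routing for LAN -> VPN (added example, RouterOS v6 syntax assumed) ---

/ip firewall mangle
# 1. Mark everything from the LAN for the VPN table. passthrough=yes lets the
#    later, more specific rules replace the mark for individual hosts.
add chain=prerouting src-address=192.168.118.0/24 action=mark-routing \
    new-routing-mark=L2TPVPN passthrough=yes \
    comment="Tag all local LAN traffic for routing via VPN"
# 2. Override for a device that should always go direct via the ISP
#    (192.168.118.50 is a constructed example address).
add chain=prerouting src-address=192.168.118.50 action=mark-routing \
    new-routing-mark=main passthrough=no \
    comment="Exception: this host uses the ISP default route"

/ip route
# Default route that only applies to packets carrying the L2TPVPN mark.
# Gateway is the tunnel interface, so the route is inactive whenever
# l2tp-out1 is down and the lookup falls back to the main table.
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=L2TPVPN distance=1 \
    comment="VPN default for marked traffic"

# Keep the ISP default (from the DHCP client on ether1) at a worse distance
# so the VPN wins whenever both are active. ether1 is an assumed WAN name.
/ip dhcp-client
set [ find interface=ether1 ] default-route-distance=2

/ip firewall nat
# Same masquerade as the usual WAN rule, just on the VPN out-interface.
add chain=srcnat out-interface=l2tp-out1 action=masquerade \
    comment="NAT LAN traffic leaving via the VPN"

/ip firewall filter
# Fasttrack bypasses mangle for established connections, which breaks
# policy routing, so disable the default fasttrack rule.
set [ find action=fasttrack-connection ] disabled=yes
# Optional kill switch: drop VPN-marked traffic that would otherwise leave
# via any interface other than the tunnel (e.g. the ISP while l2tp-out1 is
# down). Enabled here; set disabled=yes to prefer ISP fallback instead.
add chain=forward routing-mark=L2TPVPN out-interface=!l2tp-out1 action=drop \
    comment="Never let VPN-marked traffic leak via the ISP"
```

To check which path a given host is actually taking, look at the counters on the two mangle rules and the marked route (`/ip firewall mangle print stats` and `/ip route print detail where routing-mark=L2TPVPN`), and pull the tunnel down deliberately once to confirm the marked route shows as inactive and that the kill-switch counter, not the ISP counter, increments.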