I have configured a RouterBoard with 2 WAN fail-over connections. When my first gateway goes down, our packets are sent through the second gateway.
(the 2 gateways are PPPoE connections)
(the method of checking the gateways is ping)
(primary and secondary gateways are set by distance 1 and 2)
Now I have a static IP on the secondary gateway which I want to use as the VPN server IP address.
The problem with the PPTP tunnel is that the primary gateway is always up, and when an incoming connection is established through the secondary gateway, it should not go out through the primary gateway. It should go out through exactly the secondary gateway.
What should I do?
I found this solution before, which marks your connections and defines mangle rules, but I think it works for a load-balance solution, not fail-over; in fail-over, only your primary gateway is the active connection until it goes down.
No, mangling (marking) works generally. It does not have any real effect (besides CPU utilization) until you do something (e.g. a routing decision or queuing) that uses the marks as selection criteria.
So I assume you have WAN1, WAN2 and TUNNEL interfaces. You want to send the packets back through whichever of them they arrived on. The TUNNEL interface is the server side, so it should be possible to reach it through both WANs. I will not describe here how to make correct failover or how to set up the firewall; I assume you have already done that.
So first, mangle the traffic:
/ip firewall mangle
# Remember which interface each connection entered on (the mark is set once and carried by connection tracking)
add action=mark-connection chain=prerouting in-interface=WAN1 new-connection-mark=WAN1 passthrough=no
add action=mark-connection chain=prerouting in-interface=WAN2 new-connection-mark=WAN2 passthrough=no
add action=mark-connection chain=prerouting in-interface=TUNNEL new-connection-mark=TUNNEL passthrough=no
# Router-generated replies (output) and LAN replies (prerouting from bridge1) share one routing chain
add action=jump chain=output jump-target=routing
add action=jump chain=prerouting in-interface=bridge1 jump-target=routing
# Never policy-route traffic destined to the router itself or to the local LAN
add action=return chain=routing dst-address-type=local,broadcast,multicast
add action=return chain=routing dst-address=192.168.1.1-192.168.1.255 dst-address-type=""
# Send replies back out through the interface the connection arrived on
add action=mark-routing chain=routing connection-mark=WAN1 new-routing-mark=WAN1-out
add action=mark-routing chain=routing connection-mark=WAN2 new-routing-mark=WAN2-out
add action=mark-routing chain=routing connection-mark=TUNNEL new-routing-mark=TUNNEL-out
The 192.168.1.1-192.168.1.255 is your internal LAN address range within this router. Change it to match your setup. bridge1 is the internal LAN bridge.
Now you should see all external traffic marked. If something is not marked and you also want to handle it, you need to add similar rules to capture it.
Finally, you make the routing decision about where to send what:
/ip route
# One route per routing mark; for PPPoE links the gateway can also be given as the interface name (e.g. gateway=pppoe-out2), since the peer address is dynamic
add distance=1 gateway=1.1.1.1 routing-mark=WAN1-out
add distance=1 gateway=2.2.2.2 routing-mark=WAN2-out
add distance=1 gateway=9.9.9.9 routing-mark=TUNNEL-out
1.1.1.1 is the gateway of WAN1, 2.2.2.2 is the gateway of WAN2 and 9.9.9.9 is the far side of the tunnel, in case it is used as a gateway. Otherwise you do not need the last line, as a similar route could already exist (it depends on how you add routes).
There is a karma button below my profile name. You can raise it if this helped you.
The tunnel is not site-to-site or an outgoing tunnel; it's an L2TP tunnel used by remote users to connect to our LAN.
We do not have load balancing, we just have fail-over, configured by route distance and 2 gateways, exactly like this link: http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting
The point is that I have a static IP for the VPN tunnel on the second gateway which is not in use, because it's a backup link for the primary gateway. Whenever the primary gateway goes down, the secondary gateway is used.
Do I need to mark all connections, or is marking just the secondary gateway and the tunnel enough?
If it is an incoming tunnel opened from outside, then you do not need to do anything special for that. The tunnel itself will be marked as belonging to its WAN and will reply back through the same WAN.
I do not understand the IP of the tunnel being on the WAN. The tunnel is terminated inside the network as part of the bridge or a separate LAN interface, or not?
For sure, mark all traffic coming from outside; it is safer to know where everything came from.
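Putting the answer together for the case described in the thread (incoming L2TP on the static address of the backup WAN, while the primary WAN holds the preferred default route), here is an added RouterOS v6 configuration. It is not the configuration posted by either participant. The interface names pppoe-out1, pppoe-out2 and bridge1, the LAN 192.168.1.0/24, and the routing-mark names are assumptions, and the failover default routes from the linked wiki are assumed to exist already. It goes one step past the thread by also covering replies from a LAN host that is port-forwarded on a WAN address.

```routeros
# Added example, not the thread's own config. Assumed names: pppoe-out1 (WAN1,
# primary), pppoe-out2 (WAN2, backup, static public IP, L2TP server listens here),
# bridge1 (LAN), LAN 192.168.1.0/24. The failover default routes (distance 1 / 2,
# check-gateway=ping) are assumed to exist already and are not repeated here.

/ip firewall mangle
# Tag each connection with the WAN it entered on. connection-state=new makes the
# rule fire once per connection; conntrack carries the mark for every later packet.
add chain=prerouting in-interface=pppoe-out1 connection-state=new \
    action=mark-connection new-connection-mark=WAN1 passthrough=no \
    comment="entered on WAN1"
add chain=prerouting in-interface=pppoe-out2 connection-state=new \
    action=mark-connection new-connection-mark=WAN2 passthrough=no \
    comment="entered on WAN2 (L2TP/IPsec to the static IP lands here)"

# Replies the router itself generates (L2TP control channel, IPsec, ICMP) pass
# through chain=output; give them a routing mark before the route lookup.
add chain=output connection-mark=WAN1 \
    action=mark-routing new-routing-mark=WAN1-out passthrough=no
add chain=output connection-mark=WAN2 \
    action=mark-routing new-routing-mark=WAN2-out passthrough=no

# Forwarded replies from LAN hosts (only needed if something on the LAN is
# port-forwarded on a WAN address). The exclusions keep LAN-to-LAN and
# LAN-to-router traffic in the main table.
add chain=prerouting in-interface=bridge1 connection-mark=WAN1 \
    dst-address=!192.168.1.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=WAN1-out passthrough=no
add chain=prerouting in-interface=bridge1 connection-mark=WAN2 \
    dst-address=!192.168.1.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=WAN2-out passthrough=no

/ip route
# One route per mark. A marked packet is looked up in its own table first (and
# falls back to main only if that table has no active route), so the reply to a
# WAN2 connection leaves via pppoe-out2 even while pppoe-out1 holds the
# distance-1 default route. With PPPoE the gateway is the interface name.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=WAN1-out comment="replies for WAN1 conns"
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=WAN2-out comment="replies for WAN2 conns"

# Checks after an L2TP client connects to the WAN2 address:
/ip firewall connection print where connection-mark=WAN2
/ip firewall mangle print stats
/ip route print where routing-mark=WAN2-out
# RouterOS v7 note: routing-mark= became routing-table=, and each table must
# first be created with: /routing table add name=WAN2-out fib
```

The mangle rules must see the first packet of the connection on the WAN interface, so they belong before any NAT or filter rule that would drop or rewrite it; if the connection print shows the L2TP session without a connection-mark, the prerouting rule is not matching (wrong interface name or the connection pre-dates the rule).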