Help with VPN and multi WAN providers

Hello everyone! Thanks for reading.
I am having the following issues on an RB 1000 X2.

I have two WAN connections from different providers. Both have static IPs but are provided via DHCP. All of this is working fine.
I have created an L2TP VPN server on this Mtik, but it only works (the VPN connection) if I connect through the ‘lowest distance default gateway’ connection (WAN1).
I have created the following rules in mangle, to avoid connections coming in through one interface and going out through the other:

 2   chain=prerouting action=mark-connection new-connection-mark=WAN1-Cx 
     passthrough=no connection-state=new in-interface=ether1-WAN1 
     connection-mark=no-mark 

 3   chain=output action=mark-routing new-routing-mark=WAN1-Route
     passthrough=no connection-mark=WAN1-Cx 

 4   chain=prerouting action=mark-connection new-connection-mark=WAN2-Cx 
     passthrough=no connection-state=new in-interface=ether2-WAN2 
     connection-mark=no-mark 

 5   chain=output action=mark-routing new-routing-mark=WAN2-Route 
     passthrough=no connection-mark=WAN2-Cx

After this I created the routes for each routing mark:

 1 A S  ;;; Connections gettint in through WAN1, get out through WAN1
        dst-address=0.0.0.0/0 gateway=200.127.254.1
        gateway-status=200.127.254.1 reachable via  ether1-WAN1 distance=1 scope=30 
        target-scope=10 routing-mark=WAN1-Route 

 2 A S  ;;; Connections gettint in through WAN2, get out through WAN2
        dst-address=0.0.0.0/0 gateway=181.31.247.1
        gateway-status=181.31.247.1 reachable via  ether2-WAN2 distance=1 scope=30 
        target-scope=10 routing-mark=WAN2-Route

And the ones dynamically created by the DHCP clients:

 3 ADS  dst-address=0.0.0.0/0 gateway=181.31.247.1 
        gateway-status=181.31.247.1 reachable via  ether1-WAN1 distance=1 scope=30
        target-scope=10 vrf-interface=ether1-WAN1

 4  DS  dst-address=0.0.0.0/0 gateway=200.127.254.1 
        gateway-status=200.127.254.1 reachable via  ether2-WAN2 distance=2 scope=30
        target-scope=10 vrf-interface=ether2-WAN2

I also have the routes to the gateways’ subnets, defined dynamically, but they are not relevant in this case.


Do you see any reason why I shouldn’t be able to connect via VPN through WAN2?
Thank you for reading and for the help!

EDIT: Please see the attached picture. There you can see the connection tracker, with the VPN connection to the working WAN in state A ‘active’, and the VPN connection through the non-working WAN in state U ‘unreplied’.
Any clues?

Gonzalo
[attachment: Sin título-2.jpg]

Please, anyone… any clues?
The same behavior happens when I do a port forwarding.
For example, if I redirect input connections to the Mtik on port 3456 to IP 10.10.10.1:80, I can only reach that host if I point my connection through WAN1, which is the lowest distance default gateway.

If I change the WAN2 distance to be lower than WAN1, the port forwarding and the VPN work fine through WAN2 but stop working on WAN1.

WAN1 > distance 0
WAN2 > distance 1

WAN1_IP:3456 >>> 10.10.10.1:80 works great
WAN2_IP:3456 >>> 10.10.10.1:80 doesn’t work

Thanks!
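For readers following the thread, here is a complete multi-WAN mark-and-route configuration as an added example; it is not the poster's configuration and the interface names (ether1-WAN1, ether2-WAN2, bridge-LAN), mark names and gateway addresses (203.0.113.1, 198.51.100.1, documentation ranges) are placeholders to substitute. The point it illustrates is which firewall chain each kind of reply packet traverses: replies produced by the router itself (an L2TP server, for instance) pass through the output chain, whereas replies from a LAN host behind a dst-nat port forward enter on the LAN interface and pass through prerouting and forward, never output, so they need their routing mark applied in prerouting.

```routeros
# Added example, not the original poster's configuration.
# Placeholders: ether1-WAN1, ether2-WAN2, bridge-LAN, 203.0.113.1, 198.51.100.1.

# 1. Remember on which WAN a new inbound connection arrived
/ip firewall mangle
add chain=prerouting in-interface=ether1-WAN1 connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=WAN1-Cx passthrough=no \
    comment="tag connections that came in via WAN1"
add chain=prerouting in-interface=ether2-WAN2 connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=WAN2-Cx passthrough=no \
    comment="tag connections that came in via WAN2"

# 2a. Replies generated by the router itself (L2TP server, management
#     services) traverse the OUTPUT chain, so mark routing there
add chain=output connection-mark=WAN1-Cx action=mark-routing \
    new-routing-mark=WAN1-Route passthrough=no
add chain=output connection-mark=WAN2-Cx action=mark-routing \
    new-routing-mark=WAN2-Route passthrough=no

# 2b. Replies from a LAN host behind a dst-nat port forward arrive on the
#     LAN interface and go PREROUTING -> FORWARD; they never see OUTPUT.
#     Restricting to in-interface=bridge-LAN keeps the routing mark off
#     packets that are arriving from the WAN side.
add chain=prerouting in-interface=bridge-LAN connection-mark=WAN1-Cx \
    action=mark-routing new-routing-mark=WAN1-Route passthrough=no
add chain=prerouting in-interface=bridge-LAN connection-mark=WAN2-Cx \
    action=mark-routing new-routing-mark=WAN2-Route passthrough=no

# 3. One default route per routing mark (placeholder gateways)
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=WAN1-Route \
    comment="in via WAN1 -> out via WAN1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=WAN2-Route \
    comment="in via WAN2 -> out via WAN2"

# 4. Check: connections entering on WAN2 should carry the WAN2-Cx mark
#    and, once replies flow, leave the 'unreplied' state
/ip firewall connection print where connection-mark=WAN2-Cx
```

When testing, watch the connection tracker while opening the forwarded port from outside on each WAN address: a connection that stays in the unreplied state with the right connection mark usually means the reply packets are leaving through the other provider, which the prerouting mark-routing rule in step 2b is meant to prevent.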