SXTR LTE6 MikroTik, getting a dynamic IP address from the mobile operator, for example 1.2.3.4.
The SXTR is connecting to an IKEv2 VPN server (CHR), getting all IP setup from mode-config. As a result, we have an additional IP address on the LTE1 interface, for example 172.16.252.236/24.
So the magic begins.
The SXTR itself, trying to reach 8.8.8.8, is using the IPsec address (172.16.252.236/24 instead of 1.2.3.4). I can see in firewall connections 172.16.252.236/24 as the src-address, trying to reach 8.8.8.8.
The /ip firewall nat rule for LAN clients is doing the same; I have the IPsec address in the srcnat.
action=masquerade chain=srcnat ipsec-policy=out,none out-interface=lte1 src-address=192.168.1.0/24
2.1. I can correct this problem by using src-nat instead of masquerade, but the problem with the dynamic IP address from the provider remains (if I get another public IP address, the rule will not work).
So the question is: how to restrict the MikroTik from using the IPsec IP address for connecting to the outside?
P.S. I was trying to add pref-src to the default route (0.0.0.0/0); it solves it, but the question about the dynamic default route remains.
Thanks for your answer.
The LTE is taking its parameters from the LTE APN, where you can only choose the “Add Default Route” option and edit the Default Route Distance (default is 2).
There is no classic DHCP client (with the possibility to run scripts).
I do. It’s a terrible mess. If we leave alone the “serial modem” mode, depending on (possibly) RouterOS versions and/or LTE modem models and/or firmware versions, you can get a dynamically added DHCP client (for which you cannot configure a lease script), or you may have to add one manually (which is stated in the manual but I haven’t seen this case in reality yet), or you get a /32 IP address with the network parameter indicating the same address, and a default route with an interface, rather than an IP address, as the gateway.
[xxxxxx@MikroTikxxxx] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK          INTERFACE
 2   192.168.1.1/24      192.168.1.0      local
 3 D 85.yyy.xxx.71/32    85.yyy.xxx.71    lte1
 4 D 172.16.252.236/24   172.16.252.0     lte1
[xxxxx@MikroTikxxxxx] /ip route> print where dst-address="0.0.0.0/0"
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS   PREF-SRC        GATEWAY   DISTANCE
 0 A S  0.0.0.0/0     85.yyy.xxx.71   lte1      1
 1  DS  0.0.0.0/0                     lte1      2
Route 0 was created manually.
Trying to reach technical support.
Also, I am beginning to create a script which will create the default route with pref-src included and will put this in the scheduler... but this is really not nice...
The script can be as follows, but anyway, I hope this is not the solution at all…
:do {
    # the provider /32 on lte1 and the pref-src currently set on the manual default route (route 0)
    :local lte1ip [/ip address get [find address~"/32" and interface=lte1] address];
    :local defroute [/ip route get [find distance=1 and gateway=lte1 and disabled=no and dst-address="0.0.0.0/0"] pref-src];
    # strip the "/32" prefix length to get the bare public address
    :local newprefsource [:pick $lte1ip 0 [:find $lte1ip "/"]];
    :if ($defroute != $newprefsource) do={
        :log info "Adding pref-src to the default route ($newprefsource)";
        /ip route set [find distance="1" and gateway=lte1 and dst-address="0.0.0.0/0"] pref-src=$newprefsource;
    }
    #else={ :log info "Nothing to do -> exit";}
} on-error={
    # "get" on an empty "find" fails, so we land here when route 0 is missing or disabled
    :log info "DEFAULT ROUTE NOT EXISTS or IS DISABLED";
    :local lte1ip [/ip address get [find address~"/32" and interface=lte1] address];
    :local newprefsource [:pick $lte1ip 0 [:find $lte1ip "/"]];
    :log info "lte1ip $lte1ip";
    :log info "New pref-src $newprefsource";
    :log info "Removing default route if it is disabled";
    /ip route remove [find distance=1 and gateway=lte1 and dst-address="0.0.0.0/0"];
    :log info "Adding new default route";
    /ip route add distance=1 gateway=lte1 pref-src=$newprefsource;
};
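As an added example (not the poster's script and not MikroTik documentation), the same idea carried one step further: one scheduler-driven script that keeps both the default route's pref-src and a src-nat rule's to-addresses in step with whatever /32 the operator hands to lte1, so the router's own traffic and the LAN clients' traffic both leave with the public address and only traffic matching an IPsec policy keeps the mode-config source. Everything named here is assumed: the WAN interface lte1, the LAN 192.168.1.0/24, the nat rule comment "lan-out", the route comment "lte1-default", and the script/scheduler name sync-lte1-src. It does not use a DHCP lease script, since the thread notes the LTE interface offers none.

```routeros
# Assumed names: lte1 (WAN), 192.168.1.0/24 (LAN), rule comment "lan-out",
# route comment "lte1-default", script name "sync-lte1-src".
:do {
    # the operator-assigned /32 on lte1 (the mode-config address is a /24, so it does not match)
    :local lte1ip [/ip address get [find interface=lte1 and dynamic=yes and address~"/32"] address];
    :local pubip [:toip [:pick $lte1ip 0 [:find $lte1ip "/"]]];

    # 1. default route: static distance=1 route with the interface as gateway, pinned to the public address
    :local rid [/ip route find dst-address="0.0.0.0/0" and gateway=lte1 and distance=1 and dynamic=no];
    :if ([:len $rid] = 0) do={
        /ip route add dst-address=0.0.0.0/0 gateway=lte1 distance=1 pref-src=$pubip comment="lte1-default";
        :log info "sync-lte1-src: added default route with pref-src $pubip";
    } else={
        :if ([:tostr [/ip route get $rid pref-src]] != [:tostr $pubip]) do={
            /ip route set $rid pref-src=$pubip;
            :log info "sync-lte1-src: pref-src updated to $pubip";
        }
    }

    # 2. src-nat for the LAN: rewrite to the public /32, but only for traffic that is NOT
    #    entering an IPsec policy (ipsec-policy=out,none), so VPN traffic keeps its mode-config source
    :local nid [/ip firewall nat find comment="lan-out"];
    :if ([:len $nid] = 0) do={
        /ip firewall nat add chain=srcnat src-address=192.168.1.0/24 out-interface=lte1 \
            ipsec-policy=out,none action=src-nat to-addresses=$pubip comment="lan-out";
        :log info "sync-lte1-src: added lan-out src-nat to $pubip";
    } else={
        :if ([:tostr [/ip firewall nat get $nid to-addresses]] != [:tostr $pubip]) do={
            /ip firewall nat set $nid to-addresses=$pubip;
            :log info "sync-lte1-src: lan-out src-nat updated to $pubip";
        }
    }
} on-error={
    # "get" on an empty "find" fails: no dynamic /32 on lte1 yet (modem still attaching), change nothing
    :log warning "sync-lte1-src: no dynamic /32 on lte1, nothing changed";
}

# Run once from the terminal after saving the body above as /system script "sync-lte1-src":
# /system scheduler add name=sync-lte1-src interval=1m on-event="/system script run sync-lte1-src"
```

The script is idempotent: it only writes when the stored value differs from the current /32, so a one-minute scheduler interval costs nothing and the log only shows real address changes. Values are compared as strings because pref-src and to-addresses come back as IP-typed values while the address was cut out of a string; comparing mismatched types would otherwise never be equal and the rule would be rewritten every minute.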