I want to route my LAN traffic on a 3VPN connection over 3WAN uplinks / Loadbalance

Dear all experts,
Hope you will be fine.
I want to route my LAN traffic on a 3VPN connection over 3WAN uplinks
I have three WANs and deployed PCC Load Balance. I have three L2TP VPN Clients. I want all LAN traffic to pass through the Client VPN Link.
For example: L2TP_VPN1 passes through ISP1, L2TP_VPN2 passes through ISP2, L2TP_VPN3 passes through ISP3.

In common words, it uses three VPN uplinks instead of 3 WANs in PCC load balancing.

Do not understand.
Are these L2TP VPN clients coming in on three different WANS?
Are these three L2TP VPN clients supposed to share outbound to internet three different WANs?
Are the three different WANs all static fixed IPs?
Are the three different WANs from the same provider?
Is this the only LAN traffic on this router?
What other requirements are there (port forwarding, etc.)?

Too many possibilities to even start exploring a config.
Need network diagram and config.

In any case I could assist for WG, but L2TP is a bridge too far…

I have 3 WANs from the same ISP. These WAN links are connected on the PPPoE client.
L2TP VPN from 3 different sources, and want to pass through.
I have a 3WAN with PCC LoadBalancing.
For VPN
now I want to pass LAN users as the below pattern
VPN1 pass from => WAN1 PPPoE
VPN2 pass from => WAN2 PPPoE
VPN3 pass from => WAN1 PPPoE

Okay, so the request concerns incoming VPN clients to your VPN server, each client coming in on a different WAN.
That has nothing to do with PCC of the LAN outbound though.

So to be able to start planning a config, the requirements must be fully understood.
a. identify all user(s)/device(s) / groups of users/devices, including the admin (externally originated and internally generated traffic)
b. identify all the traffic flows they require.

Provide a network diagram to give context of equipment, subnets, ISPs.

Where is the config so far?
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, etc.)
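
Added example, not part of the original posts: one way to scrub an export before sharing it, as the reply above asks. The key list, the placeholder strings and the name `sanitize_export` are assumptions of this example, and the sample export is constructed.

```python
import ipaddress
import re

# Keys treated as sensitive (an assumption; extend for your own config).
SENSITIVE_KEYS = ("password", "ipsec-secret", "user")
SECRET_RE = re.compile(r'(?<![\w-])(%s)=("[^"]*"|\S+)' % "|".join(SENSITIVE_KEYS))
HEADER_RE = re.compile(r"^# (serial number|software id)\s*=.*$")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Addresses inside these ranges stay readable; everything else is masked.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _mask_ip(m):
    try:
        ip = ipaddress.ip_address(m.group(0))
    except ValueError:  # malformed octet (e.g. leading zero): fail closed
        return "REDACTED-IP"
    return m.group(0) if any(ip in net for net in INTERNAL) else "REDACTED-IP"

def sanitize_export(text):
    # Join wrapped lines first. A value split as "user=\<newline>    name" would
    # otherwise leave the real value sitting on the continuation line.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    out = []
    for line in text.splitlines():
        line = HEADER_RE.sub(r"# \1 = REDACTED", line)
        line = SECRET_RE.sub(lambda m: m.group(1) + "=REDACTED", line)
        line = MAC_RE.sub("REDACTED-MAC", line)
        out.append(IPV4_RE.sub(_mask_ip, line))
    return "\n".join(out)

# Constructed sample in RouterOS export layout (not the config from the thread).
SAMPLE = r"""# serial number = ABC123DEF456
/interface bridge
add admin-mac=02:00:00:AA:BB:CC auto-mac=no name=Bridge_WAN-1
/interface pppoe-client
add disabled=no interface=Bridge_WAN-1 name=ISP1 password=ExamplePass1 user=\
    exampleuser
/interface l2tp-client
add connect-to=203.0.113.01 disabled=no name=L2TP_VPN1 password=x user=vpn1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1 src-address=\
    172.30.30.10-172.30.30.250
"""

if __name__ == "__main__":
    print(sanitize_export(SAMPLE))
```

On RouterOS 6, `/export hide-sensitive` already omits passwords and secrets; usernames, MAC addresses and public IPs still need a pass like this.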

No, all VPN is connected over WAN1.
I want to force the VPN to a specific WAN.
I want to pass VPN1 through PPPoE client1,
VPN2 to PPPoE client2,
VPN3 to PPPoE client3.

Sorry you are not making any sense,
Until you provide diagrams and requirements and config, we can make no progress.

Dear, I have already mentioned everything.
Whatever you have not understood, ask me.
All VPN connection (using wan1- gateway) is connected on wan1- interface. Due to distance 1.
I have wan2 and wan3
And connect other 2 VPN on wan2 and wan3.
Hope you understand.
I have 3 ISP link
pppoe WAN1 100Mbps
pppoe WAN2 100Mbps
pppoe WAN3 100Mbps. These are all working for PCC.
Is it clear..?
Now want to force
vpn1 use wan1-gateway
vpn2 use wan2 gateway
vpn3 use wan3 gateway

Would need to see the config before providing any advice.
Mangling is involved so it has to work with current config.

/interface bridge
add admin-mac=B8:69:F4:AE:BC:FD auto-mac=no comment=ISP1 name=Bridge_WAN-1
add admin-mac=14:46:58:BC:18:1E auto-mac=no comment=ISP2 name=Bridge_WAN-2
add admin-mac=50:D4:F7:ED:0A:8E auto-mac=no comment=ISP3 name=Bridge_WAN-3
add admin-mac=50:D4:F7:ED:09:E4 auto-mac=no name=Bridge_ether2
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether3 ] name=ether3_Loop
set [ find default-name=ether4 ] name=ether4_Loop
set [ find default-name=ether5 ] name=ether5_LAN
/interface pppoe-client
add disabled=no interface=Bridge_WAN-1 name=ISP1 password=Ntl@1023835 user=asad61
add disabled=no interface=Bridge_WAN-2 name=ISP2 password=Ntl@1045548 user=mubasharahmad01
add disabled=no interface=Bridge_WAN-3 name=ISP3 password=Ntl@1045549 user=mubasharahmad02
/interface l2tp-client
add connect-to=113.61.20.01 disabled=no name=L2TP_VPN1 password=ppp@e user=pppoe1
add connect-to=150.99.30.66 disabled=no name=L2TP_VPN2 password=ppp@e user=pppoe2
add connect-to=151.11.10.33 disabled=no name=L2TP_VPN3 password=ppp@e user=pppoe3
/interface vlan
add interface=ether3_Loop name=vlan1011_ether3 vlan-id=1011
add interface=ether4_Loop name=vlan1011_ether4 vlan-id=1011
add interface=ether3_Loop name=vlan1012_ether3 vlan-id=1012
add interface=ether4_Loop name=vlan1012_ether4 vlan-id=1012
add interface=ether3_Loop name=vlan1013_ether3 vlan-id=1013
add interface=ether4_Loop name=vlan1013_ether4 vlan-id=1013
/interface list
add include=none name="WAN Interface"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pppoe-pool ranges=172.30.30.10-172.30.30.250

/interface bridge port
add bridge=Bridge_ether2 interface=ether2
add bridge=Bridge_ether2 interface=vlan1011_ether3
add bridge=Bridge_ether2 interface=vlan1012_ether3
add bridge=Bridge_ether2 interface=vlan1013_ether3
add bridge=Bridge_WAN-1 interface=vlan1011_ether4
add bridge=Bridge_WAN-2 interface=vlan1012_ether4
add bridge=Bridge_WAN-3 interface=vlan1013_ether4
/ip neighbor discovery-settings
set discover-interface-list=!all
/interface l2tp-server server
set default-profile=VPN_10Mbps ipsec-secret=Mka@7100 one-session-per-host=yes use-ipsec=required
/interface list member
add interface=ISP1 list="WAN Interface"
add interface=ISP3 list="WAN Interface"
/interface pppoe-server server
add authentication=pap disabled=no interface=ether5_LAN max-mtu=1500 one-session-per-host=yes service-name=service_one
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=VPN_10Mbps
/ip address
add address=172.20.20.1/24 comment="Wireless AP" interface=ether5_LAN network=172.20.20.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dns
set allow-remote-requests=yes cache-size=10000KiB servers=8.8.8.8,1.1.1.1,8.8.4.4
/ip firewall filter
add action=drop chain=input comment="Block Ping" in-interface-list="WAN Interface" protocol=icmp
add action=accept chain=input comment="Router Access Remotely" dst-port=8295,8296 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=25,53,87,512-515,543,544,7547,8080 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=53,80,87,161,162,1900,4520-4524,8080 protocol=udp
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="Port Scanners to Address List " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-FIN/SYN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-RST/SYN scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input comment="TCP Flag-NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping Port Scanners" src-address-list="Port Scanners"
/ip firewall mangle
add action=mark-connection chain=input in-interface=ISP1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input in-interface=ISP2 new-connection-mark=wan2_conn passthrough=yes
add action=mark-connection chain=input in-interface=ISP3 new-connection-mark=wan3_conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=no
add action=mark-routing chain=output connection-mark=wan3_conn new-routing-mark=to_wan3 passthrough=no
add action=accept chain=prerouting in-interface=ISP1
add action=accept chain=prerouting in-interface=ISP2
add action=accept chain=prerouting in-interface=ISP3
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0 src-address=172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1 src-address=172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2 src-address=172.30.30.10-172.30.30.250
add action=mark-routing chain=prerouting connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=yes src-address=172.30.30.10-172.30.30.250
add action=mark-routing chain=prerouting connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=yes src-address=172.30.30.10-172.30.30.250
add action=mark-routing chain=prerouting connection-mark=wan3_conn new-routing-mark=to_wan3 passthrough=yes src-address=172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting new-connection-mark=L2TP_VPN1 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1 src-address=172.30.30.10-172.30.30.250
add action=masquerade chain=srcnat out-interface=ISP2 src-address=172.30.30.10-172.30.30.250
add action=masquerade chain=srcnat out-interface=ISP3 src-address=172.30.30.10-172.30.30.250
add action=dst-nat chain=dstnat comment="Port Forward For Switch" disabled=yes dst-address=101.50.74.234 dst-port=8297 protocol=tcp to-addresses=172.20.20.200 to-ports=80
add action=dst-nat chain=dstnat comment="Port Forward For Switch" disabled=yes dst-address-list="Switch Port forward" dst-port=8297 protocol=tcp to-addresses=172.20.20.200 to-ports=80
/ip proxy
set enabled=yes
/ip route
add check-gateway=ping distance=1 gateway=ISP1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=ISP2 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=ISP3 routing-mark=to_wan3
add comment="WAN-1 Cloud" distance=1 gateway=ISP1
add check-gateway=ping distance=2 gateway=ISP2
add check-gateway=ping distance=3 gateway=ISP3
/ip route rule
add dst-address=172.30.30.0/24 src-address=172.30.30.0/24 table=main
add dst-address=172.20.20.0/24 src-address=172.30.30.0/24 table=main

Your setup is way too complex for me to understand?

In general, what you need to do is mangle connections via the PREROUTING chain, coming in each ISP and then mark route to the appropriate IP route based on OUTPUT chain.

something like
add chain=prerouting action=mark-connection in-interface=bridge1? connection-mark=no-mark new-connection-mark=ISP1-conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=bridge2? connection-mark=no-mark new-connection-mark=ISP2-conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=bridge3? connection-mark=no-mark new-connection-mark=ISP3-conn passthrough=yes

add chain=output action=mark-routing connection-mark=ISP1-conn new-routing-mark=to_wan1
add chain=output action=mark-routing connection-mark=ISP2-conn new-routing-mark=to_wan2
add chain=output action=mark-routing connection-mark=ISP3-conn new-routing-mark=to_wan3

Your routes cannot have generic gateway IPs, they must be either fixed gateway IPs, or dynamic gateway IPs updated by separate scripts!!
In the case of pppoe accounts it should look like
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=pppoe-out3 routing-mark=to_wan3

where the pppoe-outX, is basically the interface name given to the connection.
OH I see, you put the name as ISP1, ISP2, ISP3, very confusing,

You also already have all the above rules so it should work??

What is the purpose of these three rules??
add action=accept chain=prerouting in-interface=ISP1
add action=accept chain=prerouting in-interface=ISP2
add action=accept chain=prerouting in-interface=ISP3

For these ones ADD mark=no-mark!!
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0 src-address=172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1 src-address=172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2 src-address=172.30.30.10-172.30.30.250

Please tell me simply which rule I need to add. So I can add carefully.

You didn't answer my question, why do you have these three rules in the config??

What is the purpose of these three rules??
add action=accept chain=prerouting in-interface=ISP1
add action=accept chain=prerouting in-interface=ISP2
add action=accept chain=prerouting in-interface=ISP3

As stated add mark=no-mark to each of the connection rules for PCC.
For these ones ADD mark=no-mark!!
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0 src-address=172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1 src-address=172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2 src-address=172.30.30.10-172.30.30.250
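
Added example, not part of the original posts: a check over an export for the condition discussed in the replies, mark-connection rules that lack connection-mark=no-mark. It goes slightly beyond the PCC rules by also flagging a mark-connection rule with no matcher at all; the function names are hypothetical and the sample is constructed, modelled on the rules quoted in the thread.

```python
import re

# Constructed sample modelled on the mangle rules quoted in the thread.
SAMPLE = r"""/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/0 src-address=172.30.30.10-172.30.30.250
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    new-routing-mark=to_wan1 passthrough=yes
add action=mark-connection chain=prerouting new-connection-mark=L2TP_VPN1 \
    passthrough=yes
/ip route
add distance=1 gateway=ISP1 routing-mark=to_wan1
"""

# Keys that configure the rule but do not narrow which packets it matches.
NON_MATCHERS = {"action", "chain", "new-connection-mark", "passthrough", "comment"}

def parse_mangle(export):
    """Return one {key: value} dict per 'add' line of /ip firewall mangle."""
    text = re.sub(r"\\\r?\n[ \t]*", "", export)  # join wrapped export lines
    rules, in_mangle = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            in_mangle = line == "/ip firewall mangle"
        elif in_mangle and line.startswith("add "):
            rules.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)))
    return rules

def lint_mark_connection(export):
    """Flag mark-connection rules that can re-mark an already marked connection."""
    findings = []
    for idx, rule in enumerate(parse_mangle(export)):
        if rule.get("action") != "mark-connection":
            continue
        if rule.get("connection-mark") == "no-mark":
            continue  # only touches connections that carry no mark yet
        mark = rule["new-connection-mark"]
        if "per-connection-classifier" in rule:
            findings.append((idx, mark, "PCC rule without connection-mark=no-mark"))
        elif not set(rule) - NON_MATCHERS:
            findings.append((idx, mark, "no matcher: applies to every packet"))
    return findings

if __name__ == "__main__":
    for finding in lint_mark_connection(SAMPLE):
        print(finding)
```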