l2tp tunnels with multiple internet connections issues

RouterOS General
1

I have a router at the main office with 3 isp’s with many l2tp tunnels coming in.

The issue is that the incoming tunnel has to be over the isp that has the default route on the router, OR with a route->rule that sends it over another isp.

I have tried putting in mangle rules on the input/output chains in an attempt to mark the traffic, but it does NOT work.


;;; ISP1
chain=input action=mark-connection new-connection-mark=wan_isp1
passthrough=no in-interface=isp1


chain=output action=mark-routing new-routing-mark=to_isp1 passthrough=no
connection-mark=wan_isp1

Any suggestions?

Policy Routing - L2TP and multiple WANs
L2tp on Multiple IP
[Solved] OSPF + Multiple Gateways
2

Im trying to get past this same issue as well, ive tried all kinds of mangle rules but none of them can see the mikrotik’s own l2tp traffic. I do have a server that is behind the router properly being connection marked, then routing marked via a separate public gateway. So that part is working, my problem is doing the initial connection marked mangle rule to find the l2tp traffic.

anyone have any ideas? this answer could help both myself and the OP.

thanks!

3

Try making routing rules that tell it certain source IP’s belong to certain lines.

/IP route rule
add src-address=<ISP1 Wan IP>/32 action=lookup table=<ISP1>
add src-address=<ISP2 Wan IP>/32 action=lookup table=<ISP2>
add src-address=<ISP3 Wan IP>/32 action=lookup table=<ISP3>
4

hi,

here is the rule ive added, it doesnt seem to do anything to change this issue.

/ip route rule
add action=lookup disabled=no src-address=69.xxx.xxx.xxx/29 table=route_via_154

routevia154 is a routing rule that i successfully use to direct other servers out via the correct public IP gateway.

Im still RX on port 1 and / TX on default public gateway port 3, out of the wrong public IP.

the silence from mikrotik support on this is deafening.

5

Route rules are processed in order IIRC, so make sure the new rule is at the top.

To make sure I am understanding this properly, an outisde client is connecting to the IP address of ISP1, but the mikrotik response is going out ISP2 with a source IP of ISP2?

6

Hi that is correct. (your network map with isp 1 isp2)

Also every rule i have been testing is always moved to the top so that is not the issue. THe main problem i every have is not the action, its getting the rule to be qualified (and thus see the packet counter go up) most of these tests the packet count on the rule is 0.

I think this is clear mikrotik BUG judging by all the other threads about this and judging by the strage replies im getting from mikrotik support on this issue *( first the completely ignored the question and focued on a 1 line question about an RB1200, then they sent a one line very vague rule).

The sad thing is i brought this issue up to mikrotik back on 2.9.2x days

thanks

7

Could you please post the dump from

/ip route export
/ip firewall mange export

I have three of these setups running right now (the latest of which I just set up last week), and all of them work great (dual WAN, failover, VPN on both links).
They are all on 450G’s running 4.17, 5.4 or 5.7.

8

so you have 2 public Gateways on one mikrotik, and if dial vpn into public IP1 it talks back on public IP1?

you see if they are close, and the same isp, this will work bc of router fancyness done by the ISP. (as ive seen at my Datacenter)

can you post your rules maybe if its short??

tks

here is ip fire mangle

this works and simply takes 97.3 and tells forces it to use “154 jo” (there is “154 jo” and “142 jo” each a seperate public gateway)

/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no dst-address=!192.168.97.1 in-interface=ether3-to-ETH1-97ip new-connection-mark=
“use 154 jo” passthrough=yes src-address=192.168.97.3
add action=mark-routing chain=prerouting connection-mark=“use 154 jo” disabled=no in-interface=ether3-to-ETH1-97ip new-routing-mark=
route_via_154 passthrough=yes
add action=mark-routing chain=output connection-mark=“use 154 jo” disabled=no new-routing-mark=route_via_154 passthrough=yes


edit: if i turn off the rule above, then the server that it controls uses public IP X vs using Public IP Y with this rule on.


/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=69.xxx.xx.xx routing-mark=route_via_145 scope=30 target-scope=10

/ip route rule
add action=lookup disabled=yes src-address=69.xxx.xxx.xxx/29 table=route_via_154

9

Yes… mangling and having route rules does work… IF you know the address of the remote.

But in the case of a remote office that gets its address from DHCP, it doesn’t help.

I wish it would just track the l2tp traffic like any other traffic.

10 



/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no in-interface=ether1-ISP1 \
    new-connection-mark=Out_ISP1 passthrough=yes comment="Mark ISP1 in as ISP1"
add action=mark-connection chain=prerouting disabled=no in-interface=PPPoE_DSL \
    new-connection-mark=Out_ISP2 passthrough=yes comment="Mark ISP2 in as ISP2" 

add action=mark-routing chain=prerouting connection-mark=Out_ISP1 disabled=no \
    dst-address=!<LAN/16> src-address=<LAN/16> new-routing-mark=Out_ISP1 \
	passthrough=yes comment="Mark Out_ISP1 Route" 
add action=mark-routing chain=prerouting connection-mark=Out_ISP2 disabled=no \
    dst-address=!<LAN/16> src-address=<LAN/16> new-routing-mark=Out_ISP2 \
	passthrough=yes comment="Mark Out_ISP2 Route"

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=<GW1> \
    routing-mark=ISP1 scope=30 target-scope=10 check-gateway=ping
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=PPPoE_DSL \
    routing-mark=ISP1 scope=30 target-scope=10

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE_DSL \
    routing-mark=ISP2 scope=30 target-scope=10
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=<GW1> \
    routing-mark=ISP2 scope=30 target-scope=10 check-gateway=ping 

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=<GW1> \
    scope=30 target-scope=10 check-gateway=ping 
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=PPPoE_DSL \
    scope=30 target-scope=10

/ip route rule
add action=lookup disabled=no dst-address=<LAN/8> \
    table=main comment="Prevent Local traffic from going out WAN"
add action=lookup disabled=no dst-address=<ISP1>/29 \
    table=main comment="ISP1 local network, used to force gateway check out ISP1 line" 
	
add action=lookup disabled=no src-address=<ISP2 external IP>/32 \
    table=ISP2 comment="ISP2 Source goes out ISP2" 
add action=lookup disabled=no src-address=<ISP1 external IP>/32 \
    table=ISP1 comment="ISP1 Source goes out ISP1" 

add action=lookup disabled=no routing-mark=Out_ISP1 table=ISP1
add action=lookup disabled=no routing-mark=Out_ISP2 table=ISP2

In theory I should be able to get rid of the src/dst checks on the final 2 mangle rules, but I haven’t gotten around to testing it yet. Since the CPU doesn’t ever hit over 20% I’m not worried about redundant checks.

I should note that I am checking against <LAN/16> instead of <LAN/24> to make sure I get the VPN user’s subnet as well

With this setup, LAN customers default to out ISP1, failover to ISP2. In the event of failback, existing connections stay on their established line until terminated. I can successfully PPTP,L2TP, and SSH to both ISP1 and ISP2 from the internet.

11

Hi, we have the same situation, but we need to mark traffic only to ISP2 and when local router initiated IPSec traffic also to go to the ISP2. Please help, our central router is static IP and our remote router is dynamic IP which we have script to resolve IP. We tried your solution but doesnt work. Please provide us more specific example. If you need we cant provide you our configuration with IP adresses.



thanks

12

Anyone found a solution for this ? Seems like L2TP is not being marked correctly still.
I have problem with l2tp going to wan2, but answered with wan1.