I have some MikroTiks in different countries and I have "mark routing" to some IP for going to that IP using that route.
The problem is... I have a mark routing with the "vpn interface" but when the vpn is down, the vpn name disappears, and all the relations are lost; when the VPN reconnects, the "interface" is still missing.... and I need to fix it manually.
Is there some way to fix it? Any trick...
Thank you
PS: Here is some useful info
[admin@Sprinfield Mikrotik] /ppp active> print
Flags: R - radius
NAME SERVICE CALLER-ID ADDRESS UPTIME ENCODING
0 casavzla l2tp 186.14.xxx.xxx 192.168.16.11 3d20h... cbc(aes) + hmac(sha256)
1 gutierolm... l2tp 190.77.xxx.xxx 192.168.16.26 1d11h... cbc(aes) + hmac(sha1)
2 mayjo l2tp 80.27.xxx.xxx 192.168.16.10 3h54m47s cbc(aes) + hmac(sha256
[admin@Sprinfield Mikrotik] /ip firewall mangle> export
sep/26/2018 12:25:49 by RouterOS 6.42.3
software id = xxxx-xxxx
model = 2011UiAS-2HnD
serial number = xxxxxxxxxxxx
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Marcado via VPN USA" new-routing-mark=VIA_VPN_USA passthrough=yes src-address-list=salida-via-vpn-usa
add action=mark-routing chain=prerouting comment="Marcado via VPN Troca" connection-state=new connection-type="" new-routing-mark=VIA_VPN_TROCA passthrough=yes src-address-list=salida-via-trocadero
add action=mark-routing chain=prerouting comment="Marcado via Sat" disabled=yes new-routing-mark=VIA_SAT passthrough=yes src-address-list=salida-via-sat
add action=mark-routing chain=prerouting comment="Marcado via Vzla" connection-state=new new-routing-mark=VIA_VPN_VZLA passthrough=yes src-address-list=salida-via-vpn_vzla
add action=mark-routing chain=prerouting comment="Marcado via Vzla para banesco" connection-state="" dst-address-list=banesco new-routing-mark=VIA_VPN_VZLA passthrough=no src-address=192.168.10.0/24
add action=mark-routing chain=prerouting comment="Salida via Troca" new-routing-mark=VIA_VPN_TROCA passthrough=yes src-address-list=salida-via-trocadero
[admin@Sprinfield Mikrotik] /ip firewall nat> export
sep/26/2018 12:27:44 by RouterOS 6.42.3
software id = xxxx-xxxx
model = 2011UiAS-2HnD
serial number = xxxxxxxxxxx
/ip firewall nat
add action=masquerade chain=srcnat comment="Default Gateway FTTH" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="FTTH con marca" out-interface=ether10-gateway routing-mark=VIA_SAT
add action=masquerade chain=srcnat comment="Via VPN_USA" dst-address=0.0.0.0/0 out-interface=ppptp-usa src-address-list=salida-via-vpn-usa
add action=masquerade chain=srcnat comment="Via VPN_VZLA" dst-address=0.0.0.0/0 out-interface=<l2tp-casavzla > routing-mark=VIA_VPN_VZLA src-address-list=salida-via-vpn_vzla
add action=masquerade chain=srcnat comment="Via VPN_VZLA Banesco" dst-address-list=banesco out-interface=<l2tp-casavzla > routing-mark=VIA_VPN_VZLA src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Via VPN_Troca" dst-address=0.0.0.0/0 out-interface="Trocadero-vpn Oficina" routing-mark=VIA_VPN_TROCA src-address-list=salida-via-trocadero
[admin@Sprinfield Mikrotik] /ip route> export
sep/26/2018 12:30:39 by RouterOS 6.42.3
software id = xxxx-xxxx
model = 2011UiAS-2HnD
serial number = xxxxxxxxxxxxxxx
/ip route
add comment="Salida via USA" distance=1 gateway=ppptp-usa routing-mark=VIA_VPN_USA
add comment="Salida via Troca" distance=1 gateway="Trocadero-vpn Oficina" routing-mark=VIA_VPN_TROCA
add comment="Salida via WLAN 3G/4G" distance=1 gateway=192.168.42.129 routing-mark=VIA_DOOGEE
add comment="Salida via Sat con Mark Routing" distance=2 gateway=ether10-slave-local routing-mark=VIA_SAT
add comment="Salida via Vzla" distance=1 gateway=<l2tp-casavzla > routing-mark=VIA_VPN_VZLA
add disabled=yes distance=1 gateway=ether1-gateway
add distance=1 dst-address=192.168.0.0/24 gateway="Trocadero-vpn Oficina"
add distance=1 dst-address=192.168.1.0/24 gateway="Trocadero-vpn Oficina"
add comment="Red de Vzla" distance=1 dst-address=192.168.14.0/24 gateway=<l2tp-casavzla >
add distance=1 dst-address=192.168.30.0/24 gateway="Trocadero-vpn Oficina"
add comment="GP Rooms red 30" disabled=yes distance=1 dst-address=192.168.30.0/24 gateway=*F03249
add distance=1 dst-address=192.168.31.0/24 gateway="Trocadero-vpn Oficina"
add distance=1 dst-address=192.168.75.0/24 gateway="Trocadero-vpn Oficina"
add distance=1 dst-address=192.168.76.0/24 gateway="Trocadero-vpn Oficina"
/ip route rule
add dst-address=142.4.201.85/32 interface=ether10-gateway routing-mark=VIA_SAT table=VIA_SAT
add dst-address=142.4.209.197/32 interface=ether10-gateway routing-mark=VIA_SAT table=VIA_SAT
The bold interfaces go missing when this VPN disconnects and I need to configure them again
Thank youuuuuuuu
Does each VPN have an ip connection? If yes, as opposed to making the masquerade listen to an output interface, try doing the src-nat ip
ummmmmm interesting!!!
And yes. It makes sense!
I will try Mr…
sindy
September 26, 2018, 3:08pm
4
One of the simpler solutions is to link static interface names to /ppp secrets as follows:
/interface l2tp-server add name=e-g-casavzla user=casavzla
and redo all the references (routes’ gateways and out-interface matchers in firewall rules) to these static names.
Also, you can create an /interface list, like all-l2tp-clients, and copy the /ppp profile you use (possibly the one called default) to a new one, and set the interface-list parameter of the new one to all-l2tp-clients, and configure all /ppp secrets to use that new profile instead of the default one. Or you can modify the default one this way if you don’t need it for anything else. This way, a single masquerade rule will be enough, referring to out-interface-list=all-l2tp-clients.
I don’t understand, sorry
give a name to the l2tp server?
each connection to “me” has a name like: l2tp-username
It is already, but when the VPN client disconnects, the “name” disappears…
and disappears from all the references, but now I am doing like the first answer, using IP… waiting for losing connections and checking!!!
sindy
September 26, 2018, 3:29pm
6
Yes, the interface is created dynamically, and gets a name composed of the ppp service type name (here, l2tp) and the ppp user name (here, casavzla). When the client connection goes down, the dynamically created interface gets destroyed, so references to it “hang in the air”.
Using the method I’ve suggested, you create static interfaces which never disappear, and when a client for whom a static interface has been created using the command I gave above logs in, the corresponding static interface is used for him instead of dynamically creating a new one.
You have to make sure that only-one parameter of the /ppp profile is set to yes, otherwise if the connection breaks and the client re-connects before the previous connection expires locally, the new connection creates a dynamic interface and the idea fails.
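The procedure from the two replies above, applied to the casavzla client from the original post, as an added example that is not part of any forum post. It assumes the casavzla secret uses the profile named default; the comment= values are the ones shown in the exports at the top of the thread.

```routeros
# Added example. Names taken from the thread: casavzla, e-g-casavzla,
# and the comment= values of the exported routes and NAT rules.
# Assumption: the casavzla secret uses the profile named "default".

# 1. Static L2TP server binding: exists whether or not the client is connected.
/interface l2tp-server add name=e-g-casavzla user=casavzla

# 2. Allow only one session per user, so a reconnect reuses the static
#    binding instead of creating a dynamic <l2tp-casavzla> interface.
/ppp profile set [find name=default] only-one=yes

# 3. Re-point the routes that referenced the dynamic interface.
/ip route set [find comment="Salida via Vzla"] gateway=e-g-casavzla
/ip route set [find comment="Red de Vzla"] gateway=e-g-casavzla

# 4. Re-point the masquerade rules the same way.
/ip firewall nat set [find comment="Via VPN_VZLA"] out-interface=e-g-casavzla
/ip firewall nat set [find comment="Via VPN_VZLA Banesco"] out-interface=e-g-casavzla

# 5. Verify: the binding is listed without the D (dynamic) flag and gains R
#    (running) while the client is connected; the exports should show
#    e-g-casavzla rather than a placeholder such as gateway=*F03249.
/interface l2tp-server print
/ip route export
/ip firewall nat export
```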
OHHHHHHHHHHHHHHHHHH WOWWWWWWWWW Super explaining!!!
That is the best answer!!!
I didn’t know how to do it… amazing my friend
I will try later, but this is super
And yes, I always have only ONE CONNECTION.
My friend. THIS IS WORKING perfectly
I didn’t know it. WOWWWWWWWWWWWWWWWWWWW
THANK YOUUUUUUUUUUUUUUUUUUUUUUUUU
many routers for changing it right now jajajaja