Mangle L2TP vpn

RouterOS Beginner Basics
1

Hi guys!

http://forum.mikrotik.com/t/moving-from-fail-over-to-using-both-wans/143145/1
http://mum.mikrotik.com/presentations/US12/tomas.pdf

I follow this guide step by step to stage “Incoming connectios done”
All is working, I can browse a web page from the mainISP and cameras web from the backupISP
All Lan traffic is going out to mainISP because I dont setup outgoing from our lan to the internet and it is using default gateway

I have setup L2TP vpn clients and they are workin with the mainISP.
Now when I setup a vpn client for the backupISP, the client is workin much unstable.

I think i have a concept mistake, at this point i konw that when a connection is initiated from the internet through one of the ISPs I ensure that this connection is replied through the same ISP, but somithing is wrong because vpn connecctions comming from backupISP is not working but connecctions to the cameras web comming from the same backupISP is workin.

Thanks in advance!!!

ip fireall nat and filter question
Connect to VPN over 2 Internet connections
L2TP VPN selective routing using mangle filters
2

make sure your mangle rules are correct. L2TP is not going through router just in and out.

page 31 of pdf file.

3

thanks snowman

page 31 of pdf file.

where is that pdf?

here is some more detail.
. I only want taking care of incoming connections from MAIN and BKP isp, if wan incoming come from MAIN must return to MAIN and the same for BKP
. I do not want Load Balancing
. LAN → WAN traffic go out to MAIN isp.

I have problems with VPN connections.
If a VPN connection come from MAIN it must return to MAIN, this is working (i suppodes becouse it is the default route), but if come from BKP it must return to BKP and it is not working

here es my setup

/interface bridge add name=lanBridge

/interface list
add name=ispBKP
add name=ispMAIN
add name=LAN

/ip pool add name=lanPool ranges=10.0.41.100-10.0.41.254
/ip pool add name=vpnPool ranges=192.168.9.10-192.168.9.30

/ip dhcp-server add address-pool=lanPool disabled=no interface=lanBridge lease-time=1w10m10s name=dhcpLan
/ip dhcp-server network add address=10.0.41.0/24 dns-server=10.0.41.7 gateway=10.0.41.1

/interface bridge port
add bridge=lanBridge interface=ether3
add bridge=lanBridge interface=ether4
add bridge=lanBridge interface=ether5


/interface list member
add interface=ether1 list=ispMAIN
add interface=ether2 list=ispBKP
add interface=lanBridge list=LAN


/ip address
add address=888.888.888.254/24 interface=ether1 network=888.888.888.0
add address=999.999.999.254/24 interface=ether2 network=999.999.999.0
add address=10.0.41.1/24 interface=lanBridge network=10.0.41.0


/ip dns set servers=1.1.1.1,1.0.0.1

/ip firewall filter
add action=accept chain=input comment="rbMT" connection-state=established,related,untracked
add action=accept chain=input comment="L2TP (ipsec-esp)" protocol=ipsec-esp
add action=accept chain=input comment="L2TP (udp)" dst-port=500,1701,4500 protocol=udp 
add action=drop chain=input comment="rbMT" connection-state=invalid
add action=drop chain=input comment="DENY ALL - LAN" in-interface-list=!LAN
add action=accept chain=forward comment="rbMT" ipsec-policy=in,ipsec
add action=accept chain=forward comment="rbMT" ipsec-policy=out,ipsec
add action=fasttrack-connection comment="rbMT" chain=forward connection-state=established,related
add action=accept chain=forward comment="rbMT" connection-state=established,related,untracked
add action=drop chain=forward comment="rbMT" connection-state=invalid
add action=drop chain=forward comment="DENY ALL - NAT" connection-nat-state=!dstnat connection-state=new in-interface-list=none



/ip firewall nat 
add action=src-nat chain=srcnat out-interface-list=ispMAIN to-addresses=888.888.888.254
add action=src-nat chain=srcnat out-interface-list=ispBKP to-addresses=999.999.999.254

/ip route
add distance=1 gateway=888.888.888.1


/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80,443 protocol=tcp to-addresses=10.0.41.19 comment="WEB"
add action=dst-nat chain=dstnat dst-port=11080 protocol=tcp to-addresses=10.0.41.19 comment="SERVICE"
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=10.0.41.2 comment="RDP" disabled=yes
add action=dst-nat chain=dstnat dst-port=34567 protocol=tcp to-addresses=10.0.41.119 comment="DVR"

	
/ppp profile
add local-address=192.168.9.1 name=l2tpProfile remote-address=vpnPool use-encryption=required

/interface
l2tp-server server set authentication=mschap2 default-profile=l2tpProfile enabled=yes ipsec-secret=test123 use-ipsec=yes

and here is mangle setup

/ip firewall address-list
add address=888.888.888.0/24 list=Connected
add address=999.999.999.0/24 list=Connected
add address=10.0.41.0/24 list=Connected
add address=10.0.41.0/24 list=lanList


/ip firewall mangle add action=accept chain=prerouting dst-address-list=Connected src-address-list=Connected


*****************************************
*** WAN <-> ROUTER MANGLE ***
*****************************************
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface-list=ispMAIN new-connection-mark=fromIspMAIN passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface-list=ispBKP new-connection-mark=fromIspBKP passthrough=no

add action=mark-routing chain=output connection-mark=fromIspMAIN new-routing-mark=ispMAIN_ROUTE passthrough=no
add action=mark-routing chain=output connection-mark=fromIspBKP new-routing-mark=ispBKP_ROUTE passthrough=no

***********************************
*** WAN <-> LAN MANGLE ***
***********************************
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark in-interface-list=ispMAIN new-connection-mark=ispMAIN-lan passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark in-interface-list=ispBKP new-connection-mark=ispBKP-lan passthrough=no

add action=mark-routing chain=prerouting connection-mark=ispMAIN-lan new-routing-mark=ispMAIN_ROUTE passthrough=no src-address-list=lanList
add action=mark-routing chain=prerouting connection-mark=ispBKP-lan new-routing-mark=ispBKP_ROUTE passthrough=no src-address-list=lanList


/ip route
add distance=2 gateway=999.999.999.1
add distance=1 gateway=888.888.888.1 routing-mark=ispMAIN_ROUTE
add distance=1 gateway=999.999.999.1 routing-mark=ispBKP_ROUTE

thanks

4

I believe that i having problems with Fasttrack and IPSec, i read that there are some issues.
But for now i have not found the solution and my mangle is still not working on the second ISP

5

Fasttracking is only used in the forward chain, and L2TP transport packets are handled by input and output chains, not the forward one.

Your mangle rules seem fine for the L2TP session to get established, except if the L2TP client connects from 888.888.888.0/24 or 999.999.999.0/24. Are you testing from one of these subnets or from a totally unrelated one?

Does the L2TP client connect successfully, but no traffic is getting through the established tunnel, or does already the L2TP connection of the client fail?

6

Are you testing from one of these subnets or from a totally unrelated one?

totally different


Does the L2TP client connect successfully, but no traffic is getting through the established tunnel, or does already the L2TP connection of the client fail?

from main ISP (888.888.888.0 and default route) L2TP clients are working
from second ISP (999.999.999.0) L2TP clients connects but suddenly disconect

7

How long after connection establishment this happens? Seconds, hours? If it works for a minute and then fails, the root cause may not be related to the policy routing (mangle rules etc.) at all.

8

How long after connection establishment this happens? Seconds, hours? If it works for a minute and then fails, the root cause may not be related to the policy routing (mangle rules etc.) at all.

yes, ma-by the backup ISP because sometimes the connection break at the moment and anthers work by hours, but still there is some problem that i can understand.

i have a webserver running that is accessible from wan by this nat

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80,443 protocol=tcp to-addresses=10.0.41.19 comment="WEB"

10.0.41.19 is haproxy that redirect traffic to the final webserver 10.0.41.10

from mainISP (default route) is workink OK, but from backupISP is don’t working.

I know that when the package leave the router mangle marks are cleaned, then how know the response from the webserver that must go out to backupISP and not by default gateway?

9

This is what connection-mark is used for - it is assigned to the connection as a whole when one of the first packets belonging to that connection is processed, and then all packets belonging to the same connection get this connection-mark as they pass through the connection tracking module of the firewall, as one of the first stages of processing (only raw rules are examined before connection tracking). So in your particular case, the action=mark-connection rule matches on the first SYN packet from the client and assigns the connection-mark value, and then the action=mark-routing rule matches on all the packets sent by the server and belonging to the same connection.

I cannot see anything wrong about your mangle rules, so you have to run a sniffer to see what is going on. The address of the client doesn’t change as the packet passes through the various stages of firewall handling, so make a command line window as wide as your screen allows and run /tool sniffer quick ip-address=ip-of-the-client while attempting to connect from a remote client via the backup WAN, to see whether the requests arrive at all (some ISPs block incoming traffic to server ports) and whether the responses from the server come from the expected address (of the ha-proxy) and port.

10

Thanks to all the people that spent a little of his time to answer question and help to make easy or tech lives, i Will try to help others.

11

I suspect your problem is you don’t have a route via the backup ISP, add a default route to this with distance of 3 and test