Dear all, I need help. I have configured a VPN on MikroTik and have 2 ISPs.
From ISP A the VPN works perfectly, but when I try to connect to the VPN from ISP B I get the following error:
proto tcp (syn) my remote ip-MikroTik ip
Please help.
Can you please share your configuration (/export hide-sensitive)?
Thanks for the reply, sir. Following is my firewall configuration:
1 chain=input action=accept connection-state=established
2 chain=input action=accept protocol=udp port=1701,500,4500 log=yes
3 chain=input action=accept protocol=ipsec-esp log=yes
4 chain=input action=accept protocol=udp port=1701,500,4500
5 ;;; BSNL VPN
  chain=input action=accept tcp-flags="" protocol=tcp in-interface=bsnl
  dst-port=1723 log=yes log-prefix=""
6 ;;; BSNL VPN
  chain=input action=accept protocol=tcp in-interface=bsnl dst-port=8291
  log=yes log-prefix=""
7 ;;; vpn
  chain=input action=accept protocol=tcp dst-port=1723 log=yes log-prefix=""
I can connect on ISP A perfectly but am unable to connect on ISP B.
Getting error:
Firewall info input in:ispB out:(none), proto tcp (syn) My ip->ISP B IP
Sir, please help me with this.
I have diagnosed that when I shut ISP A, ISP B connects successfully.
Can someone guide me on what changes I have to make to get it connected from both ISP A and B?
Please, if anyone can help.
The answer is in this post. Start reading it from the last paragraph, as it explains its relationship to your need.
Thank you very much, sir, for your reply.
After adding the rules below:
/ip firewall mangle
add chain=prerouting connection-state=established,related connection-mark=no-mark action=accept # if a mid-connection packet has no connection mark, it needs the default handling
add chain=prerouting connection-state=established,related in-interface=your-wan # download packets MUST NOT be routing-marked
I am getting the following error:
prerouting :in:ispb:(unknown0),src mac : mac address proto udp ip->ISB b ip Nat ip>isb B ip >lan ip len 56
prerouting :in:lan out:(unknown0),src mac : mac address proto udp ip->ISB b ip Nat ip>isb B ip >lan ip len 56
Please help, what could I do next to resolve this?
Thanks in advance.
I don’t understand why you call a log message an “error”, that’s first; second, I don’t know which log rules are logging these packets because none of the above ones have log=yes; third, I cannot see the rest of your firewall, and fourth, you didn’t write whether it works as desired and only the log messages bother you or whether it still doesn’t work as expected.
So please follow the instruction in my automatic signature just below.
Sorry, I forgot to mention that I had added logs to the above rules, and I am still not able to connect from ISP B. ISP A is working perfectly, but I am unable to connect using ISP B. Let me go through your post once again and I will update you, or if you can, please post the set of rules that I can apply to allow this.
The firewall rules work depending on their mutual order in each chain and together with the routing setup. So I need your complete configuration export, anonymized the way suggested in the automatic signature, to tell you exactly what to add/remove/change.
The problem seems to be that if ISP A is the primary default gateway, traffic incoming from ISP B will get forwarded to ISP A unless it is marked in mangle to go out through ISP B’s gateway. That’s why it works when you unplug ISP A.
Please follow the answer here. As this is for VPN traffic, you can omit the rules in the forward chain.
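Added example, not part of the thread and not the linked answer's own rules: one way to implement the marking described in the post above for connections that terminate on the router. It assumes RouterOS v6 syntax, a WAN interface named ispB (as in the log line), hypothetical mark names, and a constructed gateway address 192.0.2.1 for ISP B.

```routeros
# Added example: interface name, mark names and gateway address are assumptions.
/ip firewall mangle
# 1. Remember that a connection to the router itself arrived through ISP B.
#    Matching on no-mark covers every new conntrack entry (TCP 1723, GRE, UDP 500/4500).
add chain=input in-interface=ispB connection-mark=no-mark \
    action=mark-connection new-connection-mark=ispB_conn passthrough=yes \
    comment="tag connections that entered via ISP B"
# 2. Replies generated by the router for those connections get a routing mark,
#    so they do not follow the main default route through ISP A.
add chain=output connection-mark=ispB_conn \
    action=mark-routing new-routing-mark=to_ispB passthrough=no \
    comment="send replies back out via ISP B"

/ip route
# 3. Default route that is used only by packets carrying the routing mark.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to_ispB \
    comment="ISP B gateway (constructed address)"

# Check: both mangle counters should increase during a connection attempt via ISP B,
# and the marked route must be active.
/ip firewall mangle print stats
/ip route print detail where routing-mark=to_ispB
```

These rules only steer traffic to and from the router itself (input and output chains), which is why the forward chain is not involved.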
Thanks, it works. Now I am able to log in through ISP A and ISP B as well.
But now there is one issue: if I connect through ISP B, I am still getting ISP A's IP address only (my WAN IP shows ISP A only).
So how could I resolve this?