I have 2 Mikrotik routers in different data centers with the following specifications:

Router A
RouterOS 6.49.6
WAN int: ether2
Public IP: a.a.a.a
IP Pool 192.168.200.0/24
L2TP/IPSec PSK with an assigned range of IP from the pool

Router B
RouterOS 7.2.1
WAN int: ether1
Public IP: b.b.b.b

I would like to set up an IP-IP tunnel between the two and have the traffic of all users who connect to router A go through router B. For that, I have done the following steps with help from others:

1. Router B > create an ipip interface
2. Router B > assign an IP address of 10.40.40.1 bound to the ipip interface
3. Router A > create an ipip interface
4. Router A > assign an IP address of 10.40.40.2 bound to the ipip interface
5. Router A > NAT > in the srcnat chain, the action src-nat to address b.b.b.b
6. Router A > Mangle > in the prerouting chain, from src address 192.168.200.0/24 to any destination but local, the action route to 10.40.40.1 with passthrough enabled
7. Router B > NAT > in the srcnat chain, the action src-nat to address b.b.b.b
8. Router B > NAT > in the srcnat chain, the action src-nat to address a.a.a.a

Now, we have traffic sent from router A to B, but no traffic in the other direction (which means even the Google website is not accessible for L2TP clients on router A). Last night I got it to work with help from a friend, but apparently didn't download the backup from router A, and now the settings are lost. So that's one of the issues that I need help with. The other is that the last time it was working, L2TP clients of router A could see router B's IP when looking up their own public IP, but could not use applications that are accessible from router B, such as YouTube or Miro.
Thanks in advance to any kind soul who could help.

Both 10.40.40.x addresses must have some sane mask (e.g. /30 or /24).
Step 5 is wrong; the only srcnat that could make sense here would use 10.40.40.2. But it's even better not to add it at all, and instead add a route on router B to 192.168.200.0/24 with 10.40.40.2 (router A) as gateway.
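Putting the OP's eight steps together with the two corrections above (a real mask on the tunnel addresses, and a route on router B instead of the srcnat-to-a.a.a.a rule), as an added example that is not from any poster in this thread. The interface names, the routing-mark name, the use of mark-routing instead of the OP's mangle action=route, and reading "any destination but local" as "not the L2TP pool itself" are all assumptions.

```routeros
# ---- Router B (RouterOS 7.2.1, WAN ether1, public b.b.b.b) ----
/interface ipip add name=ipip-to-a local-address=b.b.b.b remote-address=a.a.a.a
# Tunnel address with a /30 mask (the OP gave no mask at all)
/ip address add address=10.40.40.1/30 interface=ipip-to-a
# Return path for router A's L2TP pool: this replaces the OP's step 5 (srcnat to
# a.a.a.a). Replies for 192.168.200.x are sent back through the tunnel to router A.
/ip route add dst-address=192.168.200.0/24 gateway=10.40.40.2
# Masquerade both ranges on B's WAN, since both leave through B's public IP
/ip firewall nat add chain=srcnat src-address=192.168.200.0/24 out-interface=ether1 action=masquerade
/ip firewall nat add chain=srcnat src-address=192.168.201.0/24 out-interface=ether1 action=masquerade

# ---- Router A (RouterOS 6.49.6, WAN ether2, public a.a.a.a) ----
/interface ipip add name=ipip-to-b local-address=a.a.a.a remote-address=b.b.b.b
/ip address add address=10.40.40.2/30 interface=ipip-to-b
# Policy routing for the L2TP clients only. The prerouting rule matches the pool as
# source, so the clients' L2TP/IPsec transport packets (source = the client's public
# IP, destination = a.a.a.a) and router A's own replies are never marked and keep
# using A's normal default route via ether2.
/ip firewall mangle add chain=prerouting src-address=192.168.200.0/24 \
    dst-address=!192.168.200.0/24 action=mark-routing new-routing-mark=via-b passthrough=no
# Marked traffic gets its own default route through the tunnel; unmarked traffic is untouched
/ip route add dst-address=0.0.0.0/0 gateway=10.40.40.1 routing-mark=via-b check-gateway=ping
# No srcnat on A for tunnel traffic: router B masquerades the pool on its own WAN.
# Note (not raised in the thread): a plain IPIP tunnel carries the clients' traffic in
# clear text between the two data centers; RouterOS can protect it by setting
# ipsec-secret=<shared secret> on the ipip interface at both ends.
```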

FYI, router B's network should be different, so say 192.168.201.0/24.
You also need to masquerade both network ranges on router B, because both ranges leave that router to the public IP of router B.
The VPN traffic will either be in the specific network or, worst case, you can mangle mark it as it enters a.a.a.a.
Either way it will have a tighter network or route mark and won't end up on the 0.0.0.0/0 default route.
Need a bit more detail of the VPN setup to work that through; all we know at the moment is:
"L2TP/IPSec PSK with an assigned range of IP from the pool"
Usually when you set up like this you are remoting in on a small feed but the other site has a large feed, which is why you want the internet from it. I use a VPN to RDP to a machine on my woeful 25Mb home link to use the office 1GB link all the time.

I meant the tunnels themselves, the IPSec packets between clients on the internet and router A. If I'm client x.x.x.x and I'm connecting to server a.a.a.a, this traffic needs to use a.a.a.a's internet connection. If you handle it with routing marks or rules, then fine, it will work. But you didn't mention it before.

In most cases when you set up the VPN tunnel it will add the specific route dynamically.
In the mode he is using, L2TP/IPSec, he should have had to set dynamic endpoints in the policies, and those dynamic endpoints will end up in the route table... it's automatic.
Generally the VPN traffic is the last thing you have to worry about because it's on a very specific route (usually a /30), and most setups on the 'Tik do it all for you.
They usually end up looking like this: Dynamic, Active, Connected.

Well, routes for addresses inside the tunnels, sure. But what about those outside, the transport packets (in this case ESP used by IPSec, or wrapped in UDP if there's NAT traversal)? I don't use L2TP/IPSec often, so you made me doubt myself and I had to try it, and it doesn't seem that the server is adding any routes for those.