Send l2tp over secondary WAN ISP *** $100 BOUNTY ***

Originally posted in forwarding protocols but got no response so I am trying the busier forum.
Original: http://forum.mikrotik.com/t/send-l2tp-over-secondary-wan-isp-100-bounty-moved/91934/1

The config I am trying to get will accomplish the following:
ISP1 Primary
ISP2 Secondary
l2tp traffic prefers ISP2 but will fail over to ISP1 if it does not connect with ISP2
All traffic fails over to ISP2 if ISP1 down.

ISP 1 and 2 have static routes.
One internal VLAN

Ok here is what I have so far:

/ip firewall mangle
add action=mark-routing chain=output dst-address=216.174.x.x new-routing-mark=usesecondary passthrough=no

/ip route
add check-gateway=ping comment="Secondary ISP-L2tp" distance=1 gateway=209.153.x.x routing-mark=usesecondary
add check-gateway=ping comment="Primary ISP" distance=2 gateway=67.52.x.x
add check-gateway=ping comment="Secondary ISP" distance=3 gateway=209.153.x.x
add distance=1 dst-address=10.10.0.0/16 gateway=10.9.0.1

The pre-routing chain seems to have no effect. If I use the postrouting or output chain, the reply-to address is wrong when the packet hits the remote l2tp server and the connection does not establish. The issue seems to be that the l2tp traffic is being initiated from the router itself and does not enter the pre-routing stage.

I also have simple queues that affect this traffic and they seem to work.

/queue simple
add burst-limit=26M/3600k burst-time=1s/1s max-limit=26M/3600k name="Non Voice Que" target=ether1-WAN-TimeWarner
add name="Voice Unlimited" priority=3/3 queue=default/default target=216.174.x.x/24,10.10.0.208/32

Any Ideas?
I have increased the bounty to $100 if solved today.

Is it pure L2TP (no IPSec)? Have you checked that it is not a masquerade issue?

Correct, no IPsec. I only have one srcnat and that is

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.0/24

I will also add that the traffic does fail over properly if I just yank the primary ISP cable.

Have you tried to make that masquerade rule more specific? i.e. specifying out interface and maybe even changing to src-nat and specifying to-addresses?

Try to put a route (e.g. to the public L2TP tunnel IP address) using the gateway of ISP2, and put distance 1 for failover. Doing this you are forcing the tunnel to establish over the second ISP,
then replicate for isp with distance 2.

/ip route add dst-address=public-ip-of-l2tptunnel gateway=isp2-ip distance=1

and remove mangles..

Otherwise paste an export, hard to help without that…

This looks much simpler, I will give it a shot although I think I did this before.

Some good news. This worked for getting the l2tp to connect through ISP2. It broke some NAT rules, but I did not mention them in the post and I was able to fix them. I will give you partial credit and PM you for where to send some PayPal.
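
The host-route approach suggested in the thread, written out as an added RouterOS example (not posted by any participant). It assumes the "replicate" route goes through the ISP1 gateway, that `ether1-WAN-TimeWarner` is the ISP1 interface, and that the ISP2 interface is called `ether2-WAN-ISP2` (a hypothetical name); the addresses are the masked placeholders from the original post.

```routeros
# Added example. 216.174.x.x = remote L2TP server, 209.153.x.x = ISP2 gateway,
# 67.52.x.x = ISP1 gateway (all masked as in the thread; substitute real values).

# Drop the policy-routing attempt from the original post, as the reply suggests.
/ip firewall mangle remove [find new-routing-mark=usesecondary]
/ip route remove [find routing-mark=usesecondary]

/ip route
# Host route: the /32 is more specific than either default route, so
# router-originated L2TP traffic leaves via ISP2 while its gateway answers pings.
add dst-address=216.174.x.x/32 gateway=209.153.x.x distance=1 check-gateway=ping comment="L2TP via ISP2"
# Same destination via ISP1 at a higher distance (assumed reading of
# "replicate ... with distance 2"); active only when the route above is down.
add dst-address=216.174.x.x/32 gateway=67.52.x.x distance=2 check-gateway=ping comment="L2TP failover via ISP1"
# Default routes unchanged from the original post.
add gateway=67.52.x.x distance=2 check-gateway=ping comment="Primary ISP"
add gateway=209.153.x.x distance=3 check-gateway=ping comment="Secondary ISP"

/ip firewall nat
# The "more specific masquerade" suggestion: one rule per WAN interface.
# ether2-WAN-ISP2 is a hypothetical interface name.
add chain=srcnat action=masquerade src-address=10.0.0.0/24 out-interface=ether1-WAN-TimeWarner
add chain=srcnat action=masquerade src-address=10.0.0.0/24 out-interface=ether2-WAN-ISP2
```

`check-gateway=ping` only tests reachability of the next-hop gateway, so a failure further upstream at ISP2 will not deactivate the distance=1 route.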