( Solved )PCC Load Banance Router and VPN have no internet

Alexybg · June 19, 2017, 8:43am

Hello,
I’m new in mikrotik and need some help.
I have configure my mikrotik with 2 WAN
eth1 - PPPOE - GW 85.91.151.8
eth2 - DHCP - GW 192.168.0.1
bridge - 192.168.3.3
Load banace work fine.
Configure PPTP and L2TP Servers , they connect successfuly
/ip pool
add name=dhcp ranges=192.168.3.4-192.168.3.60
add name=pptp-pool ranges=192.168.3.61-192.168.3.100
add name=L2TP-Pool ranges=192.168.3.101-192.168.3.150

I want then connect throw VPN to have internet
i don’t know how to make it. Pls help

Regards

gustavomam · June 19, 2017, 2:05pm

Hello.

Please give more information about your configuration

/ip route print

/ip route export

/ip firewall mangle

/ip firewall filter

or you can give us this full config

/export

Alexybg · June 19, 2017, 2:39pm

Hello, that is my configuration. It work fine for me, just have no internet throw VPN, and I cant see local network
I cant ping router 192.168.3.3, but can open web interface ?

/ip route
add distance=1 gateway=85.91.151.8 routing-mark=ISP1
add distance=2 gateway=85.91.151.8 routing-mark=ISP1
add distance=1 dst-address=85.91.151.0/24 gateway=pppoe-out1 routing-mark=ISP1
add distance=1 dst-address=192.168.0.0/24 gateway=ether2-gateway routing-mark=ISP1
add distance=1 dst-address=192.168.3.0/24 gateway=bridge routing-mark=ISP1
add distance=1 gateway=192.168.0.1 routing-mark=ISP2
add distance=2 gateway=192.168.0.1 routing-mark=ISP2
add distance=1 dst-address=85.91.151.0/24 gateway=pppoe-out1 routing-mark=ISP2
add distance=1 dst-address=192.168.0.0/24 gateway=ether2-gateway routing-mark=ISP2
add distance=1 dst-address=192.168.3.0/24 gateway=bridge routing-mark=ISP2
add distance=1 gateway=192.168.0.1
add distance=1 gateway=85.91.151.8
add check-gateway=ping distance=10 gateway=85.91.151.8,192.168.0.1
add check-gateway=ping distance=1 dst-address=8.8.4.4/32 gateway=85.91.151.8 scope=10
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=192.168.0.1 scope=10

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=ISP1
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2-gateway new-connection-mark=ISP2
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=ISP1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting connection-mark=ISP1 new-routing-mark=ISP1 passthrough=no
add action=mark-connection chain=prerouting comment=" " connection-mark=no-mark new-connection-mark=ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2 new-routing-mark=ISP2 passthrough=no
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=ISP2 passthrough=no

/ip firewall filter
add action=fasttrack-connection chain=forward comment=“default configuration” connection-state=established,related disabled=yes
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=forward comment=“default configuration” connection-state=established,related
add action=accept chain=input comment=VPN dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment=“L2TP VPN” dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=drop chain=forward comment=“default configuration” connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment=“D-Link access” disabled=yes dst-port=80 protocol=tcp
add action=drop chain=input in-interface=pppoe-out1
add action=drop chain=input in-interface=ether2-gateway
add action=drop chain=input dst-port=53 in-interface=ether2-gateway protocol=udp
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=tcp

I try to change pptp pool to 192.168.3.50-192.168.3.10, VPN take IP same as my local network. but the problem is the same

gustavomam · June 19, 2017, 10:02pm

I think your L2TP VPN is load balance and thats why you couldn’t have internet connection as well

Try to add this line and the top of your firewall mangle

add action=mark-connection chain=prerouting src-address=192.168.3.101-192.168.3.150 action=accept

Where 192.168.3.101-192.168.3.150 is L2TP_Pool address.

Alexybg · June 20, 2017, 2:19pm

gustavomam:

I think your L2TP VPN is load balance and thats why you couldn’t have internet connection as well

Try to add this line and the top of your firewall mangle
add action=mark-connection chain=prerouting src-address=192.168.3.101-192.168.3.150 action=accept
Where 192.168.3.101-192.168.3.150 is L2TP_Pool address.

do u mean : add action=accept chain=prerouting src-address=192.168.3.101-192.168.3.150
( cant mark it and accept it both )
that good is that it detect packages .. and now I have ping to remote IP
But no internet again

gustavomam · June 20, 2017, 2:23pm

You are right, thanks for correct me.

It is not necessary mark-connection, my post have two action in the same rule so it couldn’t work as well.

I put here the correct rule

add chain=prerouting src-address=192.168.3.101-192.168.3.150 action=accept

Alexybg · June 20, 2017, 2:29pm

gustavomam:

You are right, thanks for correct me.

It is not necessary mark-connection, my post have two action in the same rule so it couldn’t work as well.

I put here the correct rule
add chain=prerouting src-address=192.168.3.101-192.168.3.150 action=accept

Now I just have ping to remote IP , Before I don’t have it.
but still not have internet

gustavomam · June 20, 2017, 2:30pm

Check step by step.

Can you reach other network? ping 8.8.8.8
Can you resolve dns? ping google.com

Alexybg · June 20, 2017, 2:47pm

Yes I can resolve , but no ping
I can ping my router 192.168.3.3, but can’t ping other in local network

gustavomam · June 20, 2017, 9:35pm

There is a trick to ping host in local network from vpn users in the same network.

Put your lan interface in this mode arp=proxy-arp

Alexybg · June 20, 2017, 9:59pm

I try all options bridge=local-proxy-arp and proxy-arp
not working in my case

Alexybg · June 21, 2017, 8:31am

I see that other people too have the same problem.
In load balancing with 2 WAN, they VPN connect but cant see local network and VPN have no internet

Alexybg · June 22, 2017, 10:36am

I found problem in mangle
It’s OK now

harimin · December 10, 2017, 12:19am

Hi Alexybg
Could you elaborate which part of your mangle is the problem? And how to fix it?

Best regards,
Harimin.

Alexybg · December 13, 2017, 8:48am

Yes, I just add this rules in mangle
where 192.168.3.0/24 is my local network, and all work fine

add action=mark-connection chain=prerouting comment=“VPN Internet” new-connection-mark=VPN passthrough=yes src-address=192.168.3.0/24
add action=accept chain=prerouting src-address=192.168.3.0/24