Static routes

Hi all,
I am trying to configure static routing, and most of the configuration is working. However, I believe I am missing something and hope someone can help me out.

Starlink, in bypass mode, is plugged into ether 1 on my MikroTik router. I also have an L2TP client configured to provide a static IP address, which is used exclusively for the CCTV and remote access to the router.

The routing setup is quite simple:

  • A default route (0.0.0.0/0) has a gateway set to Starlink’s IP, reachable via ether 1.
  • I have a separate routing table for the camera, with a rule that specifies traffic from the camera’s IP (192.168.1.9) should only use the CAMERA routing table.
  • Similarly, I have another routing table for remote access, with a rule that specifies the destination (the IP I use to access the router) and looks up the REMOTE ACCESS routing table.

For both of these rules (camera and remote access), I have static routes configured with a destination of 0.0.0.0/0, and the gateway is the L2TP client.

So far, the camera is accessible via the IP provided by the L2TP client, as expected, and remote access is working as well. However, my speed test results show that while the download speed is around 200 Mbps, the upload speed is nonexistent. I suspect there may be an issue with my routing configuration.

Based on this description, is there anything obvious that I might be missing?

I don’t play guessing games…
/export file=anynameyouwish (minus router serial number, mac address, public WANIP information, keys etc. )

/interface bridge
add arp=proxy-arp comment=defconf name=bridge
/interface l2tp-client
add add-default-route=yes connect-to= disabled=no name="Internet Out" use-ipsec=yes user=ppp-3si
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.1.50-192.168.1.250
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add disabled=no fib name=WEBCAM-OVER-VPN
add disabled=no fib name="REMOTE ACCESS"

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="Internet Out" list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip arp
add address=192.168.1.9 interface=bridge mac-address=
/ip dhcp-client
add default-route-distance=5 interface=ether1
/ip dhcp-relay
add dhcp-server=172.16.0.1 interface=ether5 name=relay1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=<publicIP/24> list=
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input src-address-list=
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV STREAM" dst-port=2220 protocol=tcp to-addresses=192.168.1.9 to-ports=80
add action=dst-nat chain=dstnat comment="CCTV STREAM" dst-port=554 protocol=tcp to-addresses=192.168.1.9 to-ports=554
add action=dst-nat chain=dstnat comment="CCTV 80" dst-port=6600 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.9 to-ports=80
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip route
add comment="WEBCAM ONLY" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="Internet Out" pref-src="" routing-table=WEBCAM-OVER-VPN scope=30 suppress-hw-offload=no target-scope=10
add comment="REMOTE ACCESS" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="Internet Out" routing-table="REMOTE ACCESS" suppress-hw-offload=no
add comment="INTERNET VIA STARLINK" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=100.64.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway="Internet Out" pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 vrf-interface="Internet Out"
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.1.9/32 table=WEBCAM-OVER-VPN
add action=lookup-only-in-table disabled=no dst-address=<publicIP/32> table="REMOTE ACCESS"

Why do you have two dst-nat rules for the same port???
The first one has no WAN interface identified, but the second does.
Thus I just want to know the purpose/reason for both rules!

/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV STREAM" dst-port=2220 protocol=tcp to-addresses=192.168.1.9 to-ports=80
add action=dst-nat chain=dstnat comment="CCTV STREAM" dst-port=554 protocol=tcp to-addresses=192.168.1.9 to-ports=554

add action=dst-nat chain=dstnat comment="CCTV 80" dst-port=6600 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.9 to-ports=80
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Okay, I understand you have
a. ONE WAN via Starlink.
b. Over this one WAN you have an L2TP connection, and I am assuming it is in a client capacity and is connecting to an L2TP server somewhere.
This remote site has access to a public IP that is reachable for remote access via the L2TP tunnel and, further, has a public IP address where the CCTV cameras can reach the internet.

So for routes you need the CCTV cameras but not the rest of the LAN.
Sounds like you need to do one of two things:
a. put the CCTV on a separate subnet or VLAN from the rest of the LAN users; OR
b. use a firewall address-list to identify only the CCTV cameras and use mangling to push them out the L2TP tunnel.

By the way, your allowed list on the input chain should ONLY be admin devices.
So admin connections, wired and wifi, using static-set DHCP leases,
OR
admin connections via an admin L2TP address…

Finally you will probably need some rule to ensure that incoming L2TP traffic coming into the router is allowed, in the forward chain to go out the local WAN.

Hello, that is correct, I have one WAN and an L2TP client configured, so the L2TP server provides a static IP address.

Thank you for your advice on how to fix this. It’s important for me to understand how it works rather than simply follow the steps, as I’m trying to learn about routing. Could you please explain why mangle rules and a separate subnet are necessary to get this configured? Aren’t routing policies enough to direct traffic through a selected interface? For example: I specified that only traffic sourced from 192.168.1.9 should go through the VPN, so the rest of the LAN’s IPs shouldn’t be affected, right? I’m a bit confused because everything seems to be working fine: the CCTV is reachable via the static public IP address, traceroute from the router to 8.8.8.8 shows the correct route (not through the VPN), and download speeds are very fast. The issue is that upload speeds are nearly nonexistent, and I don’t understand why only the upload is affected???

Okay, so the CCTV IP address is 192.168.1.9 and is the only IP address on the router that requires access to the L2TP tunnel…
But this is not true, you have port forwarding, so IS IT THE CASE THAT you want to access the CCTV remotely?? Confused,
I thought you wanted to configure the router remotely…

What is the truth here… If for example the CCTV originates traffic, where is it going? To a third-party cloud server?
And you need to do this not through your local WAN IP for some reason but out an L2TP connection to a different public WAN IP?

Describe the traffic flow in more detail.

Apologies for the confusion. I’ll try to keep this as simple as possible. Let’s set aside the remote access for now, as it’s not important here.

As you know, there is one WAN connection provided by Starlink, and I have an L2TP client configured.

The camera has an IP address of 192.168.1.9, and I want to ensure that all traffic to and from the camera is using the L2TP VPN.

All other traffic should use the Starlink connection and not touch the L2TP connection. Hope that makes sense.

The whole purpose of this setup is to have the camera accessible via the public IP address provided by the L2TP connection.

I don’t want to route all traffic through the L2TP, as it would unnecessarily slow down everything. I only want the camera’s traffic to utilize the VPN, while keeping all other traffic on the regular Starlink connection.

Fair enough, now what is on the other end of the L2TP connection?
a. You have a cloud server with a public IP (which OS?)
b. A friend’s router with a public IP
c. ???

Problem is I am unfamiliar with how L2TP works… WireGuard I understand more fully.

In any case for your scenario…
If you can identify the gateway IP of the L2TP interface then what you have done is close.

  1. Remove the dst-nat rules for now and keep the src-nat rule.
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

  2. On the other site, still unknown, is where the port forwarding is set up such that external users using the public IP can reach the server.
    So the other end’s router will need to be configured; it’s impossible to do it all from this MT router…

  3. Confused as you have ether5 on the bridge but ALSO the below, and do not understand where that address came from and is used for???
    /ip dhcp-relay
    add dhcp-server=172.16.0.1 interface=ether5 name=relay1

  4. Not sure why you put distance=5 on the default route connection for your WAN, not required. Since there is no other main table route its meaningless.

  5. Let’s fix the IP routes.
    The primary main route already exists from the ip dhcp-client settings… no other IP routes for Starlink are required, and thus you should remove the recursive stuff going on.
    /ip dhcp-client
    add add-default-route=yes interface=ether1

So we need only be concerned with identifying the route for the special table.
/ip route
add dst-address=0.0.0.0/0 gateway=<L2TP gateway IP address> routing-table=WEBCAM-OVER-VPN

Next, as you have done, we simply use routing rules which will make use of the new route.
/routing rule
add min-prefix=0 action=lookup-only-in-table table=main comment="ensures local traffic requirements met"
add src-address=192.168.1.9 action=lookup-only-in-table table=WEBCAM-OVER-VPN

This covers all traffic originating from 192.168.1.9. Any comms needed with other local interfaces will be allowed to occur, such as you as admin wanting to access the device and the RETURN traffic from the device… All of its other traffic will be captured by the routing rule and will use the special table created.

Since we stated the L2TP was part of the WAN interface list, that means all traffic going out the L2TP interface will be src-natted to the MT’s assigned L2TP IP address.
This should make the traffic appear correctly at the other side. You still have to ensure such traffic is allowed to access the local WAN on the other end, of course.

++++++++++++++++++++++++++++++++++++++++

Now let’s consider the incoming question. Imagine having to deal with any possible public IP on the www reaching your CCTV server by being port forwarded from the other end device into the L2TP tunnel. The easiest thing for us is for the remote site to also src-nat all inquiries from the www (those source addresses) to the single L2TP IP address of the server at the other end, so all traffic will be recognized by the L2TP client settings on the MT router and will be able to reach the LAN server.

If that is not done, then imagine every possible IP address (not sure if allowed in L2TP) could possibly come over the L2TP tunnel, hit the CCTV, and the problem is: where would the return traffic go? Well, currently it would go out the local WAN, and we don’t want that.
In this situation we would HAVE TO mark and mangle the incoming traffic and then route it back out the L2TP tunnel.

So in summary, what is going on at the other end of this connection is critical.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
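As an added, complete example (not code from either poster or from the thread), here is a RouterOS v7 fragment that implements the plan in the reply above: the default route that exists only in the special table, the two routing rules, and, going one step beyond the reply, the mark-and-mangle handling for the "incoming" case in its last section, plus the fasttrack exclusion that case silently depends on. It keeps the thread’s names: the L2TP client interface "Internet Out", the table WEBCAM-OVER-VPN and the camera at 192.168.1.9. The connection-mark name via-l2tp is an assumption of this example, as is using the PPP interface itself as the gateway (RouterOS accepts a point-to-point interface name as the gateway of a route, which is what the original export already does).

```routeros
# Added example for the thread above; RouterOS v7 syntax, not from the original posts.
# Assumptions: L2TP client interface is called "Internet Out" (as in the export),
# the camera is 192.168.1.9, and the connection-mark name "via-l2tp" is ours.

# 0. The special table must exist with a FIB before routes or marks can use it.
/routing table
add name=WEBCAM-OVER-VPN fib

# 1. A default route that lives only in the special table. The main table keeps
#    the Starlink default learned by the DHCP client; nothing else is needed there.
#    Replace the interface name with the tunnel's peer IP if you prefer a numeric gateway.
/ip route
add dst-address=0.0.0.0/0 gateway="Internet Out" routing-table=WEBCAM-OVER-VPN \
    comment="WEBCAM ONLY"

# 2. Routing rules. The first keeps anything that has a specific (non-default)
#    route in main, i.e. LAN-to-LAN and traffic to the router, resolved in main
#    (min-prefix=0 suppresses the 0.0.0.0/0 route from that lookup). The second
#    then forces the camera's own outbound traffic into the special table.
/routing rule
add min-prefix=0 action=lookup-only-in-table table=main \
    comment="specific/local routes always resolve in main"
add src-address=192.168.1.9/32 action=lookup-only-in-table table=WEBCAM-OVER-VPN \
    comment="camera -> L2TP only"

# 3. Incoming case: a connection that ARRIVED through the tunnel (e.g. a dst-nat
#    from the far end) must be answered through the tunnel, whichever LAN host it
#    reached. Remember the connection on its first packet, then put a routing
#    mark on the reply packets as they come in from the LAN. In v7 the routing
#    mark must be the name of an existing routing table.
/ip firewall mangle
add chain=prerouting in-interface="Internet Out" connection-state=new \
    action=mark-connection new-connection-mark=via-l2tp passthrough=yes \
    comment="remember connections that came in over the tunnel"
add chain=prerouting in-interface-list=LAN connection-mark=via-l2tp \
    action=mark-routing new-routing-mark=WEBCAM-OVER-VPN passthrough=no \
    comment="replies to those connections leave via the tunnel"

# 4. Caveat: fasttracked packets bypass mangle entirely, so the reply marking in
#    step 3 would never see them. Keep those connections off the fast path by
#    editing the existing defconf fasttrack rule instead of adding a second one.
/ip firewall filter
set [find comment="defconf: fasttrack"] connection-mark=!via-l2tp

# 5. Source NAT is already covered by the export's masquerade rule, because
#    "Internet Out" is a member of the WAN interface list; nothing to add here.
```

The check after applying this: `/ip route print where routing-table=WEBCAM-OVER-VPN` should show exactly one active default route via the tunnel, and `/routing rule print` should list the min-prefix rule before the camera rule. Traffic from the camera to the internet now hits rule 2; a session that came in over the tunnel to any LAN host carries the via-l2tp mark, skips fasttrack, and gets its reply routed by the mangle mark, so the return path matches the ingress path instead of leaking out Starlink.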