Tunnel with multiple gateways

Hi,

I have long been using RB very successfully for tunnels and advanced routing and have been delighted. I have always had one problem that I have never been able to solve satisfactorily. A current setup has just raised a situation when a solution to this would be useful.

The problem is simple. I have two (or more) connections to the Internet. One is default gateway and one is used with policy routing for selected traffic. Failover changes the default gateway. I would like to be able to force general Internet traffic in default gateway and tunnels on the non-default gateway. I would also like to be able to split tunnels between the two lines as the tunnel line is now close to capacity.

The question I have been unable to answer is simple. Is there any way to force a tunnel to use a specific gateway? The tunnel to use is not important - I can use PPTP, L2TP, EoIP or IPIP as they are used simply to connect sites. I had thought the local interface in IPIP would work by selecting a command in mangle to tag traffic from the local IP address to add a routing mark, add a route table in routing, then add a routing rule to look up traffic with the route mark in the alternative table, thus changing the gateway. I was unable to get this to work.

Any ideas or suggestions on similar solutions? Any comments would be gratefully received! Thanks in advance for your time and attention.

I have a similar scenario, and what I have done is that all internet traffic leaves the router through the default gateway, and if the main gateway fails then traffic is routed via the second gateway, but at the same time all the traffic between remote sites goes through the IPIP tunnels. I'm using two IPIP tunnels per site, all tunnels are configured with a /30 addressing scheme, the policy based routing is applied with different distances to route traffic through the default gateways and tunnels, and then if needed to fail over to the back-up lines.

I hope this will help you.

Regards.

Faton

Thanks for the reply. It sort of helps and is similar to what I would do for non-tunnel traffic. The problem is how to select the tunnel traffic on a per-tunnel basis for policy routing. Ideally it would be great if RB supported a mangle rule that could identify a tunnel by id. Failing that, IPIP has local and remote addresses. It seems obvious to use source address based policy routing on the output interface, but regardless of the local address used all traffic seems to egress on the default gateway. Any ideas?

What kind of traffic do you want to send through the tunnels, Internet, VPN?

Traffic through the tunnels will be VPN inter-site. Routing that traffic is not a problem and if I have an active tunnel I can policy route that easily. The problem is ensuring the tunnels use different gateways and I cannot see any easy way to do this. Ideally I would like to bind the local tunnel endpoint to a specific IP address and route based on egress IP address but I cannot see an option for this.

If you want to route traffic back out the same IP / interface it came in on then you can use the dst-nat redirect action on L2TP, I believe. Tell port udp/1701 to redirect to localhost:1701. This puts it into the connections table and then NAT will work on the way back out. We run this setup now, the VPN server has multihomed NICs and IPs, and the clients stay on the IP they connected to.

That does indeed work but depends on one end being able to initiate the connection. The problem is I have the same setup at each site - one DSL line for Internet and one for VPN. I need to ensure the default gateway is the general line and that VPN traffic uses the VPN line. That means being able to route traffic originating from the router onto a specific line. To make it more awkward there are also VPNs on the main line. I need to be able to select and allocate one specific VPN to the VPN line.

Ideally I would like to be able to select the output interface based on the tunnel id. Failing this I would like to be able to bind a tunnel to a specific local IP address. I thought IPIP would allow this, but even when I set the local IP address it appears to egress on the default gateway.

Can you just put here a simple drawing of what you intend to do? Do you get static IPs from your ISP, or are IPs obtained automatically?

I will post my setup with all the configuration later.

Regards.

Faton

I will draw something up shortly - I appreciate the comments.

A brief overview - IP addresses are fictional but typical of what we have. Each DSL line has a routed /30 with static IP addresses. No firewalls or NAT at DSL routers - RB sees real IP addresses.

Site 1

DSL Line 1: 1.1.1.0/30 RB is 1.1.1.1 gateway is 1.1.1.2
DSL Line 2: 1.1.1.4/30 RB is 1.1.1.5 gateway is 1.1.1.6

Default Gateway on RB is 1.1.1.1 and DSL Line 1 is the main Internet link

Site 2

DSL Line 1: 1.1.2.0/30 RB is 1.1.2.1 gateway is 1.1.2.2
DSL Line 2: 1.1.2.4/30 RB is 1.1.2.5 gateway is 1.1.2.6

Default Gateway on RB is 1.1.2.1 and DSL Line 1 is the main Internet link

I want to establish two tunnels from each site.

One tunnel is to other sites - in this case offsite backup. This works fine and is a simple tunnel on the main Internet line. It is used “outside hours” so the traffic is not a problem. This is allocated to line 1 at each site and default gateway takes care of routing.

I want a tunnel between site 1 and site 2 and I want this routed over DSL Line 2.

I would prefer not to route based on destination IP address as there is a possibility I will later link the two sites to a head office site and this may need two tunnels (one on each line) with load balance as head office has much higher capacity than the satellite offices.

Ideally I want to be able to select the line for egress based upon the source IP address at the local router.

I wanted to set up tunnels as follows

1.1.1.5 — gw 1.1.1.6 — tunnel — gw 1.1.2.6 — 1.1.2.5

I had hoped to be able to set up an IPIP tunnel at each site using the following (reversed at the remote end)

Local IP: 1.1.1.5
Remote IP: 1.1.1.6

I have a mangle rule inserted that route-marks traffic from 1.1.1.5, then a route that has a default gateway of 1.1.1.6 for route-marked traffic, and finally a route rule to ensure lookup in the relevant routing table for route-marked traffic.

Here is my setup, I hope it will help you.

Router1
ISP1 Interface: 10.128.1.100/24 gateway 10.128.1.1
ISP2 Interface: 10.255.1.100/24 gateway 10.255.1.1
Local Interface: 192.168.1.1/24

Remote Router
ISP1 Interface: 10.24.1.150/24 gateway 10.24.1.1
ISP2 Interface: 10.240.1.50/24 gateway 10.240.1.1
Local Interface: 192.168.2.1/24

Tunnel1 on router1
local address: 10.255.1.100
remote address: 10.240.1.50
IP address of the tunnel 10.0.0.1/30
Tunnel mode IPIP

Tunnel2 (failover) on router1
local address: 10.128.1.100
remote address: 10.24.1.150
IP address of the tunnel 10.0.0.1/30
Tunnel mode IPIP

Tunnel1 on remote router
local address: 10.240.1.50
remote address: 10.255.1.100
IP address of the tunnel 10.0.0.2/30
Tunnel mode IPIP

Tunnel2 (failover) on remote router
local address: 10.24.1.150
remote address: 10.128.1.100
IP address of the tunnel 10.0.0.1/30
Tunnel mode IPIP

The routes on router1 are:
dst-address=0.0.0.0/0 gateway=10.128.1.1 routing-mark=Internet check-gateway=ping
dst-address=0.0.0.0/0 gateway=10.255.1.1 routing-mark=Internet distance=50 check-gateway=ping
dst-address=10.240.1.50 gateway=10.255.1.1
dst-address=10.24.1.150 gateway=10.128.1.1
dst-address=192.168.2.0/24 gateway=10.0.0.2 routing-mark=VPN check-gateway=ping
dst-address=192.168.2.0/24 gateway=10.0.0.2 routing-mark=VPN distance=50 check-gateway=ping

The routes on the remote router are:
dst-address=0.0.0.0/0 gateway=10.24.1.1 routing-mark=Internet check-gateway=ping
dst-address=0.0.0.0/0 gateway=10.255.1.1 routing-mark=Internet distance=50 check-gateway=ping
dst-address=10.255.1.100 gateway=10.24.1.1
dst-address=10.128.1.100 gateway=10.255.1.1
dst-address=192.168.1.0/24 gateway=10.0.0.1 routing-mark=VPN check-gateway=ping
dst-address=192.168.1.0/24 gateway=10.0.0.1 routing-mark=VPN distance=50 check-gateway=ping

Routing mark VPN marks the traffic from the local LAN to the remote LAN and vice versa, while the routing mark Internet marks all other traffic.

Regards.

Faton

Thanks for the reply and detailed summary. That looks very similar to what I am looking to achieve.

I had not been using IPIP tunnels as I have tended to prefer the use of EoIP for some situations where I occasionally need to use a bridge. However, in those situations I could run the EoIP over IPIP and then apply the bridge.

When you use this system does selecting the local IP address on the tunnel ensure the traffic leaves from that local interface?

Do you need to apply routing rules to ensure traffic from a specific local IP address leaves the router on the gateway assigned to that interface rather than the default gateway?

I have set up a test system to debug the setup and will apply these ideas later today. I will feed back the results.

Thanks again - help and comments are much appreciated!

Q: When you use this system does selecting the local IP address on the tunnel ensure the traffic leaves from that local interface?
I always use static routes for remote peers, so that ensures that you will reach the remote peer through the next hop you want.

Q: Do you need to apply routing rules to ensure traffic from a specific local IP address leaves the router on the gateway assigned to that interface rather than the default gateway?
What I do is that I only apply routing rules to separate internet traffic from VPN traffic, and route them through the appropriate interface.

If you run EoIP through IPIP, make sure you adjust the MTU, since you may face some MTU issues.

Regards.

Faton
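Faton's router1 configuration above, and his later explanation that static routes to the remote peers are what keep each tunnel on its line, rebuilt as RouterOS commands (an added example, not configuration posted in the thread). Interface names, the second tunnel's /30 (10.0.0.4/30 instead of the duplicate 10.0.0.0/30), and the mangle rules that apply the VPN and Internet marks are assumptions; the addresses are the constructed ones from the post.

```routeros
# Added example, not from the thread. Assumed interface names: ether1-isp1, ether2-isp2, ether3-lan.
/ip address
add address=10.128.1.100/24 interface=ether1-isp1
add address=10.255.1.100/24 interface=ether2-isp2
add address=192.168.1.1/24 interface=ether3-lan

# IPIP tunnels. local-address only fixes the outer source IP of the encapsulated packets;
# which DSL line they leave on is decided by the route to remote-address (see host routes below).
/interface ipip
add name=ipip-vpn local-address=10.255.1.100 remote-address=10.240.1.50
add name=ipip-vpn-backup local-address=10.128.1.100 remote-address=10.24.1.150
/ip address
add address=10.0.0.1/30 interface=ipip-vpn
add address=10.0.0.5/30 interface=ipip-vpn-backup   # assumption: separate /30 for the backup tunnel

/ip route
# Host routes to the remote peers: these pin tunnel1 to ISP2 and tunnel2 to ISP1.
add dst-address=10.240.1.50/32 gateway=10.255.1.1
add dst-address=10.24.1.150/32 gateway=10.128.1.1
# General Internet traffic: ISP1 preferred, ISP2 takes over when ISP1's gateway stops answering pings.
add dst-address=0.0.0.0/0 gateway=10.128.1.1 routing-mark=Internet check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.255.1.1 routing-mark=Internet distance=50 check-gateway=ping
# Site-to-site traffic: primary tunnel first, backup tunnel (far end 10.0.0.6 under the assumed /30) on failure.
add dst-address=192.168.2.0/24 gateway=10.0.0.2 routing-mark=VPN check-gateway=ping
add dst-address=192.168.2.0/24 gateway=10.0.0.6 routing-mark=VPN distance=50 check-gateway=ping

# Mangle rules implementing "VPN marks LAN-to-remote-LAN traffic, Internet marks all other traffic".
# Faton describes the marks but does not show the rules; this is an assumed implementation.
/ip firewall mangle
add chain=prerouting src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    action=mark-routing new-routing-mark=VPN passthrough=no
add chain=prerouting src-address=192.168.1.0/24 \
    action=mark-routing new-routing-mark=Internet passthrough=no

# IPIP has no authentication or encryption, so only accept encapsulated packets (protocol 4,
# "ipencap" in RouterOS) from the two known peers and drop any other IPIP reaching the router.
/ip firewall filter
add chain=input protocol=ipencap src-address=10.240.1.50 action=accept
add chain=input protocol=ipencap src-address=10.24.1.150 action=accept
add chain=input protocol=ipencap action=drop
```

The remote router mirrors this with the local and remote addresses swapped and the host routes pointing at its own ISP gateways. Traffic the router itself originates (including the IPIP encapsulation) is not touched by the prerouting mangle rules, which is why the per-peer host routes, not the mangle marks, decide the tunnel's egress line.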

I have also used static routes to reach remote peers and that has worked fine. However, that raises the problem with the head office connection I mentioned. Head office has one high speed link and I need two tunnels from the remote office terminated on the same IP address at the head office. This means I cannot use static routing to direct traffic via the correct local gateway. This is the main reason I had been interested

On the Linux and Cisco routers that I use, all traffic by default leaves by the interface that locally sourced or terminated the traffic. If traffic arrives on a connection it leaves on the same connection, and I can also set up tunnels that bind to the correct local address and thus leave on the correct gateway. I have been trying to simulate this behaviour on RB. I am quite sure it can be done - I just have not figured it out yet!

Tucker, have you found a solution yet?
I've a similar issue, posted here: http://forum.mikrotik.com/t/multiple-l2tp-tunnels/27042/1