Upgrade to RouterOS 7 broke a few things: firewall rules, routes and L2TP.
I fixed the L2TP tunnel.
I have phones that are on 172.16.19.0/24 and computers that are on 192.168.2.0/24.
The computers are going through the L2TP, which is right. But the phones are going through there too.
The phones should be going right to the internet, not through the L2TP tunnel. How do I get the phones to go right to the internet?
To make devices in one subnet use one WAN, and devices in another subnet use another WAN, routes alone are not sufficient - you must use VRF (if feasible) or policy routing, i.e. multiple routing tables and, in case of policy routing, routing rules or firewall mangle rules matching on source address and telling the packets which routing table to use.
So if it worked before upgrade to RouterOS 7 and now it doesn’t, some part of that configuration must have not been converted properly, or, as has been reported multiple times here, part of the configuration got lost on reboot.
Can’t say more without seeing the full export of the config (see my automatic signature below, hide-sensitive must not be used as it is the default in ROS 7 that can be overridden by show-sensitive - not required here).
Well, I have read some other posts that VRFs are not working after upgrading to OS7 and they can't get them working again. So what would you do to route phones to the WAN without using VRF, unless you think you can get VRF working again?
As someone has pointed out in the first thread you’ve linked, VRF in Mikrotik is just another way of assigning the routing mark (routing table name) - you define each virtual router by a list of interfaces that belong to it and the routing table name. What RouterOS does is that it assigns the routing table name to use to a packet as soon as it enters it via an interface (and if you attach an IP subnet to an interface, the route to that connected subnet is automatically added to the corresponding routing table).
As this apparently doesn’t work in ROS 7, you have to assign the routing marks some other way. The simplest one is to use routing rules:
and, of course, you have to add the corresponding routing tables, each containing only a single default route via the correct gateway.
I had an impression that you had it working in ROS 6 and it got broken by the upgrade. So the easiest way to me seemed to be to fix what has already been there, but now it seems as if you are starting from scratch?
It was working on its own. I did not have to set any routing rules or VRF. It just worked. The stuff that we wanted to go out to the WAN did and the stuff that we wanted to go to the L2TP tunnel did. We just added it to the route list. The only thing I can think of is: this is on the L2TP server side.
Maybe I’ve misunderstood the requirement. My understanding was that the computers and phones are connected to a different LAN subnet of the router each, and you want each group to use a different “WAN” of the router (one of the WANs actually being an L2TP tunnel) to get to the internet.
If you had in mind that the PCs and the phone were L2TP clients, and you want the phone to access only the LAN subnets of the router via L2TP but get to internet directly, not via the tunnel and the router, I don’t know any mechanism allowing that in ROSv6 with L2TP on a phone, so I don’t get how that could be working before unless controlled by a setting at the phone client.
So we have 1 HQ and 2 sites, or offices if you want to think of it that way.
Both sites connect to HQ using MikroTik routers (RB750G r2), so the tunnels are established using the routers.
The phones are IP phones using VOIP.
Before we upgraded site1, the IP phones were going out right to the WAN port. But after the upgrade everything is going through the L2TP tunnel, which would be fine if the internet was more reliable.
I had to put this in on the HQ router to get the phones to work since they want to go through the tunnel:
/ip route
add comment="Site1 Phones" disabled=no distance=1 dst-address=172.16.19.0/24 gateway=192.168.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
So it turns out I did get it right initially after all, i.e. that the OP describes the requirements on Site 1 and/or Site 2 where the intention is that the phones use the local gateway to get to the internet whereas the computers either do not get to internet at all or use the HQ’s internet connection?
But then this may be the key question - are the computers supposed to get to internet at all, or can they talk only to the HQ (and maybe use a http proxy there to get further to the internet)?
Because if a computer should ping an address in the internet via L2TP, but a phone should ping the same address in the internet directly via a WAN gateway, there is no other way than to use two distinct routing tables and some rules that determine which of the routing tables to use based on something else than the destination address alone - in particular, in-interface or src-address.
So I can only imagine it worked before by mere routes in a single routing table (i.e. with no need for routing marks) if the default route was via the WAN gateway, and routes to all private ranges were via L2TP, whilst the phones didn’t need to talk to private ranges whereas the computers didn’t need to talk directly to internet.
Could it be that simple?
If so, the only thing you need is to set add-default-route to no in the /interface l2tp-client row, so that it would stop adding a default route via itself. Which probably was like that in 6.x, and the configuration conversion might have broken it.
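A worked RouterOS 7 configuration for the site router that puts together the two points made above: add-default-route=no on the L2TP client so the tunnel stops installing its own default route, and the routing-table plus routing-rule setup from earlier in the thread so the phone subnet uses the local WAN while the computers keep using the tunnel. This is an added example, not config posted in the thread; the interface names ether1 and l2tp-out1 and the gateway address 203.0.113.1 are assumptions.

```routeros
# Added example, not from the thread. Assumed: WAN interface ether1 with
# gateway 203.0.113.1 (constructed address), L2TP client named l2tp-out1.
# Phones: 172.16.19.0/24 -> local WAN.  Computers: 192.168.2.0/24 -> L2TP.

# 1. Stop the L2TP client from installing a default route via itself on
#    every (re)connect; the routes below are managed explicitly instead.
/interface l2tp-client set [find name=l2tp-out1] add-default-route=no

# 2. Main table: computers (and anything unmatched) default via the tunnel
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-table=main comment="computers: internet via HQ tunnel"

# 3. Second routing table, installed into the FIB, holding only a default
#    route via the local WAN gateway
/routing table add name=phones-wan fib
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=phones-wan comment="phones: internet via local WAN"

# 4. Routing rule matched on source address: phone traffic consults only
#    phones-wan (lookup-only-in-table never falls back to main, so the
#    phone subnet cannot end up in the tunnel even if the tunnel re-adds
#    a route). The thread says the phones do not need the private ranges.
/routing rule add src-address=172.16.19.0/24 action=lookup-only-in-table table=phones-wan comment="Site1 phones -> WAN"

# 5. Source NAT for the phone subnet leaving ether1 (skip if a masquerade
#    rule for ether1 already exists)
/ip firewall nat add chain=srcnat src-address=172.16.19.0/24 out-interface=ether1 action=masquerade

# Checks: exactly two default routes, one per table, and the rule is active
/ip route print where dst-address=0.0.0.0/0
/routing rule print
```

After the L2TP client reconnects, the first check should still list only the two explicit default routes; a third one via l2tp-out1 means add-default-route did not take effect.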
whereas the computers either do not get to internet at all or use the HQ’s internet connection?
And yes, the computers do get internet and use the HQ internet connection.
And the computers can ping each other via L2TP.
I will try to go to those sites tomorrow and set the default route to no, just in case it breaks and I can turn it back on.
I will let you know what happens.