VPN connection using 2 WAN connections

Hi Guys

I am having problems connecting to a VPN server when I have both WAN connections enabled.

Current setup is as follows

WAN1--Netgear ADSL Router-----\
                               |------MT-----ether1
WAN2--Netgear ADSL Router-----/

I have added a mangle rule to mark the connection for port 1723 and also set up a routing mark. If I disable WAN2 I can connect with VPN fine. If I enable WAN2 I cannot connect in consistently.

Basically I need to route all VPN traffic in and out over the same interface.


Thanks Mark

Just use a static route for your VPN server out the one gateway.

i.e.

/ip route add dst-address=x.x.x.x (VPN server) gateway=x.x.x.x (WAN1 or WAN2)

Hi Jwcn,

Not sure what you are trying to say. The VPN server is actually the MT router. I am trying to connect in to the MT so I can maintain the network. If I add the static route, this will only route all traffic over that connection, which is not what I am trying to do.

The problem, as I see it, is that when both WAN interfaces are enabled the MT seems to have a problem with routing the VPN connection back out to the correct WAN interface.

I also want to set up an EoIP connection to all of the other MTs as well, but I can't until I solve this problem.

Here are the current rules:

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=vpn passthrough=yes in-interface=WAN1 dst-port=1723 protocol=tcp comment="VPN routing" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=vpn_pkt passthrough=yes connection-mark=vpn comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark=vpn_routing passthrough=yes packet-mark=vpn_pkt comment="" disabled=no

/ip route
add dst-address=0.0.0.0/0 gateway=172.22.1.1 pref-src=172.22.1.100 scope=255 target-scope=10 routing-mark=vpn_routing comment="VPN Routing" disabled=no

/ip route rule
add routing-mark=vpn_routing interface=WAN1 action=lookup table=vpn_routing comment="" disabled=no

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=172.100.1.1 to-ports=0-65535 in-interface=WAN1 dst-address=172.22.1.100 dst-port=1723 protocol=tcp comment="" disabled=no


I don't know what else to do...

Thanks Mark
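The rules in the post above all sit in chain=prerouting, but prerouting only sees packets arriving at the router. When the router itself is the VPN server, its replies are locally generated and pass through chain=output instead, so a routing mark set in prerouting is never applied to them and the default route picks whichever WAN it likes. The configuration below is an added example, not the poster's configuration, showing the usual RouterOS pattern for this: remember the inbound interface on the connection (chain=input), then set the routing mark on the router's own replies (chain=output). It uses the v6-style routing-mark= route syntax the thread uses; the interface names WAN1/WAN2 and the WAN2 gateway 172.22.2.1 are assumptions. It generalizes beyond tcp/1723 on purpose: because the input rule is not restricted to a port or protocol, it also covers the GRE leg of PPTP and any other service the router hosts.

```routeros
# Added example (not from the original post). RouterOS v6-style syntax.
# Assumed names/addresses: interfaces WAN1 and WAN2, WAN1 gateway 172.22.1.1
# (from the thread), WAN2 gateway 172.22.2.1 (made up for the example).

/ip firewall mangle
# 1. Tag each NEW connection terminating on the router with the WAN it came in on.
#    chain=input is where traffic to the router's own services (PPTP tcp/1723,
#    GRE, WinBox, SSH, ...) is seen; no port match, so GRE is covered too.
add chain=input in-interface=WAN1 connection-state=new action=mark-connection new-connection-mark=in_wan1 passthrough=no comment="Inbound via WAN1"
add chain=input in-interface=WAN2 connection-state=new action=mark-connection new-connection-mark=in_wan2 passthrough=no comment="Inbound via WAN2"

# 2. Replies the router generates for those connections traverse chain=output,
#    never prerouting, so the routing mark has to be applied here.
add chain=output connection-mark=in_wan1 action=mark-routing new-routing-mark=via_wan1 passthrough=no comment="Reply via WAN1"
add chain=output connection-mark=in_wan2 action=mark-routing new-routing-mark=via_wan2 passthrough=no comment="Reply via WAN2"

/ip route
# 3. One default route per routing mark, each pinned to the matching WAN gateway.
#    In v6 a route with routing-mark= lands in that table automatically;
#    no /ip route rule is needed for the marks to be looked up.
add dst-address=0.0.0.0/0 gateway=172.22.1.1 routing-mark=via_wan1 comment="Table for replies via WAN1"
add dst-address=0.0.0.0/0 gateway=172.22.2.1 routing-mark=via_wan2 comment="Table for replies via WAN2"

# 4. Checks while a client is connecting:
#    /ip firewall connection print where connection-mark=in_wan1
#    /ip route print where routing-mark=via_wan1
#    /ip firewall mangle print stats
#    The connection should carry in_wan1/in_wan2, and the chain=output
#    mark-routing counters should increase as replies leave the router.
```

Order matters inside the mangle table: the connection-mark rules must come before anything that would skip them, and passthrough=no stops further rules from re-marking the same packet. Connections that arrived on a LAN interface get no mark and keep using the normal default route, so ordinary outbound traffic is unaffected.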

Ahh, I understand now. You have two WAN addresses. You probably can't ping both when they are both active? I thought this was for outgoing connections, not incoming.