Hello everyone,
We’ve recently got a Mikrotik router and replaced our old Cisco device. The setup went smooth and we had no issues, up till now. I’ve initially setup one WAN connection and setup a L2TP VPN server on it. In this initial setup it worked fine. After a week of trial I decided to move the second ISP line on the device with the ping load balancing flag. This worked well, but it ended up breaking any kind of traffic between the VPN connections and the local network. We only connect through one of the ISP interfaces for VPN and the router is responding to ping and also acting as a good proxy server for internet but I can’t figure out why it won’t allow any traffic with the internal network. The internal network is getting in through a bridge of most ports from various separate switches. I’ve tried all sorts of bad stuff, different ip pools (same network or separate), nat-ing the inbound traffic towards lan, no success whatsoever.
Small note that I’m not a networking engineer, just the dude that had the courage to fiddle with it. Please bear in mind I have only basic knowledge of networking principles.
I’ve attached the device info and the config we are currently running. Any advice would be greatly appreciated.
This is the current running config:
# apr/13/2018 08:31:00 by RouterOS 6.41.3
# software id = HDEV-0E7S
#
# model = CCR1036-8G-2S+
# serial number = 11111111111
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=ether2_lan
set [ find default-name=ether8 ] name=WAN2
/interface list
add name=WAN1l
add name=WAN2l
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
/ip pool
add name=pptp-pool ranges=10.10.99.85-10.10.99.119
add name=pool-vpn ranges=10.10.100.200-10.10.100.220
/ppp profile
add change-tcp-mss=yes local-address=pptp-pool name=pptp-profile \
remote-address=pptp-pool
add change-tcp-mss=yes dns-server=4.4.4.4 local-address=pool-vpn name=\
vpn-profile remote-address=pool-vpn use-encryption=yes
/interface bridge port
add bridge=bridge1 hw=no interface=ether2_lan
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=sfp-sfpplus1
add bridge=bridge1 hw=no interface=sfp-sfpplus2
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes \
ipsec-secret=fIeSXASfl16BicvQgszx2NWBwi4V8xPM max-mru=1460 max-mtu=1460 \
use-ipsec=yes
/interface list member
add interface=WAN1 list=WAN1l
add interface=bridge1 list=LAN
add interface=ether2_lan list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=WAN2 list=WAN2l
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
/ip address
add address=21.22.23.24/22 comment=defconf interface=WAN1 network=21.22.23.0
add address=10.10.100.254/16 interface=ether2_lan network=10.10.0.0
add address=31.32.33.34/29 interface=WAN2 network=31.32.33.32
/ip dhcp-client
add dhcp-options=hostname,clientid interface=WAN1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=forward protocol=gre
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=\
WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 \
new-connection-mark=WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2
add action=accept chain=prerouting dst-address=5.2.148.0/24 in-interface=\
bridge1
add action=accept chain=prerouting dst-address=178.156.192.0/24 in-interface=\
bridge1
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge1 new-connection-mark=WAN1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge1 new-connection-mark=WAN2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
in-interface=bridge1 new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=bridge1 new-routing-mark=to_WAN2
add action=accept chain=prerouting dst-address=0.0.0.0 src-address=\
10.10.99.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=accept chain=srcnat dst-address=10.10.100.0/24 src-address=\
10.10.99.0/24
add action=masquerade chain=srcnat dst-address=0.0.0.0 src-address=\
10.10.99.0/24
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 exchange-mode=main-l2tp \
generate-policy=port-override local-address=10.10.99.1 secret=\
fIeSXASfl16BicvQgszx2NWBwi4V8xPM
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override \
secret=fIeSXASfl16BicvQgszx2NWBwi4V8xPM
/ip ipsec policy
add dst-address=10.10.100.0/32 src-address=10.10.99.0/32
/ip route
add check-gateway=ping distance=1 gateway=21.22.23.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=31.32.33.1 routing-mark=\
to_WAN2
add check-gateway=ping distance=1 gateway=21.22.23.1
add check-gateway=ping distance=2 gateway=31.32.33.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.10.100.0/24
set ssh address=10.10.100.0/24
set winbox address=10.10.100.0/24
/ppp secret
add name=test password=?????? profile=\
pptp-profile
The device info:
version: 6.41.3 (stable)
build-time: Mar/08/2018 11:55:40
factory-software: 6.38.5
free-memory: 15.4GiB
total-memory: 15.9GiB
cpu: tilegx
cpu-count: 36
cpu-frequency: 1200MHz
cpu-load: 0%
free-hdd-space: 883.3MiB
total-hdd-space: 1024.0MiB
architecture-name: tile
board-name: CCR1036-8G-2S+
platform: MikroTik