VPN with 2 WAN with failover

Hi, I have set up 2 WAN with the failover option (DSL - backup and LTE - primary). DSL has a static IP, so I could connect my laptop through the VPN network using this connection. But DSL works only if LTE is down. How could I set routing to be able to get through the MikroTik using the DSL connection when LTE is up and working?




Hi,

Did you try setting distance=1 to primary and distance=2 to backup in /ip route?

Mark incoming connections, and mark routing based on the connection marks.
Create default gateways for those routing marks.

Probably like this:

/ip firewall mangle
add action=mark-connection chain=input comment="DSL in -> DSL out" in-interface=ether1-DSL new-connection-mark=DSL_conn passthrough=yes
add action=mark-routing chain=output comment="DSL in -> DSL out" connection-mark=DSL_conn new-routing-mark=DSL_traffic passthrough=no
add action=mark-connection chain=input comment="LTE in -> LTE out" in-interface=ether2-LTE new-connection-mark=LTE_conn passthrough=yes
add action=mark-routing chain=output comment="LTE in -> LTE out" connection-mark=LTE_conn new-routing-mark=LTE_traffic passthrough=no
add action=mark-connection chain=forward comment="DSL in -> DSL out forward" connection-state=new in-interface=ether1-DSL new-connection-mark=DSL_pfw passthrough=no
add action=mark-routing chain=prerouting comment="DSL in -> DSL out forward" connection-mark=DSL_pfw in-interface=LAN new-routing-mark=DSL_traffic passthrough=no
add action=mark-connection chain=forward comment="pfw LTE, out LTE" connection-state=new in-interface=ether2-LTE new-connection-mark=LTE_pfw passthrough=no
add action=mark-routing chain=prerouting comment="pfw LTE, out LTE" connection-mark=LTE_pfw in-interface=LAN new-routing-mark=LTE_traffic passthrough=no

/ip route
add distance=1 gateway=<DSL gateway> routing-mark=DSL_traffic
add distance=1 gateway=<LTE gateway> routing-mark=LTE_traffic

-Chris

How can I set it if this is a variable address?

Specify the interface, not the gateway address.
-Chris

It seems something is blocking the connection.

Here you have IP FIREWALL config:

/ip firewall filter
add chain=input comment="allow gre protocol for 47" protocol=gre
add chain=input comment="allow gre protocol for 47" dst-port=47 protocol=tcp
add chain=input comment="allow tcp 1723 for VPN" dst-port=1723 in-interface=DSL protocol=tcp
add chain=input comment="allow tcp 1723 for VPN" dst-port=1723 in-interface=DSL log=yes protocol=udp

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1723 in-interface=DSL log=yes protocol=tcp to-addresses=1 to-ports=1723

What else I should change to be able to connect from outside?

Remove your dst-nat rule. Useless (you’re running the server on your router), pointless (to-addresses=1) and most likely constraining you from success.
And you can easily remove a couple of filter rules, all you need is tcp/1723 and GRE. Nothing more.
-Chris

I've done it, however I still receive the same message from Windows 10:

"The network connection between your computer and the VPN server was interrupted. This can be caused by a problem in the VPN transmission and is commonly the result of internet latency or simply that your VPN server has reached capacity."

If I connect from my LAN there's no problem. I assume there's no problem with the VPN configuration on the client side (Windows 10).

I have the same problem.

This is the error in the log:

11:24:35 firewall,info dstnat: in:2-Wan out:(none), src-mac 06:f5:03:fe:99:a4, proto TCP (SYN), 177.85.250.69:57580->192.168.25.2:1723, len 60


My config:

RouterOS 6.39.1

Interface 1-Wan = WAN1
Interface 2-Wan = WAN2
Interface 3-Rede = Lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="Block Facebook" content=facebook.com disabled=yes protocol=tcp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=1-Wan
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=1-Wan
add chain=input comment="allow tcp 1723 for VPN" dst-port=1723 in-interface=2-Wan protocol=tcp
add chain=input comment="allow tcp 1723 for VPN" dst-port=1723 in-interface=2-Wan log=yes protocol=udp
add action=accept chain=input in-interface=2-Wan protocol=gre

/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=1-Wan new-connection-mark=WAN1_connection
add action=mark-connection chain=prerouting in-interface=2-Wan new-connection-mark=WAN2_connection
add action=mark-routing chain=prerouting connection-mark=WAN1_connection in-interface=3-Rede new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_connection in-interface=3-Rede new-routing-mark=to_WAN2
add action=mark-routing chain=output new-routing-mark=to_WAN1 passthrough=yes src-address=192.168.100.1
add action=mark-routing chain=output new-routing-mark=to_WAN2 passthrough=yes src-address=192.168.25.1

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=1-Wan
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=0.89.168.192-255.89.168.192
add action=masquerade chain=srcnat out-interface=1-Wan
add action=masquerade chain=srcnat out-interface=2-Wan
add action=dst-nat chain=dstnat dst-port=1723 in-interface=2-Wan log=yes protocol=tcp to-addresses=192.168.10.1 to-ports=1723

/ip firewall service-port
set pptp ports=1723

/ip route
add check-gateway=ping distance=1 gateway=192.168.100.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.25.1 routing-mark=to_WAN2
add comment="1-Copel route" distance=1 gateway=192.168.100.1
add check-gateway=ping distance=1 gateway=192.168.100.1
add check-gateway=ping distance=2 gateway=192.168.25.1

Any solution ?
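The following is an added, worked version of the "mark the connection on the way in, route the reply by the mark" recipe Chris gave earlier in the thread, written out for the interface names and gateway addresses of the last post. It is not either poster's configuration. Beyond what the posts state, it assumes: the LAN behind 3-Rede, a PPTP address pool of 192.168.89.0/24 (the posted masquerade range 0.89.168.192-255.89.168.192 reads as that network with the octets reversed), and that the router's own address on 2-Wan is 192.168.25.2, which is what the logged dstnat line shows as the destination of the tcp/1723 SYN. The three points where it differs from the posted config are commented in place: the output-chain routing marks key on the connection mark instead of a src-address equal to the gateway (the router never sends from 192.168.25.1), the dst-nat of tcp/1723 to 192.168.10.1 is dropped because the PPTP server terminates on the router, and GRE is accepted as IP protocol 47 rather than as a port.

```routeros
# Added example, not either poster's configuration. RouterOS 6.x syntax,
# interface names from the last post. Assumed (not on the page): PPTP pool
# 192.168.89.0/24, router address 192.168.25.2 on 2-Wan, LAN behind 3-Rede.

/interface list
add name=WAN
/interface list member
add list=WAN interface=1-Wan
add list=WAN interface=2-Wan

# PPTP server on the router itself, handing out the assumed pool.
/ip pool
add name=vpn-pool ranges=192.168.89.2-192.168.89.254
/ppp profile
set default-encryption local-address=192.168.89.1 remote-address=vpn-pool
/interface pptp-server server
set enabled=yes default-profile=default-encryption

/ip firewall mangle
# Connections that terminate on the router (chain=input) are marked by the
# WAN they arrived on; the router's own replies (chain=output) are routed by
# that connection mark. Matching src-address=192.168.25.1 in the output chain
# can never work: that is the gateway's address, not the router's.
add chain=input in-interface=1-Wan action=mark-connection new-connection-mark=WAN1_in passthrough=yes
add chain=input in-interface=2-Wan action=mark-connection new-connection-mark=WAN2_in passthrough=yes
add chain=output connection-mark=WAN1_in action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=output connection-mark=WAN2_in action=mark-routing new-routing-mark=to_WAN2 passthrough=no
# Forwarded (port-forwarded) connections: mark only the first packet of a new
# connection from a WAN, then route the LAN host's replies by the mark. A
# prerouting mark without connection-state=new stamps LAN->WAN flows as well.
add chain=forward in-interface=1-Wan connection-state=new action=mark-connection new-connection-mark=WAN1_fwd passthrough=yes
add chain=forward in-interface=2-Wan connection-state=new action=mark-connection new-connection-mark=WAN2_fwd passthrough=yes
add chain=prerouting in-interface=3-Rede connection-mark=WAN1_fwd action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting in-interface=3-Rede connection-mark=WAN2_fwd action=mark-routing new-routing-mark=to_WAN2 passthrough=no

/ip route
# One default route per routing mark, then the main table's primary/backup pair.
add gateway=192.168.100.1 routing-mark=to_WAN1 check-gateway=ping distance=1
add gateway=192.168.25.1 routing-mark=to_WAN2 check-gateway=ping distance=1
add gateway=192.168.100.1 check-gateway=ping distance=1 comment="primary (1-Wan)"
add gateway=192.168.25.1 check-gateway=ping distance=2 comment="backup (2-Wan)"
# A WAN whose gateway address changes (LTE, PPPoE) takes the interface name:
# add gateway=2-Wan routing-mark=to_WAN2 distance=1

/ip firewall nat
# Masquerade per WAN. No dst-nat for tcp/1723: the PPTP server lives on the
# router, and a dst-nat to 192.168.10.1 hands the handshake to a LAN host.
add chain=srcnat out-interface=1-Wan action=masquerade
add chain=srcnat out-interface=2-Wan action=masquerade

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
# PPTP control channel on tcp/1723 plus GRE. GRE is IP protocol 47, not a TCP
# or UDP port. /ip firewall service-port pptp must stay enabled so the GRE
# flow is tracked as related to the control connection.
add chain=input in-interface-list=WAN protocol=tcp dst-port=1723 action=accept
add chain=input in-interface-list=WAN protocol=gre action=accept
add chain=input in-interface=3-Rede action=accept
add chain=input action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN connection-nat-state=!dstnat connection-state=new action=drop
# Keep fasttrack disabled, as in the posted config, while mangle marks
# forwarded traffic: fasttracked packets skip the mangle rules.
```

To check the result from the router, `/ip firewall connection print detail` should show the inbound tcp/1723 connection carrying the WAN2_in mark, and `/ip route print where routing-mark=to_WAN2` the route its replies use; with the posted dst-nat rule in place, the `dstnat:` log line above is what you see instead, because the SYN is being redirected before it reaches the router's own PPTP server. One caveat outside the thread's scope but worth stating: PPTP authenticates with MS-CHAPv2, whose handshake is recoverable offline, so the same mangle and route rules are better paired with an L2TP/IPsec server on the router, accepting udp/500, udp/4500 and ipsec-esp on the WAN list instead of tcp/1723 and GRE.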