DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Force L2TP (IPsec) tunnel over a specific WAN interface

Wed Dec 23, 2020 6:32 pm

So I have two ISPs, both are members of the "WAN" interface list in Interface > List.

I have ExpressVPN configured with L2TP+IPsec with NAT/policy routing for the LAN and it works as expected.

But by default RouterOS picks the shortest route to establish the tunnel and that's WAN1. I've tried with mangle to force the L2TP tunnel over WAN2 but it simply does nothing and keeps using the shortest route, aka WAN1. Any ideas on how to work around this?

Also, the freshly created L2TP client is now added to the "WAN" interface list, as I think it makes more sense than putting it on "LAN": it is a VPN over the WAN where LAN traffic goes through the VPN, hence it acts as a WAN itself. Maybe this is wrong though?
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over a specific WAN interface  [SOLVED]

Wed Dec 23, 2020 6:51 pm

1) Fill the src-address field in l2tp-client.
2) Use /ip route rule (lookup-only-in-table) to force connections originated from this ip to desired routing table.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Wed Dec 23, 2020 7:21 pm

> 1) Fill the src-address field in l2tp-client.
> 2) Use /ip route rule (lookup-only-in-table) to force connections originated from this ip to desired routing table.

ExpressVPN does not support static server IPs. They use DDNS-based hostnames and the IPs change in every session. It is a commercial VPN after all.

Any workaround?
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Wed Dec 23, 2020 8:24 pm

src-address :)
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Wed Dec 23, 2020 8:33 pm

> src-address :)

Just what exactly do I use for the src-address in the L2TP client? Both my WANs are dynamic IPs over PPPoE.

I tried using something random/unused like "192.168.3.1" but that resulted in errors:
phase1 negotiation failed due to send error. 192.168.3.1[500]<=>45.56.157.40[500] 2bf06a1def2a7095:0000000000000000
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Wed Dec 23, 2020 8:41 pm

Two possibilities:
1) Create a loopback interface (empty bridge) and assign this random/unused address there. That should work.
2) Add a script to PPP profile used for PPPoE to update the address in l2tp-client and route rule any time it changes.

Anyway, try to make it work with your current dynamic WAN address first.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Wed Dec 23, 2020 8:51 pm

> Two possibilities:
> 1) Create a loopback interface (empty bridge) and assign this random/unused address there. That should work.
> 2) Add a script to PPP profile used for PPPoE to update the address in l2tp-client and route rule any time it changes.
>
> Anyway, try to make it work with your current dynamic WAN address first.

I already have load balancing in place. Is there any way to intercept the L2TP initial connection/handshake using mangle/mark-connection rules instead? That would simplify this issue greatly.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Wed Dec 23, 2020 10:17 pm

You can try, if it's the only L2TP connection originated by the router.
The mangle output and srcnat chains are at your service.
But I don't see in what way it is simpler.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Thu Dec 24, 2020 9:16 am

> You can try, if it's the only l2tp connection originated by the router.
> Mangle output and srcnat chains are at your service.
> But I don't see in what way is it simpler.

Yeah, so I went with the null-bridge method, it works!

Basically, I created a null bridge, then in IP > Address List I added a non-existent network and a single static IP on it, and used said IP for the L2TP client.

1. I used "lookup" instead of "lookup only" in IP > Routes to give it redundancy/failover, which works relatively well but is not that "fast" in switching between the available tables; it takes some time. Any workarounds?
2. But how does this null-bridge/non-existent-network/static-address trick work? I would like to understand it fundamentally.
3. Also, I set the VPN client as "WAN" instead of "LAN" in the interface list to get it treated accordingly by the firewall filters. That's logical, right?
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Thu Dec 24, 2020 11:03 am

1) You can create a second L2TP tunnel through the second WAN connection the same way and revert to lookup-only-in-table for both of them: switching routes between two tunnels will be much faster than rebuilding the tunnel. Especially if OSPF + BFD can be used on top of that.
2) You need this address for two things: to choose the right route from the very moment the packet is created, and to create a valid IPsec policy.
Some random address works because it will be src-nated anyway, and assigning it to any interface makes it valid.
A loopback bridge is just as good a place for it as any other, with the addition that it won't interfere with the behaviour of other interfaces. And it does not depend on them working.
3) That is totally up to you and depends on what is located on the other side of the tunnel.
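Added example (editor's, not configuration posted by xvo or anyone else in the thread) that puts xvo's first answer above (src-address on the l2tp-client plus a lookup-only-in-table route rule) and the loopback-bridge explanation in this post together as one complete RouterOS v6 configuration. The interface name pppoe-wan2, the routing-table name to_WAN2, the loopback address 10.255.255.1/32 and the values in angle brackets are assumptions; replace them with your own.

```routeros
# Added example, not from the thread. Pins one L2TP/IPsec client to WAN2.
# Assumed names: pppoe-wan2 (the WAN2 PPPoE client), to_WAN2 (a routing table
# that already holds a default route via WAN2, as in a typical multi-WAN
# setup), 10.255.255.1/32 (any address not used anywhere else).
# Syntax is RouterOS v6; the v7 equivalent is noted where it differs.

# 1. A bridge with no ports never goes down, so an address on it is always
#    valid. Binding to the PPPoE address instead would break every time the
#    ISP hands out a new one.
/interface bridge
add name=lo-vpn comment="loopback for VPN source addresses"

/ip address
add address=10.255.255.1/32 interface=lo-vpn comment="src-address of l2tp-out-wan2"

# 2. Everything the router originates from 10.255.255.1 (L2TP control, IKE
#    and ESP) is looked up only in to_WAN2. Because it is lookup-ONLY, the
#    lookup does not fall back to main when WAN2 is down: the tunnel fails
#    instead of silently moving to WAN1.
#    (RouterOS v7: /routing rule add src-address=10.255.255.1/32 \
#       action=lookup-only-in-table table=to_WAN2)
/ip route rule
add src-address=10.255.255.1/32 action=lookup-only-in-table table=to_WAN2

# 3. Packets leave pppoe-wan2 with the loopback source; translate it to the
#    WAN2 address. A generic "out-interface=pppoe-wan2 masquerade" rule
#    already does this; the explicit rule just documents the intent.
/ip firewall nat
add chain=srcnat src-address=10.255.255.1 out-interface=pppoe-wan2 \
    action=masquerade comment="NAT VPN source to WAN2"

# 4. The client itself. src-address must be an address the router owns,
#    otherwise IKE cannot send from it and the log shows
#    "phase1 negotiation failed due to send error" as in the post above.
/interface l2tp-client
add name=l2tp-out-wan2 connect-to=<vpn-server-hostname> user=<user> \
    password=<password> src-address=10.255.255.1 use-ipsec=yes \
    ipsec-secret=<preshared-key> add-default-route=no disabled=no

# 5. Checks: the tunnel should report "running", the IPsec peer should show
#    local address 10.255.255.1, and the route rule should be listed active.
/interface l2tp-client monitor l2tp-out-wan2 once
/ip ipsec active-peers print
/ip route rule print
```

If the tunnel never comes up, first confirm that to_WAN2 really contains an active default route (the rule has nothing else to look in), then that no mangle rule in the output chain re-marks router-originated traffic from 10.255.255.1 into another table.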
 
aah
newbie
Posts: 27
Joined: Wed Apr 21, 2021 7:37 pm

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Fri Jun 18, 2021 6:27 am

> 1) You can create second l2tp-tunnel through the second wan connection the same way and revert to lookup-only-in-table for both of them: switching routes between two tunnels will be much faster than rebuilding the tunnel. Especially if OSPF + BFD can be used on top of that.
> 2) You need this address for two things - to choose the right route from the very packet creation and creating a valid ipsec policy.
> Some random address works because it will be src-nated anyway, and assigning it any interface makes it valid.
> Loopback-bridge is just as good a place for it as any other, with the addition that it won't interfere with the behaviour of other interfaces. And does not depend on them to be working.
> 3) That is totally up to you and depends on what is located on the other side of the tunnel.

Hi to xvo and the OP,
I have the same situation. I have three ISPs. ISP1 and ISP2 are set up with PCC for load balancing and failover. Now I want to force my ExpressVPN L2TP to dial out over the ISP3 interface instead of the default gateway. ISP3 is PPPoE and has a valid IP address. I am trying to follow the communications in this thread, but unfortunately I have only recently switched to MikroTik (coming from pfSense) and I am new to many concepts, so it is somewhat beyond my level. I am trying to read as much as possible to get this working, but unfortunately it seems I need a little bit of spoon-feeding to get me going and a little bit of explanation in layman's terms. I would really appreciate it if you helped me with my situation. Many thanks.
 
Ziko
just joined
Posts: 7
Joined: Fri Aug 06, 2021 10:18 am

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Sun Aug 08, 2021 8:47 am

xvo, can you please help me?
I have three FTTH lines of 16MB bandwidth each. I have successfully made a PCC load balancer using this script:
# Interface naming: one LAN port, three WAN ports, one unused
/interface ethernet
set [ find default-name=ether5 ] name=LAN
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] disabled=yes

# Addresses: LAN plus one /24 per WAN (each ISP router is at .1)
/ip address
add address=192.168.0.1/24 interface=LAN network=192.168.0.0
add address=192.168.1.4/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.4/24 interface=WAN2 network=192.168.2.0
add address=192.168.3.4/24 interface=WAN3 network=192.168.3.0

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# Mangle, in order:
#  - replies to connections that arrived on a WAN go back out the same WAN
#  - LAN traffic to the ISP routers' own subnets is left unmarked
#  - new LAN connections are spread over the three WANs with PCC (3 buckets)
#  - the connection mark is turned into a routing mark
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=\
    WAN1_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=\
    WAN2_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN3 new-connection-mark=\
    WAN3_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    LAN
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
    LAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=\
    LAN
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN3_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    in-interface=LAN new-routing-mark=to_WAN3 passthrough=yes

# Source NAT on every WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3

# One default route per routing mark, plus main-table defaults as fallback
# (check-gateway=ping disables a route whose ISP router stops answering)
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1 \
    scope=255
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2 \
    scope=255
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_WAN3 \
    scope=255
add check-gateway=ping distance=1 gateway=192.168.1.1 scope=255
add check-gateway=ping distance=2 gateway=192.168.2.1 scope=255
add check-gateway=ping distance=3 gateway=192.168.3.1 scope=255
and on speedtest.com my speed is balanced at 48mb.
I added an L2TP client for ExpressVPN in PPP, created a NAT rule to masquerade out-interface=l2tp-out,
and created a mangle rule:
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn-now passthrough=no src-address=192.168.0.100-192.168.0.150
and created a route for the routing mark vpn-now:
/ip route
add distance=1 gateway=l2tp-out routing-mark=vpn-now
When I assign the IP 192.168.0.110 to my laptop the VPN works fine, but it is only using one of the WAN interfaces and it looks like I can't control which WAN the VPN connects through.
I need you to help me make a load balancer so that the VPN connects over all my WANs.
I can make three l2tp-out connections with my ExpressVPN account, but how can I make every L2TP connection go through one of the WANs and balance the whole thing?
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Sun Aug 08, 2021 7:27 pm

Specify src-address in the l2tp-out interfaces and use /ip route rule action=lookup-only-in-table (for these src-addresses) to force each of the l2tp-out interfaces to use the appropriate WAN.
 
Ziko
just joined
Posts: 7
Joined: Fri Aug 06, 2021 10:18 am

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Sun Aug 08, 2021 8:38 pm

Thank you xvo for the quick response.
And after doing this, how can I load balance the L2TP interfaces (the same way as for the WANs)?
And if I break the PCC load balancer and do what you have said, then I balance the whole thing, right?
Please be patient with me (new to all this).
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Mon Aug 09, 2021 1:46 pm

With several L2TP tunnels to the same L2TP server you can actually do load balancing much more easily, as there is no NAT involved for traffic going into the tunnels: all you need is an ECMP route (or routes) on both sides to the needed destinations.
For example, if the first tunnel is 172.16.1.1 <-> 172.16.1.100, the second 172.16.2.1 <-> 172.16.2.100, the third 172.16.3.1 <-> 172.16.3.100 and the local subnet is 192.168.0.0/24, then the routes will look like:

Default route on the client side:
/ip route add dst-address=0.0.0.0/0 gateway=172.16.1.1,172.16.2.1,172.16.3.1 check-gateway=ping

On the server side:
/ip route add dst-address=192.168.0.0/24 gateway=172.16.1.100,172.16.2.100,172.16.3.100 check-gateway=ping
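Added example (editor's, not configuration from xvo, Ziko or anyone else in the thread) for Ziko's three-WAN case. It builds on xvo's earlier suggestion of one tunnel per WAN with lookup-only-in-table for each (his reply to DarkNate's failover question) and on the ECMP route in this post, client side only. It assumes the PCC configuration Ziko posted (WAN1..WAN3, tables to_WAN1..to_WAN3, routing mark vpn-now), that 10.255.255.1-3/32 are unused, placeholder credentials in angle brackets, and that the VPN provider gives each session its own address so that replies come back on the tunnel the flow left on; the server-side route xvo shows only applies when you run the server yourself.

```routeros
# Added example, not from the thread: three L2TP/IPsec clients, each pinned
# to one WAN, load-balanced with one ECMP route in the vpn-now table.
# Assumes Ziko's PCC configuration above (WAN1..WAN3, tables to_WAN1..to_WAN3,
# routing mark vpn-now for 192.168.0.100-150), that 10.255.255.1-3/32 are
# unused, and that the provider assigns each session its own address.
# RouterOS v6 syntax (v7: /routing rule instead of /ip route rule, and
# routing-table= instead of routing-mark= on the routes).

# One loopback bridge, three source addresses (one per tunnel)
/interface bridge
add name=lo-vpn comment="loopback for VPN source addresses"

/ip address
add address=10.255.255.1/32 interface=lo-vpn comment="src of l2tp-out1 via WAN1"
add address=10.255.255.2/32 interface=lo-vpn comment="src of l2tp-out2 via WAN2"
add address=10.255.255.3/32 interface=lo-vpn comment="src of l2tp-out3 via WAN3"

# Pin each source address to its WAN table. lookup-only: no fallback to main,
# so a tunnel whose WAN is down fails rather than moving to another WAN.
/ip route rule
add src-address=10.255.255.1/32 action=lookup-only-in-table table=to_WAN1
add src-address=10.255.255.2/32 action=lookup-only-in-table table=to_WAN2
add src-address=10.255.255.3/32 action=lookup-only-in-table table=to_WAN3

# The existing "out-interface=WANx masquerade" rules already translate the
# loopback source to the WAN address on the way out; no extra rule needed.

# Three sessions to the same account, one per source address
/interface l2tp-client
add name=l2tp-out1 connect-to=<vpn-host> user=<user> password=<pass> \
    src-address=10.255.255.1 use-ipsec=yes ipsec-secret=<psk> \
    add-default-route=no disabled=no
add name=l2tp-out2 connect-to=<vpn-host> user=<user> password=<pass> \
    src-address=10.255.255.2 use-ipsec=yes ipsec-secret=<psk> \
    add-default-route=no disabled=no
add name=l2tp-out3 connect-to=<vpn-host> user=<user> password=<pass> \
    src-address=10.255.255.3 use-ipsec=yes ipsec-secret=<psk> \
    add-default-route=no disabled=no

# LAN traffic entering a tunnel is NATed to that tunnel's address
/ip firewall nat
add chain=srcnat out-interface=l2tp-out1 action=masquerade
add chain=srcnat out-interface=l2tp-out2 action=masquerade
add chain=srcnat out-interface=l2tp-out3 action=masquerade

# Balance the VPN users: one ECMP default route in vpn-now across the three
# tunnels (flows are spread by src/dst hash). check-gateway=ping takes a
# tunnel out of the set when its far end stops answering.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1,l2tp-out2,l2tp-out3 \
    routing-mark=vpn-now check-gateway=ping distance=1

# Kill switch: with every tunnel down the ECMP route goes inactive and the
# vpn-now lookup would fall through to main, i.e. straight out a WAN in the
# clear. A blackhole at a worse distance catches that instead.
add dst-address=0.0.0.0/0 type=blackhole routing-mark=vpn-now distance=10

# Checks
/interface l2tp-client print
/ip route print where routing-mark=vpn-now
/ip route rule print
```

The mangle rule Ziko already has (mark-routing vpn-now for 192.168.0.100-150) is what sends those hosts into this table; it must stay after the PCC mark-routing rules so that its mark is the one that wins. The blackhole is the part to test deliberately: disable all three l2tp-out interfaces and confirm a VPN host can no longer reach the internet at all.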
 
Ziko
just joined
Posts: 7
Joined: Fri Aug 06, 2021 10:18 am

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Sat Sep 04, 2021 10:20 pm

xvo,
please help me.
When I put src-address in the L2TP client, the VPN disconnects and never reconnects.
I put the routing rule in /ip route rule and it still does not connect.
Can you please specify the script needed to force each l2tp-out to use one of the WANs and PCC load balance the three (l2tp-out1, l2tp-out2, l2tp-out3)?
 
clueluzz
newbie
Posts: 34
Joined: Sun Feb 23, 2020 5:47 pm
Location: Jakarta, Indonesia

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Thu May 05, 2022 4:09 pm

Can you advise how to use this with RouterOS 7.2.3? I'm using a CCR2004.

I've followed this https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

My VPN connection to Nord is working, but my specific client traffic is not going through it.
 
alna7ari
just joined
Posts: 2
Joined: Wed Nov 10, 2021 1:15 am

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Sun Sep 25, 2022 4:11 am

From ROS7 you can use VRF.
 
miankamran7100
Member Candidate
Posts: 251
Joined: Tue Sep 17, 2019 9:28 am

Re: Force L2TP (IPsec) tunnel over a specific WAN interface

Sat Sep 16, 2023 7:26 pm

> 1) Fill the src-address field in l2tp-client.
> 2) Use /ip route rule (lookup-only-in-table) to force connections originated from this ip to desired routing table.

I have tried this rule.
I'm able to ping only my LAN gateway 192.168.94.1, but not LAN IPs such as 192.168.94.44.
