Pericynthion
newbie
Topic Author
Posts: 37
Joined: Tue Jan 02, 2018 8:54 pm

Conditional 'Mark Routing' only if interface available

Thu May 03, 2018 12:27 am

Hi Everyone! quick Mangle question from someone new to RouterOS.

I have my Hex up and running with a L2TP IPSec tunnel to a VPN provider, and top of my mangle list is a mark-routing for my local subnet to flag all outgoing traffic via the VPN.
/ip firewall mangle add action=mark-routing chain=prerouting comment="Tag all local LAN traffic for routing via VPN" new-routing-mark=L2TPVPN passthrough=yes \
  src-address=192.168.118.0/24
There are then a couple of subsequent Mangle rules for specific devices that override this routing mark with 'main' so they follow the standard direct-route to the ISP.

Then I have a default static route that points to the l2tp-out1 interface (which has a better metric than the regular WAN-ISP default), and under normal circumstances this all works fine.
/ip route add distance=1 gateway=l2tp-out1 routing-mark=L2TPVPN



Q: Is there a way I can make the mark-routing via the tunnel conditional on the interface being up? In the event that the tunnel drops for some reason, I'd like it to fall back and not apply this L2TPVPN rule (and so default to the 'main' mark-routing action). I appreciate there may be a more elegant way to designate the default route/routing mark, so I'm open to any and all suggestions!
 
nickshore
Member
Posts: 473
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.
Contact:

Re: Conditional 'Mark Routing' only if interface available

Thu May 03, 2018 12:34 pm

Just add the fallback route with a greater distance into this L2TPVPN table.

Then when the l2tp interface is down the first route won't be used.

Hope that helps
Nick
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Conditional 'Mark Routing' only if interface available

Thu May 03, 2018 7:30 pm

Do you mean this Nick?
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=L2TPVPN check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=ISPgateway-IP distance=2
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Pericynthion
newbie
Topic Author
Posts: 37
Joined: Tue Jan 02, 2018 8:54 pm

Re: Conditional 'Mark Routing' only if interface available

Thu May 03, 2018 7:50 pm

Yes - that's what I already have, but it still blackholes those packets if the L2TP is down - the IP address is technically reachable (via the default, default route) but without the VPN the traffic is not routable at the far end.
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 A S  0.0.0.0/0                          l2tp-out1                 1
1 ADS  0.0.0.0/0                          70.95.64.yyy               2
2 ADC  10.0.0.2/32        10.7.4.xxx      l2tp-out1                 0
3 ADC  70.95.64.0/19      70.95.93.yyy    ether1-EXTERNAL           0
4 ADC  192.168.118.0/24   192.168.118.1   bridge-LAN                0

I'm thinking about this and maybe the issue is I have the L2TP default gateway as a manual static route. If I change the L2TP interface to the 'add default route' option (so it's dynamically created), with a metric of 1, and set the DHCP client on the WAN to have a metric of 2, it should only ever have routes for active interfaces.

Maybe it's my misunderstanding of the routing-mark - I thought it was effectively setting up a VRF, so it will push it to that routing table with that mark and not cross over into the 'main' routing table.
 
Pericynthion
newbie
Topic Author
Posts: 37
Joined: Tue Jan 02, 2018 8:54 pm

Re: Conditional 'Mark Routing' only if interface available

Thu May 03, 2018 8:02 pm

Continued thought.... I changed the L2TP to add a default route, and it added one - but without the routing mark for L2TP, so that's not going to work.

Maybe I answered my own question in the previous post - I need to create a VRF/FIB for that routing mark (which has the dual default gateways with different metrics), and another one without (just the standard default route).

Either that or just lose the routing-mark altogether, and add mangle rules for the clients that should always use the higher-metric default route - and let everything just follow the dynamic routing table.
Last edited by Pericynthion on Thu May 03, 2018 8:27 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 1299
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Conditional 'Mark Routing' only if interface available

Thu May 03, 2018 8:25 pm

I have the opposite problem: traffic destined for the VPN wants to get out through the ISP (pppoe-out-1). In my routing table all the VPN connections and the ISP have distance "1". When I set the ISP distance to 2 and the VPN stays at 1, my VPN connections don't start any more.

I don't want my packet destined for the VPN over the ISP connection so I block those wanting to get out in Filters.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta59 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
Pericynthion
newbie
Topic Author
Posts: 37
Joined: Tue Jan 02, 2018 8:54 pm

Re: Conditional 'Mark Routing' only if interface available

Fri May 04, 2018 6:17 pm

So I think my config would help you then! If you set a mangle rule to 'mark-routing' for the subnet or addresses you want to 'force' over the VPN, then have a default route which includes that routing mark via the VPN interface, those packets will only ever follow that route. All the traffic with no routing-mark follows the standard default route via the ISP (if there is any).
(Don't forget to also add a srcnat masquerade for the out-interface of the VPN; it looks exactly the same as the default one, just on the VPN interface. You'll have to disable the fasttrack rule in the firewall as it's incompatible with policy-based routing.)
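Putting nickshore's suggestion (a higher-distance fallback route inside the L2TPVPN table) together with the pieces Pericynthion lists in the post above (mangle mark, VPN default route, masquerade on the tunnel, fasttrack off), this is an added example of the complete RouterOS v6 configuration; it is not config posted in the thread. Assumed, not from the thread: the ISP gateway 198.51.100.1 (a documentation placeholder), the override host 192.168.118.50, and that the interface names l2tp-out1, ether1-EXTERNAL and bridge-LAN match the OP's setup.

```routeros
# Added example, not from the thread. Policy routing for one LAN subnet via an
# L2TP/IPsec client, with a distance-2 fallback inside the same routing table
# so marked traffic is not blackholed when the tunnel is down.
# Assumed values: ISP gateway 198.51.100.1, override host 192.168.118.50.

/ip firewall mangle
# Mark all LAN traffic for the L2TPVPN table. Keep this rule above any
# per-host overrides that reset the mark to "main".
add chain=prerouting src-address=192.168.118.0/24 action=mark-routing \
    new-routing-mark=L2TPVPN passthrough=yes \
    comment="Tag all local LAN traffic for routing via VPN"
# Override example (assumed host): always straight to the ISP, never via VPN.
add chain=prerouting src-address=192.168.118.50 action=mark-routing \
    new-routing-mark=main passthrough=yes comment="Direct-to-ISP host"

/ip route
# Primary default route in the L2TPVPN table via the tunnel. The route goes
# inactive when l2tp-out1 is not running; check-gateway=ping also drops it
# when the interface is up but the far end stops answering.
add dst-address=0.0.0.0/0 gateway=l2tp-out1 distance=1 \
    routing-mark=L2TPVPN check-gateway=ping comment="VPN default (primary)"
# Fallback in the SAME table, only used while the primary is inactive.
# Pick one of the two lines below.
#  a) fail-open: marked traffic leaves via the ISP, unencrypted, during outage
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 \
    routing-mark=L2TPVPN comment="VPN fallback to ISP (fail-open)"
#  b) fail-closed: marked traffic is dropped until the tunnel returns
#add dst-address=0.0.0.0/0 type=blackhole distance=2 \
#    routing-mark=L2TPVPN comment="VPN fallback blackhole (fail-closed)"

/ip firewall nat
# Same shape as the usual WAN masquerade rule, but on the tunnel interface.
# Keep the existing ether1-EXTERNAL masquerade for the fallback path.
add chain=srcnat out-interface=l2tp-out1 action=masquerade \
    comment="NAT for traffic leaving via VPN"

/ip firewall filter
# Fasttracked connections bypass mangle, so the forward fasttrack rule must be
# disabled for mark-routing to take effect.
disable [find action=fasttrack-connection]

# Verify which route is live for marked traffic right now:
/ip route print where routing-mark=L2TPVPN
```

Note the security trade-off in the fallback choice: variant (a) gives the behaviour the question asks for, but every host that was "forced" over the VPN silently leaks out through the ISP in the clear for as long as the tunnel is down, so watch for that with `/ip route print where routing-mark=L2TPVPN` or a log rule. Variant (b) is the kill-switch version: the hosts lose connectivity instead of bypassing the VPN, which is closer to what msatter is doing with filter rules. Both variants rely on the fallback living in the L2TPVPN table itself, so the per-host "main" overrides keep working either way.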
