webor
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Dec 20, 2008 2:33 am
Location: Croatia, Europe

Routing pptp through a specific (dedicated) gateway in dual gateway system

Wed Jun 02, 2021 1:43 am

I would kindly ask for help in my (still unsuccessful) effort to route a pptp client connection through a specific gateway in a Mikrotik system with two LTE gateways.

I want to route a pptp client connection from Mikrotik remote router to Mikrotik central router through its lte2 interface and all other regular traffic through its lte1 interface. Central router - PPTP server has dynamic public IP (dsl) that changes every 24h, so this is an additional problem to solve.

Remote router - pptp client - is RB951G with two usb LTE dongles using usb hub.
Central router - pptp server - is HAP ac3 with pppoe connection and dynamic public IP.

I tried with prerouting marking the gre protocol but without success. I tried to read several topics that seem similar but cannot figure out how to route only this specific pptp connection through lte2 and all other things through lte1 gateway.
When I started I thought that it would not be so demanding, but I cannot figure it out. I would really appreciate any help.
 
iHyenDeer
just joined
Posts: 12
Joined: Wed Apr 18, 2018 10:45 am
Location: Mexico

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Wed Jun 02, 2021 8:04 am

Needs:
a) Route a PPTP client to the central PPTP server over a specified WAN.
b) The central PPTP server has a public IP address that regularly changes.
c) Divide traffic between 2 WANs. (I'd like to discuss this one later if you want, because it's more advanced.)


b) You need a way to constantly fetch your public IP from your PPTP server. That's easy: all you have to do is get a NO-IP domain for free, or use the IP>CLOUD DDNS service; it's free, and it keeps good track of the public IP of your central PPTP server.

b) Now that you've got a domain name that keeps track of the public IP of your router, all you have to do is translate that domain name to an IP address that you can actually use on your PPTP client.

b) For that, all you have to do is add it on your PPTP client under IP>FIREWALL>ADDRESS LIST.

b) What you're going to have to do is add that weird domain name you got from the DDNS service (previously obtained from your PPTP server) to a new rule on your PPTP client.

You can name it whatever you want; just make sure that you fill in your domain name in the "Address" field of the rule. It will automatically fetch the public IP of your PPTP server from the DDNS service.

With this we can proceed to:

Make sure the PPTP client will always connect to the correct PPTP server public IP address.
Make sure that the PPTP interface always dials over your desired route.

a) First, we need to create a rule that routes specified destination traffic.

For this you're going to have to go, on your PPTP client, to IP>FIREWALL>MANGLE and create a new rule.
It's going to be on the prerouting chain. Then navigate to the "Advanced" tab, and in the second option, "Dst. Address List", select the name of the "Address" you already collected before. Hint: (You can name it whatever you want; just make sure that you fill in your domain name in the "Address" field of the rule. It will automatically fetch the public IP of your PPTP server from the DDNS service.)
Then select the "Action" tab and select "Mark routing". Now it is going to prompt you to add a name to it; again, you can name it whatever you want.

Lastly, all you have to do is add this new routing mark to a specified route on your PPTP client RouterBOARD. For this, just go to IP>ROUTE and add the gateway you want our new rule to follow; make sure to add the routing mark in the blank at the bottom of the rule, with a distance of 1 (don't worry, this won't change your default routes).

This will make sure that whenever your public IP changes, your PPTP client will always follow a specific path to your PPTP server.

And lastly, you'll have to add the PPTP client interface on your PPTP client. Just do it as you usually do, but instead of typing a public IP address in the address field, add the DDNS domain name you got from the cloud service on your PPTP server.

Now, if you want to route your private LAN or CIDR to specific routes (aka the PPTP client or whatever WAN you want),
that's more complex. I can still help you through it here, I'd just need more information to work with.

PS: Sorry for my jibbery English, I'll improve it over time.
 
webor
Frequent Visitor
Topic Author

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Wed Jun 02, 2021 11:07 am

Thank you very much for your time and willingness to provide me help!
I have all the things that you are mentioning successfully set up (dynamic dns, pptp server, pptp client) besides the specific routing issue.
I tried with the mark-routing the tcp 1723 as well as gre and then route this through the lte2 gateway but this breaks the pptp connection.
Everything works 100% besides the thing that I cannot "separate" that pptp client traffic and force it to go through lte2 interface while routing all other traffic through lte1 interface of the remote router.
 
webor
Frequent Visitor
Topic Author

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Wed Jun 02, 2021 2:41 pm

This is my config (relevant part) at the moment that unfortunately doesn't work:
/ip firewall address-list
add address=my.server.ddns.address list=adressddns

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=adressddns new-routing-mark=markpptpclient passthrough=yes protocol=tcp dst-port=1723
add action=mark-routing chain=prerouting dst-address-list=adressddns new-routing-mark=markpptpclient passthrough=yes protocol=gre

/ip route
add distance=1 gateway=192.168.8.1
add distance=2 gateway=192.168.51.1 routing-mark=markpptpclient
Please help. I would really appreciate just a hint if I'm on the right track. Tnx
 
iHyenDeer
just joined

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Wed Jun 02, 2021 7:32 pm

There is no need to specify the port and protocol; the dst-address-list alone should be more than enough to route through a specific WAN. PS: unmark "passthrough".
 
webor
Frequent Visitor
Topic Author

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Thu Jun 03, 2021 12:43 am

I have implemented your suggestions but unfortunately it still doesn't work. All traffic including vpn connection goes through lte1.

This is my code at the moment
/ip firewall address-list
add address=my.server.ddns.address list=adressddns

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=adressddns new-routing-mark=markpptpclient passthrough=no

/ip route
add distance=1 gateway=192.168.8.1
add distance=2 gateway=192.168.51.1 routing-mark=markpptpclient
 
iHyenDeer
just joined

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Thu Jun 03, 2021 5:27 am

Modify the following.

add distance=1 gateway=192.168.51.1 routing-mark=markpptpclient
 
webor
Frequent Visitor
Topic Author

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Thu Jun 03, 2021 11:17 am

Hi! I also tried this but it still doesn't work.
It seems that the vpn traffic cannot be routed in such an easy way. I really cannot figure out why exactly but it does not work for me. I tried also with l2tp/ipsec and it also ignores that routing mark.
For the moment I figured out the let's say "inverted" workaround but this is still not a real solution for my needs. My temporary workaround is to mark prerouting all "normal" transport from local IP clients range (192.168.0.0/16) and then route this traffic through lte1 (distance=2) using routing mark "normal" and leave lte2 with distance=1 to route all other "vpn" unmarked traffic.
 
iHyenDeer
just joined

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Fri Jun 04, 2021 12:01 pm

I might not understand what we're trying to achieve.

That routing mark rule is to make the PPTP tunnel use a specific route, not your LAN traffic, just the tunnel itself. Since there is no relevant routing mark for your local traffic, it will still go through your main route.

That's still a good approach to fix the issue, but since I don't know your criteria for what specific IP range or specific services you need to route through your PPTP tunnel, I didn't include a solution for it.

Remember that the PPTP tunnel is just a client, and the easiest way to forward traffic through it is just to NAT your PPTP client. If you want to add a specific IP range, you certainly can just add it to another routing mark rule (they can share the same name), and now your hosts or services can go through that PPTP route.

I hope I got the idea right this time.
 
webor
Frequent Visitor
Topic Author

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Sat Jun 05, 2021 1:16 am

Thank you very much for your help.
My need is to route the pptp tunnel to go through lte2 (gw 192.168.51.1) interface. I do not need to route other traffic through that tunnel. I just want to force pptp client to use lte2 interface when it makes connection with the pptp main server.
On the other hand, I want all other let's say regular traffic to go through lte1 (gw 192.168.8.1) interface.
I hope that it is easier to understand now.
The routing mark doesn't seem to work for vpn connections as suggested, so my workaround was to mark regular non-vpn traffic and route this through lte1 (distance=2) while allowing vpn traffic to go through lte2 that has lower distance=1 so it is preferred for unmarked traffic. I think that the problem might be that vpn traffic cannot be marked in the same way as non-vpn traffic. I am not an expert but it seems so in my case.
That workaround that I just described has an additional problem that I cannot ping the router any more if all traffic is marked.
 
webor
Frequent Visitor
Topic Author

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Mon Jun 07, 2021 12:59 am

I am really stuck here.
I would really appreciate advice where to go next to search for a solution to properly prerouting mark to force the pptp-client to establish the tunnel through the specific (lte2) interface. It seems that an easy (general) approach described here above doesn't work for vpn traffic.
 
webor
Frequent Visitor
Topic Author

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system

Tue Jun 08, 2021 12:49 am

I would kindly ask for some help! I am kind of desperate.
I have been so happy with Mikrotik for more than a decade but this task is too much for me at the moment.
It is obvious that I am not doing the right thing but cannot figure out what and how it should be. I am googling around and going throughout the forum for days but cannot figure it out. I tried millions of combinations of routing-mark, connection-mark, packet-mark following multiple topics here but I cannot figure it out.
To make things as simple as possible: I need to route the pptp-client to go through lte2 interface while all other traffic goes through lte1 interface.
Please, I am so grateful for any hint, just to move forward because I am stuck at the moment. Trial and error doesn't make sense any more. What seems obvious doesn't work. Tnx in advance
 
webor
Frequent Visitor
Topic Author

Re: Routing pptp through a specific (dedicated) gateway in dual gateway system  [SOLVED]

Tue Jun 08, 2021 2:57 pm

Oh, the catch was in chain. It was necessary to set chain=output instead of prerouting. After days of searching, the solution was so... hmm..
/ip firewall address-list
add address=my.server.ddns.address list=adressddns
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=adressddns new-routing-mark=markpptpclient passthrough=no protocol=tcp dst-port=1723
add action=mark-routing chain=output dst-address-list=adressddns new-routing-mark=markpptpclient passthrough=no protocol=gre
/ip route
add distance=1 gateway=192.168.8.1
add distance=1 gateway=192.168.51.1 routing-mark=markpptpclient
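
Why the chain mattered, as an added example (not part of the original posts, and a simplified model rather than RouterOS itself): the PPTP client's TCP 1723 and GRE packets are generated by the router, so they pass the mangle output chain and never prerouting. The gateways and mark name are taken from the thread; the server address 203.0.113.10 is a constructed placeholder for the resolved DDNS name.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    origin: str      # "router" = generated by the router itself, "lan" = forwarded
    dst: str
    proto: str
    dport: int = 0
    mark: str = ""   # routing mark; empty means the main routing table

@dataclass
class Rule:
    chain: str       # "prerouting" or "output"
    dst_list: set
    proto: str
    dport: int = 0   # 0 = any port
    new_mark: str = ""

# Routing tables keyed by routing mark (gateways as posted in the thread).
ROUTES = {"": "192.168.8.1", "markpptpclient": "192.168.51.1"}
SERVER = "203.0.113.10"  # constructed stand-in for the DDNS address-list entry

def chains_for(pkt):
    # Router-originated packets traverse mangle "output"; only packets that
    # arrive on an interface traverse "prerouting".
    return ["output"] if pkt.origin == "router" else ["prerouting"]

def gateway(pkt, rules):
    for chain in chains_for(pkt):
        for r in rules:
            if (r.chain == chain and pkt.dst in r.dst_list
                    and pkt.proto == r.proto and r.dport in (0, pkt.dport)):
                pkt.mark = r.new_mark
                break  # passthrough=no: stop at the first matching rule
    # A marked packet uses its own table; anything else uses the main table.
    return ROUTES.get(pkt.mark, ROUTES[""])

def pptp_rules(chain):
    return [Rule(chain, {SERVER}, "tcp", 1723, "markpptpclient"),
            Rule(chain, {SERVER}, "gre", 0, "markpptpclient")]

def tunnel_gateways(chain):
    # The two flows a PPTP client produces: TCP 1723 control and GRE data.
    ctrl = Packet("router", SERVER, "tcp", 1723)
    data = Packet("router", SERVER, "gre")
    return gateway(ctrl, pptp_rules(chain)), gateway(data, pptp_rules(chain))
```

With the rules in prerouting the tunnel keeps leaving through 192.168.8.1 (lte1), which matches what was reported earlier in the thread; with chain=output both flows go through 192.168.51.1 (lte2).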
