Carr0t
just joined
Topic Author
Posts: 2
Joined: Mon Jun 21, 2021 4:25 pm

Looking for help with routing over L2TP client connection

Mon Jun 21, 2021 5:12 pm

I'm looking for help with what I've done wrong with my setup. I've got a MikroTik hAPac^2 running RouterOS 6.48.3. My normal ISP only offers a connection using CGNAT (for v4), and for various reasons I can't change away from them, so I've bought an L2TP tunnel service from another ISP but I'm having trouble getting it to run as I expect. The router is getting a connection and the IP I expected, but using that from my internal network is proving problematic.

I'm mangling connections out of the L2TP interface as well as the regular one, NATing specific inbound ports to either the XBox or my file server, and marking new inbound connections to the L2TP IP so I can mark the responses for routing. For the time being rather than doing any sort of split tunnel I want to route all connections from the XBox down the tunnel, or even just all traffic from the entire house. Once I've got _that_ working reliably I'll change things so that only the bits I need go down there.

I've verified with 'ping' on my Mac (allows setting do-not-fragment and payload size) that 1450 is the correct MTU for the tunnelled connection (set a mark rule that sent any requests to 1.1.1.1 down the tunnel, then pinged that with different payload sizes. Payload 1422 was the max I could do, plus 28 for the packet header, to get 1450 set on the router). That worked fine, but if I change that rule to route all traffic down the tunnel everything stops working.

Potentially of note, I run DHCP and DNS servers for the house, the latter of which sends requests upstream to Google/CloudFlare when it gets something not local/cached. So DHCP has _some_ config on the router from initial setup but isn't actually enabled any more.

_Something_ is obviously happening, because if I have dst nat rules for port 3074 (one of the main XBox Live ports) to the XBox, and mangle rules that mark port 3074 from it to go up the tunnel via a routing mark, it changes my NAT type from Strict with Double-NAT to Open, and keeps my 120Mbps download speed. But it also reports 97% packet loss (I don't know enough about the tests it's doing to fully understand what's going on there, I suspect the download speed is via HTTP not via the tunnel, and the NAT test is to make an inbound connection to the port a request on 3074 detects as). If I tell it to send everything over the tunnel instead of just 3074 then the test fails with 0.00Mbps download speed.

If I try similar for my laptop, and tell it to send _everything_ down the tunnel, I still get (very slow) Internet access, but fast.com reports my download as ~640Kbps instead of the 120Mbps I get without the tunnel. I've verified that I can still ping the local DNS server in that instance, as I did wonder if I was locking myself out of my local network accidentally.

Given that the ISP providing the tunnel is well known for being highly technical and solid, I am 99.9% sure I've just messed up the config somewhere. Or that my regular ISP is somehow detecting and messing with the tunnel... But probably I've just messed something up. Can anyone see an obvious issue with this?:

# jun/22/2021 09:00:18 by RouterOS 6.48.3
# software id = ZAWF-AEUP
#
# model = RBD52G-5HacD2HnD
# serial number = CDFD0D59564D
/interface bridge
add admin-mac=08:55:31:CD:58:18 auto-mac=no comment=defconf name=bridge
/interface l2tp-client
add allow-fast-path=yes connect-to=$TUNNEL_ISP_PROVIDED_IP disabled=no keepalive-timeout=disabled name=l2tp-aaisp password=$TUNNELPASS user=$TUNNELUSER
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=getoffmyLAN station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=getoffmyLAN station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=$WIFI_PSK
/ip pool
add comment="InfiniteFunSpace unknown hosts DHCP range" name=ifs-dhcp ranges=192.168.6.0-192.168.255.254
/ip dhcp-server
add address-pool=ifs-dhcp interface=bridge name="InfiniteFunSpace DHCP"
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=l2tp-aaisp list=WAN
/ip address
add address=192.168.0.1/16 comment="InfiniteFunSpace gateway address" interface=bridge network=192.168.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/16 comment="InfiniteFunSpace config" dns-server=192.168.0.2 domain=masaq.infinitefunspace.co.uk gateway=192.168.0.1 netmask=16
/ip dns static
add address=192.168.0.1 comment="InfiniteFunSpace router" name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment="For ping from the tunnel to the router itself" connection-mark=from-l2tp-aaisp in-interface=l2tp-aaisp new-routing-mark=l2tp-aaisp passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting connection-state=related,new in-interface=l2tp-aaisp new-connection-mark=from-l2tp-aaisp passthrough=yes
add action=mark-routing chain=prerouting comment="For responses to connections from the tunnel to the internal network" connection-mark=from-l2tp-aaisp in-interface-list=LAN new-routing-mark=l2tp-aaisp passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to-l2tp-aaisp in-interface-list=LAN new-routing-mark=l2tp-aaisp passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="Masquerade packets leaving L2TP interface" ipsec-policy=out,none out-interface=l2tp-aaisp
add action=dst-nat chain=dstnat comment="SSH to mended-drum" dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.2 to-ports=22
add action=dst-nat chain=dstnat comment="HTTPS to mended-drum, for containers" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.2 to-ports=443
add action=dst-nat chain=dstnat comment="Plex default port for remote access" dst-port=32400 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.2 to-ports=32400
add action=dst-nat chain=dstnat disabled=yes dst-port=3074 in-interface-list=WAN protocol=tcp to-addresses=192.168.5.2 to-ports=3074
add action=dst-nat chain=dstnat disabled=yes dst-port=3074 in-interface-list=WAN protocol=udp to-addresses=192.168.5.2 to-ports=3074
/ip route
add comment="Default route for return traffic over the L2TP tunnel" distance=2 gateway=$ROUTER_IP_ON_TUNNEL routing-mark=l2tp-aaisp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set winbox disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add forced-ip=$ROUTER_IP_ON_TUNNEL interface=l2tp-aaisp type=external
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=v6-fibrenest request=address,prefix
add interface=l2tp-aaisp pool-name=v6-aaisp request=address,prefix
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes primary-ntp=85.199.214.99 secondary-ntp=81.21.65.168 server-dns-names=uk.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I've also tried clamping the TCP MSS to (if I'm understanding correctly) try to ensure I don't send packets over the MTU, as per viewtopic.php?p=658458. And I've tried setting the MTU on the tunnel to 1400 in combination with that in case my reckoning of 1450 being right was... not. Still not working.
 
Carr0t
just joined
Topic Author
Posts: 2
Joined: Mon Jun 21, 2021 4:25 pm

Re: Looking for help with routing over L2TP client connection

Tue Jun 22, 2021 11:38 pm

For anyone who might come across this in future, my issue appears to have been the default 'fasttrack' rule in the forwarding table of the firewall. Disable that, and everything works swimmingly...
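As an added example (not from either post above), here is a narrower alternative to disabling fasttrack outright: fasttracked packets skip the mangle chain, so any connection that needs a routing mark has to be excluded from the fasttrack rule rather than fasttrack being switched off for everything. It reuses the interface, mark and address names from the posted export (l2tp-aaisp, to-l2tp-aaisp, from-l2tp-aaisp) and assumes the Xbox is 192.168.5.2, the address in the dst-nat rules; the MSS clamp line assumes the 1450 MTU worked out in the first post.

```routeros
# Added example, not from the thread. Assumes the names in the posted
# export (interface l2tp-aaisp, marks to-/from-l2tp-aaisp, routing mark
# l2tp-aaisp) and that the Xbox is 192.168.5.2.

/ip firewall mangle
# Tag new connections from the Xbox that should leave via the tunnel.
# The export has a rule that matches to-l2tp-aaisp but none that sets it.
add chain=prerouting src-address=192.168.5.2 in-interface-list=LAN \
    connection-state=new action=mark-connection \
    new-connection-mark=to-l2tp-aaisp passthrough=yes \
    comment="Xbox -> tunnel: mark the connection"
# Every packet of a marked connection gets the routing mark, so the
# policy route (routing-mark=l2tp-aaisp) is used instead of ether1.
# This mirrors the rule already in the export.
add chain=prerouting connection-mark=to-l2tp-aaisp in-interface-list=LAN \
    action=mark-routing new-routing-mark=l2tp-aaisp passthrough=yes \
    comment="Xbox -> tunnel: route via l2tp-aaisp"
# Clamp TCP MSS on SYNs leaving the tunnel so segments fit the 1450 MTU
# without relying on ICMP fragmentation-needed messages getting through.
add chain=forward protocol=tcp tcp-flags=syn out-interface=l2tp-aaisp \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="MSS clamp for the L2TP tunnel"

/ip firewall filter
# Narrow the default fasttrack rule instead of disabling it: only
# connections with no mark may be fasttracked. Connections marked
# to-l2tp-aaisp or from-l2tp-aaisp fall through to the normal
# "accept established,related" rule and keep their routing mark on
# every packet, while ordinary ether1 traffic still gets fasttrack.
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark \
    comment="defconf: fasttrack (unmarked connections only)"

# Check: tunnel connections should be listed here and should not carry
# the F (fasttrack) flag in the connection table.
/ip firewall connection print where connection-mark=to-l2tp-aaisp
```

If the check still shows the F flag on a tunnel connection, the connection was established before the rule change and has to time out or be removed before the new rule applies to it.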
