Our DSL subscription base is small, Mikrotik would make a perfect fit to serve as LNS. Although the LNS seemed to work, there were problems I was unable to solve in the maintenance window sadly. I attribute the combination of being tired and not fulling knowing PPP to be part of my failure in definitively diagnosing the issue.Here are some steps I took to bring the LNS up:
- started work at 3:30am to 5:30am minimize disruption to customers
- brand new CCR1009-8G-1S with ROS 6.33.3 loaded / vanilla installation (standard stuff)
- set up the P2P /29 IP addresses Bell provides us (3 IPs for our LNS equipment - for load balancing, all 3 IPs terminated to same MT CCR) Bell does this so that the ISP can have a few units for redundancy/failover/balancing/etc
- configured routes - Bell provides us with 2 /23's & default route installed/tested
- tested P2P and routes by pinging (setting source IP as well)
- verified 'jumbo' frame sizes on physical and VLAN interface to Bell
- verified RADIUS server connection
- Enabled L2TP server, adjusted MTU/MRU to 1480, used mschap2/mschap1/chap/pap authentication, set Use IPsec and entered in IPSec Secret
- Under LT2P Secrets, I added the 'secret key' to the subnets involved (the two /23's from Bell and the /29 P2P from Bell)
- Under IP IPpool - I set up a /25 pool under "pool1" (we are small) for dynamic customers (most customers are static IP outside of this pool, still small however)
- Under PPP Profiles, I edited both default and default-encryption profiles to have the local address of the router, and the remote address to be 'pool1' (for dynamic IP customers) + DNS server numbers
What's next? Time to jockey around some VLANs on our Bell carrier facing switching platform to re-direct the L2TP traffic from the old LNS to the new Mikrotik LNS (and the internet uplink on the new Mikrotik LNS CCR1009)
"Patiently wait"..... and wait, and wait,
Familiar customer sessions are beginning to populate in the PPP->Active Connections index!!
Do a few ping tests, everything seems to be good.
SOMETHING WRONG: After a while, I observe that only about half or two-thirds of our customers connect. (This is what I was unable to resolve) Here are some observations/troubleshooting steps I took:
- Bell gives us two /23's to connect to the Broadband Access Servers on their network (BAS) 67.69.X.X and 184.150.X.X
- All successful L2TP/PPP sessions seem to be coming in from hosts on the 184.150.X.X space
- All sessions I would expect to see that originate from the 67.69.X.X space are not working
- I note in the Mikrotik LOG that there are messages "first L2TP UDP packet recieved from 67.69.XXX.XXX" (the space where we have NO working PPP sessions)
- I see only one of two Log messages indicating the same for the 184.150.XXX.XXX space (this is the space where we have working sessions)
I 'played' around by enabling/disabling IPSec and the L2TP Secrets. I found this surprising as I thought the main issue with Mikrotik LNS up to this point is it would not support this form of security. The sessions still worked despite adjusting the security key settings (perhaps this is because the sessions were already established earlier and the changes had no immediate effect)
Packet capturing and filtering to the 67.69.X.X space showed sessions being presented to the Mikrotik LNS, I could see the passwords in clear text.
Packet capturing and filtering to the 184.150.X.X space showed sessions, I didn't observe any authentication requests, but I suspect this has to do with the sessions having already been established earlier despite disabling and re-enabling the L2TP server. This could be a reboot/patience thing.
If anyone has any ideas/suggestions, I am open to them. I am determined to make this work. I noted the lack of documentation on how to establish the LNS features, perhaps this could help others set up their environment. It will be slow to diagnose as I am working on a live system and need to make attempts in maintenance windows.
Mikrotik, we love you!
