when one of my WANs is PPPoE marks all coming from this WAN as coming from VPN. At least that's what I have observed when I was trying to implement his solution.
in-interface=all-ppp
part from my routing mark it works but with this part included, not.
, mr_vpn
and I can't connect.
ipsec,error phase1 negotiation failed due to time up...
If there is no connection why should it work?
This kind of interface is inactive until connection is established so this mangle rule is not going to work.
I wish I would know it.
And how?
# l2tp-in1 not ready
add action=mark-connection chain=prerouting comment="VPN TRAFFIC" in-interface=\
l2tp-in1 new-connection-mark=mc_vpn passthrough=yes
, mr_vpn
Can you disable all your wan interfaces except the one you want to use with your l2tp?
If yes then it works? Even if you have mr_vpn in your routing table?
Well, it does not seem likely. I was trying to connect with vpn using my WAN2 IP address.
... because obviously your L2TP connection was initiated from wan1
?
You can change the priority of your wan interfaces...
That was my starting point and this is exactly how I have it set up right now, for quite a time already. It seems to work good, but not with VPN, hence the whole story.
My advice is to study carefully the mangles PCC example... https://wiki.mikrotik.com/wiki/Manual:PCC
As for now, I have asked my ISP to change config of my connection to static IP instead of PPPoE.
There is certainly a mistake in your configuration... if you want you can export the whole router's configuration with hide sensitive and post it here...
Yes, I'm aware of that. And I understand it as "route it to vpn interface (from which connection comes) and further to gateway of WAN1". Am I correct?
Quick note, routing-mark="to_WAN1, mr_vpn" means one routing mark named "to_WAN1, mr_vpn", NOT two routing marks "to_WAN1" and "mr_vpn".
So, I think I have misunderstood the thing completely. I thought
Mangle rule sets the first one, but there's no routing table for it.
to_WAN1, mr_vpn
/ip firewall nat
add action=masquerade chain=srcnat comment="TEST VPN PING REMOTE"
/ ip firewall nat
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade
Thanks.
I like your approach.
I think it all depends on if you have enough satisfaction from having flawlessly running system or from making it by yourself to run like that... trial & error, exploring dead ends, things like that..
/ip firewall mangle
add action=accept chain=prerouting comment="PCC - Policy routing VPN" dst-address=10.11.12.0/24 in-interface=LAN
/ip route rule
add action=lookup-only-in-table dst-address=10.11.12.0/24 table=main
I couldn't agree more.... goal is to have all, flawlessly running system, knowing why it does that (it's very helpful), and good feeling from doing it yourself...
Let me dig more into this to have better understanding of things. As for now, I don't get much of it, unfortunately. I'm just occupied being happy with having flawlessly running system
You basically tell the router to ignore routing marks for some destination, and it will only use main routing table for them.
/ip route rule add action=lookup-only-in-table dst-address=10.11.12.0/24 table=main
You can just use an accept rule if you want the main routing table to be used...
/ip firewall mangle
add action=accept chain=prerouting comment="PCC - Policy routing VPN" dst-address=10.11.12.0/24 in-interface=LAN