icsterm
Frequent Visitor
Topic Author
Posts: 58
Joined: Sun Mar 11, 2018 11:11 pm

L2TP VPN selective routing using mangle filters

Tue Mar 20, 2018 11:38 pm

Hi,

Here is my setup: RB750Gr3 running 6.42rc46, PPPoE WAN connection, NAT with fasttrack enabled, and an L2TP client for selective NAT routing.

Config:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack non-vpn" connection-state=established,related \
in-interface=!l2tp-out out-interface=!l2tp-out
add action=accept chain=forward comment="non-fasttrack fallover" connection-state=established,related
/ip firewall mangle
add action=mark-routing chain=prerouting comment=MARK-VPN-OUT1 new-routing-mark=USA-OUT passthrough=yes \
src-address=192.168.137.104
add action=mark-routing chain=prerouting comment=MARK-VPN-OUT2 new-routing-mark=USA-OUT passthrough=yes \
src-address=192.168.137.100
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT enable" out-interface=pppoe-out
add action=masquerade chain=srcnat comment="l2tp NAT" out-interface=l2tp-out

Because fasttrack is not working with mangling properly, I've negated the l2tp client in the in/out interface setting (marked in red), in the fasttrack firewall rule. Is that the best way to do this? It sure does fix the VPN speed.
I've tried routing-mark=!USA-OUT or routing-mark=main but the rule didn't work, the VPN still doesn't work properly, getting 1mbps instead of 50mbps.

Any advice?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP VPN selective routing using mangle filters

Wed Mar 21, 2018 11:19 pm

> Because fasttrack is not working with mangling properly, I've negated the l2tp client in the in/out interface setting (marked in red), in the fasttrack firewall rule. Is that the best way to do this? It sure does fix the VPN speed.
> I've tried routing-mark=!USA-OUT or routing-mark=main but the rule didn't work, the VPN still doesn't work properly, getting 1mbps instead of 50mbps.

Somehow it's too many thoughts not clearly separated from one another. Does "the VPN still doesn't work properly, getting 1mbps instead of 50mbps" apply only to your rule with routing-mark=!USA-OUT or routing-mark=main, or does it apply also to the rule with in-interface=!l2tp-out out-interface=!l2tp-out?

If it applies only to the rules which use the routing-mark, the reason is that the rule with action=fasttrack-connection matches on either direction (inbound or outbound) of a member packet of a connection. And as you don't mark packets incoming via the l2tp-out interface with any routing mark, the action=fasttrack-connection matches on them if the exception is based on the routing mark.
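
The reasoning in the reply above can be checked with a small Python model. This is an added illustration, not code from any poster or from RouterOS: it evaluates the thread's two fasttrack exceptions against both directions of a connection. The LAN interface name `bridge`, the remote address 203.0.113.10, the non-VPN client 192.168.137.50 and the rule that a connection counts as fasttracked once any of its packets matches are assumptions of the model; connection-state is not modelled.

```python
# Simplified model (an assumption, not RouterOS code): a connection counts as
# fasttracked once ANY of its packets, in either direction, matches the rule.
from dataclasses import dataclass

VPN_CLIENTS = {"192.168.137.104", "192.168.137.100"}  # from the page's mangle rules

@dataclass
class Packet:
    src: str
    in_if: str
    out_if: str
    routing_mark: str = ""  # empty string: no routing mark set

def mangle_prerouting(pkt):
    """The page's mangle rules: mark-routing by src-address only."""
    if pkt.src in VPN_CLIENTS:
        pkt.routing_mark = "USA-OUT"
    return pkt

def rule_by_mark(pkt):
    """Fasttrack exception written as routing-mark=!USA-OUT."""
    return pkt.routing_mark != "USA-OUT"

def rule_by_interface(pkt):
    """Exception written as in-interface=!l2tp-out out-interface=!l2tp-out."""
    return pkt.in_if != "l2tp-out" and pkt.out_if != "l2tp-out"

def connection_fasttracked(packets, rule):
    """True if any packet of the connection matches the fasttrack rule."""
    return any(rule(mangle_prerouting(p)) for p in packets)

# Constructed sample traffic: one connection via the VPN, one via the WAN.
vpn_conn = [
    Packet("192.168.137.104", "bridge", "l2tp-out"),  # client -> tunnel
    Packet("203.0.113.10", "l2tp-out", "bridge"),     # reply, arrives unmarked
]
wan_conn = [
    Packet("192.168.137.50", "bridge", "pppoe-out"),
    Packet("203.0.113.10", "pppoe-out", "bridge"),
]

def results():
    rules = {"mark": rule_by_mark, "interface": rule_by_interface}
    conns = {"vpn": vpn_conn, "wan": wan_conn}
    return {f"{c}/{r}": connection_fasttracked(pkts, fn)
            for c, pkts in conns.items() for r, fn in rules.items()}

if __name__ == "__main__":
    for name, hit in results().items():
        print(f"{name}: fasttracked={hit}")
```

In this model the mark-based exception still fasttracks the VPN connection, because the reply packet arriving on l2tp-out carries no routing mark, while the interface-based exception excludes both directions.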
 
diego73
newbie
Posts: 26
Joined: Tue Feb 12, 2019 8:22 pm
Location: ciudad de buenos aires, argentina

Re: L2TP VPN selective routing using mangle filters

Tue Jun 22, 2021 9:30 pm

Hi!

Can you help me with this?

viewtopic.php?f=13&t=176098

Thanks!
