greek
Member Candidate
Topic Author
L2TP to different wan?

Sun Aug 05, 2018 8:47 pm

Hi!
How do I direct an outgoing L2TP connection to a new WAN after a disconnect/reconnect?

I have 2 routing tables.
I tried to catch the first packet of the new L2TP connection in mangle output with the "connection-state=new" option, but I don't see any packets.

How do I solve this?
 
sindy
Forum Guru

Re: L2TP to different wan?

Mon Aug 06, 2018 12:31 am

Not sufficient information (your rule may be at the wrong position in the chain), but most likely the lifetime of the connection in the firewall's connection tracker (180 s for UDP) is longer than the pause between the L2TP failure and the re-connection attempt following the failure, so the connection tracker treats an actually new connection to the same destination as if it were the old one. This happens (if it does) because RouterOS follows the L2TP recommendation, so although it is acting as a client, it also uses port 1701 on the local side, and the connection tracker cannot distinguish between the old and the new attempt, as all the distinctive fields of a UDP connection (local IP and port, remote IP and port) are the same.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
greek
Member Candidate
Topic Author

Re: L2TP to different wan?

Mon Aug 06, 2018 3:13 am

Yes, you are right.

And I have no idea how to reconnect L2TP via the new WAN.
 
sindy
Forum Guru

Re: L2TP to different wan?

Mon Aug 06, 2018 8:02 pm

There is a four-letter word describing the situation, starting with letter ж.

Do you use L2TP over IPsec or plain L2TP? In either case, the solution might be to capture the initial packet, analyse it using Wireshark, compose a hex pattern matching that packet using the content match condition, and use it together with a size match condition in a rule which would add a short-lived item to /ip firewall address-list. A script scheduled for every second would look for that address-list item and, if found, would remove the existing /ip firewall connection, so the next retransmission of the initial packet would create a new connection and would also be treated as a connection-state=new packet.
 
greek
Member Candidate
Topic Author

Re: L2TP to different wan?

Tue Aug 07, 2018 12:20 pm

Thanks a lot.

I am also thinking about a script that checks the L2TP connection state and removes the connection from the conntrack table.

But I still hope to find a native solution (without scripts).
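As an added example (not posted by either participant, and not MikroTik documentation), here is one way to put the two ideas above together on a RouterOS v6 router: a mangle rule in chain output steers the first packet of a fresh L2TP tunnel into the second routing table, and a scheduled script removes the stale UDP 1701 conntrack entry whenever the L2TP client is not running, so the next retransmitted initial packet is seen as connection-state=new and hits the rule. The trigger is the "l2tp-client is down" check greek mentions rather than the content/size match sindy describes, because the hex pattern of the initial packet has to be taken from your own capture. The interface name l2tp-out1, the server address 203.0.113.10 and the routing mark wan2 are assumptions; this is plain L2TP, not L2TP/IPsec (with use-ipsec=yes the outer connection conntrack sees is the IPsec one, on UDP 500/4500, not UDP 1701).

```routeros
# Added example, not from the thread. Assumptions:
#   l2tp-out1     - name of the /interface l2tp-client
#   203.0.113.10  - the L2TP server (documentation address)
#   wan2          - routing mark / routing table for the second WAN

# 1. Steer the first packet of a new L2TP tunnel into the second routing table.
#    Only connection-state=new matches, which is exactly why a stale conntrack
#    entry left over from the previous tunnel prevents this rule from firing.
/ip firewall mangle
add chain=output protocol=udp dst-address=203.0.113.10 dst-port=1701 \
    connection-state=new action=mark-routing new-routing-mark=wan2 \
    passthrough=no comment="new L2TP tunnel -> wan2"

# 2. While the L2TP client is down, remove the old tracked connection to
#    server:1701 so the next retransmission of the initial packet creates a
#    new connection and is treated as connection-state=new.
/system script
add name=l2tp-flush-conntrack source={
    :local iface "l2tp-out1"
    :local server "203.0.113.10"
    :if ([/interface l2tp-client get [find name=$iface] running] = false) do={
        :foreach c in=[/ip firewall connection find where protocol=udp \
                dst-address~($server . ":1701")] do={
            :log info ("L2TP down, removing stale conntrack entry " . \
                [/ip firewall connection get $c src-address] . " -> " . \
                [/ip firewall connection get $c dst-address])
            /ip firewall connection remove $c
        }
    }
}

# 3. Run the check every second, as suggested above.
/system scheduler
add name=l2tp-flush-conntrack interval=1s on-event=l2tp-flush-conntrack
```

To confirm the diagnosis before installing the script, bring the tunnel down and run `/ip firewall connection print where protocol=udp dst-address~":1701"` within 180 s: the entry with local port 1701 that is still listed is the one that swallows the reconnect attempt. After the script has run you should see the mangle rule's packet counter increment on the next reconnect.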
