Community discussions

 
JordanR
just joined
Topic Author
Posts: 9
Joined: Fri Jan 18, 2019 10:18 pm

[Lost Interface] IP->Routes

Fri Feb 08, 2019 4:40 am

I run a site-to-site VPN connection between my home site and a number of other locations. This works great.

But for whatever reason at random intervals, I lose a custom route that I've set up that is required for me to see the other locations IP range. It changes from the L2TP VPN interface to unknown even though the interface has already presumably reconnected after a brief disconnection (not sure if it is dropping it at random or not).

Any ideas on how to maintain this without having to go in and manually correct the route each time it cannot find it again. And hold on to the actual value?

It is slightly but persistently frustrating.

Thanks!
 
User avatar
vecernik87
Member
Member
Posts: 432
Joined: Fri Nov 10, 2017 8:19 am

Re: [Lost Interface] IP->Routes

Fri Feb 08, 2019 6:16 am

I assume we are talking about home site, where you assigned the route to dynamic interface (which gets created for every connected client), right?
Anything assigned to particular dynamic interface will get broken with any reconnection of that VPN. There is a "L2TP server binding" interface which will make it static (and will go up/down based on status of particular VPN connection)

If i am wrong with my assumption or suggested solution does not work, please share more details to specify issue. (ideally whole config with
/export hide-sensitive
where you can easily find&replace any personal details)
 
JordanR
just joined
Topic Author
Posts: 9
Joined: Fri Jan 18, 2019 10:18 pm

Re: [Lost Interface] IP->Routes

Sun Feb 10, 2019 8:32 pm

Sorry for the delay on my response.
L2TP-8794 is the (L2TP Server Binding) interface. Within the IP - Routes. I have set the gateway to L2TP-8794 (reachable) for AD (10.0.1.0/24). This works perfectly.

But this is also what randomly gets switched back to 'unknown'.

I might point out this down not happen on another L2TP-8794 pointing to DAC (172.0.0.240).

I noticed the only difference between these two setting wise. Is the distance of 0 to 1. And the scope is 30 vs 10. I adjusted them both to 10.

Any thoughts?
 
Cvan
Frequent Visitor
Frequent Visitor
Posts: 78
Joined: Sat Jun 09, 2018 3:32 am

Re: [Lost Interface] IP->Routes

Mon Feb 11, 2019 2:07 am

Same issue here... with PPTP and L2TP; when the interface falls out due to loss of connectivity... It can not re-establish the correct interface and always resets back to an unused sfp interface in fw rules and unknown in routes.. have not searched extensively for a solution as it has not gotten annoying enough.. My VPN tunnels are configured as server bindings.. Anyone have a solution?

(extending my keep-alive to 5 minutes vs 30 seconds)
 
Azma
newbie
Posts: 36
Joined: Sat Sep 27, 2014 8:10 am

Re: [Lost Interface] IP->Routes

Mon Feb 11, 2019 3:36 am

Hi Jordan,
does the interface after brief disconnected and back reconnect with interface name its their name of /ppp secret? and binding interface wasn't running?
 
User avatar
vecernik87
Member
Member
Posts: 432
Joined: Fri Nov 10, 2017 8:19 am

Re: [Lost Interface] IP->Routes

Tue Feb 12, 2019 12:14 am

I am more and more convinced that @JordanR and @Cvan are talking about dynamic interfaces. Not static ones which I earlier identified as most probable solution.
In both cases (both dynamic and static), the interface is marked as as "PPTP/L2TP/SSTP Server Binding" so it may be not easy to understand, however if you check the flag, it will be clear.

I tested both situation with SSTP and PPTP and it simply did not occur as long as I used manually created server binding. I have FW rules bound to Server Binding in my normal config, I on purpose created route and it worked despite disconnecting/reconnecting.
I also replicated exactly same result as those two (i.e. broken FW rules and broken routes) when I left the interface to be dynamic.


Let me give you example config:
/ip pool add name=pool2-VPN ranges=10.100.1.191-10.100.1.199
/ppp profile add local-address=10.100.1.254 name=VPN remote-address=pool2-VPN
/ppp secret
   add name=Adam password=test profile=VPN service=pptp
   add name=Betty password=test profile=VPN service=pptp
/interface pptp-server server set default-profile=VPN enabled=yes
/interface pptp-server add name=BettyVPN user=Betty
Magic happens on last line of that code, where I am manually creating server binding, which stays as a existing (but not running) interface even if Betty disconnect. Once Betty reconnects, interface goes back to running state and keeps same internal ID which is linked to firewall rule or routes...
If both Adam and Betty connects, I can print something like this:
[admin@mikrotik] > /interface  print where type="pptp-in"   
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0 DR  <Adam>                              pptp-in          1500
 1  R  BettyVPN                            pptp-in          1500

Now lets block both of them access to rest of local network:
/ip firewall filter 
   add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=<Adam>
   add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=BettyVPN

at the moment, it works. But once they disconnect, following will happen:
[admin@mikrotik] > /interface  print where type="pptp-in"   
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0     BettyVPN                            pptp-in          
 
[admin@mikrotik] > /ip firewall filter export
 ...
# no interface
add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=*F00110   
add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=BettyVPN

See? Adam's rule got broken because his interface does not exist anymore. It is actually not linked via name (that is just displayed as user-friendly description) but link happens via internal ID, in this case it was F00110. Once Adam connects again, he won't get same ID again despite the fact that his dynamic server binding will have same name.
Same would happen for routes.

Please, lets focus on those interfaces - whether they are dynamic (automatically created when client connects) or static (manually created by admin)
 
Cvan
Frequent Visitor
Frequent Visitor
Posts: 78
Joined: Sat Jun 09, 2018 3:32 am

Re: [Lost Interface] IP->Routes

Tue Feb 12, 2019 4:27 am

Bravo! I knew the answer would eventually surface! You are exactly precisely correct, vecernik87 - Thanks for that

I am more and more convinced that @JordanR and @Cvan are talking about dynamic interfaces. Not static ones which I earlier identified as most probable solution.
In both cases (both dynamic and static), the interface is marked as as "PPTP/L2TP/SSTP Server Binding" so it may be not easy to understand, however if you check the flag, it will be clear.

I tested both situation with SSTP and PPTP and it simply did not occur as long as I used manually created server binding. I have FW rules bound to Server Binding in my normal config, I on purpose created route and it worked despite disconnecting/reconnecting.
I also replicated exactly same result as those two (i.e. broken FW rules and broken routes) when I left the interface to be dynamic.


Let me give you example config:
/ip pool add name=pool2-VPN ranges=10.100.1.191-10.100.1.199
/ppp profile add local-address=10.100.1.254 name=VPN remote-address=pool2-VPN
/ppp secret
   add name=Adam password=test profile=VPN service=pptp
   add name=Betty password=test profile=VPN service=pptp
/interface pptp-server server set default-profile=VPN enabled=yes
/interface pptp-server add name=BettyVPN user=Betty
Magic happens on last line of that code, where I am manually creating server binding, which stays as a existing (but not running) interface even if Betty disconnect. Once Betty reconnects, interface goes back to running state and keeps same internal ID which is linked to firewall rule or routes...
If both Adam and Betty connects, I can print something like this:
[admin@mikrotik] > /interface  print where type="pptp-in"   
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0 DR  <Adam>                              pptp-in          1500
 1  R  BettyVPN                            pptp-in          1500

Now lets block both of them access to rest of local network:
/ip firewall filter 
   add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=<Adam>
   add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=BettyVPN

at the moment, it works. But once they disconnect, following will happen:
[admin@mikrotik] > /interface  print where type="pptp-in"   
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0     BettyVPN                            pptp-in          
 
[admin@mikrotik] > /ip firewall filter export
 ...
# no interface
add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=*F00110   
add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=BettyVPN

See? Adam's rule got broken because his interface does not exist anymore. It is actually not linked via name (that is just displayed as user-friendly description) but link happens via internal ID, in this case it was F00110. Once Adam connects again, he won't get same ID again despite the fact that his dynamic server binding will have same name.
Same would happen for routes.

Please, lets focus on those interfaces - whether they are dynamic (automatically created when client connects) or static (manually created by admin)
 
User avatar
vecernik87
Member
Member
Posts: 432
Joined: Fri Nov 10, 2017 8:19 am

Re: [Lost Interface] IP->Routes

Tue Feb 12, 2019 5:55 am

I knew the answer would eventually surface!
I wrote it earlier but I guess bad words were chosen - I did not specifically mention how to create the static interface, despite the fact I had it in mind the whole time.
Anyway, I am happy that it helped at least you :) hopefully @JordanR will confirm the solution as well.
 
algisr
just joined
Posts: 13
Joined: Sat Apr 28, 2018 11:30 am

Re: [Lost Interface] IP->Routes

Wed Feb 13, 2019 10:53 pm

You problem is that you set manual route via dynamic Interface. It gets unknown if VPN interface gets unknown for some reason.
Solution is simple:
A.) Create routing protocol if you doing some crazy +3 Site-to-Site VPN solution.
Or
B.) If we assume that you want to reach 172.16.10.0/24 in this example:
PPP -> Interface. Open your VPN interface (does not matter CLIENT or SERVER, but if you have more than one then you need to open the correct one). Go to tab "Status". Find "Remote Address" (for example 10.50.20.2)
IP -> Routes. Add destination address (172.16.10.0/24) set it's gateway as Remote VPN address (in this example 10.50.20.2).

I'd suggest to do same on the other side of VPN if it is MikroTik also (and you manage it). Everything would be the same only Destination route and VPN remote Address should be different.

Who is online

Users browsing this forum: mozerd, someone2 and 34 guests