Hi all,

I don't know how to do this.
I've 3 interfaces: WAN1, WAN2 and LAN.

With mangle and routing policy, I'm using voip over WAN2. WAN1 is default gateway for everything else.

What I need know (because bandwith balancing) is to let some l2tp users connect through WAN2 and the rest through WAN1.

My problem is that WAN2 seems that is not serving any Mikrotik service. No winbox, ping or the most important: l2tp.

I've tryed to mark connection incoming throung WAN2 and them mark routing but it's not working for this. I think this work for internal services (as Web server, terminal, etc.) but not for Mikrotik services.

Any ideas?

Thanks!

Are you trying to allow l2tp inbound on multiple ips ? If so, use dst-nat and action=redirect, and specify 2 rules, 1 for each wan ip. It seems to make this work on our setup. I had the same problems, anything local had to get an entry in the connection table, and the only way to do that it seemed was to add a redirect rule.

Sam

Hi, yes I'm trying to allow l2tp over two WAN IPs at diferents ISP.
I don't understand you at all. Can you please write an example?

Thanks,
Luis

add chain=dstnat dst-address=204.x.x.1 protocol=udp dst-port=1701 \
action=redirect to-ports=1701 comment="" disabled=no
add chain=dstnat dst-address=204.x.x.2 protocol=udp dst-port=1701 \
action=redirect to-ports=1701 comment="" disabled=no
add chain=dstnat dst-address=204.x.x.3 protocol=udp dst-port=1701 \
action=redirect to-ports=1701 comment="" disabled=no

Without these redirect rules all l2tp responses always seemed to go back with the preferred source ip, breaking the l2tp tunnel after about 10-60 seconds (udp stream timeout?) The above rules allow me to listen on 3 ips independently.

Sam

Just stumbled over this one myself and have spent a couple of hours trying to work out why the hell it wasn't working before coming across this post.

It seems that even trying to force connection/route marks on these connections fails - the route marks are set, but are then completely ignored by the routing table.

Given this has been known about for three years, can somebody comment on why it works in this way (or, more to the point, why it doesn't work properly)?

After doing some more digging, it appears that both the L2TP clients and servers are ignoring any routing marks and packets are just passed to the default (no-mark) route.

The only way I can get two ROS boxes to talk to each other over two differently routed L2TP connections is to src-nat on the client and dst-nat on the server. This seems to have the effect of making the routing tables be consulted.

I should point out that in the above example, the client has two IP addresses and the server has two IP addresses, the tunnels are between c1:s1 and c2:s2. Although mangle rules appear to correctly classify and mark routes, these route marks are ignored when the packet is sent (unless the NAT rules, above) are specified. When src/dst-nat rules are not used and the no-mark route entry has a preferred source, that source appears to be being ignored and the last known working (i.e. connected on) IP is used.

Not good.