Askey307
Frequent Visitor
Topic Author
Posts: 60
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

PPPoE and L2TP Connection/Routing Issue

Sat Oct 17, 2020 6:58 pm

Hi guys

Having a little bit of an issue. The Cisco got damaged and I had to replace it with an RB2011 I had lying around. The issue I'm having is that I have to connect to the office network via L2TP.
My main internet WAN connection is via PPPoE. Up to the Mikrotik, everything works and I can ping local ranges at the office etc.
The issue I'm having is that my client devices, such as my workstation and other client devices, cannot see these ranges or ping them. See the picture attached of what I mean.
Assistance will be appreciated.
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: PPPoE and L2TP Connection/Routing Issue

Sat Oct 17, 2020 7:47 pm

The quality of an answer depends on the quality of the question. So to get any useful advice, post your configuration in text form, following the anonymisation hint in my automatic signature right below. Screenshots are useless for any analysis, and yours in particular just show that it doesn't work, nothing else.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Askey307
Frequent Visitor
Topic Author
Posts: 60
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Re: PPPoE and L2TP Connection/Routing Issue

Sat Oct 17, 2020 7:59 pm

The quality of an answer depends on the quality of the question. So to get any useful advice, post your configuration in text form, following the anonymisation hint in my automatic signature right below. Screenshots are useless for any analysis, and yours in particular just show that it doesn't work, nothing else.
I've added the config. The 192.168.0.0/24 range randomly started working on client devices such as 192.168.0.102 in the office. The 192.168.80.0/24 range is still not reachable by client devices. I'm using the default config and firewall of MT for now. Let me know what else you require.
/interface bridge
add admin-mac=E4:8D:8C:0A:FF:0A auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
   xxxxxxxxx@xxxxxxx.co
/interface l2tp-client
add connect-to=mail.xxxxx.com disabled=no name=l2tp-out1 user=conrad
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-0AFF13 station-roaming=enabled wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.10.200-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=ether2 network=\
    192.168.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.10.254 client-id=1:54:be:f7:38:e4:c0 mac-address=\
    54:BE:F7:38:E4:C0 server=defconf
add address=192.168.10.251 client-id=1:b0:be:76:22:9d:42 mac-address=\
    B0:BE:76:22:9D:42 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=l2tp-out1 pref-src=\
    192.168.10.1
add distance=1 dst-address=192.168.80.0/24 gateway=l2tp-out1 pref-src=\
    192.168.10.1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add type=external
add interface=pppoe-out1 type=external
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: PPPoE and L2TP Connection/Routing Issue  [SOLVED]

Sat Oct 17, 2020 8:14 pm

It's strange, as everything looks fine in your configuration. The routes are there, the masquerade rule is there (it could be more selective but it doesn't cause any trouble as-is given the rest of the configuration). So try pinging something in the 192.168.80.0/24 range that you know to respond, from a client device in 192.168.10.0/24, and run
/tool sniffer quick interface=l2tp-out1 ip-protocol=icmp ip-address=192.168.80.x
(change the x accordingly). What can you see?

There is one minor mistake, the own address of the Mikrotik, 192.168.10.1/24, should not be attached to ether2 but to bridge, but it doesn't explain the issue. To fix that part, use
/ip address set [find interface=ether2] interface=bridge
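A small configuration linter for the two points raised in this reply (the router's own LAN address sitting on ether2 instead of on the bridge, and a masquerade rule that could be narrower), written as an added example for this thread; it is not code from the thread or from MikroTik. It parses an /export in the same text form posted above, joining the backslash line continuations, and reports each finding together with the RouterOS command that would address it. The `/ip address set ... interface=bridge` command is the one given in the reply; narrowing the masquerade rule with `out-interface-list=WAN` is an assumption that the WAN interface list present in the posted config is the one the rule should be bound to. The embedded export excerpt is constructed from the sections of the posted config the checks look at.

```python
import shlex

# Constructed excerpt in the shape of the /export posted in this thread,
# trimmed to the sections the checks below look at.
SAMPLE_EXPORT = r"""
/interface bridge
add admin-mac=E4:8D:8C:0A:FF:0A auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=ether2 network=\
    192.168.10.0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none
/ip route
add distance=1 dst-address=192.168.80.0/24 gateway=l2tp-out1 pref-src=\
    192.168.10.1
"""


def join_continuations(text):
    """Merge lines that the export wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = (buf + raw.strip()) if buf else raw.rstrip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]          # keep accumulating on the next line
            continue
        lines.append(line)
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return a list of (section, verb, {param: value}) for each command."""
    entries, section = [], None
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()   # e.g. "/ip address"
            continue
        tokens = shlex.split(line)   # handles quoted comments
        params, depth = {}, 0
        for tok in tokens[1:]:
            if tok == "[":           # skip the [ find ... ] selector
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        entries.append((section, tokens[0], params))
    return entries


def address_on_bridge_port(entries):
    """IP addresses attached to a port that is a member of a bridge."""
    ports = {p["interface"]: p["bridge"] for s, v, p in entries
             if s == "/interface bridge port" and v == "add"}
    return [(p["address"], p["interface"], ports[p["interface"]])
            for s, v, p in entries
            if s == "/ip address" and v == "add" and p.get("interface") in ports]


def broad_masquerade(entries):
    """srcnat masquerade rules not limited to an outgoing interface or list."""
    return [p for s, v, p in entries
            if s == "/ip firewall nat" and v == "add"
            and p.get("chain") == "srcnat" and p.get("action") == "masquerade"
            and not (p.get("out-interface") or p.get("out-interface-list"))]


def suggest_fixes(entries):
    """RouterOS commands for each finding (WAN list binding is an assumption)."""
    cmds = [f"/ip address set [find interface={iface}] interface={bridge}"
            for _addr, iface, bridge in address_on_bridge_port(entries)]
    for _rule in broad_masquerade(entries):
        cmds.append("/ip firewall nat set [find chain=srcnat action=masquerade] "
                    "out-interface-list=WAN")
    return cmds


def lint(export_text):
    entries = parse_export(export_text)
    return {"address_on_bridge_port": address_on_bridge_port(entries),
            "broad_masquerade": [r.get("comment", "") for r in broad_masquerade(entries)],
            "fixes": suggest_fixes(entries)}


if __name__ == "__main__":
    for key, value in lint(SAMPLE_EXPORT).items():
        print(key, value)
```

Run against a full export saved from the router, the same two checks apply unchanged; the parser ignores sections it does not know about, so extending it with further checks only means adding another function over the `(section, verb, params)` tuples.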
 
Askey307
Frequent Visitor
Topic Author
Posts: 60
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Re: PPPoE and L2TP Connection/Routing Issue

Sat Oct 17, 2020 8:25 pm

It's strange, as everything looks fine in your configuration. The routes are there, the masquerade rule is there (it could be more selective but it doesn't cause any trouble as-is given the rest of the configuration). So try pinging something in the 192.168.80.0/24 range that you know to respond, from a client device in 192.168.10.0/24, and run
/tool sniffer quick interface=l2tp-out1 ip-protocol=icmp ip-address=192.168.80.x
(change the x accordingly). What can you see?

There is one minor mistake, the own address of the Mikrotik, 192.168.10.1/24, should not be attached to ether2 but to bridge, but it doesn't explain the issue. To fix that part, use
/ip address set [find interface=ether2] interface=bridge
I fixed the "ether2" issue. Thank you for noticing. Yeah, I can ping the main router over in the one NDC on 80.1.
I can even open the NMS on 80.3 without an issue but cannot ping it. The 80 range is a VSAT 550ms+ range. Still doesn't explain it.
The other ranges just started pinging and became accessible randomly without intervention half an hour after creating this post.
The sniffer also gets a response from 80.3.
Think I'm getting high.
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: PPPoE and L2TP Connection/Routing Issue

Sat Oct 17, 2020 8:32 pm

I can even open the NMS on 80.3 without an issue but cannot ping it.
...
The sniffer also gets a response from 80.3.
Do I read you right that the sniffer shows an ICMP response from the 80.3 but the client cannot see it? I.e. the response doesn't make it through the Mikrotik to the client?
 
Askey307
Frequent Visitor
Topic Author
Posts: 60
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Re: PPPoE and L2TP Connection/Routing Issue

Sat Oct 17, 2020 8:39 pm

I can even open the NMS on 80.3 without an issue but cannot ping it.
...
The sniffer also gets a response from 80.3.
Do I read you right that the sniffer shows an ICMP response from the 80.3 but the client cannot see it? I.e. the response doesn't make it through the Mikrotik to the client?
Yeah you did read that right. I know you don't like screenshots, but see attached. To the right is the client pc that can't ping it but can access the NMS. The screenshot also shows the response of the sniffer.
 
Askey307
Frequent Visitor
Topic Author
Posts: 60
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Re: PPPoE and L2TP Connection/Routing Issue

Sat Oct 17, 2020 8:53 pm

I can even open the NMS on 80.3 without an issue but cannot ping it.
...
The sniffer also gets a response from 80.3.
Do I read you right that the sniffer shows an ICMP response from the 80.3 but the client cannot see it? I.e. the response doesn't make it through the Mikrotik to the client?
Aaaaand there it started pinging randomly without intervention....
Am I missing something about Mikrotik's dynamic processes?
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: PPPoE and L2TP Connection/Routing Issue

Sat Oct 17, 2020 9:01 pm

The 80 range is a VSAT 550ms+ range.
The sniffer says the response from the 80.3 arrives 40-60 ms after the request is sent in the opposite direction. But as you mention there's a VSAT link in the path, 40-60 ms is mission impossible, so could it actually be 1040-1060 ms (i.e. response to request N arriving after request N+1)? In that case, pinging from the Windows with -w 1500 might give better results?
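The reasoning in this reply, that a reply seen 40-60 ms after a request may really belong to the previous request and so represent a 1040-1060 ms round trip, is easy to confirm from a capture by matching echo replies to echo requests by ICMP sequence number instead of by adjacency. The block below does that on a constructed capture of five one-second-spaced requests with 1050 ms replies; it is an added example for this thread, not RouterOS sniffer output and not code from the thread. The capture format (time, direction, ICMP type, sequence) and the `replies_within_timeout` model of a ping client with a per-request timeout such as `-w 1500` are assumptions made for the example.

```python
# Constructed capture: echo requests every 1.0 s, each reply 1.05 s later.
# Fields: (time in seconds, direction, ICMP type, ICMP sequence number)
CAPTURE = [
    (0.000, "out", "echo-request", 1),
    (1.000, "out", "echo-request", 2),
    (1.050, "in",  "echo-reply",   1),
    (2.000, "out", "echo-request", 3),
    (2.050, "in",  "echo-reply",   2),
    (3.000, "out", "echo-request", 4),
    (3.050, "in",  "echo-reply",   3),
    (4.050, "in",  "echo-reply",   4),
]


def rtt_adjacent_ms(capture):
    """Naive reading of a capture: pair each reply with the most recent
    request regardless of sequence number. This is what 'the reply arrives
    40-60 ms after the request' looks like on a high-latency link."""
    rtts, last_request = [], None
    for t, _direction, icmp_type, _seq in sorted(capture):
        if icmp_type == "echo-request":
            last_request = t
        elif icmp_type == "echo-reply" and last_request is not None:
            rtts.append(round((t - last_request) * 1000))
    return rtts


def rtt_by_seq_ms(capture):
    """Correct reading: match each reply to the request carrying the same
    ICMP sequence number. Returns {seq: rtt_ms}."""
    sent, rtts = {}, {}
    for t, _direction, icmp_type, seq in capture:
        if icmp_type == "echo-request":
            sent[seq] = t
        elif icmp_type == "echo-reply" and seq in sent:
            rtts[seq] = round((t - sent[seq]) * 1000)
    return rtts


def consistent_with_link_floor(rtts_ms, floor_ms=550):
    """True if every measured RTT is at least the link's known minimum latency
    (550 ms for the VSAT segment mentioned in the thread)."""
    return all(rtt >= floor_ms for rtt in rtts_ms.values())


def replies_within_timeout(rtts_ms, timeout_ms):
    """Number of replies a ping client would count as answered when it waits
    at most timeout_ms per request (the -w value in the reply above)."""
    return sum(1 for rtt in rtts_ms.values() if rtt <= timeout_ms)


if __name__ == "__main__":
    print("adjacent pairing (ms):", rtt_adjacent_ms(CAPTURE))
    by_seq = rtt_by_seq_ms(CAPTURE)
    print("by sequence number (ms):", by_seq)
    print("plausible for a 550 ms+ link:", consistent_with_link_floor(by_seq))
    for timeout in (1000, 1500):
        print(f"replies counted with -w {timeout}:",
              replies_within_timeout(by_seq, timeout))
```

The adjacent-pairing view reports ~50 ms for every reply except the last one, which has no following request to be confused with; the sequence-number view reports 1050 ms throughout, which is the only reading compatible with a 550 ms+ satellite hop. With a 1000 ms per-request timeout the client counts none of those replies, with 1500 ms it counts all of them, which is the effect the `-w 1500` suggestion is aiming at.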
 
Askey307
Frequent Visitor
Topic Author
Posts: 60
Joined: Fri Sep 29, 2017 10:20 am
Location: South Africa

Re: PPPoE and L2TP Connection/Routing Issue

Mon Oct 19, 2020 12:59 pm

The 80 range is a VSAT 550ms+ range.
The sniffer says the response from the 80.3 arrives 40-60 ms after the request is sent in the opposite direction. But as you mention there's a VSAT link in the path, 40-60 ms is mission impossible, so could it actually be 1040-1060 ms (i.e. response to request N arriving after request N+1)? In that case, pinging from the Windows with -w 1500 might give better results?
Everything works great now. However, I did find something on Saturday evening, after a lot of reading, that caused this "anomaly", even though I was a bit skeptical about it: it seems that it was the route table cache in the background. I tested it yesterday quite a bit by disabling "route-cache", and all routes establish instantly, but then I lose the fast path functionality; when enabling it again as it is by default, it "hangs" the route for a time again before responding. Can't say for sure that this was the issue.
