ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

L2TP - I think the response is going out through the wrong interface

Sun Sep 12, 2021 3:10 pm

Hi,
I have a number of hEX products which we use to link remote sites together via L2TP/EoIP.
This was working absolutely fine until a couple of weeks ago when something apparently changed. Now, the existing main firewall that we have is dropping the packets for the L2TP because the reply from the MikroTik is coming back on the wrong interface (and therefore appears to be an IP-Spoof).

I think the problem is that the MikroTik is not sending the packets back through the right interface, although I could be 100% wrong about this.

The setup is fairly simple. The WAN port of the MikroTik is connected to one of the interfaces of our external facing firewall. It (the MikroTik WAN interface) is given the IP Address 192.168.20.2.
The necessary rules are setup in the external firewall to forward the L2TP and so on to the MikroTik from the internet.
On the MikroTik, Eth1 is the WAN port, and Eth2 is connected to the LAN (physically) and has the EoIP bridges in a network bridge in the config.
So, there are L2TP connections between the MikroTik boxes (or there should be) and then the EoIP Bridge runs over the L2TP... has worked like a charm for about a year since we set it up last summer.

I did a packet trace on the MikroTik, filtering for anything that is UDP(1701). Below is a copy/paste of one of the sets of entries for one of the remote sites. I've removed the actual public IP of the remote site for obvious reasons.

Interface Direction Src. Address Src. Port Dst. Address Protocol IP Protocol
ether1 rx [Remote Site Public IP] 28651 192.168.20.2 2048 (ip) 17 (udp)
Bridge-Local tx 192.168.20.2 1701 [Remote Site Public IP] 2048 (ip) 17 (udp)
ether2 tx 192.168.20.2 1701 [Remote Site Public IP] 2048 (ip) 17 (udp)
Bridge-Local tx 192.168.20.2 1701 [Remote Site Public IP] 2048 (ip) 17 (udp)
ether2 tx 192.168.20.2 1701 [Remote Site Public IP] 2048 (ip) 17 (udp)

I should say at this point that I have a bit better than basic networking knowledge, but not much more than basic.
To my idiot's way of thinking, based on the packet trace, it looks like the requests are coming in on the Eth1 interface of the MikroTik (rx on Eth1 has the IP addresses where I would expect them to be for receiving a request from the outside world), but the reply seems to be being sent back to the outside world through the Eth2 which I don't think is right (well, it can't be because the external firewall is complaining that the IP Address doesn't belong to the subnet of the interface on which it is being received).

Anyway - any thoughts or ideas here? I guess I just need to tell the MikroTik which interface to use for what and then all is good... but don't know how to do this.

Thanks in advance...

Colin
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: L2TP - I think the response is going out through the wrong interface

Sun Sep 12, 2021 9:02 pm

What ROS version do you run?
Did you upgrade routers?

More details please.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP - I think the response is going out through the wrong interface

Sun Sep 12, 2021 10:56 pm

1) post the export of the configuration from one of the affected routers, it sure looks as if a route was either missing or one too many. As @BartoszP suggests, this may be a consequence of an upgrade. See my automatic signature right below for a mini-howto on the export.
2) do you use the EoIP tunnels to transport VLAN-tagged packets? If not, you can save some packet space by directly using BCP (L2) tunnels instead of EoIP over IPCP tunnels.
 
ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Re: L2TP - I think the response is going out through the wrong interface  [SOLVED]

Sun Sep 04, 2022 8:03 pm

Problem was a dodgy default route.
Now fixed.
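The trace in the first post and the fix in the last one describe the same thing: the reply to a packet that arrived on ether1 was routed out through the bridge because the default route pointed the wrong way, and the upstream firewall treated that as spoofing. The following added example (not from the thread or from RouterOS) shows how to reproduce that diagnosis offline: a longest-prefix-match lookup over a constructed routing table, run against a sniffer-style row like the one posted, flagging replies that would leave on a different interface than the request arrived on. The stale gateway 192.168.10.1, the firewall gateway 192.168.20.1 and the remote public IP 203.0.113.10 are assumed placeholders.

```python
import ipaddress

# Sniffer-style rows, constructed to mirror the post's trace (the public IP is a
# documentation-range placeholder, not the real remote site).
TRACE = [
    {"iface": "ether1", "dir": "rx", "src": "203.0.113.10", "sport": 28651,
     "dst": "192.168.20.2", "dport": 1701},
]

# Routing tables as (prefix, gateway, interface, distance). Assumed values.
STALE_ROUTES = [          # leftover default route pointing into the LAN bridge
    ("0.0.0.0/0", "192.168.10.1", "Bridge-Local", 1),
    ("192.168.20.0/24", None, "ether1", 0),
    ("192.168.10.0/24", None, "Bridge-Local", 0),
]
FIXED_ROUTES = [          # default route via the external firewall on the WAN port
    ("0.0.0.0/0", "192.168.20.1", "ether1", 1),
    ("192.168.20.0/24", None, "ether1", 0),
    ("192.168.10.0/24", None, "Bridge-Local", 0),
]

def egress_interface(routes, dst):
    """Interface a packet to dst leaves on: longest prefix wins, then lowest distance."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, _gw, iface, distance in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -distance)
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None

def asymmetric_replies(routes, trace):
    """Flag rx packets whose reply would leave on a different interface than it arrived on."""
    findings = []
    for pkt in trace:
        if pkt["dir"] != "rx":
            continue
        reply_iface = egress_interface(routes, pkt["src"])
        findings.append({"src": pkt["src"], "in": pkt["iface"], "reply_out": reply_iface,
                         "asymmetric": reply_iface != pkt["iface"]})
    return findings

if __name__ == "__main__":
    for name, table in (("stale", STALE_ROUTES), ("fixed", FIXED_ROUTES)):
        for finding in asymmetric_replies(table, TRACE):
            print(name, finding)
```

With the stale table the reply to the remote site is sent out Bridge-Local, which is exactly what the posted trace shows; with the corrected default route it goes back out ether1.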
