awacenter
Member Candidate
Topic Author
Posts: 201
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

L2TP Tunnel through specific interface

Thu Jun 09, 2011 3:25 pm

Hi forum!

I have RouterOS running on x86. This router has 3 ethernet interfaces, each of them connected to its own DSL multiport router. I want to set up 3 different L2TP/PPTP tunnels, but I want each of them to be routed through a different interface. The problem is that the remote PPTP/L2TP server is the same one for the 3 tunnels, so there is no way to distinguish routes by destination address. The only difference between the tunnels is their user and password. Do I have to move to layer7 properties? If so, any idea how?

Thanks in advance.
Nando.
 
petrn
Member Candidate
Posts: 180
Joined: Thu Jul 29, 2010 3:56 am
Location: Dubai

Re: L2TP Tunnel through specific interface

Thu Jun 09, 2011 4:02 pm

Hi,

Use 3 metarouters, if you are not scared to maintain 4 routers instead of one.
 
wifi442
Frequent Visitor
Posts: 81
Joined: Tue Jan 12, 2010 11:01 pm

Re: L2TP Tunnel through specific interface

Mon Jun 13, 2011 6:59 pm

I am interested in this as well. I have an identical setup to the OP. Is metarouter the only way?

Can the outgoing filter under profile be of any use for this?
 
petrn
Member Candidate
Posts: 180
Joined: Thu Jul 29, 2010 3:56 am
Location: Dubai

Re: L2TP Tunnel through specific interface

Mon Jun 13, 2011 10:19 pm

Hi,
I am interested in this as well. I have an identical setup to the OP. Is metarouter the only way?
Probably not the only way, but I guess it is a safe bet. Maybe someone has done this with VRF, or mangle/PBR.
Can outgoing filter under profile be of any use to this?
Try it and let us know, but filters are for IP packets inside the L2TP tunnel.
 
wifi442
Frequent Visitor
Posts: 81
Joined: Tue Jan 12, 2010 11:01 pm

Re: L2TP Tunnel through specific interface

Fri Jun 17, 2011 10:47 pm

In a few days I will have my 2nd connection set up and will be tackling this. Hopefully I won't need a 2nd router but I have one ready just in case. I'd rather keep it to just one. If anyone else has any suggestions I'm all ears :)
 
wifi442
Frequent Visitor
Posts: 81
Joined: Tue Jan 12, 2010 11:01 pm

Re: L2TP Tunnel through specific interface

Mon Jun 27, 2011 9:17 pm

Well, I just ended up getting another 450G for the other connection, then just routed them together. It adds another hop to traceroutes, but for what I'm doing it's fine. Plus it might have been too much for one 450G to handle. Either way, the problem is solved. I would like a way to distinguish similar PPP tunnels though, like a way to put a mark on them or something.
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: L2TP Tunnel through specific interface

Fri Oct 07, 2011 8:34 am

Has anyone figured out how to do this on a single MikroTik device? I see how the OP did this with 2 RouterBOARDs, but I have 2 public IP gateways on one RB1200 and I need to do L2TP tunnels on the 2nd interface, but I can't get any of my mangle rules to grab and mark that traffic.

Does anyone have a mangle rule that will properly mark the internal MikroTik L2TP traffic so that I may then routing-mark it out of my desired public interface (the same public gateway that the client is dialing into)?

I'm going to try a metarouter now on the 2nd interface; I will report back, as I'm sure it will work, but I'm really looking for a cleaner, more efficient solution of just normal mangle packet marks. I'll also try sending MikroTik support a supout.

Thanks!

EDIT: OMG, there is no metarouter support on MikroTik's most powerful router due to CPU incompatibility. That is terrible... so I'll just have to wait and hope there is a mangle solution. I have emailed MikroTik support with a supout file and the info. I really hope there is a solution to this bug.
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: L2TP Tunnel through specific interface

Fri Oct 07, 2011 11:09 am

MikroTik support replied with this (does anyone know what this means?). I have asked for clarification, and I tried a few rules around this comment, but no success:

------
Hello,

To make it work, set up a NAT rule to change the source address of L2TP packets; then it will go out on the correct interface.

-----

Here is one rule I tried, unsuccessfully:

/ip firewall nat
add action=src-nat chain=srcnat disabled=no dst-port=1701 protocol=udp \
to-addresses=69.197.xxx.xxx to-ports=1-65000
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: L2TP Tunnel through specific interface

Fri Oct 07, 2011 1:08 pm

I am just wondering what the reason is for 3 tunnels over 3 links to one endpoint?

If you are trying to get two locations connected and need all these 3 tunnels to get you safely over the network and to get maximum bandwidth out of the 3 connections, you could try the following: create 3 unsafe tunnels (EoIP, IPIP) that have a local-address attribute, so that each tunnel is created for a specific outgoing interface. Then bridge all these interfaces together and create one L2TP tunnel over that, and make an ECMP route over these 3 tunnels, so that L2TP packets are sent over all 3 tunnels.

It is just my idea; I do not like it very much, since you are going to put a tunnel into a tunnel to make a tunnel.

On the other hand, creating simple tunnels and then routing traffic over them and using IPsec for decryption could solve the problem, that is, if you can use another tunnel than L2TP in your case.

One more option is to create just IPsec: on one end you create a peer with the remote address and an ECMP route; on the other you set up 3 peers with the 3 real addresses you have.

In a nutshell: you have to choose a tunnel where you can control to what addresses the tunnel is bound. That cannot be done for L2TP and PPTP.
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: L2TP Tunnel through specific interface

Fri Oct 07, 2011 4:56 pm

Anyone know how to route the VPN listen server? (If you search, this question has been asked about 10 times; MikroTik support never replies or helps on this question, which leads me to think it is a bug they do not want to acknowledge.)

How about answering this outstanding issue vs. asking more questions, please.

How do you direct the internal L2TP MikroTik server to use a different public gateway?



 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: L2TP Tunnel through specific interface

Mon Oct 10, 2011 1:00 pm

I want to see how you will make 3 different clients from one source to the same destination server and then reliably mark what packet is part of what tunnel.

With that rule you will move all 3 tunnels to one connection, and that is all you can do with these 3 tunnels.

You have a way to reliably assign a tunnel to an interface, and that can only be done with the tunnels I have named in my previous post, which you so gratefully ignored.
 
wifi442
Frequent Visitor
Posts: 81
Joined: Tue Jan 12, 2010 11:01 pm

Re: L2TP Tunnel through specific interface

Mon Oct 10, 2011 4:04 pm

i am just wondering what is the reason for 3 tunnels over 3 links to one endpoint?

I thought I'd jump back in here. Here is my network layout. I have 3 separate connections that I want to have their own tunnel. Internet gateway 2 and 3 are at the same location and share the wifi link to tower1. The location with the two connections had to have its own router. All tunnels meet at the data center. All routers are MikroTik, including the data center router. Is there a better way? My setup has been working fine since adding the extra router, but I'd still like to use just one router at the location with 2 gateways. Perhaps there is a more efficient way than L2TP? Right now I use ECMP to balance the load across the connections. The whole network is also running OSPF.

[network layout diagram]
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: L2TP Tunnel through specific interface

Mon Oct 10, 2011 4:45 pm

Maybe I am not asking the question right, but I ignored your answer because it has nothing to do with my question. I am not talking about connecting 2 locations. I'm talking about a VPN. I need to make it so the MT VPN server responds over the given public gateway/interface; forget about everything else and only address that... Do not tell me to use another solution or ask why I'm doing something a certain way; that was not the question. This is not "hey, how do you guys guess I should do this?" This is a very that is not an option unless microsoft everyone else is supporting you ip ip sec
If I were to use a secondary server-based VPN solution, plugged into the ethernet port of the MikroTik, I would not be asking this question; I would know how to implement the solution and it would not be a problem. This is why I think there is a bug with MikroTik in regards to this: other people have the same issue and there is no solution anywhere on this message board, with those very same people asking the question over and over and over.
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: L2TP Tunnel through specific interface

Mon Oct 10, 2011 5:14 pm

Does this mean something to anyone in terms of a real, applicable rule, please:


Hello,

To reroute L2TP over a specific gateway, add routing-mark=route_via_154 in the output chain for all L2TP traffic. Then all traffic will be routed over the second gateway.
Also, since you have two IP addresses on the interface, to use the correct one you also need to add a NAT rule that redirects L2TP traffic to itself.

Regards,
Maris
MT Support


Can someone convert that into a REAL rule? (Why MT support does not ever give syntax/code I do not know; it would save both of us a lot of time, because now I have to write back.) I don't know how to convert "for all L2TP traffic". I mean, obviously that is what I want to do, but how does that convert into a rule????? Is that protocol=GRE? I mean, if they had an option for VPN, I would be able to convert this rule, but there is nothing like that in the rule options.

Thanks!
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: L2TP Tunnel through specific interface

Tue Oct 11, 2011 12:45 pm

L2TP is UDP/1701, for anyone else who does not know that.
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: L2TP Tunnel through specific interface

Tue Oct 11, 2011 5:06 pm

Well, still a very weak answer for MT support to give. OF COURSE I'VE TRIED MARKING UDP 1701/1700; this was clearly pointed out to MT support. And of course that does not work on the internal VPN.

If I'm running a VPN server ON MY COMPUTER, this works fine, and I've tested it. THE PROBLEM COMES WHEN YOU NEED TO MARK THE INTERNAL MIKROTIK VPN SERVER.

AGAIN, FOR MIKROTIK:
THE problem comes when I have to mark your OWN INTERNAL VPN SERVER.

I await a real-life rule from MT that grabs this internal traffic, because it will not work and then they will see the bug here (after wasting about 2 weeks of my time playing word games and asking rhetorical questions...).

MT Support is no longer replying; this was their last reply:


Thanks to anyone who can help.

Why does MT play such games when it comes to support??? I've been with them since 2004 and it's been like this ever since. They never give straight answers or things that you can apply directly, because they know if it doesn't work then that is more work for them to do, vs. just firing off a one-word email reply.

Call me crazy, but this entire thread and my 10+ emails to MT could have been dealt with in 2 emails:


MT: HEY, TRY THIS RULE, THAT I TOO AS A MT SUPPORT TECH HAVE TRIED AND TESTED ON MY END.

ME: HEY, THAT DOES NOT WORK, MUST BE A BUG THAT YOU GUYS CAN NOW RESEARCH.

MT: HEY, MAYBE TRY THIS.

ME: HEY, THAT DOES WORK. THANKS A LOT, PROBLEM RESOLVED IN 2 EMAILS.


(But no, let's do 10 emails back and forth with poorly worded sentences and spelling errors and no conclusion or solution.)

Again, it is my position that I'm not just doing the wrong rule, but that this is a BUG in the MT OS that should be easy for them to look at and resolve.

Again, I can never get any rule so far to even grab any internal VPN server packets, as in the counter never goes above 0. I'm not new to this; I've helped people on here with multi-gateway load balancing (with real syntax examples, btw, when no one else from support would reply). 0 in the mangle rule count tells you something.
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: L2TP Tunnel through specific interface

Tue Oct 11, 2011 6:34 pm

I have run into times where I cannot get this to work either; however, it's a little different situation. I am trying to just get incoming L2TP/PPTP connections to leave via the same interface/IP that they came in on...

If you are just trying to send traffic outbound a certain way, you have 2 options... One is to put a static route to the L2TP endpoint in your routing table and just give it the other gateway you want to use. Easy.

Second, you can try this:

/ip firewall mangle
add action=mark-routing chain=output disabled=no dst-port=1701 new-routing-mark=\
out-wireless out-interface=3-development passthrough=yes protocol=udp

With this rule on the output chain (in the right order) I am able to mark routing on all packets; counters are going up, no problems. You then need to create that second policy routing table as the other posters did.

Once you have done this, and it doesn't seem to be working, post the following:

/ip firewall mangle export
/ip route print terse
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: L2TP Tunnel through specific interface

Tue Oct 11, 2011 6:51 pm

Hi, thanks changeip; what you are trying to do is exactly what I'm trying to do.

I just described it as leaving via a specified outgoing interface because you can already set the incoming interface based upon the public IP the VPN client dials into the MikroTik on.

So were you ever able to get your example working (which is the same thing I want to do)?

---------------------------------------------
Just to be clear, what you want is:

MT: (the router's default gateway is 216.21.53.1; you can only have one for dst 0.0.0.0/0)
Interface 1: Public IP: 216.21.53.2/29 Gateway: 216.21.53.1
Interface 2: Public IP: 216.21.54.154/29 Gateway: 216.21.54.151

Given the above, if a VPN client (public IP: 24.10.55.64) tries to connect to IP 216.21.53.2 it will of course work, because the VPN server will connect to 24.10.55.64 via the default gateway (216.21.53.1).

Now if the VPN client (his public IP: 24.10.55.64) tries to connect to IP 216.21.54.154/29, the router/VPN server will connect to 24.10.55.64 via the default gateway (216.21.53.1), and clearly the connection does not work.

So the solution is to force all VPN traffic out 216.21.54.154, using gateway 216.21.54.151, which is what I'm trying to do.

I CAN DO ALL OF THIS AND HAVE TESTED THIS WITH AN OPENVPN LINUX SERVER PLUGGED INTO THE ETHERNET OF THE MIKROTIK; HOWEVER, IF THE VPN SERVER IS THE MIKROTIK DEVICE ITSELF (THUS I'M NOT USING A PLUG-IN VPN LINUX SERVER), I CAN NEVER MAKE RULES TO FIND THE PACKETS TO MARK (FROM THE MT INTERNAL VPN SERVER), TO DIRECT

I put this in caps because this is the paragraph that MT support just doesn't seem to either hear, or want to hear.


------------------------------------------
(I know how to write rules for everything I've described above; the problem comes when you have to mark the INTERNAL MIKROTIK VPN SERVER.)

Thanks a lot!!
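The configuration that changeip's post and jo2jo's addressing above describe, written out as an added example (not posted by anyone in this thread): the input chain tags L2TP and PPTP control connections that arrive on the second uplink, the output chain gives the router's own replies on those connections a routing mark, and a marked default route sends them via the second gateway. RouterOS v5/v6 syntax is assumed; the interface names ether1/ether2 and the mark names isp2-conn and via-isp2 are assumptions, and the addresses are the ones jo2jo listed.

```routeros
# Added example, not from the thread. Assumed layout (jo2jo's addresses):
#   ether1 = 216.21.53.2/29,   gateway 216.21.53.1   (main table default route)
#   ether2 = 216.21.54.154/29, gateway 216.21.54.151 (must be forced for replies)
# Interface and mark names are assumptions.

# 1. Tag every tunnel-control connection that arrives on the second uplink.
#    L2TP = UDP/1701; PPTP = TCP/1723 plus GRE (IP protocol 47, no ports).
#    Connection tracking then carries the mark to every packet of that tunnel.
/ip firewall mangle
add chain=input in-interface=ether2 protocol=udp dst-port=1701 \
    action=mark-connection new-connection-mark=isp2-conn passthrough=yes \
    comment="L2TP arriving via ISP2"
add chain=input in-interface=ether2 protocol=tcp dst-port=1723 \
    action=mark-connection new-connection-mark=isp2-conn passthrough=yes \
    comment="PPTP control arriving via ISP2"
add chain=input in-interface=ether2 protocol=gre \
    action=mark-connection new-connection-mark=isp2-conn passthrough=yes \
    comment="PPTP GRE arriving via ISP2"

# 2. Packets generated by the router itself for those connections get a
#    routing mark. The output chain is the only place the internal VPN
#    server's replies are visible to mangle.
add chain=output connection-mark=isp2-conn action=mark-routing \
    new-routing-mark=via-isp2 passthrough=no comment="reply via ISP2"

# 3. A second routing table selected by the mark; the main table keeps ISP1.
/ip route
add dst-address=0.0.0.0/0 gateway=216.21.54.151 routing-mark=via-isp2 \
    comment="policy route for replies to clients on 216.21.54.154"

# 4. Checks: the input rule counters must rise while a client negotiates
#    against 216.21.54.154, the marked route must be active, and the tunnel's
#    connection must show the mark.
/ip firewall mangle print stats
/ip route print detail where routing-mark=via-isp2
/ip firewall connection print where connection-mark=isp2-conn
```

Rule order matters: an earlier output-chain rule with passthrough=no that matches the same packets would stop the mark from being applied. If the counters on the input rules stay at 0 while a client connects to 216.21.54.154, the packets are not reaching the input chain at all, which is the symptom jo2jo reports, and a quick capture with /tool sniffer on ether2 is the next thing to check before changing rules. For L2TP/IPsec the IKE (UDP/500 and UDP/4500) and ESP packets need the same connection mark. The srcnat rule MikroTik support mentioned addresses the case of two public addresses on one interface, which this two-interface layout does not have. On RouterOS v7 the table must first be declared with /routing table add name=via-isp2 fib.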
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: L2TP Tunnel through specific interface

Tue Oct 11, 2011 6:54 pm

wifi442: thanks for the post, but that network diagram does not apply to this, because you can easily put static routes for all those internal private IP subnets, and the problem is solved and traffic is directed as you tell it.

I can't do specific static routes for public IPs, as I don't know the IP the VPN client will be dialing in from.

i.e., you just say for 10.100.10.0/24 to VPN to 10.254.0.2 use gateway X,

and for 10.100.0.0/24 to VPN to 10.254.0.9 use gateway Y.

Thanks for your help/info.
