syadnom
Member
Topic Author
Posts: 424
Joined: Thu Jan 27, 2011 7:29 am

how to select interface for PPTP/SSTP tunnels

Fri Apr 20, 2012 7:06 pm

I have an interesting scenario.

I have a few sites with two internet connections:
eth1-DSL
eth2-Cable
0.0.0.0/0 > eth2-Cable distance 1
0.0.0.0/0 > eth1-DSL distance 2


My colo, and center for my hub & spoke (partially meshed) VPN, is a single IP address.

I want to make two PPTP tunnels, each out a separate WAN interface on the dual-internet sites. PPP interfaces don't have an option to select an outbound interface.

My thought was to use mangle and put packets associated with the PPTP or SSTP interfaces into a separate routing table and add a gateway out the preferred interface for that routing table, but I can't see any way to do that.
 
syadnom
Member
Topic Author
Posts: 424
Joined: Thu Jan 27, 2011 7:29 am

Re: how to select interface for PPTP/SSTP tunnels

Tue Apr 24, 2012 11:36 pm

anyone? Is this even possible?
 
skillful
Trainer
Posts: 557
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: how to select interface for PPTP/SSTP tunnels

Wed Apr 25, 2012 1:05 am

You can force packets out on a particular interface by simply adding a route to that IP in your routing table.

Assuming that the remote IP addresses you want to establish a tunnel to are x.x.x.x and y.y.y.y, and you want the tunnel to x.x.x.x to be routed through the DSL uplink while y.y.y.y is routed through the cable uplink:
/ip route
add distance=1 dst-address=x.x.x.x gateway=DSL_Uplink
add distance=1 dst-address=y.y.y.y gateway=cable_Uplink
That's all! Go ahead and set up the required PPTP tunnels.
 
syadnom
Member
Topic Author
Posts: 424
Joined: Thu Jan 27, 2011 7:29 am

Re: how to select interface for PPTP/SSTP tunnels

Wed Apr 25, 2012 1:21 am

No, the destination is a single IP address, the site has two internet connections. I can't see a way to tell a specific dialout interface (PPTP, SSTP, etc) to use one gateway over another.
 
skillful
Trainer
Posts: 557
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: how to select interface for PPTP/SSTP tunnels

Wed Apr 25, 2012 3:27 am

In that case, you have to use mangle to force PPTP packets to be routed over one uplink while SSTP packets egress the other uplink.

PPTP makes use of TCP:1723 and IP protocol GRE (value 47).

SSTP makes use of TCP:443:
/ip firewall mangle
add action=mark-routing chain=output disabled=no dst-port=1723 new-routing-mark=PPTP passthrough=no protocol=tcp
add action=mark-routing chain=output disabled=no new-routing-mark=PPTP passthrough=no protocol=gre
add action=mark-routing chain=output disabled=no dst-port=443 new-routing-mark=SSTP passthrough=no protocol=tcp

Now add policy routes for routing-marks PPTP and SSTP
/ip route
add disabled=no distance=1 dst-address=x.x.x.x gateway=DSL_Uplink routing-mark=PPTP
add disabled=no distance=1 dst-address=x.x.x.x gateway=cable_Uplink routing-mark=SSTP

/ip route rule
add action=lookup comment="" disabled=no routing-mark=SSTP table=SSTP
add action=lookup comment="" disabled=no routing-mark=PPTP table=PPTP
add action=lookup comment="" disabled=no table=main

Replace x.x.x.x with the actual IP address of the VPN server.

Now fire up your SSTP-client and PPTP Client.
 
syadnom
Member
Topic Author
Posts: 424
Joined: Thu Jan 27, 2011 7:29 am

Re: how to select interface for PPTP/SSTP tunnels

Wed Apr 25, 2012 5:32 pm

Thanks, I do appreciate the help. Unfortunately this isn't what I'm looking for. I can see how my original request wasn't clear.


Let's say I want to have two PPTP tunnels like so:
Site-PPTP1->WAN1 IP2.2.2.2>----\
                                IP1.1.1.1 WAN1-VPNConcentrator
Site-PPTP2->WAN2 IP3.3.3.3>----/
There is only one IP address for the VPNConcentrator.
The site would have two same-type tunnels.
 
Zebble
newbie
Posts: 45
Joined: Mon Oct 17, 2011 4:07 am

Re: how to select interface for PPTP/SSTP tunnels

Wed Apr 25, 2012 10:56 pm

Hi syadnom,

skillful's response is what you want. Marking the outbound packets through mangling, based on the characteristics of PPTP and SSTP, and then applying policy routing based on those marks will force PPTP out the "DSL_Uplink" interface, and SSTP out the "cable_Uplink" interface.
 
syadnom
Member
Topic Author
Posts: 424
Joined: Thu Jan 27, 2011 7:29 am

Re: how to select interface for PPTP/SSTP tunnels

Wed Apr 25, 2012 11:22 pm

Hi syadnom,

skillful's response is what you want. Marking the outbound packets through mangling, based on the characteristics of PPTP and SSTP, and then applying policy routing based on those marks will force PPTP out the "DSL_Uplink" interface, and SSTP out the "cable_Uplink" interface.

?? If both interfaces are PPTP then I can't; see the diagram in my previous post.
 
Zebble
newbie
Posts: 45
Joined: Mon Oct 17, 2011 4:07 am

Re: how to select interface for PPTP/SSTP tunnels

Wed Apr 25, 2012 11:25 pm

That's correct, but the last sentence in the first post indicated you were trying to use PPTP and SSTP and alter routing tables but couldn't figure it out. That's exactly what skillful's response addressed.
 
syadnom
Member
Topic Author
Posts: 424
Joined: Thu Jan 27, 2011 7:29 am

Re: how to select interface for PPTP/SSTP tunnels

Wed Apr 25, 2012 11:37 pm

Which is why in my 3rd post I clarified. What I meant was basically that ANY PPP-type connection is impossible to identify with mangle. You can identify ALL PPTP, but not just one PPTP.


I am going to work around this issue by adding a /29 to the WAN side of my RB1200 (concentrator) and then do

route dest 0.0.0.0/0 gateway WAN1 gateway
route dest VPNIP1 gateway WAN1 gateway
route dest VPNIP2 gateway WAN2 gateway

PPTP1 will go to VPNIP1, which will route out WAN1.
PPTP2 will go to VPNIP2, which will route out WAN2.
All other traffic will go out WAN1 as it is the default route.

I put in a feature request to add the option to specify a routing mark in all applicable PPP interfaces (PPTP, SSTP, L2TP).

This fits another test I am doing where I auto-gen peers for IPSEC and have an IP setup with a policy to encrypt traffic to/from 0.0.0.0/0 so I can do transport based encryption and L2TP tunnels from dynamic clients. Unfortunately, this eats up another public IP, but I will live with it.
 
Zebble
newbie
Posts: 45
Joined: Mon Oct 17, 2011 4:07 am

Re: how to select interface for PPTP/SSTP tunnels

Wed Apr 25, 2012 11:54 pm

Got it...

I wonder if you could mangle using the "Content" field? If you can identify something specific within the packet of each PPTP connection, then you could do what you need to do...

Alternatively, if you could change the PPTP server to accept PPTP connections on another port in addition to 1723, that might work? RouterOS on the server end doesn't support this, but others might.

Otherwise, your alternative is as you suggested: additional IPs on the server end. Mind you, this does open you up to other possibilities like bonding the two connections over EoIP, etc...
 
syadnom
Member
Topic Author
Posts: 424
Joined: Thu Jan 27, 2011 7:29 am

Re: how to select interface for PPTP/SSTP tunnels

Thu Apr 26, 2012 12:32 am

I just wiresharked a dump from the packet sniffer on my router. I can't see anything in the PPP header to identify which tunnel they are on. Looks like the PPP id is set during dial-in and I have no way to identify that. If I could find something in there for the 'content' field in mangle then that would be great, but it looks like a dead end.
 
BulliteShot
just joined
Posts: 8
Joined: Thu May 23, 2013 3:56 pm

Re: how to select interface for PPTP/SSTP tunnels

Sun Feb 01, 2015 2:00 pm

I know this is an old post but this is the only relevant thing in a Google search.

For anyone else having the same issue, wanting to route two different PPTP connections through separate gateways: on your PPTP server you can set up port redirection in NAT. This allows you to connect to two different ports at the same server. Then you can use the firewall in MikroTik to mark packets for each port and mark the connection. Then you need a second firewall rule to mark routing of packets with each connection mark. Custom routing tables for each interface will allow you to route over each gateway.

On Linux the port redirection is as follows... (you could theoretically do the same if MikroTik is the server)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1724 -j REDIRECT --to-port 1723
Then your PPTP server is listening on ports 1723 AND 1724
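As an added illustration (not code from any poster in this thread), the following Python model walks through how the mangle marks and per-mark routing tables from skillful's configuration choose an egress gateway, why two PPTP tunnels to the same server on the same port cannot be told apart by mangle (syadnom's point), and what the second-port redirect described in this post does and does not separate. Packet fields, rule order and gateway names are constructed to mirror the thread; it is a simulation of the decision logic, not RouterOS code.

```python
# Added example (not from the thread): a model of how the mangle and policy-routing
# rules discussed above pick the egress gateway. Packet fields, rule order and
# gateway names are constructed to mirror the thread; not RouterOS code.
MAIN = "main"

def mark_routing(pkt, mangle):
    """First matching output-chain rule wins (the rules use passthrough=no)."""
    for rule in mangle:
        if all(pkt.get(k) == v for k, v in rule["match"].items()):
            return rule["mark"]
    return None

def egress(pkt, mangle, tables):
    """Marked packets consult their table first; unmarked packets, or a mark with
    no matching route, fall back to main. Routes are listed in distance order."""
    mark = mark_routing(pkt, mangle)
    for table in ([mark] if mark else []) + [MAIN]:
        for dst, gw in tables.get(table, []):
            if dst in ("0.0.0.0/0", pkt["dst"]):
                return gw

# skillful's configuration: PPTP (TCP/1723 + GRE) via DSL, SSTP (TCP/443) via cable
MANGLE = [
    {"match": {"proto": "tcp", "dport": 1723}, "mark": "PPTP"},
    {"match": {"proto": "gre"}, "mark": "PPTP"},
    {"match": {"proto": "tcp", "dport": 443}, "mark": "SSTP"},
]
TABLES = {
    "PPTP": [("x.x.x.x", "DSL_Uplink")],
    "SSTP": [("x.x.x.x", "cable_Uplink")],
    MAIN: [("0.0.0.0/0", "cable_Uplink"), ("0.0.0.0/0", "DSL_Uplink")],  # distance 1, 2
}

def skillful_demo():
    pkts = {"pptp_ctl": {"proto": "tcp", "dport": 1723, "dst": "x.x.x.x"},
            "pptp_gre": {"proto": "gre", "dst": "x.x.x.x"},
            "sstp": {"proto": "tcp", "dport": 443, "dst": "x.x.x.x"},
            "web": {"proto": "tcp", "dport": 80, "dst": "8.8.8.8"}}  # unmarked -> main
    return {name: egress(p, MANGLE, TABLES) for name, p in pkts.items()}

def twin_pptp_demo(second_port):
    """Two PPTP tunnels to one server. On the same port the control channels are
    indistinguishable (syadnom's point); a second server port (the redirect above)
    separates them, but GRE data packets carry no port and still share one table
    unless connection tracking ties them to their control channel."""
    mangle = MANGLE + [{"match": {"proto": "tcp", "dport": second_port}, "mark": "PPTP2"}]
    tables = dict(TABLES, PPTP2=[("x.x.x.x", "cable_Uplink")])
    ctl1 = egress({"proto": "tcp", "dport": 1723, "dst": "x.x.x.x"}, mangle, tables)
    ctl2 = egress({"proto": "tcp", "dport": second_port, "dst": "x.x.x.x"}, mangle, tables)
    gre = egress({"proto": "gre", "dst": "x.x.x.x"}, mangle, tables)
    return ctl1, ctl2, gre
```

Running `twin_pptp_demo(1723)` sends both control channels out DSL_Uplink, while `twin_pptp_demo(1724)` splits them but still routes every GRE packet via the single PPTP table.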
