LifeGame
newbie
Topic Author
Posts: 44
Joined: Mon Sep 26, 2016 5:30 pm

Routing Problem

Thu Jan 16, 2025 3:30 pm

Mikrotik goes online via lte1. The lte1 IP looks like 10.92.201.134, but the real IP is actually 176.89.208.201.
I need to add the real IP to the address list to do IPsec with the center.
It also checks the constantly changing public IP address with a script and corrects it automatically.
It works as long as the public IP address is not changed by the ISP. But as soon as the ISP changes the public IP, Mikrotik cannot go to the internet. I have to manually disable and re-enable pubaddr in the address list, otherwise I can't go online.

Do you have a suggestion for a solution?


/interface bridge
add name=bridge
add name="bridge guest"

/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" sms-protocol=auto \
    sms-read=no

/interface vlan
add interface=ether5 name=vlan13 vlan-id=13

/interface list
add name=WAN
add name=LAN

/interface lte apn
set [ find default=yes ] add-default-route=no use-network-apn=no \
    use-peer-dns=no
add add-default-route=no apn=superbox use-peer-dns=no

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name="Sec Profile" \
    supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=otu \
    supplicant-identity=""

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256 hash-algorithm=sha256 lifetime=8h name=ike_crypto nat-traversal=\
    no

/ip ipsec peer
add address=111.111.111.111/32 disabled=yes exchange-mode=ike2 local-address=\
    176.238.169.228 name=peer profile=ike_crypto

/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=ipsec_crypto pfs-group=\
    modp2048

/ip pool
add comment=10.5 name=pool_lan ranges=10.10.5.20-10.10.5.200
add comment=10.5 name=pool_misafir ranges=10.11.5.20-10.11.5.200

/ip dhcp-server
add address-pool=pool_lan interface=bridge name=dhcp
add address-pool=pool_misafir interface="bridge guest" name=dhcp_misafir

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge="bridge guest" interface=vlan13
add bridge="bridge guest" interface=wlan1-vlan13
add bridge="bridge guest" interface=wlan2-vlan13

/ip firewall connection tracking
set udp-timeout=10s

/interface detect-internet
set detect-interface-list=all

/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=lte1 list=WAN

/interface wireless access-list
add mac-address=00:19:3B:21:F9:F3

/ip address
add address=10.10.5.1/24 interface=bridge network=10.10.5.0
add address=10.11.5.1/24 interface="bridge guest" network=10.11.5.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-client
add disabled=yes interface=ether1

/ip dhcp-server network
add address=10.10.5.0/24 comment=LAN dns-server=10.10.5.1 gateway=10.10.5.1
add address=10.11.5.0/24 comment=Misafir dns-server=10.11.5.1 gateway=\
    10.11.5.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1

/ip firewall address-list
add address=10.10.5.0/24 list=LAN
add address=10.10.5.0/24 list=AdminAccess
add address=10.11.5.0/24 list=AdminAccess

/ip firewall filter
add action=accept chain=input comment=Input connection-state=\
    established,related,untracked
add action=drop chain=input comment="Input Drop Invalid" connection-state=\
    invalid
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment="Router Access" src-address-list=\
    AdminAccess
add action=accept chain=input comment="LAN DNS queries-TCP" connection-state=\
    "" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="LAN DNS queries-UDP" connection-state=\
    "" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Input Drop All Else"
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes

/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec In" \
    ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec Out" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=change-ttl chain=prerouting in-interface-list=WAN new-ttl=\
    increment:5 passthrough=yes ttl=equal:1
add action=change-ttl chain=postrouting new-ttl=set:64 out-interface-list=WAN \
    passthrough=yes

/ip firewall nat
add action=accept chain=srcnat dst-address=0.0.0.0/0 \
    src-address=10.10.5.0/24
add action=masquerade chain=srcnat out-interface-list=WAN

/ip ipsec identity
add peer=peer

/ip ipsec policy
add action=none disabled=yes dst-address=10.10.5.0/24 src-address=\
    10.10.5.0/24
add comment=ipsec disabled=yes dst-address=0.0.0.0/0 peer=peer proposal=\
    ipsec_crypto src-address=10.10.5.0/24 tunnel=yes

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=lte1 routing-table=main \
    suppress-hw-offload=no
add comment=pubaddr disabled=no distance=2 dst-address=31.142.247.255 \
    gateway=lte1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

/system scheduler
add disabled=yes interval=5m name=PubIP on-event=ReNewPubIP policy=\
    read,write,policy,test start-date=1970-01-01 start-time=23:59:59

/system script
add dont-require-permissions=no name=ReNewPubIP owner=admin policy=\
    read,write,policy,test source=":local NewIP [/ip cloud get public-address]\
    \r\
    \n/ip address set [find where comment=\"pubaddr\"] address=\$NewIP network\
    =\$NewIP\r\
    \n/ip ipsec peer set peer local-address=\$NewIP"




/ip address
add address=10.10.5.1/24 interface=bridge network=10.10.5.0
add address=10.11.5.1/24 interface="bridge guest" network=10.11.5.0
add address=176.89.208.201 comment=pubaddr interface=lte1 network=176.89.208.201
 
ConnyMercier
Forum Veteran
Posts: 777
Joined: Tue Dec 17, 2019 1:08 pm

Re: Routing Problem

Thu Jan 16, 2025 4:23 pm

A few years back, I had a Telekom SIM assigned to a MikroTik device.
I encountered some issues, but was able to find an alternative APN / LTE configuration that directly assigned the public IP.
 
LifeGame
newbie
Topic Author
Posts: 44
Joined: Mon Sep 26, 2016 5:30 pm

Re: Routing Problem

Thu Jan 16, 2025 5:38 pm

I don't have such a chance. There is no GSM operator in the region that provides a static IP.
 
sindy
Forum Guru
Posts: 11387
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing Problem

Thu Jan 16, 2025 6:00 pm

From your description and configuration it seems to me that the actual issue you need to address may be different.

Since you use IKEv2, the remote peer (the "center" as you call it) should not require the local-address in your configuration to be the public one. So I assume that what actually happens when you change the local-address is that the IPsec stack stops attempting to keep the old session alive and initiates a new one from the new address, which causes the creation of a new UDP "connection" both in the firewall of your Mikrotik itself and in the one of the mobile ISP. Since both the previous and the new connection use the same address and port on the remote side and the same port on the local side, the Mikrotik firewall cannot reuse the same local port on the lte interface for the new connection and randomly chooses another one, which makes the ISP treat the UDP connection as a new one as well and lets it through, while it most likely drops the packets belonging to the "old" one. This whole assumption only makes sense if the address the ISP assigns to your lte1 interface "internally" remains unchanged when the public one changes. Is that the case?

If it is, disabling the peer for about 10 minutes and then re-enabling it should be sufficient for the connection to re-establish even without changing the address, so this should be your first test. If it proves true, the bad news is that it is an issue with how the ISP handles UDP connections in the process that, from the outside, manifests as a change of the public address, and there is no way to prevent the connection from getting interrupted for a while each time this process takes place. It can be done in much less than 10 minutes but there will still be some time required to detect the outage, albeit faster than waiting for the /ip cloud to notice the change of the public address.
 
LdB
Member Candidate
Posts: 199
Joined: Thu May 20, 2021 4:23 pm

Re: Routing Problem

Fri Jan 17, 2025 4:48 am

I don't think the issue is the ISP; it sounds quite normal.

I take it the lte device switches public IP because its keep-alive time was up and it renegotiates a new IP with the ISP.
The tik is sitting on some NAT behind the public IP and is blissfully unaware the public IP has changed.

That about sum it up?

In that case you would need to look at the command set for the lte device which gives its IP, and script a poll on the lte device to pick up when it changes IP.
 
LifeGame
newbie
Topic Author
Posts: 44
Joined: Mon Sep 26, 2016 5:30 pm

Re: Routing Problem

Fri Jan 17, 2025 9:02 am

Actually, I don't have a problem with the VPN. The problem occurs when I add the real public IP to the address list in order to set up the VPN.
From your description and configuration it seems to me that the actual issue you need to address may be different.
The tik is sitting on some NAT behind the public IP and is blissfully unaware the public IP has changed.


I tried this:
# I removed local-address from the peer config, and pubaddr in the address list is also disabled
/ip ipsec peer
add address=111.111.111.111/32 disabled=yes exchange-mode=ike2 name=peer \
    profile=ike_crypto
While the Mikrotik settings are like this, at the Center (Palo Alto):
description contains 'IKEv2 IKE SA negotiation is failed as responder, non-rekey. Failed SA: 111.111.111.111[4500]-176.238.239.255[51435] SPI:0239b91635ed0e98:426762ab448185a9.'
received ID_I (type ipaddr [10.222.191.127]) does not match peers id
176.238.239.255 -> Mikrotik public IP for now
10.222.191.127 -> the IP the ISP is giving me for now

I know that if I make the Peer IP Address Type dynamic in the Palo Alto IKE gateway settings, the problem will be solved, but I don't want to do it.


When I delete pubaddr from the address list and add the public IP to the routing table with distance=2, there is no internet disconnection problem when the ISP changes my public IP, but the VPN problem persists. Mikrotik tries to set up the VPN with the IP given by the ISP, and Palo Alto does not accept it.

Palo Alto log:
description contains 'received ID_I (type ipaddr [10.222.191.127]) does not match peers id
Mikrotik log:
got fatal error: AUTHENTICATION_FAILED
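An added example, not from anyone in this thread: a small Python check that correlates the two log lines quoted above (the Palo Alto "ID_I ... does not match peers id" line and the MikroTik AUTHENTICATION_FAILED line) to distinguish an identity mismatch caused by NAT, where the initiator sends its private address as ID_I, from an ordinary peer-id misconfiguration. The sample lines are constructed from the addresses and ports shown in the post.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the Palo Alto and MikroTik messages quoted
# in this thread (same addresses and ports as the post; the SPI is copied as-is).
RESPONDER_LOG = [
    "IKEv2 IKE SA negotiation is failed as responder, non-rekey. Failed SA: "
    "111.111.111.111[4500]-176.238.239.255[51435] SPI:0239b91635ed0e98:426762ab448185a9.",
    "received ID_I (type ipaddr [10.222.191.127]) does not match peers id",
]
INITIATOR_LOG = ["got fatal error: AUTHENTICATION_FAILED"]

FAILED_SA = re.compile(
    r"Failed SA: (?P<local>[\d.]+)\[\d+\]-(?P<remote>[\d.]+)\[(?P<port>\d+)\]")
ID_I = re.compile(r"received ID_I \(type ipaddr \[(?P<id>[\d.]+)\]\) does not match peers id")


def diagnose(responder_lines, initiator_lines):
    """Correlate responder (Palo Alto) and initiator (MikroTik) log lines.

    Returns None when the ID-mismatch pattern is absent, otherwise a dict that
    separates "initiator is behind NAT and sends its private address as ID_I"
    from an ordinary peer-id misconfiguration.
    """
    remote = port = id_addr = None
    for line in responder_lines:
        if m := FAILED_SA.search(line):
            remote, port = m.group("remote"), int(m.group("port"))
        if m := ID_I.search(line):
            id_addr = m.group("id")
    if remote is None or id_addr is None:
        return None
    behind_nat = (ipaddress.ip_address(id_addr).is_private
                  and ipaddress.ip_address(remote).is_global)
    return {
        "ip_in_id_payload": id_addr,          # what the initiator claims to be
        "ip_seen_on_wire": remote,            # what the responder actually sees
        # IKE initiators send from UDP 500/4500; any other port means a NAT
        # device in the path rewrote the source port.
        "source_port_translated": port not in (500, 4500),
        "initiator_behind_nat": behind_nat,
        "initiator_reports_auth_failure": any(
            "AUTHENTICATION_FAILED" in ln for ln in initiator_lines),
        "recommendation": (
            "identity derived from the local IP cannot match behind NAT; use a "
            "NAT-independent identity such as my-id=fqdn:<ddns-name>"
            if behind_nat else "compare the configured peer id on both sides"),
    }
```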
 
sindy
Forum Guru
Posts: 11387
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing Problem [SOLVED]

Fri Jan 17, 2025 12:46 pm

It depends on how Palo Alto has actually implemented it, but it might be possible to set the "peer identification" field to type "DNS" or "FQDN" and value to whateverisyourserial.sn.mynetname.net and do an appropriate change at the Mikrotik side - /ip/ipsec/identity/set [find where peer=peer] my-id=fqdn:whateverisyourserial.sn.mynetname.net. This way, Mikrotik would stop using an auto-generated ID which is ip:lo.cal.add.ress. Maybe it is even enough to do this change on the Mikrotik side and keep the Palo Alto config as-is.
 
LifeGame
newbie
Topic Author
Posts: 44
Joined: Mon Sep 26, 2016 5:30 pm

Re: Routing Problem

Tue Feb 04, 2025 9:23 am

It depends on how Palo Alto has actually implemented it, but it might be possible to set the "peer identification" field to type "DNS" or "FQDN" and value to whateverisyourserial.sn.mynetname.net and do an appropriate change at the Mikrotik side - /ip/ipsec/identity/set [find where peer=peer] my-id=fqdn:whateverisyourserial.sn.mynetname.net. This way, Mikrotik would stop using an auto-generated ID which is ip:lo.cal.add.ress. Maybe it is even enough to do this change on the Mikrotik side and keep the Palo Alto config as-is.
For the last week Mikrotik has been working like this, and I think this is the solution to my problem.

Thank you very much.