Matzada
just joined
Topic Author
Posts: 3
Joined: Fri Apr 22, 2022 6:05 pm

L2TP Bridging on CHR

Fri Apr 22, 2022 7:02 pm

Hi Everyone,

So, I'm encountering some problems with L2TP bridging on CHR.

Some context: I'm doing L2TP bridging between some Cambium Networks APs (offsite) and a CHR (onsite) to bridge wifi clients on the external site to my LAN.
My CHR 7.1.2 is a P1 on an ESXi 6.7.

And I'm getting some weird behavior that I can't find any way to troubleshoot.

Things that work:
- ppp auth is ok
- L2TP dynamic tunnel is ok
- Packets going from offsite (AP side) to LAN (CHR side) are ok

Things that don't work:
- Return packets never go through the tunnel.

After some digging, I found out that the dynamic "host" creation (under /interface/bridge/host) is behaving weirdly.
When a new client connects through the L2TP tunnel, a new host is correctly created, linked with the correct l2tp dynamic interface for return purposes, but it vanishes after a split second.
Which explains why my packets never come back. I guess the bridge dumps them because the dst-mac doesn't belong to it anymore.

And sometimes, like one time in a hundred, it just starts to work. For a minute or so. (Host entries are stable as they should be, and packet transit is ok.) And then it breaks again.

What I already tried:
- New VM, same conf but in 7.2.1 => Same problem (mac vanishes from the host table)
- New VM, same conf but in 6.48 long-term => Same problem (mac vanishes from the host table)
- P10 / P-unlimited trial licence.

Nothing seems to do the trick.

Now the funny part. The same setup, with the exact same conf, is functional on another site, but with a Proxmox environment.
Only difference between the two sites: Proxmox vs VMware, and more clients and traffic on the VMware site (the bridge sees approx. 200 hosts and 100M of traffic).

So could it be a VMware compatibility problem? Or just too many clients connected to the bridge that breaks the l2tp service?

Any idea or similar experience is welcome (I'm in it for 3 full days now, and I fear that not much of my hair is gonna survive this trial).

Below is the compact conf of my CHR. Tunnels enter on BR-DATA-IN and are then bridged to BR-DATA-OUT.

# apr/22/2022 15:10:46 by RouterOS 7.1.2
# software id =
#
/interface bridge
add name=BR-DATA-IN
add name=BR-DATA-OUT
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/disk
set sata1 disabled=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ppp profile
add bridge=BR-DATA-OUT name=ppp-bridging use-ipv6=no
/interface bridge port
add bridge=BR-DATA-IN interface=ether1
add bridge=BR-DATA-OUT interface=ether2
/ipv6 settings
set max-neighbor-entries=15360
/interface l2tp-server server
set default-profile=ppp-bridging enabled=yes max-mru=1500 max-mtu=1492 mrru=\
1600
/ip address
add address=10.0.40.111/24 interface=BR-DATA-IN network=10.0.40.0
/ip dns
set servers=10.0.40.254
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.40.254
/ppp secret
add name=ppp-secret-1 profile=ppp-bridging

Many thanks in advance!

Regards.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: L2TP Bridging on CHR

Fri Apr 22, 2022 7:49 pm

It could be a CHR bug or VM host issue, otherwise:
From what I recall it is recommended to set the bridge MAC address to the address of any of the local bridge port members when using BCP.
BCP is known not to work with VLAN-aware bridges, yours are OK unless you have redacted that setting from the config posted.
Why max-mru=1500 max-mtu=1492 - either 1492 for both, or 1500 if both ends and intervening transport support baby-jumbo / RFC 4638.
As there is no address on BR-DATA-OUT nothing will be routed between the two bridges.
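The four points raised in this reply (MTU/MRU mismatch on the L2TP server, VLAN-aware bridges, bridge MAC not pinned to a port member, no IP address on the bridge the tunnels land on) can be checked mechanically against a compact export before touching the box. The script below is an added example written for this thread, not MikroTik tooling: it parses the export format shown in the first post (a '/path' section header followed by add/set lines, with backslash line continuations) and reports the findings. The embedded sample is a trimmed copy of the posted config; the check names and messages are this example's own.

```python
"""Check a RouterOS compact export for common BCP (L2TP bridging) pitfalls.

Added example, not RouterOS tooling. Assumes the export layout shown in the
thread: '/path' section headers, 'add ...' / 'set ...' lines, and a trailing
backslash for line continuation.
"""
import re

# Constructed sample: the first post's export, trimmed to the sections the
# checks below look at. The mrru=\ / 1600 split reproduces the continuation.
SAMPLE_EXPORT = """\
/interface bridge
add name=BR-DATA-IN
add name=BR-DATA-OUT
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/ppp profile
add bridge=BR-DATA-OUT name=ppp-bridging use-ipv6=no
/interface bridge port
add bridge=BR-DATA-IN interface=ether1
add bridge=BR-DATA-OUT interface=ether2
/interface l2tp-server server
set default-profile=ppp-bridging enabled=yes max-mru=1500 max-mtu=1492 mrru=\\
1600
/ip address
add address=10.0.40.111/24 interface=BR-DATA-IN network=10.0.40.0
"""

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section_path: [ {key: value, ...}, ... ]} for add/set lines."""
    sections = {}
    current = None
    # Join backslash continuations (and any indentation on the next line).
    joined = re.sub(r"\\\n\s*", "", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        verb, _, rest = line.partition(" ")
        if verb not in ("add", "set"):
            continue
        # Drop '[ find ... ]' selectors so their key=value pairs are not
        # mistaken for attributes of the entry itself.
        rest = re.sub(r"\[.*?\]", "", rest)
        entry = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entry["_verb"] = verb
        sections[current].append(entry)
    return sections


def check_bcp_config(sections):
    """Return a list of human-readable findings for the points in the thread."""
    findings = []
    bridges = {e["name"]: e for e in sections.get("/interface bridge", []) if "name" in e}

    # 1. L2TP server MTU/MRU should match (1492 both, or 1500 with RFC 4638).
    for srv in sections.get("/interface l2tp-server server", []):
        mtu, mru = srv.get("max-mtu"), srv.get("max-mru")
        if mtu and mru and mtu != mru:
            findings.append(f"l2tp-server: max-mtu={mtu} differs from max-mru={mru}; use the same value for both")

    # 2. BCP does not work on VLAN-aware bridges.
    for name, br in bridges.items():
        if br.get("vlan-filtering") == "yes":
            findings.append(f"bridge {name}: vlan-filtering=yes, BCP is not supported on VLAN-aware bridges")

    # 3./4. For every bridge that receives BCP tunnels: pinned MAC and an address.
    addressed = {a.get("interface") for a in sections.get("/ip address", [])}
    for prof in sections.get("/ppp profile", []):
        br = prof.get("bridge")
        if not br:
            continue
        if br not in bridges:
            findings.append(f"ppp profile {prof.get('name', '?')}: bridge {br} is not defined")
            continue
        if "admin-mac" not in bridges[br]:
            findings.append(f"bridge {br}: no admin-mac pinned; set auto-mac=no admin-mac=<MAC of a local port member>")
        if br not in addressed:
            findings.append(f"bridge {br}: no /ip address, nothing will be routed off this bridge")
    return findings


def run_checks(text):
    return check_bcp_config(parse_export(text))


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_EXPORT):
        print(finding)
```

Run against the posted config it reports the MTU/MRU mismatch, the unpinned MAC on BR-DATA-OUT and the missing address on BR-DATA-OUT; the VLAN check stays silent because neither bridge has vlan-filtering=yes, matching the reply above.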
 
Matzada
just joined
Topic Author
Posts: 3
Joined: Fri Apr 22, 2022 6:05 pm

Re: L2TP Bridging on CHR

Tue May 10, 2022 4:32 pm

Thanks for your answer,

But still no luck playing with the MTU and MRRU.

It is, however, working on another VMware instance (same conf file, same ESXi version, but not the exact same server hardware).

So I guess it may be hardware related... But both servers are kinda similar (Xeon Gold based, Intel X722 NIC...).

I'll try to dig around to see if it can be linked to some BIOS options like VT-c or something similar...
