dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: v7.2.2 [stable] and v7.2.3 [stable] are released!

Sun May 15, 2022 6:29 pm

Hi,
For testing purposes I use an L2TP connection to another MikroTik and then mangle rules to select only one client that must use internet access through the VPN. For quite some time this worked pretty well. Now when I checked, it has stopped working. As soon as I enable the mangle rule I lose the connection to my MikroTik, but I can still access the remote MikroTik and its internal network. Internet access doesn't work, but it has worked before. Is there anything changed in the last firmware versions that I'm missing? I use 7.2.3 on all devices. Ping to the internet works, only DNS is dead. Where should I look? Devices are Ac2 and Ac3.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: v7.2.2 [stable] and v7.2.3 [stable] are released!

Sun May 15, 2022 7:02 pm

Maybe you have "fasttrack" enabled? That cannot be used alongside such mangle rules, and using it will lead to strange behavior.
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: v7.2.2 [stable] and v7.2.3 [stable] are released!

Sun May 15, 2022 7:30 pm

No, I have a mangle rule that marks all PPP connections and then I exclude them in the fasttrack rule. It's the same if I disable fasttrack.

The strange thing is that everything worked maybe a month or two back. Now, as soon as I enable the mangle rule to send some client through the VPN, I lose the connection to my home network and internet stops working on that device (ping to the internet and access to the remote network still work). If I remember correctly, I did not lose the connection to my home network on the device that should use the VPN before. And I really don't remember that I would have changed anything in the settings, so I assume something in the firmware had to change.

Also, if I connect from my phone on the mobile network to the remote L2TP VPN, everything works normally, so I assume the problem is on my side (client) MikroTik.
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: v7.2.2 [stable] and v7.2.3 [stable] are released!

Mon May 16, 2022 12:05 am

As much as I could find out is that as soon as I turn on the mangle rule for a client to use a specific VPN, this client loses the connection to my own network with the DNS on my router. And because there is no such DNS server in the remote network, everything stops working. Any ideas?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: v7.2.2 [stable] and v7.2.3 [stable] are released!

Mon May 16, 2022 8:25 am

As your issue isn't release related, but a bad config, please open another topic with your issue where you'll be attaching a sanitized export of your config(s).
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Problems with L2TP VPN with Mangle rules

Mon May 16, 2022 12:45 pm

Hi,

For testing purposes I use an L2TP connection between two MikroTik devices and then mangle rules to select only one client that must use internet access through the VPN. For quite some time this worked pretty well. Now when I checked, it has stopped working. As soon as I enable the mangle rule I lose the connection to my MikroTik, but I can still access the remote MikroTik and its internal network.

Opening web pages doesn't work, ping works normally, so the only problem is with DNS. I use 7.2.3 on all devices. Devices are Ac2 and Ac3. I can't seem to find what I missed, since this worked before and I didn't really change anything. I use this to connect to remote MikroTik devices to test if everything is OK with the internet speed. If I connect with my phone to the remote network using L2TP everything works, and also if I connect with the phone back to my internal network from the mobile network everything works as well.

I'm using an RPi with PiHole as DNS server, using Unbound, on address 192.168.3.6, and on the Ac3 I have this IP entered as DNS. All other devices on the network then get DNS through DHCP at the AC3.

The problem as I see it now is that as soon as I enable the mangle rule I lose the connection to the DNS IP 192.168.3.3 at the AC3, and apparently DNS also isn't resolved on the remote MikroTik in that case.

Since this worked before and, as I remember, I did not lose the connection to my local MikroTik when I enabled the mangle rule for that device, I'm really not sure what could be wrong.

The export file is quite long since this is WireGuard, ZeroTier, CAPsMAN, L2TP server and my main device:
[admin@MikroTik] > export hide-sensitive
# may/16/2022 11:22:03 by RouterOS 7.2.3
# software id = 4VF2-IWBE
#
# model = RBD53iG-5HacD2HnD
# serial number = X
/caps-man channel
add band=2ghz-b/g/n name=channel2
add band=5ghz-onlyac name=channel5
/interface bridge
add igmp-snooping=yes name="IOT bridge"
add igmp-snooping=yes name="Sejanci IPTV"
add name=Sejanci_Internet
add admin-mac=48:8F:5A:AF:4B:A4 auto-mac=no comment=defconf igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=4C:5E:0C:65:A1:58
set [ find default-name=ether5 ] poe-out=off
/interface wireless
# managed by CAPsMAN
# channel: 2432/20-eC/gn(21dBm), SSID: Kmetija, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=no_country_set distance=indoors frequency=auto \
    frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=Kmetija wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5200/20-eCee/ac(11dBm), SSID: Kmetija 5, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=no_country_set distance=indoors frequency=\
    5260 frequency-mode=manual-txpower installation=indoor mode=ap-bridge scan-list=5180-5640 ssid="Kmetija 5" wireless-protocol=\
    802.11
/interface l2tp-server
add name=Gregor user=gregor
add name=HapAC2_potovalni_IN user=hapac2
add name="L2TP_server 1" user=vpndani
add name=b535_IN user=b535
/interface wireguard
add listen-port=51821 mtu=1420 name=WG
/interface eoip
add local-address=192.168.69.254 mac-address=02:FC:88:6C:74:D3 name=eoip-tunnel1 remote-address=192.168.69.1 tunnel-id=400
/interface vlan
add interface=eoip-tunnel1 name=IPTV3999 vlan-id=3999
add interface=ether5 name=VLAN3999_ETH5 vlan-id=3999
/caps-man datapath
add bridge=bridge name=datapath1
add bridge="IOT bridge" name=datapath2
/interface wireless
add keepalive-frames=disabled mac-address=4A:8F:5A:AF:4B:A8 master-interface=wlan1 multicast-buffering=disabled name=IOT_WLAN \
    ssid=IOT wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
/caps-man configuration
add channel=channel2 channel.band=2ghz-b/g/n .extension-channel=eC .tx-power=24 datapath=datapath1 \
    datapath.client-to-client-forwarding=yes .local-forwarding=no name=cfg1 security=security1 ssid=Kmetija
add datapath=datapath2 name=cfg_IOT security=security1 ssid=IOT
add channel=channel2 channel.tx-power=24 datapath=datapath1 datapath.client-to-client-forwarding=yes .local-forwarding=no name=\
    cfg_Benjamin security=security1 ssid=AP
add channel=channel2 channel.band=2ghz-b country=no_country_set datapath=datapath2 name=cfg_Benjamin_IOT security=security1 ssid=\
    IOT
add channel=channel5 channel.band=5ghz-onlyac datapath=datapath1 name=cfg5ghz security=security1 ssid="Kmetija 5"
add channel.band=5ghz-onlyac .tx-power=24 country=etsi datapath=datapath1 installation=any name=cfg_Benjamin_5 security=security1 \
    ssid="AP 5"
/caps-man interface
add configuration=cfg_Benjamin disabled=no l2mtu=1600 mac-address=48:8F:5A:35:98:AB master-interface=none name=Benjamin radio-mac=\
    48:8F:5A:35:98:AB radio-name=488F5A3598AB
add configuration=cfg_Benjamin_5 datapath.client-to-client-forwarding=yes .local-forwarding=yes disabled=no l2mtu=1600 \
    mac-address=48:8F:5A:35:98:AA master-interface=none name="Benjamin 5" radio-mac=48:8F:5A:35:98:AA radio-name=488F5A3598AA
add configuration=cfg_Benjamin_IOT disabled=yes l2mtu=1600 mac-address=4A:8F:5A:35:98:AB master-interface=Benjamin name=\
    Benjamin_IOT radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg1 disabled=yes mac-address=48:8F:5A:C9:71:80 master-interface=none name=HapAc2_vecnamenski radio-mac=\
    48:8F:5A:C9:71:80 radio-name=488F5AC97180
add configuration=cfg5ghz disabled=yes mac-address=48:8F:5A:C9:71:81 master-interface=none name="HapAc2_vecnamenski 5" radio-mac=\
    48:8F:5A:C9:71:81 radio-name=488F5AC97181
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=48:8F:5A:A5:33:FE master-interface=none name=HapLite_Dnevna radio-mac=\
    48:8F:5A:A5:33:FE radio-name=488F5AA533FE
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=48:8F:5A:AF:4B:A8 master-interface=none mtu=1500 name=Mansarda \
    radio-mac=48:8F:5A:AF:4B:A8 radio-name=488F5AAF4BA8
add configuration=cfg5ghz disabled=no l2mtu=1600 mac-address=48:8F:5A:AF:4B:A9 master-interface=none name=Mansarda5 radio-mac=\
    48:8F:5A:AF:4B:A9 radio-name=488F5AAF4BA9
add configuration=cfg_IOT disabled=no l2mtu=1600 mac-address=4A:8F:5A:AF:4B:A8 master-interface=Mansarda name=Mansarda_IOT \
    radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=08:55:31:3D:6E:22 master-interface=none mtu=1500 name=Silosi radio-mac=\
    08:55:31:3D:6E:22 radio-name=0855313D6E22
add configuration=cfg5ghz disabled=no l2mtu=1600 mac-address=08:55:31:3D:6E:23 master-interface=none name="Silosi 5" radio-mac=\
    08:55:31:3D:6E:23 radio-name=0855313D6E23
add configuration=cfg_IOT disabled=no l2mtu=1600 mac-address=0A:55:31:3D:6E:22 master-interface=Silosi name="Silosi IOT" \
    radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=48:8F:5A:C9:71:79 master-interface=none name=Sobica radio-mac=\
    48:8F:5A:C9:71:79 radio-name=488F5AC97179
add configuration=cfg5ghz disabled=no l2mtu=1600 mac-address=48:8F:5A:C9:71:7A master-interface=none name="Sobica 5" radio-mac=\
    48:8F:5A:C9:71:7A radio-name=488F5AC9717A
add configuration=cfg_IOT disabled=no l2mtu=1600 mac-address=4A:8F:5A:C9:71:79 master-interface=Sobica name=Sobica_IOT radio-mac=\
    00:00:00:00:00:00 radio-name=""
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=08:55:31:2B:63:8B master-interface=none name=Stala radio-mac=\
    08:55:31:2B:63:8B radio-name=0855312B638B
add configuration=cfg5ghz disabled=no l2mtu=1600 mac-address=08:55:31:2B:63:8C master-interface=none name=Stala5 radio-mac=\
    08:55:31:2B:63:8C radio-name=0855312B638C
add configuration=cfg_IOT disabled=no l2mtu=1600 mac-address=0A:55:31:2B:63:8B master-interface=Stala name=Stala_IOT radio-mac=\
    00:00:00:00:00:00 radio-name=""
add configuration=cfg1 datapath.client-to-client-forwarding=yes .local-forwarding=yes disabled=no l2mtu=1600 mac-address=\
    4C:5E:0C:65:A1:62 master-interface=none name=Zahod radio-mac=4C:5E:0C:65:A1:62 radio-name=4C5E0C65A162
add configuration=cfg_IOT datapath.client-to-client-forwarding=no .local-forwarding=no disabled=no l2mtu=1600 mac-address=\
    4E:5E:0C:65:A1:62 master-interface=Zahod name=Zahod_IOT radio-mac=00:00:00:00:00:00 radio-name=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d \
    tur-sun=0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.3.110-192.168.3.200
add name=IOT_pool ranges=172.16.1.100-172.16.1.254
add name=vpn ranges=192.168.80.2-192.168.80.250
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=23h59m59s name=defconf
add address-pool=IOT_pool interface="IOT bridge" lease-time=23h59m59s name=IOTdhcp
/ppp profile
add name=Koroska use-compression=no use-encryption=yes use-mpls=no
add name=Sejanci
add name=Tadej
add name=Testni
add name=Janko
set *FFFFFFFE local-address=192.168.80.1 remote-address=vpn
/interface l2tp-client
add connect-to=X.sn.mynetname.net disabled=no name=Janko profile=Janko use-ipsec=yes user=vpn
add connect-to=X.sn.mynetname.net disabled=no name=KoroskaL2TP_OUT profile=Koroska use-ipsec=yes user=grabe
add connect-to=X.sn.mynetname.net disabled=no name=SejanciAC2 profile=Sejanci use-ipsec=yes user=vpndani
add connect-to=X disabled=no name=Tadej profile=Tadej use-ipsec=yes user=Tadej
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=t2tv
add fib name=sejanci
add fib name=koroska
add fib name=t2test
add fib name=marko
add fib name=janko
add disabled=no fib name=gregor_net
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" identity="X" name=zt1 port=9993
/zerotier interface
add instance=zt1 name=zerotier1 network=X
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn master-configuration=cfg1 slave-configurations=cfg_IOT
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn master-configuration=cfg_IOT name-format=prefix-identity \
    name-prefix=2ghz
add action=create-dynamic-enabled disabled=yes hw-supported-modes=ac name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled disabled=yes hw-supported-modes=an name-format=prefix-identity name-prefix=5ghz-an
/interface bridge filter
add action=drop chain=output comment="DROP Multicast on WIFI" out-interface=wlan1 packet-type=multicast
add action=drop chain=output comment="DROP Multicast on WIFI" out-interface=wlan2 packet-type=multicast
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge="IOT bridge" ingress-filtering=no interface=IOT_WLAN
add bridge=bridge ingress-filtering=no interface=ether5
add bridge="Sejanci IPTV" fast-leave=yes ingress-filtering=no interface=IPTV3999
add bridge=Sejanci_Internet fast-leave=yes ingress-filtering=no interface=eoip-tunnel1
add bridge="Sejanci IPTV" interface=VLAN3999_ETH5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes keepalive-timeout=60 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="L2TP_server 1" list=LAN
add interface=HapAC2_potovalni_IN list=LAN
add interface=zerotier1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="Note 10" interface=WG public-key="X"
add allowed-address=10.0.0.3/32 comment="Chromecast TV" interface=WG public-key="X"
add allowed-address=10.0.0.4/32 interface=WG public-key="X"
add allowed-address=10.0.0.5/32 interface=WG public-key="X"
add allowed-address=10.0.0.6/32 interface=WG public-key="X"
add allowed-address=10.0.0.7/32 interface=WG public-key="X"
add allowed-address=10.0.0.8/32 interface=WG public-key="X"
add allowed-address=10.0.0.9/32 interface=WG public-key="X"
add allowed-address=10.0.0.10/32 interface=WG public-key="X"
add allowed-address=10.0.0.11/32 interface=WG public-key="X"
add allowed-address=10.0.0.12/32 interface=WG public-key="X"
add allowed-address=10.0.0.13/32 interface=WG public-key="X"
add allowed-address=10.0.0.14/32 interface=WG public-key="X"
add allowed-address=10.0.0.15/32 interface=WG public-key="X"
add allowed-address=10.0.0.16/32 comment=Katja_Redmi_Note_9 interface=WG public-key="X"
add allowed-address=10.0.0.17/32 interface=WG public-key="X"
add allowed-address=10.0.0.18/32 interface=WG public-key="X"
add allowed-address=10.0.0.19/32 interface=WG public-key="X"
add allowed-address=10.0.0.20/32 interface=WG public-key="X"
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.3.3/24 comment=defconf interface=bridge network=192.168.3.0
add address=172.16.1.1/24 interface="IOT bridge" network=172.16.1.0
add address=192.168.11.1/24 interface="Sejanci IPTV" network=192.168.11.0
add address=10.0.0.1/24 interface=WG network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.3.121 client-id=1:0:e4:0:91:3d:e6 mac-address=00:E4:00:91:3D:E6 server=defconf
add address=192.168.3.130 client-id=1:c:9d:92:83:e0:1d mac-address=0C:9D:92:83:E0:1D server=defconf
add address=192.168.3.150 client-id=1:0:1d:ec:a:35:d8 mac-address=00:1D:EC:0A:35:D8 server=defconf
add address=192.168.3.8 mac-address=E4:5F:01:5F:71:CC server=defconf
add address=192.168.3.110 client-id=1:fc:d5:d9:9f:6c:f mac-address=FC:D5:D9:9F:6C:0F server=defconf
add address=192.168.3.5 client-id=1:b8:27:eb:9d:90:1e mac-address=B8:27:EB:9D:90:1E server=defconf
add address=192.168.3.36 mac-address=48:8F:5A:A5:33:FA server=defconf
/ip dhcp-server network
add address=172.16.1.0/24 comment=IOT dns-server=8.8.8.8 gateway=172.16.1.1
add address=192.168.3.0/24 comment=DHCP dns-server=192.168.3.3 gateway=192.168.3.3
/ip dns
set allow-remote-requests=yes servers=192.168.3.6
/ip dns static
add address=192.168.3.3 comment=defconf name=router.lan
/ip firewall address-list
add address=X list=X
add address=192.168.3.5-192.168.3.6 disabled=yes list="DNS Gregor"
/ip firewall filter
add action=accept chain=input comment="BTEST Janko" disabled=yes protocol=tcp src-address=X
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment=IGMP protocol=igmp
add action=accept chain=input comment="WIREGUARD HAP AC3" dst-port=51821 protocol=udp
add action=accept chain=input comment=L2TP dst-port=4500,500,1701 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ppp connection-state=\
    established,related hw-offload=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=7461 protocol=tcp
add action=accept chain=input comment=WIREGUARD in-interface=WG protocol=udp
add action=accept chain=input comment=CAPSMAN src-address=192.168.3.3
add action=accept chain=input comment="CAPSMAN PORTS" port=5246,5247 protocol=udp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Accept GRE" protocol=gre
add action=drop chain=forward comment="Tadej L2TP drop" in-interface=Tadej
add action=drop chain=forward comment="Gregor L2TP drop" disabled=yes dst-address-list="!DNS Gregor" in-interface=Gregor
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
add action=drop chain=forward comment="Drop traffic between IOT and Bridge" in-interface="IOT bridge" out-interface=bridge
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="Drop traffic between Bridge and IOT" in-interface=bridge out-interface="IOT bridge"
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=forward comment="Mark PPP connections to exclude them from fasttrack" new-connection-mark=ppp \
    out-interface=all-ppp passthrough=no
add action=mark-routing chain=prerouting dst-address-list=T2_TV new-routing-mark=t2tv passthrough=yes
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=sejanci passthrough=yes src-address=192.168.3.128
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=koroska passthrough=yes src-address=192.168.3.132
add action=mark-routing chain=prerouting disabled=yes dst-address=X new-routing-mark=t2test passthrough=yes src-address=\
    192.168.3.116
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=janko passthrough=yes src-address=192.168.3.132
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=gregor_net passthrough=yes src-address=192.168.3.110
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT dostop kot od zunaj" dst-address=192.168.3.0/24 src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.80.0/24
add action=masquerade chain=srcnat comment="masq. Wireguard vpn traffic" src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=PPP_Out_Masquarade out-interface=all-ppp
add action=dst-nat chain=dstnat comment=Wireguard_AC2 disabled=yes dst-port=51821 in-interface=ether1 log=yes protocol=udp \
    to-addresses=192.168.3.31 to-ports=51821
add action=dst-nat chain=dstnat comment=WOL_Mansarda dst-port=6030 in-interface=ether1 protocol=udp to-addresses=192.168.3.130 \
    to-ports=9
add action=dst-nat chain=dstnat comment=WOL_7 disabled=yes dst-port=7 in-interface=ether1 protocol=udp to-addresses=192.168.3.255 \
    to-ports=7
add action=dst-nat chain=dstnat comment=WOL_9 disabled=yes dst-port=9 in-interface=ether1 protocol=udp to-addresses=192.168.3.255 \
    to-ports=7
add action=dst-nat chain=dstnat comment="Wireguard VPN RPI" dst-port=51820 in-interface=ether1 protocol=udp to-addresses=\
    192.168.3.6 to-ports=51820
add action=dst-nat chain=dstnat comment="Wireguard VPN RPI4" dst-port=51822 in-interface=ether1 protocol=udp to-addresses=\
    192.168.3.8 to-ports=51822
add action=accept chain=srcnat disabled=yes dst-address=192.168.3.0/24 protocol=tcp src-address=10.0.0.0/24
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=Tadej routing-table=t2tv
add disabled=no dst-address=10.6.0.0/24 gateway=192.168.3.6
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=SejanciAC2 pref-src=0.0.0.0 routing-table=sejanci scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=Janko pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Janko pref-src=0.0.0.0 routing-table=janko scope=30 suppress-hw-offload=\
    no target-scope=10
add disabled=yes distance=1 dst-address=192.168.4.0/24 gateway=HapAC2_potovalni_IN pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.10.0/24 gateway=SejanciAC2
add disabled=yes distance=1 dst-address=192.168.50.0/24 gateway=KoroskaL2TP_OUT pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.61.0/24 gateway=Gregor pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=Gregor pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Gregor pref-src="" routing-table=gregor_net scope=30 suppress-hw-offload=\
    no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=KoroskaL2TP_OUT pref-src=0.0.0.0 routing-table=koroska scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=X
set ssh disabled=yes
set api disabled=yes
set winbox address=0.0.0.0/0 port=X
set api-ssl disabled=yes
/ip smb
set enabled=yes
/ip smb shares
add comment="default share" directory=/pub name=pub
/ip smb users
add name=root read-only=no
add name=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn
add name=vpndani profile=default-encryption
add name=hapac2 profile=default-encryption
add name=koroska profile=default-encryption
add name=gregor profile=default-encryption
add name=b535 profile=default-encryption
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface="Sejanci IPTV" upstream=yes
add interface=bridge
/system clock
set time-zone-name=Europe/Ljubljana
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system logging
add topics=wireless,debug
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.2.1.117
add address=193.2.4.2
/tool bandwidth-server
set enabled=no max-sessions=1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add host=10.255.255.0 interval=25m
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: v7.2.2 [stable] and v7.2.3 [stable] are released!

Mon May 16, 2022 12:52 pm

> As your issue isn't release related, but a bad config, please open another topic with your issue where you'll be attaching a sanitized export of your config(s).
Done.
 
rplant
Member Candidate
Posts: 280
Joined: Fri Sep 29, 2017 11:42 am

Re: Problems with L2TP VPN with Mangle rules

Tue May 17, 2022 6:42 am

Not sure,
but it looks like if you route-mark a packet that should go to the router, it will go via the specified routing table.

e.g. if a packet destined for the router IP address got marked with t2tv, it would get sent to Tadej.
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: Problems with L2TP VPN with Mangle rules

Tue May 17, 2022 11:36 am

Yes, this works. Especially this Tadej route you mentioned is only used to take one request from one device on my network through the VPN. Here DNS isn't used, because this address is already in the address list with the name and IP.

The problem is with all the others: Janko, Koroska, Sejanci etc. On the Sejanci L2TP there is also an EoIP link, and on it internet and a VLAN, and this also works normally (I can put one eth interface on my home MikroTik on that EoIP and access internet and TV without problem). The problem is only with DNS if I try to send a device through the VPN with mangle rules. It has internet access but DNS is completely dead.
 
dcavni
Member Candidate
Topic Author
Posts: 107
Joined: Sun Mar 31, 2013 6:02 pm

Re: Problems with L2TP VPN with Mangle rules  [SOLVED]

Tue May 17, 2022 1:17 pm

OK, I found the solution here:

viewtopic.php?t=161158

It's the answer from Sindy:

> The thing is that if a packet has got a routing-mark, and a route whose dst-address matches the packet's destination address and whose routing-mark matches the one attached to the packet exists, that route is used. Since you only have the default route via the WAN's gateway marked with To_WAN2, and you attach the routing-mark To_WAN2 to all packets matching the respective src-address-list no matter what their destination is, even packets for your connected subnets are sent out via WAN2 because no routes to local subnets marked with To_WAN2 exist.
>
> There are several ways to deal with this:
> - prevent packets for any local subnets from getting the routing-mark by adding dst-address-list=!local-subnets to the action=mark-routing rules (and populate the address list with the necessary rows); maybe it is enough to use dst-address=!192.168.0.0/16 instead.
> - use /ip route rule add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main to override the routing-mark assigned by the action=mark-routing rules for destination subnets (but you may actually need several rules depending on your network topology; you cannot use address lists in /ip route rule)
> - add routes to local subnets with routing-mark=To_WAN2

I added dst-address=!192.168.3.0/24 in the mangle rule, so that local devices can access my DNS server. The strange thing is why this worked before without that added, and now it's not working without it.
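As an added example (not lines from the thread or from the export above), here is the janko mark-routing rule from the export as it stood, the corrected form with the local subnet excluded as described in the post, and the two alternatives from the quoted answer written in RouterOS v7 syntax (/routing rule is the v7 counterpart of the v6 /ip route rule), followed by the print commands to confirm which table a marked packet would use. The DHCP network in the export hands clients dns-server=192.168.3.3, so that is the destination the mark sent into the tunnel; the rule comments and the gateway=bridge route are assumptions, not taken from the export.

```routeros
# Situation from the export: clients get dns-server=192.168.3.3 (the router's
# bridge address) via DHCP, and table "janko" holds only a default route via the
# L2TP client. A prerouting mark on every packet from the client therefore also
# marks its DNS queries to 192.168.3.3; the lookup in "janko" matches 0.0.0.0/0,
# so those queries leave through the tunnel instead of reaching the router.

# As it stood (only the rule that matters, taken from the export's values):
/ip firewall mangle
add chain=prerouting src-address=192.168.3.132 action=mark-routing \
    new-routing-mark=janko passthrough=yes comment="client via Janko (marks DNS too)"

# Fix applied in the thread: leave packets for the local subnet unmarked, so DNS
# to 192.168.3.3 and all other LAN traffic keep using table main.
/ip firewall mangle
add chain=prerouting src-address=192.168.3.132 dst-address=!192.168.3.0/24 \
    action=mark-routing new-routing-mark=janko passthrough=yes \
    comment="client via Janko, local subnet excluded"

# Alternative 1 from the quoted answer, v7 syntax: a routing rule is evaluated
# before the routing mark, so local destinations are resolved in main regardless
# of the mark. One rule per local prefix; address lists are not accepted here.
/routing rule
add dst-address=192.168.3.0/24 action=lookup-only-in-table table=main \
    comment="local subnet always via main"

# Alternative 2 from the quoted answer: copy the connected LAN route into the
# marked table so a marked lookup can still find it (gateway=bridge assumed).
/ip route
add dst-address=192.168.3.0/24 gateway=bridge routing-table=janko \
    comment="LAN reachable from table janko"

# Verification: the routes a marked packet can pick from, and the active rules.
/ip route print where routing-table=janko
/routing rule print
# The mangle rule's counters should rise for the client's internet traffic but
# stay flat while it queries 192.168.3.3:
/ip firewall mangle print stats where new-routing-mark=janko
```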
