thokr (topic author)

Force L2TP through a specified interface/gateway on a client

Tue Aug 02, 2022 7:29 pm

On my MikroTik router ("router A") I have primary internet connection with a static IP address and backup connection with a dynamic address. I'd like to set up 2 simultaneous L2TP tunnels to another MikroTik router ("router B"), which has static IP, using both connections: in case the primary connection goes down, backup connection takes over, and the routes are automatically adjusted by OSPF.

Since you can't use a dynamic IP address for an L2TP server (or I guess you can with DDNS, which I'd like to avoid), I want to make a reverse tunnel - the router A will be an L2TP client and the router B will be an L2TP server (since it has a static IP).

My problem is that I can't seem to make the L2TP client on router A use the backup connection - it keeps using the default route, which is the primary connection.

I tried to create a mangle rule that modifies the routing table for the L2TP-client interface, and it seems to kinda work, the tunnel is established, but for some reason the router B can't reach the router A, while router A can reach router B. Maybe it modifies the routing table only for incoming traffic, but not for outgoing? I'm not sure. And in the "active connections" tab on router B the caller-id is still router A's static address, not the dynamic one.

[admin@MikroTik] /ip firewall mangle> p
Flags: X - disabled, I - invalid, D - dynamic 
 3    chain=prerouting action=mark-routing new-routing-mark=backup 
      in-interface=l2tp-backup-client log=yes log-prefix="FFFF" 

Maybe there's a simpler solution that I'm missing here? Any help or hint would be hugely appreciated!
 
sindy (Forum Guru)

Re: Force L2TP through a specified interface/gateway on a client

Wed Aug 03, 2022 9:10 pm

What you've done here is that you have assigned a routing mark to the payload traffic that arrives via the backup L2TP tunnel. What you actually need to do is to assign a routing mark to the transport traffic of the L2TP tunnel. Somewhere between 6.45.something and 6.47.9, it became possible to specify src-address for the /interface l2tp-client. If the IP address of your secondary WAN was static, it would be sufficient to use an /ip route rule saying src-address=ip.of.backup.wan action=lookup-only-in-table table=FFFF. But since it is a dynamic one, you have to use any static address of the router itself except the one of the primary WAN instead, and add a masquerade rule (if it is not there already) to src-nat the packets sent from that static address as they leave via the secondary WAN.

It can be done using a mangle rule too, but it has to be placed in chain output rather than prerouting (because it has to handle the router's own traffic, not transit traffic), and the masquerade would be required even if you used the address of the backup WAN.
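The setup sindy describes, written out as RouterOS CLI commands for router A. This is an added example, not configuration posted by either participant. Everything in it beyond the thread's own facts is an assumption made for illustration: the interface names (ether2-backup, a port-less bridge called loopback used as a loopback interface), the addresses (10.255.255.2 for the loopback, 203.0.113.10 for router B), the routing table name backup, the usernames, and the DHCP-client script that keeps the backup table's default route in step with the dynamically assigned gateway. It assumes RouterOS 6.47.9 or later, where /interface l2tp-client accepts src-address.

```routeros
# Router A: primary WAN with static address (main routing table, untouched),
# backup WAN ether2-backup with a DHCP-assigned address.
# Added example; names and addresses are assumptions, not from the thread.

# 1. A static address that belongs to the router itself but NOT to the
#    primary WAN. In RouterOS v6 an empty bridge serves as a loopback.
/interface bridge
add name=loopback
/ip address
add address=10.255.255.2/32 interface=loopback comment="src for backup tunnel"

# 2. Route rule: packets sourced from that address may ONLY use table
#    "backup". If that table has no route (backup WAN down) the tunnel
#    fails instead of silently leaking out over the primary WAN.
/ip route rule
add src-address=10.255.255.2/32 action=lookup-only-in-table table=backup

# 3. Populate table "backup" with a default route via the dynamic gateway.
#    The DHCP client script runs on every lease change: $bound=1 when a
#    lease is obtained/renewed, $bound=0 when it is lost. "$" and inner
#    quotes are backslash-escaped so they are evaluated at run time.
/ip dhcp-client
add interface=ether2-backup add-default-route=no disabled=no \
    script=":if (\$bound = 1) do={ /ip route remove [find comment=backup-default]; /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" routing-mark=backup comment=backup-default } else={ /ip route remove [find comment=backup-default] }"

# 4. 10.255.255.2 is not routable on the Internet, so source-NAT it to the
#    backup WAN's current (dynamic) address as it leaves ether2-backup.
#    This is the masquerade rule sindy mentions; the LAN masquerade that
#    is usually already present does not cover router-originated packets
#    from an address outside the LAN range.
/ip firewall nat
add chain=srcnat src-address=10.255.255.2 out-interface=ether2-backup action=masquerade

# 5. The backup L2TP client binds its transport to the loopback address,
#    so steps 2-4 steer it over ether2-backup. The primary client sets no
#    src-address and simply follows the main table's default route.
/interface l2tp-client
add name=l2tp-primary-client connect-to=203.0.113.10 user=routerA-primary password=CHANGEME disabled=no
add name=l2tp-backup-client connect-to=203.0.113.10 src-address=10.255.255.2 user=routerA-backup password=CHANGEME disabled=no
```

Two practical notes. The prerouting mangle rule from the opening post should be removed; it marks payload packets arriving through the tunnel, which is exactly the traffic this setup must not touch. On router B, the two tunnels must log in as distinct /ppp secrets (or the profile must allow more than one session per user), otherwise the second login tears down the first; once both are up, the backup tunnel's caller-id on router B shows the backup WAN's dynamic address rather than the primary static one, which is the quickest check that the transport is going out the right way. If the backup WAN were a PPP-type interface (PPPoE, LTE) rather than DHCP on Ethernet, step 3 could be a static route with gateway=<interface name> and no script.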
