ExpressVPN does not support static server IPs. They use DDNS based hostnames and the IPs change in every session. It is a commercial VPN after all.

1) Fill the src-address field in l2tp-client.
2) Use /ip route rule (lookup-only-in-table) to force connections originated from this ip to desired routing table.
Just what exactly do I use for the src-address in L2TP client? Both my WANs are dynamic IPs over PPPoE.

src-address :)
phase1 negotiation failed due to send error. 192.168.3.1<=>184.108.40.206 2bf06a1def2a7095:0000000000000000
I already have load balancing in place. Any way to intercept the L2TP initial connection/handshake using Mangle/Mark connection rules instead? That would simplify this issue greatly.

Two possibilities:
1) Create a loopback interface (empty bridge) and assign this random/unused address there. That should work.
2) Add a script to the PPP profile used for PPPoE to update the address in l2tp-client and the route rule any time it changes.
Anyway, try to make it work with your current dynamic WAN address first.
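An added example of option 2, not from the thread: the body of an on-up script for the PPP profile the PPPoE client uses, so that every time the PPPoE session comes up the L2TP client and the route rule are re-pointed at the new WAN address. The L2TP interface name "l2tp-out", the route rule comment "l2tp-src", the table name "to_WAN1" and the availability of $"local-address" in a client-side on-up script are assumptions.

```routeros
# Create the route rule once; the on-up script only rewrites its src-address.
# (placeholder 0.0.0.0/32 is replaced on the first PPPoE up event)
/ip route rule
add src-address=0.0.0.0/32 action=lookup-only-in-table table=to_WAN1 comment=l2tp-src

# --- paste the lines below into the on-up field of the PPP profile ---
# $"local-address" is the address this PPPoE session was just assigned
# (assumption: the profile variables are populated for client interfaces too).
:local addr $"local-address"
:if ([:len [:tostr $addr]] > 0) do={
    # Changing src-address restarts the tunnel, so the IPsec policy that
    # use-ipsec=yes generates is rebuilt with the new local address as well.
    /interface l2tp-client set [ find name=l2tp-out ] src-address=$addr
    # Keep router-originated packets from this address inside to_WAN1 only,
    # so the tunnel cannot silently fail over to another WAN.
    /ip route rule set [ find comment=l2tp-src ] src-address="$addr/32"
    :log info ("l2tp-out: src-address updated to " . $addr)
} else={
    :log warning "PPPoE came up without a local address; l2tp-out not updated"
}
```

The existing masquerade rule for the WAN interface still rewrites the source on the way out, so no extra NAT rule is needed.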
Yeah, so I went with the null-bridge method, it works!

You can try, if it's the only l2tp connection originated by the router.
Mangle output and srcnat chains are at your service.
But I don't see in what way is it simpler.
Hi to xvo and the OP,

1) You can create a second l2tp tunnel through the second WAN connection the same way and revert to lookup-only-in-table for both of them: switching routes between two tunnels will be much faster than rebuilding the tunnel. Especially if OSPF + BFD can be used on top of that.
2) You need this address for two things: to choose the right route from the very moment of packet creation, and to create a valid ipsec policy.
Some random address works because it will be src-nated anyway, and assigning it to any interface makes it valid.
A loopback bridge is just as good a place for it as any other, with the addition that it won't interfere with the behaviour of other interfaces, and does not depend on them working.
3) That is totally up to you and depends on what is located on the other side of the tunnel.
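An added example of the loopback-bridge method described above, not the thread's own config: a fixed, otherwise unused address on an empty bridge becomes the L2TP client's src-address, and a route rule pins everything the router originates from it to one WAN table. The names "loopback", "l2tp-out", "to_WAN1" and the address 10.255.255.1/32 are assumptions; the masquerade rule for WAN1 is the one from the posted config.

```routeros
# Empty bridge: always up, never affected by a WAN going down.
/interface bridge
add name=loopback comment="holds the fixed src-address for l2tp-out"
/ip address
add address=10.255.255.1/32 interface=loopback

# The L2TP client (and the IPsec IKE/ESP traffic that protects it, when
# use-ipsec=yes) now sources from this address, so the ipsec policy is valid.
/interface l2tp-client
set [ find name=l2tp-out ] src-address=10.255.255.1

# Router-originated packets from 10.255.255.1 consult only to_WAN1, so the
# tunnel is always built over WAN1 and cannot drift to WAN2/WAN3 when the
# PCC rules or the main table change.
/ip route rule
add src-address=10.255.255.1/32 action=lookup-only-in-table table=to_WAN1 \
    comment=l2tp-src

# No extra NAT: the posted "masquerade chain=srcnat out-interface=WAN1" rule
# rewrites 10.255.255.1 to WAN1's address on the way out.

# Checks: the rule is in place and the tunnel is up with the expected local side.
/ip route rule print where comment=l2tp-src
/interface l2tp-client monitor [ find name=l2tp-out ] once
```

If the tunnel stays down after this, look at the ipsec log first: a phase1 "send error" like the one quoted earlier means the IKE packet left with a source address the policy does not cover.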
/interface ethernet
set [ find default-name=ether5 ] name=LAN
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] disabled=yes
/ip address
add address=192.168.0.1/24 interface=LAN network=192.168.0.0
add address=192.168.1.4/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.4/24 interface=WAN2 network=192.168.2.0
add address=192.168.3.4/24 interface=WAN3 network=192.168.3.0
/ip dns
set allow-remote-requests=yes servers=220.127.116.11,18.104.22.168
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn new-routing-mark=to_WAN3 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=LAN
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=LAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=LAN
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn in-interface=LAN new-routing-mark=to_WAN3 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1 scope=255
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2 scope=255
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_WAN3 scope=255
add check-gateway=ping distance=1 gateway=192.168.1.1 scope=255
add check-gateway=ping distance=2 gateway=192.168.2.1 scope=255
add check-gateway=ping distance=3 gateway=192.168.3.1 scope=255
add action=mark-routing chain=prerouting new-routing-mark=vpn-now passthrough=no src-address=192.168.0.100-192.168.0.150
add distance=1 gateway=l2tp-out routing-mark=vpn-now