KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Two providers VPN problem

Mon Sep 26, 2022 12:54 pm

Hello,
The company's Mikrotik RB 3011 router is set up with two providers. Through both links, employees working from home access the company's resources through Microsoft's PPTP tunnel; the connection to Microsoft's VPN server is NATed. Everything worked flawlessly for more than 2 years, but as of a few days ago the tunnel became unavailable through one of the providers. The provider's support was contacted and it was confirmed that their router has no problems. The problem shows up as follows: employees practically can't see the static IP address on the company's router to which the VPN tunnel points; more precisely, we get a request time out. From the inside (in the company), through that same link, Internet traffic proceeds unhindered in both directions.
When I used Mikrotik tools to ping the static address of only that problematic interface, I got a request time out, but when I added the routing table of that provider through the advanced settings, I got a reply from our static address. Talking to the provider's support, they are of the opinion that it is a bug in Mikrotik. After all that, I updated Mikrotik to the latest version, 6.49.6, but the VPN still didn't work. Does anyone have any advice on what else could be done?
If anyone has an idea and needs parts of the router setup, please let me know, so I don't send everything now.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two providers VPN problem

Mon Sep 26, 2022 4:35 pm

If you can ping the public IP in question from your iPhone on cellular, then it's probably reachable...
If not, it sounds like the ISP is blocking something.
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Mon Sep 26, 2022 4:58 pm

Thank you. Right now I'm thinking the same thing: I can ping the gateway on their side, but I can't go beyond that.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two providers VPN problem

Mon Sep 26, 2022 5:27 pm

Pinging can be used to verify routing but not to verify eventual blocking of protocol ports. If I've understood properly that it first stopped working and only then you've upgraded the 3011 to 6.49.6, I can imagine two scenarios:
  • the routes belonging to that additional routing table did exist and someone/something has removed them from the configuration
  • the additional routing table never existed, which would mean that the responses from the public address that is now "broken" were being sent via the other uplink, and the ISP providing that other uplink was not filtering packets by source address in the past but now they started fighting IP address spoofing
To check the filter at the ISP side, run /tool sniffer quick interface=name-of-that-wan-interface ip-protocol=tcp port=1723 and let a client try to connect; if you can see at least incoming packets, the ISP is indeed not filtering the TCP traffic. But they may still be filtering GRE, without which PPTP cannot work.

Just out of curiosity, given that the configuration of L2TP/IPsec at both the Windows clients and Mikrotik is almost equally simple (or complex), what makes you stick with PPTP years after it started being considered insecure?
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Tue Sep 27, 2022 12:45 pm

Hello,
I compared the configurations from previous backups and they are identical.

/ip route
add distance=1 gateway=91.143.x.x routing-mark=to_ISP2 comment="problematic ISP"
add distance=1 gateway=79.101.x.x routing-mark=to_ISP1
add distance=1 gateway=79.101.x.x
add check-gateway=ping distance=1 gateway=79.101.x.x
add distance=2 gateway=91.143.x.x

Through the other provider's link the VPN works normally.
I checked with the command you suggested and there are incoming packets.

PPTP remained from the time of the former admin because employees work with large models, where this VPN remained the fastest... though.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two providers VPN problem

Tue Sep 27, 2022 1:46 pm

> I checked with the command you suggested and there are incoming packets
OK, so it suggests that it is still a routing problem. You've posted the routes but nothing regarding the configuration items responsible for assigning the routing marks. These could be /ip route rule rows or /ip firewall mangle rows, please post both.

Just to double-check: is the 3011 itself the PPTP server, or does it just forward the incoming PPTP connections to a Microsoft server running in the LAN?
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Tue Sep 27, 2022 2:09 pm

Hello,

There is nothing in the rules section.

MANGLE SECTION
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough

1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough

3 ;;; ADMIN comp na SBB
chain=prerouting action=mark-routing new-routing-mark=to_ISP2
passthrough=yes src-address=192.168.x.x log=no log-prefix=""

4 ;;; BWK_L2TP_SBBInOut
chain=prerouting action=mark-routing new-routing-mark=to_ISP2
passthrough=yes src-address=10.0.x.x-10.0.x.x log=no log-prefix=""

5 X ;;; BWKB na SBB
chain=prerouting action=mark-routing new-routing-mark=to_ISP2
passthrough=yes src-address=192.168.x.x log=no log-prefix=""

6 ;;; WIFI na SBB_BWKGosti
chain=prerouting action=mark-routing new-routing-mark=to_ISP2
passthrough=yes src-address=192.168.x.x log=no log-prefix=""

7 ;;; WIFI na SBB_BWKGosti1
chain=prerouting action=mark-routing new-routing-mark=to_ISP2
passthrough=yes src-address=192.168.x.x1 log=no log-prefix=""

8 ;;; WIFI na SBB_BWKGosti3
chain=prerouting action=mark-routing new-routing-mark=to_ISP2
passthrough=yes src-address=192.168.x.x log=no log-prefix=""

It just forwards the incoming PPTP connections to a Microsoft server running in the LAN.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two providers VPN problem

Tue Sep 27, 2022 2:19 pm

Unless the private addresses of the PPTP server in LAN are different for connections coming to each WAN, the mangle rules you have posted do not take into account through which WAN the request has arrived. Can you clarify (e.g. by posting the dst-nat rules)?
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Tue Sep 27, 2022 2:34 pm

Hello,

14 ;;; VPN to server main
chain=dstnat action=dst-nat to-addresses=192.168.x.x to-ports=1723
protocol=tcp in-interface="01 Telekom Srbija" port=1723 log=yes
log-prefix=""

15 ;;; VPN to server main_SBB link
chain=dstnat action=dst-nat to-addresses=192.168.x.x to-ports=1723
protocol=tcp in-interface="02 SBB" port=1723 log=no
log-prefix=""


The IP address of the Microsoft server is the same in both cases.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two providers VPN problem

Tue Sep 27, 2022 2:55 pm

> the ip address of the microsoft server is the same in both cases
That confirms my assumption that the responses to packets arriving via ISP 2 were always sent via ISP 1, and now ISP 1 stopped delivering the responses as they have a "wrong" source address.

Read this post first; start reading from the last paragraph as it relates the post to your context. If you need a more specific advice instead, you'll have to post the complete export.
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Tue Sep 27, 2022 3:13 pm

Ok, thank you very much, I'll try it first.
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Fri Sep 30, 2022 12:55 pm

Hello,
Is this

/ip firewall mangle
add chain=prerouting src-address-list=bypasslist action=mark-routing new-routing-mark=bypassvpn comment="bypasslist is an address list created under /ip firewall address-list to identify which IPs"
/ip route
add dst-address=0.0.0.0/0 gateway=gateway_IPaddress_ISP1 routing-mark=bypassvpn

a two-step mangle rule?
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Fri Sep 30, 2022 1:54 pm

Does the problem of packet return also apply to ping requests from the Internet on the problematic interface, i.e. the static address?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two providers VPN problem

Fri Sep 30, 2022 6:07 pm

> Hello,
> Is this
> ...
> two step mangle rule?
A short answer is "yes, but actually no".

I think @anav's naming of the idea as a "two step mangle rule" is unfortunate because it doesn't highlight the point. The point is that during handling of the initial (or, in some cases, the second) packet of a connection, you store a note (a connection-mark) that will be automatically retrieved when handling any subsequent packet belonging to the same connection. And then, when handling the LAN->WAN packets belonging to that connection, you assign them a routing-mark value based on the value of the connection-mark (aka you "translate" the connection-mark into a routing-mark). So the "first step" is only taken once per connection, the "second step" is taken for every LAN->WAN packet of that connection (in your application - in other applications or scenarios, you can build simpler or more complex setups).

> does the problem of packet return also apply to ping requests from the Internet on a problematic interface, ie a static address?
Not sure what you mean here, but unless you assign a routing-mark to a packet, the router sends it using the best matching active route in routing table main, regardless of what its source address is.


If I haven't answered what you have actually asked, ask again using other words.
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Fri Sep 30, 2022 7:36 pm

Part of the problem is the inability to ping, from the external side, the static IP address to which the VPN tunnel goes, so I'm wondering if it also matters for those packets that they return via the wrong route.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two providers VPN problem

Fri Sep 30, 2022 8:31 pm

> I'm wondering if it also matters for those packets that they return via the wrong route
Yes, it does. "Any packet" means also the response to the ping, whose source address is the one to which the ping request has arrived.
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Sat Oct 01, 2022 7:35 pm

Would a set of commands like this solve the problem?

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connection so packets from ISP2 returned to ISP2 properly" disabled=no in-interface=ISP2 new-connection-mark=ISP2-packets passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2-packets disabled=no new-routing-mark=ISP2-packets passthrough=no
add action=mark-routing chain=output connection-mark=ISP2-packets disabled=no new-routing-mark=ISP2-packets passthrough=no


/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP2_gateway routing-mark=ISP2-packets
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two providers VPN problem

Sat Oct 01, 2022 7:44 pm

You are really close. You just have to make sure that the connection-mark ISP2-packets will not be translated to routing-mark ISP2-packets for packets that arrive via WAN, because the routing table ISP2-packets contains no route(s) to the LAN subnet(s), so these packets would also be routed via the ISP2 gateway. I.e. add in-interface-list=!WAN if you have such an interface list defined, or in-interface=!ISP2 if you haven't, to the mark-routing rule in prerouting.
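The rule set from the post above with the fix described here applied, written out as an added example (not configuration posted by sindy or the thread author). It assumes RouterOS 6.x syntax, a WAN interface named ISP2, and that 91.143.x.x (the redacted gateway of the to_ISP2 route posted earlier) is the ISP2 gateway.

```routeros
# Added example, not from the thread. Assumptions: interface name ISP2,
# RouterOS 6.x syntax, ISP2 gateway = 91.143.x.x (redacted value from the
# posted route list). Substitute your own names and addresses.

/ip firewall mangle
# Step 1, taken once per connection: remember that the connection was
# opened by a packet arriving via ISP2. connection-state=new limits the
# rule to the first packet; later packets carry the mark automatically.
add chain=prerouting in-interface=ISP2 connection-state=new \
    action=mark-connection new-connection-mark=ISP2-packets passthrough=yes \
    comment="remember connections that arrived via ISP2"

# Step 2, taken for every packet of such a connection that did NOT arrive
# via ISP2 (i.e. the replies forwarded from the LAN server): translate the
# connection-mark into a routing-mark so they leave via ISP2. Packets that
# arrive via ISP2 must not match: the ISP2-packets table has no route to the
# LAN subnet, so they would be bounced back out through the ISP2 gateway.
# If an interface list WAN holding both ISP interfaces exists,
# in-interface-list=!WAN can be used instead of in-interface=!ISP2.
add chain=prerouting in-interface=!ISP2 connection-mark=ISP2-packets \
    action=mark-routing new-routing-mark=ISP2-packets passthrough=no \
    comment="replies to ISP2 connections go out via ISP2"

# Same translation for packets the router itself originates, e.g. ping
# replies to the ISP2 public address. chain=output has no in-interface,
# so no interface filter is needed here.
add chain=output connection-mark=ISP2-packets \
    action=mark-routing new-routing-mark=ISP2-packets passthrough=no \
    comment="router's own replies to ISP2 connections go out via ISP2"

/ip route
# Default route visible only to packets carrying routing-mark=ISP2-packets.
add dst-address=0.0.0.0/0 gateway=91.143.x.x routing-mark=ISP2-packets \
    distance=1 comment="ISP2 return path"
```

After applying the rules, a connection from the ISP2 public address should show connection-mark=ISP2-packets in /ip firewall connection, and its reply packets should be counted only by the prerouting mark-routing rule, not by the incoming ISP2 packets.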
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Sat Oct 01, 2022 8:00 pm

When you say WAN do you mean the ISP1 interface in my case?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two providers VPN problem

Sat Oct 01, 2022 9:00 pm

If you are not familiar with the idea of interface lists, forget about WAN and just use in-interface=!isp2 to get going.
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Sat Oct 01, 2022 10:14 pm

Ok, thank you, I'll try it.
 
KasterBlaster
newbie
Topic Author
Posts: 27
Joined: Mon Jan 16, 2017 11:17 am

Re: Two providers VPN problem

Mon Oct 03, 2022 11:23 am

Many thanks for your help; this set of commands did the job. Otherwise, I added in-interface-list=!WAN, and with that variant everything works as it should.
