Community discussions

MikroTik App
 
User avatar
thanpolas
just joined
Topic Author
Posts: 13
Joined: Wed May 11, 2022 9:22 pm
Location: Greece
Contact:

L2TP Server force WAN interface from multiple

Sun Jan 15, 2023 3:45 pm

Hey all,

I am trying to setup my L2TP server on Mikrotik while having a Policy Based Routing to manage multiple (3) WAN interfaces.

The problem is that Mikrotik choses the wrong WAN to respond to the L2TP clients and thus a connection cannot be established. The three WANs I have are:
1. Starlink
2. Cosmote
3. 5G

I am trying to connect via the Cosmote WAN but MT responds through the Starlink one. When I disable Starlink and 5G the L2TP connection gets established and works.

I tried various PBR rules to force L2TP connections to go through cosmote but I just cannot figure out the right one...

The kicker: To prevent me from creating another post, I am also trying and failing, to instruct Mikrotik's "cloud feature" (DDNS) to use the Cosmote WAN instead of the Starlink one, the mangle rule I use is:
/ip firewall address-list
add address=cloud.mikrotik.com list="Mikrotik Cloud"
add address=cloud2.mikrotik.com list="Mikrotik Cloud"

/ip firewall mangle add action=mark-routing chain=prerouting comment="PBR Mikrotik Cloud (MT itself, used for self-DDNS ip/cloud)" dst-address-list="Mikrotik Cloud" \
    new-routing-mark=to-wan-cosmote passthrough=no
but it appears this rule captures no traffic and my mikrotik DDNS host points to the starlink IP...

Could someone give an assist please?

My `/export hide-sensitive` with some sensitive info redacted:
[admin@Polas Core] > /export hide-sensitive
# jan/15/2023 15:36:19 by RouterOS 7.5
# software id = 122G-66AK
#
# model = CCR2004-16G-2S+
# serial number = HAV072JXDKM
/interface bridge
add name=bridge-vlan-IoT
add name=bridge-vlan-guests-wifi
add name=bridge-vlan-home-wifi
add name=bridge1-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Cosmote
set [ find default-name=ether2 ] name=ether2-5G-Modem
set [ find default-name=ether3 ] name=ether3-Starlink
set [ find default-name=ether8 ] name=ether8-Lina
set [ find default-name=ether9 ] name=ether9-Polas
set [ find default-name=ether10 ] name=ether10-UniFi-Switch
set [ find default-name=ether11 ] name=ether11-Markos
set [ find default-name=ether13 ] name=ether13-reolink
/interface l2tp-server
add name=l2tp-in-polas user=thanpolas-pptp
/interface pppoe-client
add allow=pap,chap interface=ether1-Cosmote name=pppoe-out-cosmote use-peer-dns=yes user=ozxph6@otenet.gr
/interface vlan
add interface=ether10-UniFi-Switch name=vlan-IoT vlan-id=30
add interface=ether10-UniFi-Switch name=vlan-guests-wifi vlan-id=20
add interface=ether10-UniFi-Switch name=vlan-home-wifi vlan-id=10
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.50-192.168.0.254
add name=pptp-clients-polas ranges=192.168.5.10-192.168.5.100
add comment="Home WiFi VLAN Pool" name=pool-dhcp-vlan-home ranges=192.168.50.20-192.168.50.254
add comment="Guests WiFi VLAN Pool" name=pool-dhcp-vlan-guests ranges=192.168.10.20-192.168.10.254
add comment="IoTi VLAN Pool" name=pool-dhcp-vlan-iot ranges=192.168.20.20-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1-LAN lease-time=4d4h40m39s name=dhcp-core
add add-arp=yes address-pool=pool-dhcp-vlan-home interface=bridge-vlan-home-wifi lease-time=4d1h40m39s name=dhcp-home-wifi
add add-arp=yes address-pool=pool-dhcp-vlan-guests interface=bridge-vlan-guests-wifi lease-time=4d1h40m39s name=dhcp-guests-wifi
add add-arp=yes address-pool=pool-dhcp-vlan-iot interface=bridge-vlan-IoT lease-time=4d1h40m39s name=dhcp-iot
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add bridge=bridge1-LAN local-address=192.168.5.20 name=polas-l2tp remote-address=pptp-clients-polas
/routing table
add disabled=no fib name=to-wan-cosmote
add disabled=no fib name=to-wan-5g
add disabled=no fib name=to-wan-starlink
add disabled=no fib name=to-wan-starlink-no-resursive
/interface bridge port
add bridge=bridge1-LAN ingress-filtering=no interface=ether15
add bridge=bridge1-LAN ingress-filtering=no interface=ether14
add bridge=bridge1-LAN ingress-filtering=no interface=ether13-reolink
add bridge=bridge1-LAN ingress-filtering=no interface=ether12
add bridge=bridge1-LAN ingress-filtering=no interface=ether11-Markos
add bridge=bridge1-LAN ingress-filtering=no interface=ether10-UniFi-Switch
add bridge=bridge1-LAN ingress-filtering=no interface=ether9-Polas
add bridge=bridge1-LAN ingress-filtering=no interface=ether8-Lina
add bridge=bridge1-LAN ingress-filtering=no interface=ether7
add bridge=bridge1-LAN ingress-filtering=no interface=ether6
add bridge=bridge1-LAN ingress-filtering=no interface=ether5
add bridge=bridge1-LAN ingress-filtering=no interface=ether4
add bridge=bridge1-LAN ingress-filtering=no interface=ether16
add bridge=bridge1-LAN ingress-filtering=no interface=ether2-5G-Modem
add bridge=bridge-vlan-home-wifi interface=vlan-home-wifi
add bridge=bridge-vlan-guests-wifi interface=vlan-guests-wifi
add bridge=bridge-vlan-IoT interface=vlan-IoT
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1-Cosmote list=WAN
add interface=ether2-5G-Modem list=WAN
add interface=ether3-Starlink list=WAN
add interface=bridge1-LAN list=LAN
add interface=ether13-reolink list=LAN
add interface=l2tp-in-polas list=LAN
add interface=ether10-UniFi-Switch list=LAN
add interface=bridge-vlan-IoT list=LAN
add interface=bridge-vlan-guests-wifi list=LAN
add interface=bridge-vlan-home-wifi list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set default-profile=*1
/ip address
add address=192.168.0.1/24 comment=LAN interface=bridge1-LAN network=192.168.0.0
add address=192.168.30.1/24 comment="Cosmote Model Subnet" interface=ether1-Cosmote network=192.168.30.0
add address=192.168.1.10/24 comment="Starlink Subnet" interface=ether3-Starlink network=192.168.1.0
add address=192.168.50.1/24 comment="Home WiFi VLAN" interface=bridge-vlan-home-wifi network=192.168.50.0
add address=192.168.20.1/24 comment="IoT VLAN" interface=bridge-vlan-IoT network=192.168.20.0
add address=192.168.10.1/24 comment="Guests WiFi VLAN" interface=bridge-vlan-guests-wifi network=192.168.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.8.8,1.1.1.1 gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.0.1,8.8.8.8,1.1.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.0.1,8.8.8.8,1.1.1.1 gateway=192.168.20.1
add address=192.168.50.0/24 dns-server=192.168.0.1,8.8.8.8,1.1.1.1 gateway=192.168.50.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=cloud.mikrotik.com list="Mikrotik Cloud"
add address=cloud2.mikrotik.com list="Mikrotik Cloud"
/ip firewall mangle
add action=mark-routing chain=prerouting comment="PBR Force certain destinations to go through Cosmote" dst-address-list="Dst Addresses for Cosmote" \
    in-interface-list=LAN new-routing-mark=to-wan-cosmote passthrough=no
add action=mark-routing chain=prerouting comment="L2TP direct through cosmote" new-routing-mark=to-wan-cosmote passthrough=no protocol=l2tp
add action=mark-routing chain=prerouting comment="PBR Mikrotik Cloud (MT itself, used for self-DDNS ip/cloud)" dst-address-list="Mikrotik Cloud" \
    new-routing-mark=to-wan-cosmote passthrough=no
add action=mark-routing chain=prerouting comment="PBR to Cosmote" dst-address-list="!Private IP Addresses" in-interface-list=LAN new-routing-mark=\
    to-wan-cosmote passthrough=no src-address-list=clients-to-cosmote
add action=mark-routing chain=prerouting comment="PBR to Starlink" dst-address-list="!Private IP Addresses" in-interface-list=LAN new-routing-mark=\
    to-wan-starlink passthrough=no src-address-list=clients-to-starlink
add action=mark-routing chain=prerouting comment="PBR to 5G" dst-address-list="!Private IP Addresses" in-interface-list=LAN new-routing-mark=to-wan-5g \
    passthrough=no src-address-list=clients-to-5g
add action=mark-routing chain=prerouting comment="PBR to Starlink - WITHOUT Recursive Route" dst-address-list="!Private IP Addresses" \
    in-interface-list=LAN new-routing-mark=to-wan-starlink-no-resursive passthrough=no src-address-list=clients-without-recursive-routes
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Internet" out-interface-list=WAN
/ip route
add disabled=yes distance=1 dst-address=192.168.20.0/24 gateway=192.168.0.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.2.0/24 gateway=192.168.0.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=192.168.0.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="Monitor Cosmote" disabled=no distance=5 dst-address=1.0.0.1/32 gateway=192.168.30.2 pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Catch-all route to Starlink" disabled=no distance=20 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Catch-all Backup route to Cosmote" disabled=no distance=30 dst-address=0.0.0.0/0 gateway=1.0.0.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add comment="Catch-all 2nd Backup to 5g Cellular" disabled=no distance=50 dst-address=0.0.0.0/0 gateway=192.168.0.3 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="PBR Starlink 1st Route" disabled=no distance=8 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=\
    to-wan-starlink scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="PBR Cosmote 1st Route" disabled=no distance=8 dst-address=0.0.0.0/0 gateway=1.0.0.1 pref-src="" routing-table=\
    to-wan-cosmote scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="PBR Starlink 2nd Route(Cosmote)" disabled=no distance=9 dst-address=0.0.0.0/0 gateway=1.0.0.1 pref-src="" \
    routing-table=to-wan-starlink scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="PBR Cosmote 2nd Route (Starlink)" disabled=no distance=10 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" \
    routing-table=to-wan-cosmote scope=30 suppress-hw-offload=no target-scope=11
add comment="Monitor Starlink" disabled=no distance=5 dst-address=8.8.4.4/32 gateway=192.168.1.1 pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add comment="Non recursive route clients" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=\
    to-wan-starlink-no-resursive scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="PBR 5G 1st Route" disabled=no distance=8 dst-address=0.0.0.0/0 gateway=1.0.0.2 pref-src="" routing-table=to-wan-5g \
    scope=30 suppress-hw-offload=no target-scope=11
add comment="Monitor 5G" disabled=no distance=5 dst-address=1.0.0.2/32 gateway=192.168.0.3 pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
/ppp secret
add local-address=192.168.5.20 name=thanpolas-pptp profile=polas-l2tp remote-address=192.168.5.21
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="Polas Core"
/tool bandwidth-server
set authenticate=no

Who is online

Users browsing this forum: archemist, tangent and 60 guests