hgonzale
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain
Contact:

Losing VPN interfaces when reconnect

Wed Sep 26, 2018 1:23 pm

I have some MikroTiks in different countries, and I have "mark routing" to some IP for going to that IP using that route.

The problem is... I have a mark routing with the "vpn interface", but when the VPN is down, the VPN name disappears and all the relations are lost; when the VPN reconnects, the "interface" is still missing... and I need to fix it manually.

Is there some way to fix it? Any trick...

Thank you

PS: Here is some useful info

[admin@Sprinfield Mikrotik] /ppp active> print
Flags: R - radius
# NAME SERVICE CALLER-ID ADDRESS UPTIME ENCODING
0 casavzla l2tp 186.14.xxx.xxx 192.168.16.11 3d20h... cbc(aes) + hmac(sha256)
1 gutierolm... l2tp 190.77.xxx.xxx 192.168.16.26 1d11h... cbc(aes) + hmac(sha1)
2 mayjo l2tp 80.27.xxx.xxx 192.168.16.10 3h54m47s cbc(aes) + hmac(sha256

----------------

[admin@Sprinfield Mikrotik] /ip firewall mangle> export
# sep/26/2018 12:25:49 by RouterOS 6.42.3
# software id = xxxx-xxxx
#
# model = 2011UiAS-2HnD
# serial number = xxxxxxxxxxxx
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Marcado via VPN USA" new-routing-mark=VIA_VPN_USA passthrough=yes src-address-list=\
salida-via-vpn-usa
add action=mark-routing chain=prerouting comment="Marcado via VPN Troca" connection-state=new connection-type="" new-routing-mark=VIA_VPN_TROCA \
passthrough=yes src-address-list=salida-via-trocadero
add action=mark-routing chain=prerouting comment="Marcado via Sat" disabled=yes new-routing-mark=VIA_SAT passthrough=yes src-address-list=\
salida-via-sat
add action=mark-routing chain=prerouting comment="Marcado via Vzla" connection-state=new new-routing-mark=VIA_VPN_VZLA passthrough=yes \
src-address-list=salida-via-vpn_vzla
add action=mark-routing chain=prerouting comment="Marcado via Vzla para banesco" connection-state="" dst-address-list=banesco new-routing-mark=\
VIA_VPN_VZLA passthrough=no src-address=192.168.10.0/24
add action=mark-routing chain=prerouting comment="Salida via Troca" new-routing-mark=VIA_VPN_TROCA passthrough=yes src-address-list=\
salida-via-trocadero

--------------------------------

[admin@Sprinfield Mikrotik] /ip firewall nat> export
# sep/26/2018 12:27:44 by RouterOS 6.42.3
# software id = xxxx-xxxx
#
# model = 2011UiAS-2HnD
# serial number = xxxxxxxxxxx
/ip firewall nat
add action=masquerade chain=srcnat comment="Default Gateway FTTH" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="FTTH con marca" out-interface=ether10-gateway routing-mark=VIA_SAT
add action=masquerade chain=srcnat comment="Via VPN_USA" dst-address=0.0.0.0/0 out-interface=ppptp-usa src-address-list=salida-via-vpn-usa
add action=masquerade chain=srcnat comment="Via VPN_VZLA" dst-address=0.0.0.0/0 out-interface=<l2tp-casavzla> routing-mark=VIA_VPN_VZLA \
src-address-list=salida-via-vpn_vzla
add action=masquerade chain=srcnat comment="Via VPN_VZLA Banesco" dst-address-list=banesco out-interface=<l2tp-casavzla> routing-mark=VIA_VPN_VZLA \
src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Via VPN_Troca" dst-address=0.0.0.0/0 out-interface="Trocadero-vpn Oficina" routing-mark=VIA_VPN_TROCA \
src-address-list=salida-via-trocadero

------------------------------


[admin@Sprinfield Mikrotik] /ip route> export
# sep/26/2018 12:30:39 by RouterOS 6.42.3
# software id = xxxx-xxxx
#
# model = 2011UiAS-2HnD
# serial number = xxxxxxxxxxxxxxx
/ip route
add comment="Salida via USA" distance=1 gateway=ppptp-usa routing-mark=VIA_VPN_USA
add comment="Salida via Troca" distance=1 gateway="Trocadero-vpn Oficina" routing-mark=VIA_VPN_TROCA
add comment="Salida via WLAN 3G/4G" distance=1 gateway=192.168.42.129 routing-mark=VIA_DOOGEE
add comment="Salida via Sat con Mark Routing" distance=2 gateway=ether10-slave-local routing-mark=VIA_SAT
add comment="Salida via Vzla" distance=1 gateway=<l2tp-casavzla> routing-mark=VIA_VPN_VZLA
add disabled=yes distance=1 gateway=ether1-gateway
add distance=1 dst-address=192.168.0.0/24 gateway="Trocadero-vpn Oficina"
add distance=1 dst-address=192.168.1.0/24 gateway="Trocadero-vpn Oficina"
add comment="Red de Vzla" distance=1 dst-address=192.168.14.0/24 gateway=<l2tp-casavzla>
add distance=1 dst-address=192.168.30.0/24 gateway="Trocadero-vpn Oficina"
add comment="GP Rooms red 30" disabled=yes distance=1 dst-address=192.168.30.0/24 gateway=*F03249
add distance=1 dst-address=192.168.31.0/24 gateway="Trocadero-vpn Oficina"
add distance=1 dst-address=192.168.75.0/24 gateway="Trocadero-vpn Oficina"
add distance=1 dst-address=192.168.76.0/24 gateway="Trocadero-vpn Oficina"
/ip route rule
add dst-address=142.4.201.85/32 interface=ether10-gateway routing-mark=VIA_SAT table=VIA_SAT
add dst-address=142.4.209.197/32 interface=ether10-gateway routing-mark=VIA_SAT table=VIA_SAT

---------------


The bold interfaces go missing when this VPN disconnects, and I need to configure them again

Thank youuuuuuuu
 
Weverson
just joined
Posts: 4
Joined: Wed Aug 01, 2018 3:32 pm

Re: Losing VPN interfaces when reconnect

Wed Sep 26, 2018 3:47 pm

Does each VPN have an IP connection? If yes, as opposed to making the masquerade listen to an output interface, try doing the src-nat IP.
 
hgonzale
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain
Contact:

Re: Losing VPN interfaces when reconnect

Wed Sep 26, 2018 3:58 pm

ummmmmm interesting!!!!!!!
And yes. It makes sense!
I will try Mr...
 
sindy
Forum Guru
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: Losing VPN interfaces when reconnect  [SOLVED]

Wed Sep 26, 2018 6:08 pm

One of the simpler solutions is to link static interface names to /ppp secrets as follows:

/interface l2tp-server add name=e-g-casavzla user=casavzla

and redo all the references (routes' gateways and out-interface matchers in firewall rules) to these static names.

Also, you can create an /interface list, like all-l2tp-clients, and copy the /ppp profile you use (possibly the one called default) to a new one, and set the interface-list parameter of the new one to all-l2tp-clients, and configure all /ppp secrets to use that new profile instead of the default one. Or you can modify the default one this way if you don't need it for anything else. This way, a single masquerade rule will be enough, referring to out-interface-list=all-l2tp-clients.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
hgonzale
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain
Contact:

Re: Losing VPN interfaces when reconnect

Wed Sep 26, 2018 6:14 pm

I don't understand, sorry

Give a name to the l2tp server?

Each connection to "me" has a name like: l2tp-username

It is already, but when the VPN client disconnects, the "name" disappears....
and disappears from all the references, but now I am doing like the first answer, using IP..... waiting for losing connections and checking!!!
 
sindy
Forum Guru
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: Losing VPN interfaces when reconnect

Wed Sep 26, 2018 6:29 pm

each connection to "me" has a name like: l2tp-username
Yes, the interface is created dynamically, and gets a name composed of the ppp service type name (here, l2tp) and the ppp user name (here, casavzla). When the client connection goes down, the dynamically created interface gets destroyed, so references to it "hang in the air".

Using the method I've suggested, you create static interfaces which never disappear, and when a client for whom a static interface has been created using the command I gave above logs in, the corresponding static interface is used for him instead of dynamically creating a new one.

You have to make sure that only-one parameter of the /ppp profile is set to yes, otherwise if the connection breaks and the client re-connects before the previous connection expires locally, the new connection creates a dynamic interface and the idea fails.
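Added example, not part of any post in this thread: the static-binding procedure from sindy's two replies, written out against the rule and route comments shown in the first post's exports. The profile name l2tp-static and copying it from the profile called default are assumptions; the user, binding and interface-list names are the ones used in the thread.

```routeros
# Added example for RouterOS 6.x, run on the router acting as L2TP server.
# Assumed (hypothetical): profile name "l2tp-static", copied from "default".

# 1. Static server binding: the interface exists even while the client is
#    offline and is used for user casavzla at its next login.
/interface l2tp-server add name=e-g-casavzla user=casavzla

# 2. Profile that permits one session per user and puts the client's
#    interface into a common interface list.
/interface list add name=all-l2tp-clients
/ppp profile add copy-from=default name=l2tp-static only-one=yes \
    interface-list=all-l2tp-clients
/ppp secret set [find name=casavzla] profile=l2tp-static

# 3. Re-point the routes that referenced the dynamic <l2tp-casavzla> interface.
/ip route set [find comment="Salida via Vzla"] gateway=e-g-casavzla
/ip route set [find comment="Red de Vzla"] gateway=e-g-casavzla

# 4a. Either re-point the existing per-interface masquerade rules ...
/ip firewall nat set [find comment="Via VPN_VZLA"] out-interface=e-g-casavzla
/ip firewall nat set [find comment="Via VPN_VZLA Banesco"] \
    out-interface=e-g-casavzla
# 4b. ... or cover every L2TP client with a single list-based rule.
/ip firewall nat add action=masquerade chain=srcnat \
    out-interface-list=all-l2tp-clients comment="Via any L2TP client"

# 5. After a client disconnects and reconnects, confirm the binding is still
#    listed and the marked route still names it as gateway.
/interface l2tp-server print
/ip route print where routing-mark=VIA_VPN_VZLA
```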
 
hgonzale
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain
Contact:

Re: Losing VPN interfaces when reconnect

Wed Sep 26, 2018 7:08 pm

OHHHHHHHHHHHHHHHHHH WOWWWWWWWWW Super explaining!!!!!!!

That is the best answer!!!!

I didn't know how to do it..... amazing my friend

I will try later, but this is super

And yes, I always have only ONE CONNECTION.
 
hgonzale
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain
Contact:

Re: Losing VPN interfaces when reconnect

Wed Sep 26, 2018 7:22 pm

My friend. THIS IS WORKING perfectly
I didn't know it. WOWWWWWWWWWWWWWWWWWWW
THANK YOUUUUUUUUUUUUUUUUUUUUUUUUU
Many routers to change right now hahahaha
