psycoclan1
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Aug 11, 2008 4:30 pm
Location: England

2 default routes when ROS starts

Mon Nov 11, 2019 1:45 am

Hi guys, I want to route all of the local traffic through a VPN L2TP connection. Everything works. The part I am stuck at is that every time I reboot the MikroTik, the route table generates 2 default routes with the same distance = 1.

I tried to disable both default routes (the wlan client is the gateway to the internet, and the l2tp client) and set static routes with distance 1 and 2, L2TP = 1, wlan = 2, but then the wlan doesn't route and the VPN doesn't connect.

The only way to make it work is to manually log into ROS, go to IP > Routes and delete the wlan route. Then everything works on my laptop and I get the remote public IP address from the VPN server. I somehow need this to be done automatically.
 
sindy
Forum Guru
Posts: 3904
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 default routes when ROS starts

Mon Nov 11, 2019 4:40 pm

  1. the distance parameter of a route only plays a role when the other matching criteria of several routes (dst-address and routing-mark) are exactly the same. Out of all these routes whose gateway is currently reachable, the one with lowest value of distance becomes active.
  2. among all active routes whose dst-address matches the destination address of the packet and whose routing-mark matches the packet's one, the one with longest prefix of dst-address is always chosen to route the packet
So what happens when you reboot the machine: first, the WLAN interface goes up, so it gets an IP configuration including a default gateway via DHCP. Once the default route is installed, the L2TP/IPsec gets up, and once the L2TP interface gets up, the IPCP installs another default route via the L2TP tunnel. If you don't remove the default route via WLAN, it probably remains active, so the traffic keeps using it. Once you delete the default route via WLAN, the IPsec transport packets likely keep using their gateway because the routing cache remembers that routing decision, whereas the first packet of each new connection is routed using the route via the L2TP.
What surprises me a lot is that in this state, it keeps working for an unlimited amount of time, because a record in the routing cache normally expires every now and then and the routing has to be repeated. So once this happens, the tunnel should fail in the absence of the route via WLAN.
So a quick and dirty solution is to create a static route with dst-address matching the IP of the VPN server, and let the L2TP install a dynamic default route.
A slightly more complex but more future-proof solution would be to use policy routing or /ip route vrf to let the Mikrotik itself use the default route via WLAN, and let the traffic forwarded from the LAN port (where your PC is connected) use the default route via L2TP added into another routing table (i.e. with another routing-mark). The advantage here is that you can use a DNS name of the VPN server instead of its IP number. But in the latter case, do not use Mikrotik's own IP as the PC's DNS server, as the DNS requests would go via the WLAN route directly.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
xvo
Long time Member
Posts: 579
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: 2 default routes when ROS starts

Mon Nov 11, 2019 5:39 pm

So a quick and dirty solution is to create a static route with dst-address matching the IP of the VPN server, and let the L2TP install a dynamic default route.
Why do you think of it as a dirty solution?
What can possibly be wrong if the default route distance for dhcp-client on wlan is changed to something >1 and there is a static route to l2tp server address with wlan interface as a gateway?
 
sindy
Forum Guru
Posts: 3904
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 default routes when ROS starts

Mon Nov 11, 2019 6:08 pm

Why do you think of it as a dirty solution?
Solely because it relies on the assumption that the VPN server will always run on the same single IP, whereas the VPN providers often give out an FQDN, like any other internet service, and use short-lived DNS records to distribute the load among their servers, or even to migrate the servers to completely different address ranges. So a fixed route may stop working one day. Tracking the server fqdn using an /ip firewall address-list item and assigning a routing-mark in mangle addresses this, but it is more complex to set up than just splitting the routing into "mikrotik's own one" and "connected LAN clients' one".
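The "more future-proof" layout sindy describes in the first reply (router's own traffic via WLAN, forwarded LAN traffic via L2TP in a second routing table), which also sidesteps the FQDN problem raised in this post because the router never needs a fixed route to the VPN server. This is an added example in RouterOS v6 CLI, not configuration posted in the thread; the interface names (ether2 = LAN port, l2tp-out1), the server name vpn.example.net and the table name via-vpn are placeholders.

```routeros
# Added example (not from the thread). RouterOS v6 syntax; placeholders:
# ether2 = LAN port the PC is on, l2tp-out1 = the L2TP client, vpn.example.net,
# via-vpn = routing-mark / table name.

# 1. Address the server by name and keep the tunnel out of the main table:
#    the router itself must go on using the DHCP default route via WLAN.
/interface l2tp-client set [find name=l2tp-out1] connect-to=vpn.example.net \
    add-default-route=no

# 2. Second routing table whose only default route is the tunnel.
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=via-vpn \
    comment="forwarded LAN traffic: default via VPN"

# 3. Mark every packet entering from the LAN port. Router-originated packets
#    (the L2TP/IPsec transport to the server, DNS, NTP) never pass prerouting,
#    so the tunnel can never be routed into itself (the loop pe1chl warns about).
/ip firewall mangle add chain=prerouting in-interface=ether2 \
    action=mark-routing new-routing-mark=via-vpn passthrough=no \
    comment="LAN -> via-vpn table"

# 4. Fail closed: without this rule ROS v6 falls back to the main table when the
#    via-vpn table has no usable route, i.e. LAN traffic would leak out via WLAN
#    whenever the tunnel is down. lookup-only-in-table drops it instead.
/ip route rule add routing-mark=via-vpn action=lookup-only-in-table table=via-vpn

# 5. Source NAT the LAN behind the tunnel address.
/ip firewall nat add chain=srcnat out-interface=l2tp-out1 action=masquerade

# 6. Checks: the via-vpn table should show the tunnel default as active (A) once
#    l2tp-out1 is up; the main table keeps only the WLAN default.
/ip route print where routing-mark=via-vpn
/ip route print where dst-address=0.0.0.0/0
/ip firewall mangle print stats
```

As sindy notes, the PC must not use the router's own address as its DNS server in this layout: a query to the router is answered by a router-originated lookup, which follows the main table and leaves via WLAN. Point the PC at a resolver that is reached through the tunnel instead.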
 
pe1chl
Forum Guru
Posts: 5915
Joined: Mon Jun 08, 2015 12:09 pm

Re: 2 default routes when ROS starts

Mon Nov 11, 2019 6:09 pm

It depends on the type of VPN, but you always need to watch out for the situation where your VPN adds a default route and the VPN traffic itself (the traffic to the VPN server) gets routed via that same route, creating a loop which destroys the VPN.
When you see the VPN going up and down all the time, this likely is what is going wrong.
With Policy Routing you explicitly construct the policy so that this will not happen.
 
psycoclan1
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Aug 11, 2008 4:30 pm
Location: England

Re: 2 default routes when ROS starts

Mon Nov 11, 2019 7:34 pm

So, as this is a test RouterBOARD, I didn't let it run for hours, so probably the routing cache expires eventually. I'm solely trying to find a solution to forward all traffic through the VPN (even if it's PPTP or L2TP; in my case it is L2TP with IPsec).

For the first solution (the quick and dirty one), there is a routing rule where the dst-address is the VPN address and the gateway is the wlan.

Image

With the above setup, the MikroTik does have internet (obviously), but doesn't route to the PC. To make it work I have to delete the top route. Basically, the top one is the default route for the wlan, while the second route is the default route for the l2tp connection.

The 3rd route is what you are mentioning as a quick and dirty option, I think; correct me if I'm wrong. It didn't do the job so far.
 
xvo
Long time Member
Posts: 579
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: 2 default routes when ROS starts

Mon Nov 11, 2019 8:31 pm

So, as this is a test RouterBOARD, I didn't let it run for hours, so probably the routing cache expires eventually. I'm solely trying to find a solution to forward all traffic through the VPN (even if it's PPTP or L2TP; in my case it is L2TP with IPsec).

For the first solution (the quick and dirty one), there is a routing rule where the dst-address is the VPN address and the gateway is the wlan.

Image

With the above setup, the MikroTik does have internet (obviously), but doesn't route to the PC. To make it work I have to delete the top route. Basically, the top one is the default route for the wlan, while the second route is the default route for the l2tp connection.

The 3rd route is what you are mentioning as a quick and dirty option, I think; correct me if I'm wrong. It didn't do the job so far.
That is not enough.
You need to change distance of the default route via wlan (in DHCP-client Settings/Advanced).
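The fix xvo points at (raise the distance of the DHCP-learned default route) together with the host route to the VPN server from sindy's first reply, written out as RouterOS v6 CLI. This is an added example, not configuration from the thread; wlan1, l2tp-out1, the VPN server address 203.0.113.10 and the WLAN gateway 192.0.2.1 are placeholders for your own values.

```routeros
# Added example (not from the thread). RouterOS v6 syntax; placeholders:
# wlan1 = uplink, l2tp-out1 = the L2TP client, 203.0.113.10 = VPN server,
# 192.0.2.1 = gateway handed out by the WLAN's DHCP server.

# 1. Make the DHCP-learned default route via WLAN lose to the tunnel's one.
#    This is the "Default Route Distance" field on the DHCP client's Advanced tab.
/ip dhcp-client set [find interface=wlan1] add-default-route=yes \
    default-route-distance=10

# 2. Keep the VPN server itself reachable via WLAN. A /32 host route beats any
#    default route by longest-prefix match regardless of distance, so the
#    L2TP/IPsec transport packets can never be pulled into the tunnel they carry.
/ip route add dst-address=203.0.113.10/32 gateway=192.0.2.1 distance=1 \
    comment="VPN server via WLAN, never via the tunnel"

# 3. Let the tunnel install its own default route with the lowest distance, so
#    it becomes the active default as soon as l2tp-out1 comes up.
/interface l2tp-client set [find name=l2tp-out1] add-default-route=yes \
    default-route-distance=1

# 4. Source NAT the LAN behind the tunnel address.
/ip firewall nat add chain=srcnat out-interface=l2tp-out1 action=masquerade

# 5. Check after a reboot: exactly one default route should carry the A (active)
#    flag, via l2tp-out1; the WLAN default is listed with distance 10, not active.
/ip route print where dst-address=0.0.0.0/0
/ip route print where dst-address=203.0.113.10/32
```

Two caveats a practitioner should keep in mind. The gateway of the /32 route is the address DHCP handed out; if the upstream network ever gives a different gateway, that route shows up without the A flag and the tunnel will not come up, which is also the first thing to look at when the VPN stops connecting. And this design fails open: whenever the tunnel is down, the WLAN default with distance 10 becomes active again and LAN traffic leaves via WLAN instead of being dropped.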
 
xvo
Long time Member
Posts: 579
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: 2 default routes when ROS starts

Mon Nov 11, 2019 8:34 pm

Why do you think of it as a dirty solution?
Solely because it relies on the assumption that the VPN server will always run on the same single IP, whereas the VPN providers often give out an FQDN, like any other internet service, and use short-lived DNS records to distribute the load among their servers, or even to migrate the servers to completely different address ranges. So a fixed route may stop working one day. Tracking the server fqdn using an /ip firewall address-list item and assigning a routing-mark in mangle addresses this, but it is more complex to set up than just splitting the routing into "mikrotik's own one" and "connected LAN clients' one".
Now that makes perfect sense.
I guess I'm too used to VPN connections that I make between my own devices, that I didn't even think about it :)
 
psycoclan1
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Aug 11, 2008 4:30 pm
Location: England

Re: 2 default routes when ROS starts

Mon Nov 11, 2019 9:23 pm

xvo: wow, that did the job!! Never thought of changing the distance from the Advanced tab in wlan!!! Now it works after rebooting the MikroTik!
 
sindy
Forum Guru
Posts: 3904
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 default routes when ROS starts

Mon Nov 11, 2019 10:48 pm

Well, I hadn't realized I had to explicitly tell you to remove the default route via WLAN (you can try that: it will work even if you disable adding the default route in the DHCP client configuration, not just set a higher distance value for it), as you'd said you had already tried to remove it, so I took that state as a starting point.

@xvo, we're in the same boat here, I've also never used any other VPN server than my own one, but the other use of VPN has become so popular that I've noticed some related information :-)
 
psycoclan1
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Aug 11, 2008 4:30 pm
Location: England

Re: 2 default routes when ROS starts

Mon Nov 11, 2019 11:46 pm

Thank you all guys for taking some of your time to help me!!

sindy: yeah, me too. I have never used any other VPN service other than my own MikroTik server in the cloud. All of my computers and devices work through that server. Now this project is slightly different and I got stuck because I didn't realize I had to change it from there :)
