lewinsteiner
just joined
Topic Author
Posts: 1
Joined: Sat Dec 10, 2022 3:49 pm

Packets vanishing in my LTE/VRF setup

Sat Dec 10, 2022 5:15 pm

I just bought a wAP ac R LTE6 Kit to use it as a backup uplink, but I'm struggling to get it to work properly.

My entire home network is tunneled over GRE tunnels from my main router (VyOS based) to a server at a cloud provider so that I can announce my own IPv6 prefix via BGP. I have two tunnels, one for VDSL and one for LTE (as a fallback). This tunnel setup works perfectly, except for the LTE part, which stopped working since I replaced a janky USB tethering router with the wAP.

The wAP is connected via ether1 to a switch. It has access to two VLANs, one for management (untagged) and one for the LTE traffic (tagged 131). On the management VLAN it gets IPs via DHCPv4 and SLAAC and it's supposed to direct any normal traffic via this VLAN, thus it's in the main VRF. The LTE traffic is supposed to be completely separated into the VLAN and into an extra VRF, so that all the automatic default routes can work without breaking each other. I set the ipv6-interface on the lte1 interface to the lte VLAN interface and my router successfully gets an IPv6 address. IPv4 doesn't matter at all for the LTE setup.

The problem is that traffic doesn't always go where it's supposed to go. Pinging an IPv6 from the wAP in the lte VRF works fine, although the replies come in twice for some reason. Pinging from my router via the LTE VLAN has a packet loss of ~50%. For some reason the GRE tunnel over the LTE is happily working, and so is the BGP over the tunnel. But pinging the tunnel IP of the cloud server from my router doesn't work (packets are not forwarded from the lte interface to the ethernet interface on the wAP). Pinging the tunnel IP of my router from the cloud server works for some magical reason.

The packets seem to get lost after arriving at the lte1 interface. I attached a screenshot of a packet capture from the wAP when pinging the tunnel IPs from each end (with only the two relevant ping sequences). The ICMP packets are actually inside of GRE packets, but Wireshark displays them unpacked. MAC addresses: a0=LTE provider, ac=wAP LTE interface, RB=wAP ether1, HP=Router.
In the first ping sequence the packets go all the way through and reach my cloud server (:1) again. In the second one, originating from my router (:2), they don't even reach the VLAN interface.

I suspect that there is something wrong with the routes, as for some reason there is one for the LTE IPv6 prefix in the main VRF. But I really don't get how it works one way but not the other. For some reason the default route in the main VRF is not printed, even though it has to be there, since the wAP has connectivity via IPv6.
[admin@lte-modem1] > /ipv6/route/print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; + - ecmp
   DAc   dst-address=2001:xx:3::/64 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10
   DAm   dst-address=2a02:30xx::/64 routing-table=main gateway="" blackhole immediate-gw="" distance=1 scope=30 target-scope=10
   DAc   dst-address=fd30:xx:3::/64 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10
   DAc   dst-address=fe80::%bridge/64 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10
   DAm   dst-address=::/0 routing-table=lte gateway=fe80::xx02%lte1@lte immediate-gw=fe80::xx02%lte1 distance=2 scope=30 target-scope=10
   DAc + dst-address=2a02:30xx::/64 routing-table=lte gateway=lte-tr@lte immediate-gw=lte-tr distance=0 scope=10
   DAc + dst-address=2a02:30xx::/64 routing-table=lte gateway=lte1@lte immediate-gw=lte1 distance=0 scope=10
   DAc   dst-address=2a02:30xx:xx97/128 routing-table=lte gateway=lte-tr@lte immediate-gw=lte-tr distance=0 scope=10
   DAc   dst-address=fec0:0:0:ffff::/64 routing-table=lte gateway=lte-tr@lte immediate-gw=lte-tr distance=0 scope=10
   DAc   dst-address=fe80::%lte1/64 routing-table=lte gateway=lte1@lte immediate-gw=lte1 distance=0 scope=10
   DAc   dst-address=fe80::%lte-tr/64 routing-table=lte gateway=lte-tr@lte immediate-gw=lte-tr distance=0 scope=10
[admin@lte-modem1] > /ipv6/address/print detail
Flags: X - disabled, I - invalid, D - dynamic; G - global, L - link-local
 0 DL address=fe80::xx97/64 from-pool="" interface=bridge actual-interface=bridge eui-64=no advertise=no no-dad=no
 1 DL address=fe80::xx97/64 from-pool="" interface=lte-tr actual-interface=lte-tr eui-64=no advertise=no no-dad=no
 2 DG address=fd30:xx97/64 from-pool="" interface=bridge actual-interface=bridge eui-64=no advertise=no no-dad=no
 3 DG address=2001:xx97/64 from-pool="" interface=bridge actual-interface=bridge eui-64=no advertise=no no-dad=no
 4 DL address=fe80::xxfd/64 from-pool="" interface=lte1 actual-interface=lte1 eui-64=no advertise=no no-dad=no
 5 DG address=2a02:30xx:xxfd/64 from-pool="" interface=lte1 actual-interface=lte1 eui-64=no advertise=no no-dad=no
 6 DG address=fec0:0:0:ffff::1/64 from-pool="" interface=lte-tr actual-interface=lte-tr eui-64=no advertise=no no-dad=no
 7 DG address=2a02:30xx::/64 from-pool="" interface=lte-tr actual-interface=lte-tr eui-64=no advertise=yes no-dad=no
 8 DG address=2a02:30xx:xx97/128 from-pool="" interface=lte-tr actual-interface=lte-tr eui-64=no advertise=no no-dad=no
My config:
# dec/10/2022 15:32:25 by RouterOS 7.6
# software id = xxx
#
# model = RBwAPGR-5HacD2HnD
# serial number = xxx
/interface bridge
add admin-mac=xxx auto-mac=no name=bridge
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge name=lte-tr vlan-id=131
/interface ethernet switch port
set 0 default-vlan-id=0
set 2 default-vlan-id=0
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
add apn=internet ipv6-interface=lte-tr name=custom_o2 use-network-apn=yes use-peer-dns=no
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=custom_o2 band="" network-mode=lte
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip vrf
add interfaces=lte1,lte-tr name=lte
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=131
add independent-learning=yes ports=ether1,switch1-cpu switch=switch1
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-client
add interface=bridge
/ip dns
set servers=xxx
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=lte-modem1

I would appreciate any help, thanks!
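The route dump above is the kind of output one has to cross-check by hand against the `/ip vrf` membership when a VRF setup misbehaves. The following is an added example, not code from the post or from MikroTik: a small Python audit that parses a `/ipv6/route/print detail` dump and reports routes whose gateway interface sits in a different VRF than the routing table they landed in, prefixes that appear in more than one routing table, prefixes that are connected on more than one interface of the same table, and tables with no `::/0`. The sample input is the dump from the post (with its `xx` anonymisation) and the VRF membership is taken from the posted `/ip vrf add interfaces=lte1,lte-tr name=lte` line; both are embedded here as constructed test data, and the finding names are this script's own.

```python
"""Audit a RouterOS '/ipv6/route/print detail' dump against '/ip vrf' membership.

Added example (not RouterOS or MikroTik code). It only reads text that RouterOS
already prints; it does not talk to a router.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: the route dump posted above (addresses anonymised as 'xx').
SAMPLE_ROUTE_PRINT = """
[admin@lte-modem1] > /ipv6/route/print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static
   DAc   dst-address=2001:xx:3::/64 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10
   DAm   dst-address=2a02:30xx::/64 routing-table=main gateway="" blackhole immediate-gw="" distance=1 scope=30 target-scope=10
   DAc   dst-address=fd30:xx:3::/64 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10
   DAc   dst-address=fe80::%bridge/64 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10
   DAm   dst-address=::/0 routing-table=lte gateway=fe80::xx02%lte1@lte immediate-gw=fe80::xx02%lte1 distance=2 scope=30 target-scope=10
   DAc + dst-address=2a02:30xx::/64 routing-table=lte gateway=lte-tr@lte immediate-gw=lte-tr distance=0 scope=10
   DAc + dst-address=2a02:30xx::/64 routing-table=lte gateway=lte1@lte immediate-gw=lte1 distance=0 scope=10
   DAc   dst-address=2a02:30xx:xx97/128 routing-table=lte gateway=lte-tr@lte immediate-gw=lte-tr distance=0 scope=10
   DAc   dst-address=fec0:0:0:ffff::/64 routing-table=lte gateway=lte-tr@lte immediate-gw=lte-tr distance=0 scope=10
   DAc   dst-address=fe80::%lte1/64 routing-table=lte gateway=lte1@lte immediate-gw=lte1 distance=0 scope=10
   DAc   dst-address=fe80::%lte-tr/64 routing-table=lte gateway=lte-tr@lte immediate-gw=lte-tr distance=0 scope=10
"""

# Constructed from the posted '/ip vrf add interfaces=lte1,lte-tr name=lte'.
SAMPLE_VRFS = {"lte": {"lte1", "lte-tr"}}

# A route line: flag letters, optional '+' (ecmp), then key=value pairs.
ROUTE_LINE = re.compile(r"^\s*([A-Za-z]+)\s*(\+?)\s*(dst-address=.*)$")


def parse_route_print(text):
    """Return one dict per route; legend, prompt and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        flags, ecmp, rest = m.groups()
        route = {"flags": set(flags), "ecmp": ecmp == "+", "attrs": set()}
        for tok in shlex.split(rest):          # shlex turns gateway="" into 'gateway='
            if "=" in tok:
                key, val = tok.split("=", 1)
                route[key] = val
            else:
                route["attrs"].add(tok)        # bare keywords such as 'blackhole'
        routes.append(route)
    return routes


def gateway_interface(gateway):
    """'fe80::xx02%lte1@lte' -> 'lte1'; 'lte-tr@lte' -> 'lte-tr'; '' -> None."""
    if not gateway:
        return None
    gw = gateway.split("@", 1)[0]              # drop the '@table' suffix RouterOS prints
    if "%" in gw:
        return gw.split("%", 1)[1]             # link-local next hop: interface after '%'
    if ":" in gw:
        return None                            # plain global next hop, interface unknown
    return gw                                  # connected route: gateway is the interface


def audit_routes(routes, vrfs):
    """Return (kind, dst, table, detail) tuples for the four checks described above."""
    iface_table = {i: name for name, ifaces in vrfs.items() for i in ifaces}
    findings = []
    tables_by_dst = defaultdict(set)
    ifaces_by_dst_table = defaultdict(set)
    seen_tables, default_tables = set(), set()
    for r in routes:
        dst, table = r["dst-address"], r.get("routing-table", "main")
        seen_tables.add(table)
        if dst == "::/0":
            default_tables.add(table)
        iface = gateway_interface(r.get("gateway", ""))
        if iface:
            expected = iface_table.get(iface, "main")   # interface in no VRF -> main
            if expected != table:
                findings.append(("wrong-table", dst, table, f"gateway {iface} belongs to {expected}"))
            ifaces_by_dst_table[(dst, table)].add(iface)
        tables_by_dst[dst].add(table)
    for dst, tables in tables_by_dst.items():
        if len(tables) > 1:
            findings.append(("cross-table", dst, ",".join(sorted(tables)), "same prefix in several tables"))
    for (dst, table), ifaces in ifaces_by_dst_table.items():
        if len(ifaces) > 1:
            findings.append(("multi-interface", dst, table, "connected on " + ",".join(sorted(ifaces))))
    for table in sorted(seen_tables - default_tables):
        findings.append(("no-default", "::/0", table, "table has no ::/0 route"))
    return findings


if __name__ == "__main__":
    for kind, dst, table, detail in audit_routes(parse_route_print(SAMPLE_ROUTE_PRINT), SAMPLE_VRFS):
        print(f"{kind:16} {dst:24} {table:10} {detail}")
```

Feed it the output of `/ipv6/route/print detail` copied from the terminal and a dict of VRF name to interface set; on the posted dump it reports the `2a02:30xx::/64` prefix present in both `main` and `lte`, that same prefix connected on both `lte1` and `lte-tr` inside `lte`, and the absence of a `::/0` entry in `main`, which are exactly the three things the post points at without deciding which of them is the cause.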
