angryuser
just joined
Topic Author
Posts: 4
Joined: Wed Apr 03, 2013 12:27 pm

L2TP tunnels and multiple WANs

Wed Apr 03, 2013 1:30 pm

Hello everybody.

I have two MT with 5.12 firmware.

Each MT has 3 active interfaces: one for LAN and the other two for WAN.

Each MT has settings like these:
/ip address
add address=192.168.1.2/24 comment="Main Internet channel" disabled=no interface=ether1-gateway network=192.168.1.0
add address=192.168.70.254/24 comment=LAN disabled=no interface=ether2-lan network=192.168.70.0
add address=192.168.2.2/24 comment="VoIP channel" disabled=no interface=ether3-voip network=192.168.2.0
The route rules on each MT look like this:
/ip route
add comment="Route marked via VoIP interface" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=VoIP scope=30 target-scope=10
add comment="Route marked via main interface" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=Main scope=30 target-scope=10
add comment="Default via main interface" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10

/ip route rule
add action=lookup comment="Marked for main comes via main" disabled=no routing-mark=Main table=Main
add action=lookup comment="Marked for VoIP comes via VoIP" disabled=no routing-mark=VoIP table=VoIP
add action=lookup comment="Route ignoring marks. Packets comes via table main" disabled=no dst-address=192.168.70.0/24 table=main
add action=lookup comment="Route ignoring marks. Packets comes via table main" disabled=no dst-address=192.168.1.0/24 table=main
add action=lookup comment="Route ignoring marks. Packets comes via table main" disabled=no dst-address=192.168.2.0/24 table=main
add action=lookup comment="Packets from main must returns via main interface" disabled=no src-address=192.168.1.0/24 table=Main
add action=lookup comment="Packets from VoIP must returns via VoIP interface" disabled=no src-address=192.168.2.0/24 table=VoIP
Everything works fine: every packet that comes in from an interface returns over the same one. When I set src-address in the ping command, every packet comes from the right interface.

I want to connect the 1st WANs of MT 1 and MT 2, and the 2nd WANs of MT 1 and MT 2, over an L2TP tunnel.

It works ONLY with an output client connection over the default gateway, because the source address of every packet is equal to the IP address of the interface which is used as the default route. We get the same situation with input connections: ask packets go only over the default route.

A marking rule for the client like this:
chain=output action=mark-routing new-routing-mark=Main passthrough=no protocol=udp dst-address=ser.ver.add.ress dst-port=1701
has no effect.

Is it a bug or a feature? :)
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: L2TP tunnels and multiple WANs

Wed Apr 03, 2013 2:01 pm

I see a mixture of routing marks "Main" and "main" in the uploaded rules. RouterOS converts "main" to the empty string when entering a rule in Winbox but does not do the same to "Main" so perhaps case-sensitivity is causing you problems.
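
The "Main" versus "main" mix pointed out in this reply can be checked mechanically. The following is an added example, not part of any post in this thread: it scans RouterOS export text for routing-mark and table names that differ only by letter case. The sample is a trimmed, constructed copy of the rules posted above, and the parser assumes the export layout shown there (a menu line followed by `add` lines, no backslash continuations).

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the /ip route and /ip route rule
# lines posted above (comments and unrelated attributes dropped).
SAMPLE_EXPORT = """\
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=VoIP
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=Main
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1
/ip route rule
add action=lookup routing-mark=Main table=Main
add action=lookup routing-mark=VoIP table=VoIP
add action=lookup dst-address=192.168.70.0/24 table=main
add action=lookup src-address=192.168.1.0/24 table=Main
"""

# key=value pairs; a quoted value (e.g. a comment) is consumed whole, so
# text such as "table main" inside a comment is never read as a setting.
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
TABLE_KEYS = {"routing-mark", "new-routing-mark", "table"}


def table_names(export_text):
    """Map each routing table/mark name to its (menu, line number) uses."""
    uses = defaultdict(list)
    menu = None
    for lineno, line in enumerate(export_text.splitlines(), 1):
        line = line.strip()
        if line.startswith("/"):
            menu = line  # remember which menu the following adds belong to
            continue
        for key, value in PAIR.findall(line):
            if key in TABLE_KEYS:
                uses[value.strip('"')].append((menu, lineno))
    return dict(uses)


def case_collisions(export_text):
    """Return groups of table/mark names that differ only by letter case."""
    groups = defaultdict(set)
    for name in table_names(export_text):
        groups[name.lower()].add(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for group in case_collisions(SAMPLE_EXPORT):
        print("names differing only by case:", ", ".join(group))
```

A reported group is a place to look, not proof of a mistake: a rule may deliberately reference the built-in `main` table next to a user-defined `Main` mark.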
 
angryuser
just joined
Topic Author
Posts: 4
Joined: Wed Apr 03, 2013 12:27 pm

Re: L2TP tunnels and multiple WANs

Wed Apr 03, 2013 2:29 pm

> RouterOS converts "main" to the empty string when entering a rule in Winbox but does not do the same to "Main" so perhaps case-sensitivity is causing you problems.

Thanks for the answer. That version is wrong, because all other types of traffic except L2TP go in and out of every MT perfectly. I am speaking only about the L2TP server/client on MT devices.

But I changed the name of the routing mark and it had no positive effect.

Any other version?

PS: I scanned the local forum for a solution to my problem and found other topics without any solutions. MikroTik has denied this problem.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP tunnels and multiple WANs

Wed Apr 03, 2013 11:32 pm

This is a known L2TP bug, confirmed by support to be a known issue that will be fixed. I have been bugging support to fix this for over half a year now.

See the end of the presentation in my sig; it mentions more known issues like this relating to L2TP.

Write to official support and ask them to fix the bug.
 
iprob
Frequent Visitor
Posts: 66
Joined: Wed Mar 07, 2012 12:44 am

Re: L2TP tunnels and multiple WANs

Tue May 13, 2014 10:12 pm

Do you know if this was addressed in version 6? I'm running 6.12 and cannot get the L2TP packets of a L2TP/IPSec tunnel to route over a specific interface. Everything else works fine.

I'm using PCC and have tried two specific rules (one for PPTP and one for L2TP).

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Force GRE packets out ISP1" dst-address-list=!safe-ips \
new-routing-mark=to_isp1 protocol=gre
add action=mark-routing chain=prerouting comment="Force IPSec packets out ISP1" dst-address-list=!safe-ips \
dst-port=1701 new-routing-mark=to_isp1 protocol=udp

I can see the L2TP packets going out the wrong interface and that they have no packet mark even though the mangle rule is getting a match (byte counts incrementing).
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: L2TP tunnels and multiple WANs

Wed May 14, 2014 12:42 am

> Do you know if this was addressed in version 6? I'm running 6.12 and cannot get the L2TP packets of a L2TP/IPSec tunnel to route over a specific interface. Everything else works fine.
>
> I'm using PCC and have tried two specific rules (one for PPTP and one for L2TP).
>
> /ip firewall mangle
> add action=mark-routing chain=prerouting comment="Force GRE packets out ISP1" dst-address-list=!safe-ips \
> new-routing-mark=to_isp1 protocol=gre
> add action=mark-routing chain=prerouting comment="Force IPSec packets out ISP1" dst-address-list=!safe-ips \
> dst-port=1701 new-routing-mark=to_isp1 protocol=udp
>
> I can see the L2TP packets going out the wrong interface and that they have no packet mark even though the mangle rule is getting a match (byte counts incrementing).

MikroTik confirmed that this will be fixed in 6.13. See here:
http://forum.mikrotik.com/viewtopic.php ... 50#p425747
 
iprob
Frequent Visitor
Posts: 66
Joined: Wed Mar 07, 2012 12:44 am

Re: L2TP tunnels and multiple WANs

Wed May 14, 2014 3:26 pm

Thanks for the heads up. We'll test it once 6.13 comes out. Appreciate the post!