tsatasos
Frequent Visitor
Topic Author
Posts: 58
Joined: Sun Aug 01, 2010 11:39 am
Location: Greece

VPN problem with Dual-Wan Load-Balancing Setup

Fri Jan 16, 2015 1:27 am

Hello,

I have a Dual-Wan setup with 2 VDSL connections (50Mbps down / 5Mbps up each) for Load Balancing / Failover using PCC according to this guide:
http://wiki.mikrotik.com/wiki/Manual:PCC

Load Balancing / Failover works fine, but when I try to connect from outside to the inside network using PPTP VPN I cannot ping any device.
When I disable everything under "/ip firewall mangle", PPTP VPN works perfectly.
I have set up proxy-arp on the LAN interface and I don't have any firewall filter rules.

The code I use:
/ip firewall mangle
add chain=input in-interface=OtenetA action=mark-connection new-connection-mark=internet1_conn
add chain=input in-interface=OtenetB action=mark-connection new-connection-mark=internet2_conn

add chain=output connection-mark=internet1_conn action=mark-routing new-routing-mark=to_internet1
add chain=output connection-mark=internet2_conn action=mark-routing new-routing-mark=to_internet2

add chain=prerouting dst-address-type=!local in-interface=ether3-master per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=internet1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether3-master per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=internet2_conn passthrough=yes

add chain=prerouting connection-mark=internet1_conn in-interface=ether3-master action=mark-routing new-routing-mark=to_internet1
add chain=prerouting connection-mark=internet2_conn in-interface=ether3-master action=mark-routing new-routing-mark=to_internet2

/ip route
add dst-address=0.0.0.0/0 gateway=OtenetA routing-mark=to_internet1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=OtenetB routing-mark=to_internet2 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=OtenetA distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=OtenetB distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=OtenetA action=masquerade
add chain=srcnat out-interface=OtenetB action=masquerade

What should I do to make PPTP VPN work with load balancing enabled?

Thank you,
Tasos
 
tsatasos
Frequent Visitor
Topic Author
Posts: 58
Joined: Sun Aug 01, 2010 11:39 am
Location: Greece

Re: VPN problem with Dual-Wan Load-Balancing Setup

Mon Jan 19, 2015 11:44 pm

I found the problem, I had to add an accept mangle rule for the remote VPN IP.

Now I have another problem with the load balancing setup.

When the modem/routers are in bridge mode and the PPPoE is done from the RB, I cannot download torrents.
"torrentz.com" gives me an error that I cannot continue because load balancing was detected.
I have the same problem using "jdownloader".

When PPPoE is done from the modem/routers, I can download torrents using "torrentz.com", but "jdownloader" gives an error again.

Any solution on this please?

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.101

add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=ether3-lan-master new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=ether3-lan-master new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses:2/1

add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=no in-interface=ether3-lan-master new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn disabled=no in-interface=ether3-lan-master new-routing-mark=to_WAN2 passthrough=yes

add action=mark-routing chain=output connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes

add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=Otenet1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=Otenet2 new-connection-mark=WAN2_conn passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Otenet1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=Otenet2 src-address=192.168.1.0/24

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Otenet1 routing-mark=to_WAN1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Otenet2 routing-mark=to_WAN2 scope=30 target-scope=10
 
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Otenet1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=Otenet2 scope=30 target-scope=10
 
Toiletbowl
Member Candidate
Posts: 169
Joined: Fri Jun 03, 2011 6:49 am
Location: Boracay Philippines

Re: VPN problem with Dual-Wan Load-Balancing Setup

Tue Jan 20, 2015 4:43 am

I have the same problem: I can't ping local devices either, but the VPN tunnel connected well.
 
tsatasos
Frequent Visitor
Topic Author
Posts: 58
Joined: Sun Aug 01, 2010 11:39 am
Location: Greece

Re: VPN problem with Dual-Wan Load-Balancing Setup

Tue Jan 20, 2015 12:14 pm

I have the same problem: I can't ping local devices either, but the VPN tunnel connected well.
You have to add an accept mangle rule for the remote VPN IP (at the top of the mangle rules).

For example if your subnet is 192.168.1.0/24, vpn local address = 192.168.1.100, vpn remote address=192.168.1.101
You have to add this rule:
add action=accept chain=prerouting dst-address=192.168.1.101
You can also check this thread:
http://forum.mikrotik.com/viewtopic.php ... ead#unread
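
Why the accept rule has to sit above the PCC rules, as an added example that is not part of the original posts: a small Python model of the first post's prerouting chain and routing tables. The LAN host 192.168.1.50, the router address 192.168.1.1, the interface name `pptp-client` and the bucket function (a stand-in, not RouterOS's real PCC hash) are assumptions.

```python
import ipaddress

# Constructed model of the first post's setup. Assumed values: LAN host 192.168.1.50,
# router LAN address 192.168.1.1, and the dynamic interface name "pptp-client".
ROUTER_LOCAL = {"192.168.1.1", "192.168.1.100"}   # addresses the router itself owns
VPN_REMOTE = "192.168.1.101"                      # PPTP client, reached via proxy-arp
MARK_FOR = {0: "to_internet1", 1: "to_internet2"}

# Routing tables: the marked tables hold only a default route, as in the thread.
ROUTES = {
    "to_internet1": [("0.0.0.0/0", "OtenetA")],
    "to_internet2": [("0.0.0.0/0", "OtenetB")],
    "main": [("192.168.1.101/32", "pptp-client"),   # dynamic route to the VPN peer
             ("192.168.1.0/24", "ether3-master"),
             ("0.0.0.0/0", "OtenetA")],
}

def pcc_bucket(src, dst, buckets=2):
    """Stand-in for per-connection-classifier=both-addresses; not RouterOS's hash."""
    return (int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))) % buckets

def prerouting_mark(pkt, accept_vpn_first):
    """Return the routing mark the prerouting mangle chain leaves on pkt, or None."""
    if accept_vpn_first and pkt["dst"] == VPN_REMOTE:
        return None                  # action=accept ends the chain before any marking
    if pkt["in"] == "ether3-master" and pkt["dst"] not in ROUTER_LOCAL:
        # dst-address-type=!local matches: the VPN peer is not a router address
        return MARK_FOR[pcc_bucket(pkt["src"], pkt["dst"])]
    return None

def egress(pkt, accept_vpn_first):
    """Longest-prefix lookup in the table selected by the routing mark."""
    table = ROUTES[prerouting_mark(pkt, accept_vpn_first) or "main"]
    dst = ipaddress.ip_address(pkt["dst"])
    nets = [(ipaddress.ip_network(net), iface) for net, iface in table]
    return max((n for n in nets if dst in n[0]), key=lambda n: n[0].prefixlen)[1]

# Constructed packets: a LAN host answering the VPN client, and ordinary web traffic.
reply = {"in": "ether3-master", "src": "192.168.1.50", "dst": "192.168.1.101"}
web = {"in": "ether3-master", "src": "192.168.1.50", "dst": "8.8.8.8"}

if __name__ == "__main__":
    for label, pkt in (("reply to VPN client", reply), ("internet traffic", web)):
        for fix in (False, True):
            print(f"{label:20} accept-rule={fix!s:5} -> {egress(pkt, fix)}")
```

Without the accept rule the reply to the VPN client picks up a WAN routing mark and leaves through a WAN interface; with it, the packet stays in the main table and follows the /32 route to the tunnel, while internet traffic is still balanced.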
 
tiagofrota
just joined
Posts: 6
Joined: Fri Jan 16, 2015 4:21 pm

Re: VPN problem with Dual-Wan Load-Balancing Setup

Thu Nov 05, 2015 7:28 pm

I have the same problem: I can't ping local devices either, but the VPN tunnel connected well.
You have to add an accept mangle rule for the remote VPN IP (at the top of the mangle rules).

For example if your subnet is 192.168.1.0/24, vpn local address = 192.168.1.100, vpn remote address=192.168.1.101
You have to add this rule:
add action=accept chain=prerouting dst-address=192.168.1.101
You can also check this thread:
http://forum.mikrotik.com/viewtopic.php ... ead#unread


I solved the same issue for the VPN clients by adding a static route, with a longer distance than the load balance routes, for the 0.0.0.0/0 dst address to one of my internet gateways.

The approach of adding the mangle rule for the VPN gateway didn't work for me.
 
Moloch
just joined
Posts: 3
Joined: Mon Oct 31, 2016 5:03 pm

Re: VPN problem with Dual-Wan Load-Balancing Setup

Tue Nov 01, 2016 11:21 am

Hello,
I have the same problem, could somebody help me?
My MikroTik config is below:
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN1"
set [ find default-name=ether2 ] name="ether2 - WAN2"
set [ find default-name=ether3 ] name="ether3 - LAN1"
set [ find default-name=ether4 ] name="ether4 - LAN2"

/ip pool
add name=dhcp_pool ranges=192.168.0.10-192.168.0.60
add name=pptp-pool ranges=192.168.1.10-192.168.1.20

/ppp profile
add local-address=pptp-pool name=pptp-profile remote-address=pptp-pool

/interface pptp-server server
set default-profile=pptp-profile enabled=yes

/ip address
add address=X.X.X.X/24 interface="ether1 - WAN1" network=X.X.X.X
add address=X.X.X.X/29 interface="ether2 - WAN2" network=X.X.X.X
add address=192.168.0.1/24 interface="bridge - LAN" network=192.168.0.0

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1

/ip firewall filter
add chain=input dst-port=1723 protocol=tcp
add chain=forward protocol=gre

/ip firewall mangle
add action=mark-connection chain=input in-interface="ether1 - WAN1" \
    new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface="ether2 - WAN2" \
    new-connection-mark=WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2
add chain=prerouting dst-address=X.X.X.X/24 in-interface="bridge - LAN"
add chain=prerouting dst-address=X.X.X.X/29 in-interface="bridge - LAN"
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface="bridge - LAN" new-connection-mark=WAN1_conn \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface="bridge - LAN" new-connection-mark=WAN2_conn \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface="bridge - LAN" new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface="bridge - LAN" new-routing-mark=to_WAN2

/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - WAN1"
add action=masquerade chain=srcnat out-interface="ether2 - WAN2"
add action=dst-nat chain=dstnat dst-port=9999 protocol=tcp to-addresses=\
    192.168.0.100 to-ports=3389

/ip route
add check-gateway=ping distance=10 gateway=X.X.X.X routing-mark=to_WAN1
add check-gateway=ping distance=20 gateway=X.X.X.X routing-mark=to_WAN2

/ppp secret
add name=admin password=XXXXXXXXXXX profile=pptp-profile
 
Moloch
just joined
Posts: 3
Joined: Mon Oct 31, 2016 5:03 pm

Re: VPN problem with Dual-Wan Load-Balancing Setup

Thu Nov 10, 2016 11:34 am

Somebody?
 
Grossy
just joined
Posts: 1
Joined: Fri Nov 11, 2016 8:23 am

Re: VPN problem with Dual-Wan Load-Balancing Setup

Fri Nov 11, 2016 8:36 am

Somebody?
Your VPN connection didn't get marked, since you are marking for in-interface bridge LAN? Try to set static addresses on your PPP IP address, e.g. local: 10.10.10.1, remote: 10.10.10.2
 
Moloch
just joined
Posts: 3
Joined: Mon Oct 31, 2016 5:03 pm

Re: VPN problem with Dual-Wan Load-Balancing Setup

Mon Nov 14, 2016 9:59 am

I think I should configure this router one more time. :)