I run a site-to-site VPN connection between my home site and a number of other locations. This works great.
But for whatever reason at random intervals, I lose a custom route that I've set up that is required for me to see the other locations IP range. It changes from the L2TP VPN interface to unknown even though the interface has already presumably reconnected after a brief disconnection (not sure if it is dropping it at random or not).
Any ideas on how to maintain this without having to go in and manually correct the route each time it cannot find it again. And hold on to the actual value?
It is slightly but persistently frustrating.
Thanks!
-
-
vecernik87
Forum Veteran
- Posts: 891
- Joined:
Re: [Lost Interface] IP->Routes
I assume we are talking about home site, where you assigned the route to dynamic interface (which gets created for every connected client), right?
Anything assigned to particular dynamic interface will get broken with any reconnection of that VPN. There is a "L2TP server binding" interface which will make it static (and will go up/down based on status of particular VPN connection)
If i am wrong with my assumption or suggested solution does not work, please share more details to specify issue. (ideally whole config with where you can easily find&replace any personal details)
Anything assigned to particular dynamic interface will get broken with any reconnection of that VPN. There is a "L2TP server binding" interface which will make it static (and will go up/down based on status of particular VPN connection)
If i am wrong with my assumption or suggested solution does not work, please share more details to specify issue. (ideally whole config with
Code: Select all
/export hide-sensitiveRe: [Lost Interface] IP->Routes
Sorry for the delay on my response.
L2TP-8794 is the (L2TP Server Binding) interface. Within the IP - Routes. I have set the gateway to L2TP-8794 (reachable) for AD (10.0.1.0/24). This works perfectly.
But this is also what randomly gets switched back to 'unknown'.
I might point out this down not happen on another L2TP-8794 pointing to DAC (172.0.0.240).
I noticed the only difference between these two setting wise. Is the distance of 0 to 1. And the scope is 30 vs 10. I adjusted them both to 10.
Any thoughts?
L2TP-8794 is the (L2TP Server Binding) interface. Within the IP - Routes. I have set the gateway to L2TP-8794 (reachable) for AD (10.0.1.0/24). This works perfectly.
But this is also what randomly gets switched back to 'unknown'.
I might point out this down not happen on another L2TP-8794 pointing to DAC (172.0.0.240).
I noticed the only difference between these two setting wise. Is the distance of 0 to 1. And the scope is 30 vs 10. I adjusted them both to 10.
Any thoughts?
Re: [Lost Interface] IP->Routes
Same issue here... with PPTP and L2TP; when the interface falls out due to loss of connectivity... It can not re-establish the correct interface and always resets back to an unused sfp interface in fw rules and unknown in routes.. have not searched extensively for a solution as it has not gotten annoying enough.. My VPN tunnels are configured as server bindings.. Anyone have a solution?
(extending my keep-alive to 5 minutes vs 30 seconds)
(extending my keep-alive to 5 minutes vs 30 seconds)
Re: [Lost Interface] IP->Routes
Hi Jordan,
does the interface after brief disconnected and back reconnect with interface name its their name of /ppp secret? and binding interface wasn't running?
does the interface after brief disconnected and back reconnect with interface name its their name of /ppp secret? and binding interface wasn't running?
-
-
vecernik87
Forum Veteran
- Posts: 891
- Joined:
Re: [Lost Interface] IP->Routes
I am more and more convinced that @JordanR and @Cvan are talking about dynamic interfaces. Not static ones which I earlier identified as most probable solution.
In both cases (both dynamic and static), the interface is marked as as "PPTP/L2TP/SSTP Server Binding" so it may be not easy to understand, however if you check the flag, it will be clear.
I tested both situation with SSTP and PPTP and it simply did not occur as long as I used manually created server binding. I have FW rules bound to Server Binding in my normal config, I on purpose created route and it worked despite disconnecting/reconnecting.
I also replicated exactly same result as those two (i.e. broken FW rules and broken routes) when I left the interface to be dynamic.
Let me give you example config:
Magic happens on last line of that code, where I am manually creating server binding, which stays as a existing (but not running) interface even if Betty disconnect. Once Betty reconnects, interface goes back to running state and keeps same internal ID which is linked to firewall rule or routes...
If both Adam and Betty connects, I can print something like this:
Now lets block both of them access to rest of local network:
at the moment, it works. But once they disconnect, following will happen:
See? Adam's rule got broken because his interface does not exist anymore. It is actually not linked via name (that is just displayed as user-friendly description) but link happens via internal ID, in this case it was F00110. Once Adam connects again, he won't get same ID again despite the fact that his dynamic server binding will have same name.
Same would happen for routes.
Please, lets focus on those interfaces - whether they are dynamic (automatically created when client connects) or static (manually created by admin)
In both cases (both dynamic and static), the interface is marked as as "PPTP/L2TP/SSTP Server Binding" so it may be not easy to understand, however if you check the flag, it will be clear.
I tested both situation with SSTP and PPTP and it simply did not occur as long as I used manually created server binding. I have FW rules bound to Server Binding in my normal config, I on purpose created route and it worked despite disconnecting/reconnecting.
I also replicated exactly same result as those two (i.e. broken FW rules and broken routes) when I left the interface to be dynamic.
Let me give you example config:
Code: Select all
/ip pool add name=pool2-VPN ranges=10.100.1.191-10.100.1.199
/ppp profile add local-address=10.100.1.254 name=VPN remote-address=pool2-VPN
/ppp secret
add name=Adam password=test profile=VPN service=pptp
add name=Betty password=test profile=VPN service=pptp
/interface pptp-server server set default-profile=VPN enabled=yes
/interface pptp-server add name=BettyVPN user=Betty
If both Adam and Betty connects, I can print something like this:
Code: Select all
[admin@mikrotik] > /interface print where type="pptp-in"
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 DR <Adam> pptp-in 1500
1 R BettyVPN pptp-in 1500
Now lets block both of them access to rest of local network:
Code: Select all
/ip firewall filter
add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=<Adam>
add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=BettyVPN
at the moment, it works. But once they disconnect, following will happen:
Code: Select all
[admin@mikrotik] > /interface print where type="pptp-in"
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 BettyVPN pptp-in
[admin@mikrotik] > /ip firewall filter export
...
# no interface
add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=*F00110
add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=BettyVPN
Same would happen for routes.
Please, lets focus on those interfaces - whether they are dynamic (automatically created when client connects) or static (manually created by admin)
Re: [Lost Interface] IP->Routes
Bravo! I knew the answer would eventually surface! You are exactly precisely correct, vecernik87 - Thanks for that
I am more and more convinced that @JordanR and @Cvan are talking about dynamic interfaces. Not static ones which I earlier identified as most probable solution.
In both cases (both dynamic and static), the interface is marked as as "PPTP/L2TP/SSTP Server Binding" so it may be not easy to understand, however if you check the flag, it will be clear.
I tested both situation with SSTP and PPTP and it simply did not occur as long as I used manually created server binding. I have FW rules bound to Server Binding in my normal config, I on purpose created route and it worked despite disconnecting/reconnecting.
I also replicated exactly same result as those two (i.e. broken FW rules and broken routes) when I left the interface to be dynamic.
Let me give you example config:
Magic happens on last line of that code, where I am manually creating server binding, which stays as a existing (but not running) interface even if Betty disconnect. Once Betty reconnects, interface goes back to running state and keeps same internal ID which is linked to firewall rule or routes...Code: Select all/ip pool add name=pool2-VPN ranges=10.100.1.191-10.100.1.199 /ppp profile add local-address=10.100.1.254 name=VPN remote-address=pool2-VPN /ppp secret add name=Adam password=test profile=VPN service=pptp add name=Betty password=test profile=VPN service=pptp /interface pptp-server server set default-profile=VPN enabled=yes /interface pptp-server add name=BettyVPN user=Betty
If both Adam and Betty connects, I can print something like this:Code: Select all[admin@mikrotik] > /interface print where type="pptp-in" Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS 0 DR <Adam> pptp-in 1500 1 R BettyVPN pptp-in 1500
Now lets block both of them access to rest of local network:
Code: Select all/ip firewall filter add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=<Adam> add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=BettyVPN
at the moment, it works. But once they disconnect, following will happen:
See? Adam's rule got broken because his interface does not exist anymore. It is actually not linked via name (that is just displayed as user-friendly description) but link happens via internal ID, in this case it was F00110. Once Adam connects again, he won't get same ID again despite the fact that his dynamic server binding will have same name.Code: Select all[admin@mikrotik] > /interface print where type="pptp-in" Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS 0 BettyVPN pptp-in [admin@mikrotik] > /ip firewall filter export ... # no interface add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=*F00110 add action=drop chain=forward dst-address=10.100.1.0/24 in-interface=BettyVPN
Same would happen for routes.
Please, lets focus on those interfaces - whether they are dynamic (automatically created when client connects) or static (manually created by admin)
-
-
vecernik87
Forum Veteran
- Posts: 891
- Joined:
Re: [Lost Interface] IP->Routes
I wrote it earlier but I guess bad words were chosen - I did not specifically mention how to create the static interface, despite the fact I had it in mind the whole time.I knew the answer would eventually surface!
Anyway, I am happy that it helped at least you
hopefully @JordanR will confirm the solution as well.Re: [Lost Interface] IP->Routes
You problem is that you set manual route via dynamic Interface. It gets unknown if VPN interface gets unknown for some reason.
Solution is simple:
A.) Create routing protocol if you doing some crazy +3 Site-to-Site VPN solution.
Or
B.) If we assume that you want to reach 172.16.10.0/24 in this example:
PPP -> Interface. Open your VPN interface (does not matter CLIENT or SERVER, but if you have more than one then you need to open the correct one). Go to tab "Status". Find "Remote Address" (for example 10.50.20.2)
IP -> Routes. Add destination address (172.16.10.0/24) set it's gateway as Remote VPN address (in this example 10.50.20.2).
I'd suggest to do same on the other side of VPN if it is MikroTik also (and you manage it). Everything would be the same only Destination route and VPN remote Address should be different.
Solution is simple:
A.) Create routing protocol if you doing some crazy +3 Site-to-Site VPN solution.
Or
B.) If we assume that you want to reach 172.16.10.0/24 in this example:
PPP -> Interface. Open your VPN interface (does not matter CLIENT or SERVER, but if you have more than one then you need to open the correct one). Go to tab "Status". Find "Remote Address" (for example 10.50.20.2)
IP -> Routes. Add destination address (172.16.10.0/24) set it's gateway as Remote VPN address (in this example 10.50.20.2).
I'd suggest to do same on the other side of VPN if it is MikroTik also (and you manage it). Everything would be the same only Destination route and VPN remote Address should be different.