
Dual WAN/PCC + IPSEC

Posted: Tue Feb 11, 2014 6:11 pm
by dustovich
Hello,
I am having some difficulties trying to get my PCC routing to work evenly. I have programmed it according to what I have seen in the wiki and tweaked it according to some other websites, but it still seems to favor the first WAN interface instead of the second. I don't know what I am missing. Also some of my VPN connections act funny: SSTP works perfectly when connecting to either of the WAN interfaces (depending on certs), but my L2TP/IPsec connections only seem to work on one of the two interfaces, and it switches between them on router reboot?

If anybody has any ideas on this that would be great, I am sure I am just missing something small. Thanks for your help in advance. This is ROS6.7 on RB750.

Here are the settings:
# Address range of the VPN clients. Every mangle rule further down carries
# src-address-list=!vpnusers / dst-address-list=!vpnusers, so traffic to or from
# these addresses is never PCC-marked and stays on the main routing table.
/ip firewall address-list
add address=192.168.204.220-192.168.204.239 comment="Exclude VPN Users From Loadbalance Mangle" list=vpnusers
# Input chain: traffic addressed to the router itself. Rules are evaluated top
# to bottom; a rule with no action= uses the default action, accept.
/ip firewall filter
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
# Disabled. If enabled it accepts ALL UDP to the router from any interface,
# making the per-port UDP rules below redundant and widening exposure.
add chain=input comment=UDP disabled=yes protocol=udp
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
# Matches on source address only; there is no in-interface=, so a packet
# arriving on a WAN port with a forged 192.168.204.x source also matches.
# Consider adding in-interface=ether4-lan-204 to bind it to the LAN port.
add chain=input comment="From our private LAN" src-address=192.168.204.0/24
# VPN services below are reachable from any interface and any source
# (no in-interface= or src-address= restriction):
#   PPTP: GRE + tcp/1723
add chain=input comment="Allow PPTP Connections" protocol=gre
add chain=input dst-port=1723 protocol=tcp
#   IPsec: ESP, AH, IKE (udp/500) and NAT-T (udp/4500); L2TP: udp/1701
add chain=input comment="Accept IPSEC" protocol=ipsec-esp
add chain=input protocol=ipsec-ah
add chain=input comment=L2TP dst-port=500 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input dst-port=1701 protocol=udp
#   SSTP: tcp/443
add chain=input comment="SSTP Allowed" dst-port=443 protocol=tcp
# Disabled. Despite the comment this is an input rule: it would accept tcp/22
# to the router's own WAN address, not forward it.
add chain=input comment="NAT Port Forwards" disabled=yes dst-address=142.XXX.XXX.XXX dst-port=22 protocol=tcp
#   OpenVPN: tcp/1194
add chain=input comment="OpenVPN Allowed" dst-port=1194 protocol=tcp
# action=log does not terminate processing; the drop happens in the next rule.
# There is no limit= on this rule, so a port scan or flood can fill the log.
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else"
# Unreachable while the drop rule above is enabled. It has no action=, i.e.
# accept-everything; if the drop rule were disabled or moved, this rule would
# open the router to all input. Safe to delete.
add chain=input
# PCC load balancing across ether1-gw-telus1 (mark pri) and ether2-gw-telus2
# (mark sec). Both WAN ports sit in the same 142.XXX.XXX.0/23, hence the
# "Dual Same Subnet" exclusions first.
/ip firewall mangle
# LAN / voice-VLAN traffic to the WAN /23 itself: no action= means the default
# accept, which stops further mangle processing for these packets, so they are
# never connection- or routing-marked and use the main table.
add chain=prerouting comment="Dual Same Subnet Loadbalancing WAN Loadbalancing" dst-address=142.XXX.XXX.0/23 dst-address-list=!vpnusers \
    in-interface=ether4-lan-204 src-address-list=!vpnusers
add chain=prerouting dst-address=142.XXX.XXX.0/23 dst-address-list=!vpnusers in-interface=vlan5-voice-172-16-5-0 src-address-list=\
    !vpnusers
# New connections arriving from a WAN port are marked by ingress WAN so their
# replies leave through the same WAN (routing marks applied below).
# connection-mark=no-mark limits this to connections not yet marked.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!vpnusers in-interface=ether1-gw-telus1 \
    new-connection-mark=pri-conn src-address-list=!vpnusers
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!vpnusers in-interface=ether2-gw-telus2 \
    new-connection-mark=sec-conn src-address-list=!vpnusers
# PCC split for new LAN / voice-VLAN connections to non-router destinations
# (dst-address-type=!local): both-addresses:2/0 -> pri-conn, 2/1 -> sec-conn.
# both-addresses hashes the src/dst address pair, not traffic volume; with few
# LAN hosts or a handful of heavy destinations the split can look uneven even
# when the rules are correct (presumably a factor here -- verify by counting
# hits on the 2/0 vs 2/1 rules).
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!vpnusers dst-address-type=!local in-interface=\
    ether4-lan-204 new-connection-mark=pri-conn per-connection-classifier=both-addresses:2/0 src-address-list=!vpnusers
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!vpnusers dst-address-type=!local in-interface=\
    vlan5-voice-172-16-5-0 new-connection-mark=pri-conn per-connection-classifier=both-addresses:2/0 src-address-list=!vpnusers
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!vpnusers dst-address-type=!local in-interface=\
    ether4-lan-204 new-connection-mark=sec-conn per-connection-classifier=both-addresses:2/1 src-address-list=!vpnusers
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!vpnusers dst-address-type=!local in-interface=\
    vlan5-voice-172-16-5-0 new-connection-mark=sec-conn per-connection-classifier=both-addresses:2/1 src-address-list=!vpnusers
# Forwarded LAN / VLAN packets: translate the connection mark into a routing
# mark so the per-WAN default routes (routing-mark=pri / sec) are used.
add action=mark-routing chain=prerouting connection-mark=pri-conn dst-address-list=!vpnusers in-interface=ether4-lan-204 \
    new-routing-mark=pri src-address-list=!vpnusers
add action=mark-routing chain=prerouting connection-mark=pri-conn dst-address-list=!vpnusers in-interface=vlan5-voice-172-16-5-0 \
    new-routing-mark=pri src-address-list=!vpnusers
add action=mark-routing chain=prerouting connection-mark=sec-conn dst-address-list=!vpnusers in-interface=ether4-lan-204 \
    new-routing-mark=sec src-address-list=!vpnusers
add action=mark-routing chain=prerouting connection-mark=sec-conn dst-address-list=!vpnusers in-interface=vlan5-voice-172-16-5-0 \
    new-routing-mark=sec src-address-list=!vpnusers
# Router-originated packets (replies from the router's own services such as the
# VPN servers) on an already-marked connection follow the WAN the connection
# came in on. passthrough=no ends mangle processing once marked. Router traffic
# whose connection carries no mark is NOT covered here and falls back to the
# unmarked default route.
add action=mark-routing chain=output connection-mark=pri-conn dst-address-list=!vpnusers new-routing-mark=pri passthrough=no \
    src-address-list=!vpnusers
add action=mark-routing chain=output connection-mark=sec-conn dst-address-list=!vpnusers new-routing-mark=sec passthrough=no \
    src-address-list=!vpnusers
# Input-chain marking of connections to the router by ingress WAN. Packets
# reaching input have already passed prerouting, where the WAN-ingress rules
# above mark the same connections, so these look redundant -- confirm before
# removing. Unlike those rules there is no connection-mark=no-mark here, so the
# mark is re-applied on every packet.
add action=mark-connection chain=input dst-address-list=!vpnusers in-interface=ether1-gw-telus1 new-connection-mark=pri-conn \
    src-address-list=!vpnusers
add action=mark-connection chain=input dst-address-list=!vpnusers in-interface=ether2-gw-telus2 new-connection-mark=sec-conn \
    src-address-list=!vpnusers

# Per-WAN default routes, selected by routing mark. Both WAN ports share one
# gateway address in the same /23, so gateway%interface is what pins each route
# to its port. check-gateway=ping probes the same gateway IP through both.
/ip route
add check-gateway=ping distance=1 gateway=142.XX.XXX.1%ether1-gw-telus1 routing-mark=pri
add check-gateway=ping distance=1 gateway=142.XX.XXX.1%ether2-gw-telus2 routing-mark=sec
# Fallback default route for everything without a routing mark: the vpnusers
# range, LAN traffic to the WAN /23, and any router-originated traffic not
# caught by the output mangle rules. No %interface is given and the gateway is
# reachable via both WAN ports, so the router picks one (the live route table in
# this post shows ether2). If that choice changes between reboots, unmarked
# router traffic would move WAN with it -- plausibly related to L2TP/IPsec
# answering on only one interface; confirm by pinning this route with
# %interface or by checking which WAN the IPsec replies leave on.
add distance=2 gateway=142.XX.XXX.1
# Static route to a remote LAN segment via an internal host on the LAN.
add distance=1 dst-address=172.16.101.0/24 gateway=192.168.204.196

# Phase 2 proposal for the L2TP/IPsec clients. It still offers 3des and sets
# pfs-group=none (no perfect forward secrecy). 3DES is only needed for legacy
# clients; prefer AES-only and a DH group for PFS where the clients allow it.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    3des,aes-128-cbc,aes-192-cbc,aes-256-cbc pfs-group=none
# Phase 1 (IKE) peer for L2TP/IPsec: main mode, NAT-T, policies generated per
# client (port-override). enc-algorithm=3des restricts IKE itself to 3DES even
# though the proposal above offers AES for phase 2. The pre-shared key "12345"
# is trivially short and has now been published in this post; replace it with
# a long random secret and update every client.
/ip ipsec peer
add comment=L2TP enc-algorithm=3des exchange-mode=main-l2tp generate-policy=\
    port-override nat-traversal=yes secret=12345

Live Routes
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          142.XX.XXX.1%ether1...        1 - pri routing mark
 1 A S  0.0.0.0/0                          142.XX.XXX.1%ether2...        1 - sec routing mark
 2 A S  0.0.0.0/0                          142.XX.XXX.1              2 - reachable by ether2
 3 ADC  142.XX.XXX.0/23    142.XX.XXX.220  ether1-gw-telus1, ether2-gw-telus2         0  both reachable but pref source is ether1
                                           
 4 ADC  172.16.5.0/24      172.16.5.253    vlan5-voice-172...        0
 5 A S  172.16.101.0/24                    192.168.204.196           1
 6 ADC  192.168.204.0/24   192.168.204.253 ether4-lan-204            0
 7 ADC  192.168.204.238/32 192.168.204.220 <l2tp-Dusto>              0