General • ICMP reply not routed correctly on MikroTik

Hello everyone,

I have a MikroTik router running RouterOS 7.18.2 with two WAN connections:
  • Fiber (ether1-WAN-ONT)
  • 4G (L2TP client, public IP address)

The router is assigned a public IP address via an external 4G modem, which forwards the public IP to the router through the l2tp interface.
When I receive a ping on the 4G public IP (via the L2TP interface), it arrives correctly on the l2tp-4G interface.
However, the ICMP reply is not being routed back via the l2tp-4G interface and is instead going out via the Fiber interface, because the fiber route has distance 1 and the 4G route has distance 2.

Current config:
Code:
# 2025-03-19 11:35:10 by RouterOS 7.18.2
/interface bridge
add name=BR_LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-ONT
set [ find default-name=ether2 ] name=ether2-WAN-4G
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAN
/interface l2tp-client
add add-default-route=yes connect-to=10.42.0.240 default-route-distance=2 disabled=no max-mtu=1300 name=l2tp-4G src-address=10.42.17.121
/interface vlan
add interface=ether2-WAN-4G name=vlan100-mgtm-modemLTE vlan-id=100
add interface=ether2-WAN-4G name=vlan101-passthrough-modemLTE vlan-id=101
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=no apn=datapro authentication=chap ip-type=ipv4 use-network-apn=no use-peer-dns=no
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.150
/ip dhcp-server
add address-pool=default-dhcp interface=BR_LAN lease-time=1d name=defconf
/queue interface
set ether1-WAN-ONT queue=ethernet-default
/interface bridge port
add bridge=BR_LAN comment=defconf ingress-filtering=no interface=ether4-LAN
add bridge=BR_LAN comment=defconf ingress-filtering=no interface=ether5-LAN
add bridge=BR_LAN comment=defconf ingress-filtering=no interface=wlan1
add bridge=BR_LAN comment=defconf ingress-filtering=no interface=wlan2
add bridge=BR_LAN comment=defconf ingress-filtering=no interface=ether3-LAN
/ip firewall connection tracking
set udp-timeout=20s
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=BR_LAN list=LAN
add interface=ether1-WAN-ONT list=WAN
add interface=l2tp-4G list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=BR_LAN network=192.168.1.0
add address=192.168.100.2/24 interface=vlan100-mgtm-modemLTE network=192.168.100.0
/ip dhcp-client
add interface=ether1-WAN-ONT
add add-default-route=no interface=vlan101-passthrough-modemLTE use-peer-dns=no
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=193.110.81.9,185.253.5.9,9.9.9.9
/ip dns static
add address=192.168.1.1 name=Box.lan type=A
/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 in-interface=ether1-WAN-ONT protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 in-interface=ether1-WAN-ONT protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 in-interface=ether1-WAN-ONT protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 in-interface=ether1-WAN-ONT protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 in-interface=ether1-WAN-ONT protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 in-interface=l2tp-4G protocol=tcp src-address-list=ssh_blacklist_4G
add action=add-src-to-address-list address-list=ssh_blacklist_4G address-list-timeout=1w3d chain=input connection-state=new dst-port=22 in-interface=l2tp-4G protocol=tcp src-address-list=ssh_stage3_4G
add action=add-src-to-address-list address-list=ssh_stage3_4G address-list-timeout=1m chain=input connection-state=new dst-port=22 in-interface=l2tp-4G protocol=tcp src-address-list=ssh_stage2_4G
add action=add-src-to-address-list address-list=ssh_stage2_4G address-list-timeout=1m chain=input connection-state=new dst-port=22 in-interface=l2tp-4G protocol=tcp src-address-list=ssh_stage1_4G
add action=add-src-to-address-list address-list=ssh_stage1_4G address-list-timeout=1m chain=input connection-state=new dst-port=22 in-interface=l2tp-4G protocol=tcp
add action=accept chain=input port=22 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN-ONT
add action=masquerade chain=srcnat out-interface=l2tp-4G
/ip firewall service-port
set sip disabled=yes
/ip route
add comment="Route to l2tp-srv for auth 4G" dst-address=10.42.0.0/24 gateway=10.42.17.122
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=both
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.fr.pool.ntp.org
add address=1.fr.pool.ntp.org
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none

I have tried the following mangle rules:
Code:
/routing table
add fib name=icmp-4G
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connection ICMP for 4G" in-interface=l2tp-4G new-connection-mark=icmp-con protocol=icmp
add action=mark-routing chain=prerouting comment="Mark routing ICMP for 4G" connection-mark=icmp-con new-routing-mark=icmp-4G passthrough=no protocol=icmp
add action=mark-routing chain=output comment="Mark icmp reply" new-routing-mark=icmp-4G protocol=icmp src-address=<ip_pub_4G>
/ip route
add comment="Route ICMP 4G" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=l2tp-4G routing-table=icmp-4G

The mangle seems to be working fine as it is marking the connections and routing as expected:
Code:
/ip/firewall/mangle> print stats
Flags: D - DYNAMIC
Columns: CHAIN, ACTION, BYTES, PACKETS
#   CHAIN        ACTION           BYTES  PACKETS
;;; Mark connection ICMP for 4G
3   prerouting   mark-connection  4 956       59
;;; Mark routing ICMP for 4G
4   prerouting   mark-routing     4 956       59
;;; Mark icmp reply
5   output       mark-routing     4 956       59


However, no ICMP reply is being sent when I enable the route for ICMP-4G.

What is the best way to force the ICMP replies to leave through the l2tp-4G interface?

Thank you in advance for your help!

Statistics: Posted by Mathz — Wed Mar 19, 2025 1:15 pm
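The post above asks how to make replies generated by the router itself leave through the interface the request arrived on. As an added illustration that is not part of the original post, here is the generic RouterOS v7 pattern used in MikroTik's multi-WAN examples: mark the connection in the input chain by its arrival interface, then mark the router's own replies in the output chain by that connection mark, so it covers SSH and any other router-destined traffic, not only ICMP. The interface name l2tp-4G comes from the post; the table name to-4G and the mark names are assumptions.

```routeros
# Added example (not from the post). Assumed names: to-4G, conn-4G.

# 1. A separate routing table; v7 requires fib tables to be declared first.
/routing table
add fib name=to-4G

# 2. Mangle: input chain = traffic addressed to the router itself. Remember
#    which WAN a new connection arrived on, then send the router's own
#    replies (output chain) for that connection to the matching table.
/ip firewall mangle
add chain=input in-interface=l2tp-4G connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=conn-4G passthrough=yes \
    comment="remember router-destined connections that arrived via 4G"
add chain=output connection-mark=conn-4G \
    action=mark-routing new-routing-mark=to-4G passthrough=no \
    comment="router-originated replies for those connections use table to-4G"

# 3. Default route in that table pointing at the L2TP tunnel.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-4G routing-table=to-4G distance=1 \
    comment="replies marked to-4G leave via the tunnel"

# Checks while pinging the 4G address from outside: the route must show as
# active in its table, and marked connections and rule counters should grow.
/routing route print where routing-table=to-4G
/ip firewall connection print where connection-mark=conn-4G
/ip firewall mangle print stats
```

The difference from the rules in the post is that the output rule matches on the connection mark rather than on a source address, so the reply follows whichever connection it belongs to regardless of which local address it carries.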