Route all and/or specific traffic to a VPN

thepossum · February 21, 2019, 6:05pm

I am fairly new to Mikrotik. I’m generally more comfortable working on a command-line than on any webby clicky interface.

A customer has a webapp hosted on a specific ip address x.x.x.x ; This is a public ip address, not an internal/private one.
They also have multiple offices, none of which have static ip addresses (the number of locations and the ISP surcharge is cost-prohibitive). The webapp is secured by ip address: only clients connecting from specific ip addresses are allowed.

Our plan, basically, is to set up one Mikrotik device A with a static ip address, which will host a VPN server. It should be able to forward any/all traffic from the VPN clients onto the internet proper.
Each client site will get their own Mikrotik devices B through M to act as the routers for all the various PCs and such. They will establish individual VPN links (L2TP? OpenVPN?) to router A. Traffic from any of the PCs should be pushed through the VPN link, where it appears to the webapp as if it’s coming from router A and its static ip. If I had my personal preference (I may get … overruled on this by my manager) I would try to ONLY forward traffic destined for x.x.x.x to router A, letting routers B-M masquerade the majority of traffic themselves. (Partly to eliminate potential bandwidth bottlenecks at router A; partly because there is a maximum number of concurrent tcp streams on any ipv4 device.)

thepossum · February 27, 2019, 6:58pm

Routing traffic for a specific destination over the VPN is definitely much easier. After creating the VPN tunnel between two Mikrotik routers, it was a two-more step process:

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=NAME-OF-L2TP-INTERFACE

/ip route
add distance=1 dst-address=ip.ip.ip.ip/32 gateway=IP-OF-L2TP-SERVER

Larger subnets than a single ip can be routed through the VPN, and multiple subnets can be routed too. The caveat for this simpler method is that you cannot route “all” traffic (ie. to 0.0.0.0) through the VPN, or else the client Mikrotik itself cannot route its own traffic either.

Finding a way to route ALL traffic onto the VPN server seems to be much more complicated. Somehow packets originating from inside the client Mikrotik’s LAN need to be tagged, without tagging the Mikrotik’s own traffic, and then a routing rule that only forwards tagged packets through the vpn interface. This is still a work in progress.

egrep · March 18, 2021, 4:48pm

There is also a good reply on StackExchange.