I am having an issue with policy based routing that I was hoping someone can help me with.
I have a home-office with an ADSL connection and a routerboard 600A.
When I work for certain clients I need to VPN into their network. Since I find it painful to change VPN tunnels constantly, I've setup the VPN through the Mikrotik router, and would like the traffic to choose the right path.
I've done the following so far, as a test.
1) I added a new interface (PPTP Client) and setup the VPN to the customer (tunnel is established), called it TestVPN.
2) As a test, I added a Mangle rule for one of my machines with the following config: Chain=prerouting, Src.Address=My_IP, Action=mark_routing, New Routing Mark=VPN, Passthrough=No.
3) I added a new route with the following configuration: Dst.Address=0.0.0.0/0, Gateway=TestVPN, Routing Mark=VPN
Enabling this however results in no network connectivity. However, if I establish the PPTP tunnel directly from my system it works just fine.
Any ideas what the problem could be or what I should check for?
Thanks!
-
-
greencomputing
Frequent Visitor
- Posts: 95
- Joined:
- Location: Italy
Re: Policy Based Routing
Hi sir
the rule will route all your internet traffic trough client vpn so you need to specify also the client dst address/network to be sure that only traffic to the client network will be routed trough VPN.
So the idea is, if you know that client private ip/network is CLIENT_IP or CLIENT_NETWORK, to use the following rule :
hoping this will help you
have a nice day
the rule will route all your internet traffic trough client vpn so you need to specify also the client dst address/network to be sure that only traffic to the client network will be routed trough VPN.
So the idea is, if you know that client private ip/network is CLIENT_IP or CLIENT_NETWORK, to use the following rule :
Code: Select all
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address= dst-address-type=!local new-routing-mark=VPN passthrough=no src-address=My_IP dst-address= CLIENT_NETWORK
or
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address= dst-address-type=!local new-routing-mark=VPN passthrough=no src-address=My_IP dst-address= CLIENT_IP
have a nice day
Re: Policy Based Routing
Hi,
Thanks for the reply, however, it is not working. I am trying to route all traffic through to the customer, once I get it working I can work on tweaking the mangle rules. Right now, I just want all traffic from my computer to go through the customer, this way I can make sure it works.
Any ideas what could be wrong?
Thanks for the reply, however, it is not working. I am trying to route all traffic through to the customer, once I get it working I can work on tweaking the mangle rules. Right now, I just want all traffic from my computer to go through the customer, this way I can make sure it works.
Any ideas what could be wrong?
-
-
StubArea51
Trainer
- Posts: 1739
- Joined:
- Location: stubarea51.net
- Contact:
Re: Policy Based Routing
Can you post your routing table and a compact export of your mangle rules?
-
-
MikroTikIQ
Trainer
- Posts: 44
- Joined:
Re: Policy Based Routing
Hi...
To reach each network you need to have specific route to that network..
Let say one of your client have network 10.0.0.0/24 and another one have 10.1.1.0/24 and you just connect to your clients network using vpn,
now you have multi vpn connection on your router and Still your route dont have any idea how to reach 10.0.0.0/24 and 10.1.1.0/24....
So by adding static route you will learn you router how to reach multi network via different path..
i.e
/ip route add dst-address=10.0.0.0/24 gatway=vpn-01
/ip route add dst-address=10.1.1.0/24 gatway=vpn-02
This way you will able to reach all you client network at the same time even if you have multiple vpn conneted..
Just please uncheck option use-as-default-route... this will avoid to make any of that vpn connection ad default route...
Wish you good luck
Please update me if all is work well
Ali Sami
To reach each network you need to have specific route to that network..
Let say one of your client have network 10.0.0.0/24 and another one have 10.1.1.0/24 and you just connect to your clients network using vpn,
now you have multi vpn connection on your router and Still your route dont have any idea how to reach 10.0.0.0/24 and 10.1.1.0/24....
So by adding static route you will learn you router how to reach multi network via different path..
i.e
/ip route add dst-address=10.0.0.0/24 gatway=vpn-01
/ip route add dst-address=10.1.1.0/24 gatway=vpn-02
This way you will able to reach all you client network at the same time even if you have multiple vpn conneted..
Just please uncheck option use-as-default-route... this will avoid to make any of that vpn connection ad default route...
Wish you good luck
Please update me if all is work well
Ali Sami
Who is online
Users browsing this forum: No registered users and 10 guests