mtx
just joined
Topic Author
Posts: 4
Joined: Sun Jun 26, 2011 5:37 pm

Policy routing, route certain IPs over L2TP VPN connection

Tue Dec 20, 2011 12:52 pm

Hello community,

I have a RB493G router which serves a LAN and is connected to the Internet via one PPPoE connection (wan). In our country (Romania) some services from the USA aren't available (Netflix, Pandora) because of copyright issues. I have found a way to access those services using a USA VPN provider (PureVPN in my case).

I configure the VPN on my laptop and I instantly have access to Netflix and Pandora. I have 2 devices on my network from which I want to access the Netflix and Pandora services, so I thought I'd configure the VPN client on the MT router and, using policy routing, route the connections initiated from those two devices via the PureVPN interface (pvpn-us).

Interfaces
Flags: D - dynamic, X - disabled, R - running, S - slave 
10  R  ;;; Family Local Area Network - LAN.
       name="flan" type="bridge" mtu=1500 l2mtu=1520 

13  R  ;;; RDS Internet connection.
       name="wan" type="pppoe-out" mtu=1480 

18  R  name="pvpn-us" type="pptp-out" mtu=1400

IP Addresses
[admin@MikroTik] > /ip address print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     address=192.168.88.1/24 network=192.168.88.0 interface=ether1 actual-interface=ether1 

 1   ;;; Family network interface.
     address=172.21.0.1/24 network=172.21.0.0 interface=flan actual-interface=flan 

 3 D address=86.126.83.149/32 network=10.0.0.1 interface=wan actual-interface=wan 

 5 D address=10.3.3.4/32 network=10.3.3.2 interface=pvpn-us actual-interface=pvpn-us

Firewall mangle rules
[admin@MikroTik] > /ip firewall mangle print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=mark-routing new-routing-mark=VPN-US passthrough=yes 
     src-address=172.21.0.65-172.21.0.66 

IP Route Rules
[admin@MikroTik] > /ip route rule print detail 
Flags: X - disabled, I - inactive 
 0   dst-address=192.168.88.0/24 action=lookup table=main 

 1   dst-address=172.21.0.0/24 action=lookup table=main 

 2   dst-address=172.21.1.0/24 action=lookup table=main 

 3   routing-mark=VPN-US action=lookup table=VPN-US 

IP Routes
[admin@MikroTik] > /ip route print detail 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=10.3.3.2 gateway-status=10.3.3.2 reachable pvpn-us distance=1
        scope=30 target-scope=10 routing-mark=VPN-US 

 1 ADS  dst-address=0.0.0.0/0 gateway=10.0.0.1 gateway-status=10.0.0.1 reachable wan distance=1 
        scope=30 target-scope=10 

 2 ADC  dst-address=10.0.0.1/32 pref-src=86.xx.xxx.x gateway=wan gateway-status=wan reachable 
        distance=0 scope=10

 3 ADC  dst-address=10.3.3.2/32 pref-src=10.3.3.4 gateway=pvpn-us gateway-status=pvpn-us reachable 
        distance=0 scope=10

 4 ADC  dst-address=172.21.0.0/24 pref-src=172.21.0.1 gateway=flan gateway-status=flan reachable 
        distance=0 scope=10

 5 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether1 
        gateway-status=ether1 unreachable distance=0 scope=200

IP Firewall NAT
[admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=wan 

 1   chain=srcnat action=masquerade out-interface=pvpn-us

The firewall is configured to allow all outgoing traffic from the local network. The problem is that I still cannot access the services that aren't available in my home country from those two devices on my LAN (172.21.0.65 and 172.21.0.66). Attached is a simplified logical network topology. How can I debug this situation further? Did I do something wrong in the configuration of the policy routing?

Thank you,
Vali
VPNDiagram.png
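To reason about which table and gateway a given flow hits under the configuration posted above, the following Python model walks a packet through the same three stages RouterOS uses: the prerouting mangle rule assigns a routing mark, the route rules are evaluated in order, and the selected routing table is searched by longest prefix. This is an added illustration written for this thread, not RouterOS code and not the poster's own script. The mangle rule, route rules and routing tables are transcribed from the post; the fallback order when no rule produces a route (the table named by the packet's routing mark, then main) and the treatment of the unreachable 192.168.88.0/24 route as inactive are assumptions of the model, not something the post confirms.

```python
"""Model of RouterOS policy-routing decisions for the configuration in this thread.

Stages modelled (assumption about RouterOS order, made for this illustration):
  1. /ip firewall mangle prerouting: assign a routing mark by source address.
  2. /ip route rule: evaluate in order; the first matching rule does a lookup
     in its table, and a hit ends the search.
  3. Fallback when no rule produced a route: the table named by the routing
     mark, then main.
"""
from ipaddress import ip_address, ip_network

# Mangle rule transcribed from the post: (first src, last src, routing-mark).
MANGLE = [("172.21.0.65", "172.21.0.66", "VPN-US")]

# Route rules transcribed from the post, in the order RouterOS lists them.
RULES = [
    {"dst": "192.168.88.0/24", "table": "main"},
    {"dst": "172.21.0.0/24", "table": "main"},
    {"dst": "172.21.1.0/24", "table": "main"},
    {"routing_mark": "VPN-US", "table": "VPN-US"},
]

# Routing tables transcribed from the post: (prefix, gateway, interface, active).
# Route 5 shows gateway-status=ether1 unreachable, so it is modelled as inactive.
TABLES = {
    "VPN-US": [("0.0.0.0/0", "10.3.3.2", "pvpn-us", True)],
    "main": [
        ("0.0.0.0/0", "10.0.0.1", "wan", True),
        ("10.0.0.1/32", None, "wan", True),
        ("10.3.3.2/32", None, "pvpn-us", True),
        ("172.21.0.0/24", None, "flan", True),
        ("192.168.88.0/24", None, "ether1", False),
    ],
}


def routing_mark(src):
    """Stage 1: return the routing mark the mangle rule assigns, or None."""
    s = ip_address(src)
    for lo, hi, mark in MANGLE:
        if ip_address(lo) <= s <= ip_address(hi):
            return mark
    return None


def lookup(table, dst):
    """Longest-prefix match among active routes of one table; None if no route."""
    d = ip_address(dst)
    best = None
    for prefix, gw, iface, active in TABLES.get(table, []):
        net = ip_network(prefix)
        if active and d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return {"prefix": str(best[0]), "gateway": best[1], "via": best[2]}


def route_packet(src, dst):
    """Stages 1-3: decide which table and interface a packet src->dst uses."""
    mark = routing_mark(src)
    d = ip_address(dst)
    for rule in RULES:
        if "dst" in rule and d not in ip_network(rule["dst"]):
            continue
        if "routing_mark" in rule and rule["routing_mark"] != mark:
            continue
        hit = lookup(rule["table"], dst)
        if hit:
            return {"mark": mark, "table": rule["table"], **hit}
    # Fallback (assumption): the mark's own table first, then main.
    for table in ([mark] if mark else []) + ["main"]:
        hit = lookup(table, dst)
        if hit:
            return {"mark": mark, "table": table, **hit}
    return {"mark": mark, "table": None, "prefix": None, "gateway": None, "via": None}


if __name__ == "__main__":
    # Constructed sample flows: a marked host and an unmarked host from the LAN.
    for src, dst in [("172.21.0.65", "8.8.8.8"),      # marked host to the Internet
                     ("172.21.0.65", "172.21.0.1"),   # marked host to the router
                     ("172.21.0.10", "8.8.8.8")]:     # unmarked host to the Internet
        print(src, "->", dst, route_packet(src, dst))
```

Running it shows the intended split: Internet-bound packets from 172.21.0.65/.66 are marked VPN-US, skip the three dst-address rules and leave via pvpn-us, LAN-bound packets from the same hosts are sent to main by rule 1 and leave via flan, and unmarked hosts fall through to the main default route via wan. The model only predicts the router's decision; the post's symptom has to be confirmed on the device itself, for example by watching whether the pvpn-us interface counters move while one of the two hosts opens a connection.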
