Hi,

I do have a question. I'm looking for a way to setup a wifi accespoint (one out of three running on the RB2011).
I would like to have that WIFI ap connected to a (l2tp) VPN, preferably autoconnect when the router boots up and gets a connection.

I would like to have it seperated since when i'm away i would like to do secure banking and be able to watch our home camera's. But i wont like to share the VPN to all other users. So i thought it might be possible to do it like this.

So far i havent got it working

This is what i think of:

AP1 - Kids AP - Own iprange (192.168.89.x)Connected straight to internet incl traffic shaping -> WORKING
AP2 - Guest AP - Own iprange (192.168.99.x) Connected straight to internet but not able to talk to other AP's and other users and some extra firewalling -> WORKING
AP3 - Private AP - Own iprange (192.168.100.x) Connected over VPN to Internet (so the home internetline is beeing used for all traffic).

Is there anyone who have done it ? If search the fora and google but so far i cant come up with someone else who did it.

Hope someone is willing to think out a proof of concept with me.

No one ?

If you want 100% of the Internet to go through the VPN first and then out from the HQ's Internet connection, this is actually pretty easy with VRF.

Go into IP > Routes > VRF
Add a new VRF - choose a routing mark like vpn, and add two interfaces - the bridge or virtualAP for the private VLAN, and the L2TP interface.

Then, you create a static 0.0.0.0/0 route with routing mark = vpn, gateway=l2tp interface.

This will completely isolate the vpn network - no firewall rules will really even be necessary. VRF creates a parallel universe in IP the way a VLAN creates a parallel universe in Ethernet.

I'm not sure how to interpret your 100%. I want 100% of one AP (the mentioned private AP) go through the tunnel so i can reach my own lan, camera etc. The other AP's should go out on the internet without going through the tunnel.

Am i clear enough i'm not a native english speaker. (sorry)

I'm i think i misread your post. I'm going to give that a go once i return from my travels !

I will get back on this.

I'm not sure how to interpret your 100%. I want 100% of one AP (the mentioned private AP) go through the tunnel so i can reach my own lan, camera etc. The other AP's should go out on the internet without going through the tunnel.

Am i clear enough i'm not a native english speaker. (sorry)

Then put tunnel and private AP on the VRF
Make default route to VPN with routing mark = vrf's routing mark

This will make normal users unable to go through the VPN (even if you made a filter rule that allows the interfaces - the VPN is invisible to 'normal' traffic, and the 'normal' interfaces are invisible to vpn traffic.
This is like a VPN for IP addresses.

I'm not sure how to interpret your 100%. I want 100% of one AP (the mentioned private AP) go through the tunnel so i can reach my own lan, camera etc. The other AP's should go out on the internet without going through the tunnel.

Am i clear enough i'm not a native english speaker. (sorry)

Then put tunnel and private AP on the VRF
Make default route to VPN with routing mark = vrf's routing mark

This will make normal users unable to go through the VPN (even if you made a filter rule that allows the interfaces - the VPN is invisible to 'normal' traffic, and the 'normal' interfaces are invisible to vpn traffic.
This is like a VPN for IP addresses.

Can you clearify how i do that ? "Make default route to VPN with routing mark = vrf's routing mark"

Can you clearify how i do that ? "Make default route to VPN with routing mark = vrf's routing mark"

If VPN is a tunnel-type interface like L2tP, PPtP, or EoIP, you can use the interface name itself as the default gw - otherwise, use the next hop... my example will say the default gw in the vpn is 10.1.1.1, and that the vrf's packet mark is mgmt.

/ip route add dst=0.0.0.0/0 gateway=10.1.1.1 routing-mark=mgmt

When i try to do the VRF on IP -> ROUTE i cant add the vpn adapter.. it is not shown in the list...


I try to connect as a L2TP user (which is working when i connect by hand). Also when i change the default route it works but then for all AP's which is not what i'm trying to achieve.

Is your setup intended as a lan-to-lan setup ? Which is not possible as i never know from which ip i will be able to connect from a camping.

I've found another problem with this solution - apparently services on the Mikrotik (winbox, telnet, ssh, http, etc) don't respond on VRF interfaces - vpn or otherwise. (I hit a snag setting it up on one of my own routers, and found similar things in others' posts on the forums)

What a pity. Management VRF is such a clean solution.

Yeah the idea behind your concept i really liked. But it doesnt work unfortunately.

Do you have any other suggestion on how to link a wireless AP to a vpn. (eg. the wiresless ap should only work (route) when the vpn is active, if it is not active you shouldn't be able to connect).

Would really love to figure this out.

You're just going to need to set up your filter rules to disallow traffic combinations you don't want - in-interface=guest, out-interface=l2tp-vpn1 action=drop

etc.

Now that is a good suggestion ! Why didnt i think of that
Wonder tho if that wont interfere routing rules. Since i have to set the vpn as default route.

Will have to test it out.

The issue isn't the LAN / WLAN being forced onto vpn.
It's the management.

With route-marking you can easily force the wlan clients to only use the vpn routes, and allow only the wlan from the vpn. Here is some pseudocode that I think will work:

prerouting mangle chain:
connection-mark = no-mark --> jump to MarkConnection
connection-mark = vpn --> mark routing = vpn

MarkConnection chain:
in-interface=vpn,private wlan --> mark connection = vpn (pass-through)
connection-mark = no-mark --> mark connection = novpn (pass-through)
return

With the right mix of connection marking you can make the Mikrotik's mgmt connectivity be forced onto the vpn....

output mangle chain connection-state=new --> mark connection = vpn (pass-through = yes)
output mangle chain if connection-mark=vpn --> mark routing = vpn

Then the vpn routing table should just have two routes:
local LAN = wlanX and 0.0.0.0/0 --> vpn

I belive that will give you what you want.
The 'tik will still reply to pings, etc on the non-mgmt interfaces correctly. If you want to block that stuff, do it with the filter table like you normally would.

The issue isn't the LAN / WLAN being forced onto vpn.
It's the management.

With route-marking you can easily force the wlan clients to only use the vpn routes, and allow only the wlan from the vpn. Here is some pseudocode that I think will work:

prerouting mangle chain:
connection-mark = no-mark --> jump to MarkConnection
connection-mark = vpn --> mark routing = vpn

MarkConnection chain:
in-interface=vpn,private wlan --> mark connection = vpn (pass-through)
connection-mark = no-mark --> mark connection = novpn (pass-through)
return

With the right mix of connection marking you can make the Mikrotik's mgmt connectivity be forced onto the vpn....

output mangle chain connection-state=new --> mark connection = vpn (pass-through = yes)
output mangle chain if connection-mark=vpn --> mark routing = vpn

Then the vpn routing table should just have two routes:
local LAN = wlanX and 0.0.0.0/0 --> vpn

I belive that will give you what you want.
The 'tik will still reply to pings, etc on the non-mgmt interfaces correctly. If you want to block that stuff, do it with the filter table like you normally would.

Just my ignorance (and not able to test from hotel) but isnt this mangle allowing all wifi traffic (thus from all the different AP's) through the vpn ?

Going to give this a go once i return home thanks !

Just my ignorance (and not able to test from hotel) but isnt this mangle allowing all wifi traffic (thus from all the different AP's) through the vpn ?

Going to give this a go once i return home thanks !

I was figuring management / vpn wifi - but it doesn't have to be wifi - whatever local management+vpn interface(s) you want to use. In general, the non-vpn side of things won't see the vpn routes anyway, since they're in a different routing table, but if you want to make sure, you can make a forwarding filter which allows users<--> real WAN, allows private lan <--> vpn, denies all else.

This is exactly what I wanted to achieve. I use the following tuto and it worked fine for me...
https://invisibleman.tech/mikrotik-conf ... d-network/

This is exactly what I wanted to achieve. I use the following tuto and it worked fine for me...
https://invisibleman.tech/mikrotik-conf ... d-network/

Hi, I followed this link and for first time I've managed to get my PureVPN to connect and access the internet with a disguised IP address. The only issue is my connection last for about a minute then drops out. I've also tested the speed and it's 1mb or less. Something must be working against it. If I use purevpn app on my phone I get a minimal drop in speed, so that suggests their servers are ok. Any ideas?

This is exactly what I wanted to achieve. I use the following tuto and it worked fine for me...
https://invisibleman.tech/mikrotik-conf ... d-network/

Hi, I followed this link and for first time I've managed to get my PureVPN to connect and access the internet with a disguised IP address. The only issue is my connection last for about a minute then drops out. I've also tested the speed and it's 1mb or less. Something must be working against it. If I use purevpn app on my phone I get a minimal drop in speed, so that suggests their servers are ok. Any ideas?

This link is no longer valid. Could you please send/copy the setup steps or even an obfuscated copy of your settings/export? I'm trying to do the same thing!

Thanks.