All traffic over VPN

Hello,

I bought this device to achieve a simple goal but as it’s so complex, it’s not as straightforward as I’d hoped.

The idea is that the Mikrotik router simply acts as a VPN client, and any devices connected to it are served data from the VPN.

Basically I have managed to set up a PPTP connection on the Mikrotik router, this connects absolutely fine.

However, I want ALL internet traffic to travel over this connection, and at the moment it doesn’t seem that any does.

I’ve scoured the web and these forums and not turned up anyone doing something seemingly so simple. Any pointers are appreciated!

What you need is to set the VPN connection as the default route.

You can set this by ticking the Add Default Route parameter on the PPTP-Client Interface Dial Out tab settings to achieve that automatically.

You’ll also need to add an IP > Firewall > NAT masquerade or srcnat rule for traffic exiting via the PPTP-Client interface.

Thanks for the reply.

I already had that “add default route” box ticked, which is why I was surprised it didn’t work as expected.

I’ll take a look at the NAT setting you mention, and report back. Thanks!

Please check your NAT. It should be like this:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPTP-Client
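As an added example (my own, not posted by anyone in this thread), here is the complete client-side configuration the two replies above describe, written out in RouterOS CLI form: the PPTP client with the default route enabled, and the masquerade rule. The interface names "bridge" (LAN), "ether1" (WAN) and "PPTP-Client", the server hostname and the credentials are assumptions. Two things go beyond what the replies state: a check of the route distance, since the old WAN default route keeps winning if its distance is equal or lower even with "Add Default Route" ticked, and an optional forward-chain drop so LAN traffic cannot silently fall back to the bare WAN when the tunnel is down. Keep in mind that PPTP's MPPE/MS-CHAPv2 is cryptographically broken, so this setup hides traffic from the local network but not from a capable adversary.

```routeros
# Added example (not from the thread): all-LAN-traffic-over-PPTP client setup.
# Assumed names: LAN bridge "bridge", WAN port "ether1", tunnel "PPTP-Client".
# Server address and credentials are placeholders.

/interface pptp-client
add name=PPTP-Client connect-to=vpn.example.net user=VPN_USER password=VPN_PASSWORD \
    add-default-route=yes default-route-distance=1 disabled=no

# The existing WAN default route (DHCP, PPPoE or static) must have a HIGHER
# distance than the tunnel route or it keeps being used. Check with:
#   /ip route print where dst-address=0.0.0.0/0
# and if needed raise the WAN route's distance, e.g. for a DHCP uplink:
/ip dhcp-client
set [find interface=ether1] default-route-distance=10

# Source NAT for everything leaving through the tunnel; without it the VPN
# server sees private LAN addresses and cannot return the replies.
/ip firewall nat
add chain=srcnat out-interface=PPTP-Client action=masquerade \
    comment="masquerade LAN out via VPN"

# Optional kill switch (my addition): if the tunnel drops and the WAN route
# takes over, LAN traffic would leave in the clear. Block LAN->WAN forwarding
# so only tunnelled traffic gets out.
/ip firewall filter
add chain=forward in-interface=bridge out-interface=ether1 action=drop \
    comment="no LAN traffic directly to WAN (VPN kill switch)"

# Verify: the active default route and the path packets actually take.
/ip route print where dst-address=0.0.0.0/0
/tool traceroute 1.1.1.1
```

After applying this, the traceroute's first hop should be the tunnel's remote address rather than the ISP gateway; if it is still the ISP gateway, the route distances are the first thing to look at.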

What kind of VPN are you using?

PPTP needs some firewall rules.

IP → Firewall
ADD NEW
Chain → input
Protocol → GRE (Protocol 47)
APPLY and OK (no port or anything else needed)

Same rule with Chain → output with GRE
APPLY and OK

And now add the last rule
CHAIN → input
Protocol → TCP
Destination Port (Dst. Port) → 1723


For all needs I would add the following ports to your firewall too.
Input - UDP - Dst. Port 500
Input - IPSEC-ESP - (no port)
Input - TCP - Dst. Port 80 and 8291
The first two are for IPsec and the last TCP ports are for the web interface and WinBox via WAN.

There are of course some more rules if you want to use another vpn like IPIP or whatever.
For your needs it should work like this.

Try this. I hope your default route (IP → Routes) is set right, too.
What kind is your uplink? PPPoE, static LAN IP? Static public IP?
If you are behind another router and don't have a public IP (or PPPoE uplink), the main router will need some port and protocol forwardings, too (like GRE and TCP).

Maybe in routes (IP → Routes) you will need one manual entry, too.

P.S.: ALMOST FORGOT IT!
You have to move the firewall rules to the TOP over the DROP.
CLICK and HOLD the rule in the overview and move it up over the last DROP action.

Well, there are ways you should sort them, so that a packet doesn't have to run again and again through rules which are not needed often. In your case, start like this first.
Sorting your firewall rules will be a part later if you have more, and more … and too many rules :wink:
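The GUI steps in the post above, written out as RouterOS CLI, as an added example that is not part of DaKater's post. These input-chain rules only matter when the MikroTik itself accepts incoming PPTP (or IPsec) connections, i.e. when it is the server: GRE and TCP/1723 must be allowed to reach it. The "move it above the DROP" step is done here with `place-before=0`, which inserts each rule at the top of the chain. Opening TCP 80 and 8291 to the whole WAN exposes the management interfaces to everyone, so the example restricts them to an assumed address list; the admin address in it is a constructed placeholder.

```routeros
# Added example: DaKater's WinBox steps as RouterOS CLI. Only needed when this
# router is the PPTP/IPsec endpoint accepting connections; a pure VPN client
# needs none of these. place-before=0 puts each rule at the top of the chain,
# i.e. above any existing drop rule (the CLI equivalent of dragging it up).

/ip firewall address-list
add list=management address=203.0.113.10 comment="constructed: trusted admin host"

/ip firewall filter
# PPTP: TCP/1723 control channel and GRE (protocol 47) data channel
add chain=input protocol=tcp dst-port=1723 action=accept \
    comment="PPTP control" place-before=0
add chain=input protocol=gre action=accept comment="PPTP GRE in" place-before=0
add chain=output protocol=gre action=accept comment="PPTP GRE out"

# IPsec: IKE on UDP/500 and ESP (only if you also terminate IPsec here)
add chain=input protocol=udp dst-port=500 action=accept comment="IKE" place-before=0
add chain=input protocol=ipsec-esp action=accept comment="ESP" place-before=0

# Management from WAN: limited to the address list instead of open to all
add chain=input protocol=tcp dst-port=80,8291 src-address-list=management \
    action=accept comment="web/WinBox from trusted hosts" place-before=0

# Check the resulting order: the accept rules must sit above the input drop
/ip firewall filter print where chain=input
```

Because each `place-before=0` lands above the previous one, the rules end up at the top in reverse order of entry; that is harmless here, but if you keep an "accept established,related" rule as rule 0 you can use `/ip firewall filter move` afterwards to put the new accepts just below it so the common case is matched first.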

Would I need to modify firewall rules, for outgoing VPN? Again to clarify, I’m not connecting to a Mikrotik router. I’m setting one up as a VPN client. The VPN server is already set up and tested, working fine.

I will try the NAT thing.

No firewall rules are needed for outgoing VPN; DaKater's rules are targeted at providing VPN service. Just the NAT rule.

It sounds like you need to srcnat allow your local lan subnet to the remote lan subnet.

You would add this in /ip > firewall > NAT:
src local lan subnet
dst remote lan subnet
action: allow

And you should masq internal subnet out to your ppp or vpn interface.

The last line is what I was missing. I added this and all works perfectly. Thank you!

Hi everyone…bump!

can anyone help me add specific traffic to VPN?
(port 2 on the router).