Hi guys.
I have the MikroTik mAp lite device. I am trying to set up this scenario:
- mAp connects to WiFi as a client. OK
- Create a virtual WiFi AP on the mAp. OK
- Establish a VPN (OpenVPN). OK
- Ping the local network over the VPN. OK.
- Traceroute on the mAp to google.com seems to go through the VPN. OK
- A client connects to the virtual WiFi. OK.
- The client goes to the internet through the VPN. FAIL.
- The client pings the local network over the VPN. OK.
Here is my config:
# aug/08/2022 20:57:45 by RouterOS 7.4
# software id = 9BZY-U0FB
#
# model = RBmAPL-2nD
# serial number = FAC90FE9FDE8
# NOTE(review): the export header carries the software id and the device serial number.
# Both are device identifiers and are normally redacted before a config is posted publicly.
#
# Scenario covered by this export: wlan1 is the upstream link (WiFi client), MikroTikmAp
# is the virtual AP for local clients, and the OpenVPN tunnel is meant to carry the
# clients' internet traffic.
/interface pwr-line
# pwr-line1 is a bridge-lan port (see /interface bridge port); only its MTU is lowered.
set [ find default-name=pwr-line1 ] mtu=1400
/interface bridge
add admin-mac=DC:2C:6E:AB:D3:43 auto-mac=no comment=defconf name=bridge-lan
/interface ovpn-client
# add-default-route=yes: once the tunnel is up it installs a default route on this router.
# user=none: the client identifies itself by certificate only. No auth= or max-mtu= is
# exported, so the RouterOS defaults apply for both.
add add-default-route=yes certificate=cert_export_client-map.crt_0 cipher=\
aes256 connect-to=134.XXX.YYY.26 mac-address=02:BD:CF:6A:B3:5C name=\
OpenVPN protocol=udp user=none
/interface list
add comment=defconf name=LAN
add comment=defconf name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One WPA2-PSK profile per upstream network (MobileAP1, MobileAP2, Kellermano - used by
# the connect-list further down) plus MikroTikmAp for the local virtual AP. All four are
# wpa2-psk only, eap-methods="", management-protection=allowed.
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=MikroTikmAp supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=MobileAP1 supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=MobileAP2 supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=Kellermano supplicant-identity=""
/interface wireless
# wlan1: the upstream WiFi client. No mode= is exported (the reset-default config shows
# mode=ap-bridge explicitly), so wlan1 presumably runs the default station mode - confirm
# with `/interface wireless print`. adaptive-noise-immunity=client-mode fits that role.
set [ find default-name=wlan1 ] adaptive-noise-immunity=client-mode band=\
2ghz-b/g/n disabled=no frequency=auto installation=indoor \
security-profile=Kellermano ssid=Kellermano wds-ignore-ssid=yes \
wireless-protocol=802.11
# MikroTikmAp: virtual AP with wlan1 as master-interface; it is added to bridge-lan below.
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:FD:A4:D8 \
master-interface=wlan1 multicast-buffering=disabled name=MikroTikmAp \
security-profile=MikroTikmAp ssid=MikroTikmAp wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/ip pool
# Local clients get 192.168.99.x here (the reset-default config uses 192.168.88.x).
add name=default-dhcp ranges=192.168.99.10-192.168.99.250
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-lan name=server1
# The bgp template and ospf instance/area entries are not referenced anywhere else in
# this export; presumably the stock v7 entries rather than anything configured on purpose.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
# LAN side: ether1, the virtual AP and pwr-line1 are all bridge-lan ports. wlan1 itself
# is not a bridge port - it is the routed uplink.
add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge-lan comment=defconf ingress-filtering=no interface=\
MikroTikmAp
add bridge=bridge-lan comment=defconf ingress-filtering=no interface=\
pwr-line1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is switched off entirely on this device.
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
# LAN = bridge-lan, WAN = wlan1 only. The OpenVPN interface belongs to neither list, so
# every in-interface-list=WAN / !LAN rule below treats tunnel traffic as "not WAN" and
# "not LAN" at the same time.
add interface=bridge-lan list=LAN
add interface=wlan1 list=WAN
/interface ovpn-server server
# NOTE(review): md5 is still permitted as an HMAC choice on the OVPN *server* side. No
# enabled=yes appears in this export, but should the server ever be switched on, auth=sha1
# is the safer value. This line presumably has no effect on the ovpn-client tunnel above.
set auth=sha1,md5
/interface wireless connect-list
# Upstream networks wlan1 is allowed to join; judging by the SSIDs two of them are phone
# hotspots.
add interface=wlan1 security-profile=Kellermano ssid=Kellermano
add interface=wlan1 security-profile=MobileAP1 ssid="OnePlus 7 Pro"
add interface=wlan1 security-profile=MobileAP2 ssid="OPPO A5"
/ip address
add address=192.168.99.1/24 interface=bridge-lan network=192.168.99.0
/ip dhcp-client
# DHCP on the uplink. add-default-route= is not exported, so its default applies; the
# router then holds a DHCP-learned default route next to the OVPN one. `/ip route print`
# shows which of the two is active and with what distance.
add comment=defconf interface=wlan1
/ip dhcp-server network
# Clients are handed the router (192.168.99.1) as both gateway and DNS server.
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
# The router resolves for its clients. No servers= is set here, so it presumably forwards
# to the servers learned via DHCP on wlan1. The input chain below admits new connections
# only from LAN, which keeps the resolver off the uplink and off the tunnel.
set allow-remote-requests=yes
/ip dns static
add address=192.168.99.1 comment=defconf name=router.lan
/ip firewall address-list
# 'local' is defined but no filter or NAT rule in this export references it.
add address=192.168.99.0/24 list=local
/ip firewall filter
# input chain: established/related/untracked, ICMP and loopback are accepted; anything
# else not arriving from LAN is dropped. The tunnel is not in LAN, so the router itself
# accepts no new connections from the VPN side (ICMP excepted).
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface-list=!LAN
# forward chain: there is no final drop, so new connections from bridge-lan towards
# either wlan1 or OpenVPN pass. The last rule drops unsolicited traffic from WAN (= wlan1)
# only; unsolicited traffic arriving from the tunnel is not dropped here. Compared with
# the reset-default config this chain has no fasttrack rule, and the WAN drop rule lacks
# connection-state=new - harmless, since established/related are accepted first.
add action=accept chain=forward comment=\
"accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
# Masquerade on both possible exits. Nothing in this table decides which exit a client
# packet takes - that is the routing table. Given that the remote LAN is reachable over
# the tunnel but the internet is not, the things worth checking are which default route
# is active on the router and the usable MTU through the tunnel over this WiFi uplink (a
# small ICMP probe can succeed where full-size TCP segments are dropped).
add action=masquerade chain=srcnat out-interface=wlan1
add action=masquerade chain=srcnat out-interface=OpenVPN
/system clock
set time-zone-name=Europe/Budapest
/system package update
# NOTE(review): development channel means pre-release builds; on a device holding VPN
# credentials the stable channel is the usual choice unless a development-only feature
# is needed.
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
But.
If I reset the config (the MikroTik mAp uses ether1 as WAN by default) and take the following steps:
- Set up the WiFi AP.
- Set up the OpenVPN client.
- Add a NAT masquerade rule for the OpenVPN interface.
then clients go to the internet through the VPN. OK. But in this case the WAN is ether1.
Here is that config:
# aug/08/2022 22:27:02 by RouterOS 7.4
# software id = 9BZY-U0FB
#
# model = RBmAPL-2nD
# serial number = FAC90FE9FDE8
# NOTE(review): as with the first export, software id and serial number are device
# identifiers that are normally redacted before posting.
#
# Scenario: reset-default layout - ether1 is the WAN, wlan1 is an access point on the
# bridge, and the ovpn-out1 tunnel is masqueraded. In this layout clients do reach the
# internet through the VPN.
/interface bridge
add admin-mac=DC:2C:6E:AB:D3:43 auto-mac=no comment=defconf name=bridge
/interface ovpn-client
# Same tunnel parameters as the first export (certificate only, aes256, udp,
# add-default-route=yes); only the interface name (ovpn-out1) and mac-address differ.
add add-default-route=yes certificate=cert_export_client-map.crt_0 cipher=\
aes256 connect-to=134.XXX.YYY.26 mac-address=02:5D:43:9C:CF:DC name=\
ovpn-out1 protocol=udp user=none
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Single WPA2-PSK profile for the local AP; no upstream WiFi profiles in this layout.
add authentication-types=wpa2-psk mode=dynamic-keys name=MikroTikmAp \
supplicant-identity=""
/interface wireless
# wlan1 is an access point here (mode=ap-bridge, set explicitly) and a bridge port below,
# not a routed uplink.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge security-profile=MikroTikmAp ssid=MikroTikmAp \
wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
# LAN side: pwr-line1 and wlan1 on the bridge. ether1 is not a bridge port - it is the WAN.
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# LAN = bridge, WAN = ether1. As in the first export, the tunnel interface is in neither list.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
# DHCP on the wired uplink; add-default-route= is not exported, so its default applies
# here too.
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Stock defconf input chain: only LAN-side sources may open new connections to the router.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Stock defconf forward chain. Differences from the first export: the fasttrack rule is
# present, and the final WAN drop rule carries connection-state=new. There is no final
# drop here either, so new connections from the bridge towards ether1 or ovpn-out1 pass.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade towards the WAN list (ether1) and towards the tunnel. ipsec-policy=out,none
# on the first rule restricts it to packets that have no outgoing IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ovpn-out1
/ipv6 firewall address-list
# Stock defconf IPv6 bogon list and filter. No /ipv6 settings line is exported here,
# unlike the first config where IPv6 is disabled, so the IPv6 state of this layout is not
# visible from the export.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
# Time zone differs from the first export (Europe/Budapest there).
set time-zone-name=Europe/Zaporozhye
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
What am I doing wrong? Can you help me, please?
I also tried WireGuard, but it is the same problem: the network over WireGuard is reachable, but internet through WireGuard for the clients is NOT. (WireGuard with the same settings on my phone as the client works well; the phone goes to the internet through the WireGuard server's IP.)