Change the routing table for OVPN connections dynamically on a MikroTik router

Hi,

Scenario

  • Pool1: 192.168.15.1 - 192.168.15.99
  • Pool2: 192.168.10.1 - 192.168.10.99
  • IP address for bridge1: 192.168.15.100/24
  • IP address for bridge2: 192.168.10.100/24
  • ether1 (ISP1): IP 10.15.24.2/30
  • ether2 (ISP2): IP 10.15.40.2/30
  • DHCP1: On bridge1 with Pool1
  • DHCP2: On bridge2 with Pool2
  • OVPN: Local address 192.168.15.200, remote address from Pool1

Routing Tables

  1. Table_ISP1
  2. Table_ISP2

Routing Rules

  • Rule 1:
      ◦ Source Address: 192.168.15.0/24
      ◦ Action: Lookup only in Table_ISP1
  • Rule 2:
      ◦ Source Address: 192.168.10.0/24
      ◦ Action: Lookup only in Table_ISP2

Routes

  • Route1:
      ◦ Destination Address: 0.0.0.0/0
      ◦ Gateway: 10.15.24.1
      ◦ Routing Table: Table_ISP1
  • Route2:
      ◦ Destination Address: 0.0.0.0/0
      ◦ Gateway: 10.15.40.1
      ◦ Routing Table: Table_ISP2
  • Route3 (DAC):
      ◦ Destination Address: 192.168.15.0/24
      ◦ Gateway: bridge1
      ◦ Routing Table: main
  • Route4 (DAC):
      ◦ Destination Address: 192.168.10.0/24
      ◦ Gateway: bridge2
      ◦ Routing Table: main

Problem

When I connect to this MikroTik router via OVPN from my computer (on a different internet connection), my computer gets an IP from Pool1. However, I am unable to access devices on bridge1.

The issue is that bridge1 is in the main routing table, while my rule forces Pool1 IPs to route through Table_ISP1.

How can I establish a connection between main Table and Table_ISP1 so that I can access the devices on bridge1 from my MikroTik router?

It's not good practice to have the same pool for LAN and VPN clients.
The best thing you can do is to make a separate pool for OVPN clients and set up routing to both bridges.
If you don't want the solution above, you can add a route to the other bridge in Table_ISP1, like dst-address=192.168.10.0/24 gateway=192.168.10.100
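As an added worked example (not part of the posts above), here is the separate-pool suggestion written out in RouterOS v7 syntax against the scenario from the first post. The VPN subnet 192.168.20.0/24, the pool name Pool_OVPN and the profile name ovpn-profile are assumptions; the table names, bridges and rules are the ones already described in the thread.

```routeros
# Added example, not from the original posts. Assumed: RouterOS v7, VPN subnet
# 192.168.20.0/24, pool name Pool_OVPN, profile name ovpn-profile. Table_ISP1,
# Table_ISP2, bridge1, bridge2 and Rule 1 / Rule 2 are as described in the thread.

# 1. Dedicated pool and PPP profile for OVPN clients, so they no longer share Pool1.
/ip pool add name=Pool_OVPN ranges=192.168.20.2-192.168.20.99
/ppp profile add name=ovpn-profile local-address=192.168.20.1 remote-address=Pool_OVPN
/interface ovpn-server server set enabled=yes default-profile=ovpn-profile

# 2. Return path. A host on bridge1 replies to a VPN client with src 192.168.15.x,
#    which Rule 1 sends into Table_ISP1; that table only has a default route, so the
#    reply would leave towards ISP1. Resolve VPN-client destinations in main instead,
#    where RouterOS adds a dynamic /32 route for each connected OVPN client.
#    place-before=0 puts this rule in front of Rule 1 / Rule 2.
/routing rule add dst-address=192.168.20.0/24 action=lookup-only-in-table table=main \
    comment="VPN clients: resolve in main" place-before=0

# 3. The extra route mentioned above, so Pool1 sources whose lookups are forced into
#    Table_ISP1 can still reach bridge2. The gateway is the bridge interface, so the
#    router ARPs for each destination host on bridge2 directly.
/ip route add dst-address=192.168.10.0/24 gateway=bridge2 routing-table=Table_ISP1

# Check the rule order and the contents of Table_ISP1 after applying.
/routing rule print
/ip route print where routing-table=Table_ISP1
```

With a connected OVPN client, `/ip route print where dst-address~"192.168.20."` should show its dynamic /32 route in main; if the bridge hosts still cannot answer, check that the new routing rule is listed before the two ISP rules.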

Please pay attention to this point:
“The issue is that bridge1 is in the main routing table, while my rule forces Pool1 IPs to route through Table_ISP1.”
Even when I change the VPN IP range, for example to 192.168.20.1, I can't access Pool 1's IPs.
Please suggest if anyone knows a solution.

Hi,

A couple of things.

I would put a routing rule like:

add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main

before your existing routing rules.

So only traffic that needs to go via a default gateway will use Table_ISP1 or Table_ISP2.

I would enable some kind of proxy ARP on bridge1 when using the same IP address range for your OVPN client
as on the bridge, or the devices on the bridge you attempt to connect to won't be able to reply.

This can be done by changing the arp setting on the bridge to proxy arp.
Alternatively, for a more controlled configuration, you can add a published ARP entry for the OVPN client IP address (with the bridge's MAC address).
I haven’t tried the second option at this time, but it should work ok.
The first option works well but can be a bit blunt.
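As an added worked example (not part of the post above), the two suggestions in that reply written out as RouterOS v7 commands for the scenario in the first post. Assumed: the existing Rule 1 / Rule 2 are currently at positions 0 and 1, the OVPN client authenticates with a PPP secret named laptop, and 192.168.15.50 is the address pinned to it for the published-ARP variant; table, bridge and subnet names are those from the thread.

```routeros
# Added example, not from the original posts. Assumed: RouterOS v7, Rule 1 / Rule 2
# at positions 0 and 1, PPP secret "laptop", client address 192.168.15.50 (2b only).

# 1. Consult main first for everything except a default-route match.
#    min-prefix=0: if the best match in main has prefix length <= 0 (i.e. 0.0.0.0/0),
#    treat it as no match and fall through to the next rule. main holds the connected
#    bridge routes and the dynamic /32 routes of connected OVPN clients, but no default
#    route, so LAN and VPN destinations resolve here while internet traffic still
#    falls through to Rule 1 / Rule 2 and the per-ISP tables.
/routing rule add action=lookup table=main min-prefix=0 place-before=0 \
    comment="min-prefix=0, all except 0.0.0.0/0"
# check that the new rule is listed first, before the two src-address rules
/routing rule print

# 2a. Blunt option: proxy ARP on bridge1. When a host on bridge1 ARPs for the VPN
#     client's 192.168.15.x address (same subnet as its own), the router answers with
#     its own MAC and forwards the reply over the tunnel.
/interface bridge set bridge1 arp=proxy-arp

# 2b. Narrower option: pin the client's address and publish one ARP entry for it with
#     bridge1's MAC address, instead of answering ARP for the whole subnet.
#     (Use either 2a or 2b, not both.)
/ppp secret set [find name=laptop] remote-address=192.168.15.50
/ip arp add address=192.168.15.50 interface=bridge1 published=yes \
    mac-address=[/interface bridge get bridge1 mac-address]
```

For 2b the client address has to be fixed, otherwise the published entry stops matching as soon as the pool hands the client a different address; `/ip arp print where published` shows the entry, and `/interface bridge print detail` confirms which ARP mode bridge1 is in.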

@hesaam,

How can I establish a connection between main Table and Table_ISP1 so that I can access the devices on bridge1 from my MikroTik router?

From where did you connect your OVPN client to the router? Was it from the LAN side of the router or from the internet side of the router?

have you fixed the problem?

Try posting:
the ip route details from your OVPN client and from the router.