Hi,
I’m trying to set up my router to route all LAN clients’ internet access via a Linux box running a VPN, which then uses my actual WAN connection to connect out to the internet back via the router. The problem is I’m not really sure of the best way to approach this - I’ve got what I suppose would be called “triple NAT” working, but it works extremely slowly even without a VPN being used. To simplify this question/example, I’ve removed the VPN from the equation. The following configuration does work, but extremely slowly - I can ping internet addresses, but speed tests and YouTube refuse to work due to a connectivity issue (not sure what).
I’m not sure if I’m approaching this the correct way, but the way this is currently set up is as follows.
TL;DR: LAN Client > [ether2 Router ether4] > [eth0 Linux Box eth1] > [ether5 Router ether1] > ISP
1) Traffic enters the router via ether2-LAN, which hits the following mangle rule:
add action=mark-routing chain=prerouting in-interface=!ether5-daedalus-eth1 new-routing-mark=VPNWAN passthrough=no
This rule adds the VPNWAN mark, which causes the default route to be changed to 10.0.0.2.
2) Traffic leaves the router via ether4 (10.0.0.1) and enters eth0 on the Linux box (10.0.0.2). Upon leaving it is masqueraded via the following rule:
add action=masquerade chain=srcnat out-interface=ether4-daedalus-eth0
3) The default route of the Linux box is 10.0.0.3, so the traffic leaves via eth1 and re-enters the router via ether5. Upon leaving it is once again masqueraded due to the following iptables rule on the Linux box:
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
4) Now that the traffic re-enters the router it does not hit the mangle rule that it previously hit, because that rule states “in-interface=!ether5-daedalus-eth1” (which excludes traffic entering via ether5), so the default route provided by my ISP’s DHCP is used and the connection finally leaves the WAN interface. At this point it is masqueraded for a third time due to the following rule:
add action=masquerade chain=srcnat out-interface=ether1-WAN
With this in place, the following traceroute completes successfully from my PC:
C:\Users\xvar>tracert 4.2.2.2
Tracing route to b.resolvers.level3.net [4.2.2.2]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms router [192.168.1.1]
2 <1 ms <1 ms <1 ms DAEDALUS [10.0.0.4]
3 <1 ms <1 ms <1 ms MikroTik [10.0.0.1]
4 * * * Request timed out.
5 10 ms 14 ms 10 ms xxxxxx.network.virginmedia.net [81.xx.xx.xx]
6 * * * Request timed out.
7 * * * Request timed out.
8 33 ms 13 ms 13 ms xxxxx.network.virginmedia.net [62.xx.xx.xx]
9 17 ms 15 ms 15 ms m674-mp2.cvx1-b.lis.dial.ntli.net [62.254.42.162]
10 * * * Request timed out.
11 18 ms 17 ms 18 ms uk-lon01c-ri1-ae4-0.aorta.net [84.116.135.50]
12 451 ms 566 ms 888 ms 213.46.174.170
13 17 ms 15 ms 23 ms ae-230-3606.edge4.london1.level3.net [4.69.166.21]
14 23 ms 18 ms 15 ms b.resolvers.level3.net [4.2.2.2]
Trace complete.
However, the connection is not usable - YouTube videos barely play at 144p and speedtest.net refuses to even run the test. I know the Linux box isn’t at fault as if I directly connect a laptop to its eth0 port with its default gateway set to 10.0.0.2 the Linux box routes the connection fine - it’s something specifically about the roundtripping from router > Linux > router that’s going wrong I think.
Any suggestions on what I’m doing wrong? Is this the correct way to approach this or should I be doing it a completely different way? Any advice would be appreciated.
Cheers,
XVar
Linux box and router config details / export:
Linux Box (Centos 7.3)
eth0 10.0.0.2 (connected to router’s ether4 interface)
eth1 10.0.0.4 (connected to router’s ether5 interface)
[root@daedalus ~]# ip route show
default via 10.0.0.3 dev eth1
10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.2
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.4
Linux box’s iptables NAT table:
-A POSTROUTING -o eth1 -j MASQUERADE
RB2011UiAS-2HnD-IN (RouterOS 6.38.5)
ether1-WAN (connected to cable modem)
ether2-LAN 192.168.1.1 (connected to switch)
ether4-daedalus-eth0 10.0.0.1 (connected to Linux box’s eth0 interface)
ether5-daedalus-eth1 10.0.0.3 (connected to Linux box’s eth1 interface)
/ip address
add address=192.168.1.1/24 interface=ether2-LAN network=192.168.1.0
add address=10.0.0.1/16 interface=ether4-daedalus-eth0 network=10.0.0.0
add address=10.0.0.3/16 interface=ether5-daedalus-eth1 network=10.0.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=masquerade chain=srcnat out-interface=ether4-daedalus-eth0
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=!ether5-daedalus-eth1 new-routing-mark=VPNWAN passthrough=no
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1-WAN log-prefix=WANDROP
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
/ip route
add distance=1 gateway=10.0.0.2 routing-mark=VPNWAN
/interface bridge
add admin-mac=6C:3B:6B:09:7D:DE auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] master-port=ether2-LAN
set [ find default-name=ether4 ] name=ether4-daedalus-eth0
set [ find default-name=ether5 ] name=ether5-daedalus-eth1
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
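A check worth running against the two exports above, added here as an example and not part of XVar's post or of either vendor's tooling: both boxes carry the same connected prefix on the two interfaces that form the loop (10.0.0.0/8 on eth0 and eth1 on the Linux box; 10.0.0.0/16 on ether4 and ether5 on the RB2011), so a lookup for any 10.0.0.x address has two equally good candidates and the box will ARP for it on whichever one wins. The script below parses the posted `ip route show` output and `/ip address` export (embedded as constructed sample input copied from the post), lists overlapping connected prefixes on each box, and shows which interfaces a longest-prefix match could pick for the gateway addresses the path depends on. Function names are the example's own.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample input: the two address tables copied from the post above
# (the Linux box's `ip route show` and the RB2011's `/ip address` export).
LINUX_ROUTES = """\
default via 10.0.0.3 dev eth1
10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.2
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.4
"""

ROUTEROS_ADDRESSES = """\
/ip address
add address=192.168.1.1/24 interface=ether2-LAN network=192.168.1.0
add address=10.0.0.1/16 interface=ether4-daedalus-eth0 network=10.0.0.0
add address=10.0.0.3/16 interface=ether5-daedalus-eth1 network=10.0.0.0
"""

# (connected prefix, interface it is directly reachable on)
OnLink = Tuple[ipaddress.IPv4Network, str]


def parse_linux_routes(text: str) -> List[OnLink]:
    """Pull the connected ('scope link') prefixes out of `ip route show` output."""
    result: List[OnLink] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "default":
            continue
        if "scope" not in fields or fields[fields.index("scope") + 1] != "link":
            continue
        dev = fields[fields.index("dev") + 1]
        result.append((ipaddress.ip_network(fields[0], strict=False), dev))
    return result


def parse_routeros_addresses(text: str) -> List[OnLink]:
    """Pull address/interface pairs out of a RouterOS `/ip address` export."""
    result: List[OnLink] = []
    for line in text.splitlines():
        m = re.search(r"address=(\S+)\s+interface=(\S+)", line)
        if m:
            # strict=False turns the host address 10.0.0.1/16 into the prefix 10.0.0.0/16
            result.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return result


def find_overlaps(onlink: List[OnLink]) -> List[Tuple[str, str, str, str]]:
    """Return every pair of connected prefixes on different interfaces that overlap."""
    hits = []
    for i, (net_a, dev_a) in enumerate(onlink):
        for net_b, dev_b in onlink[i + 1:]:
            if dev_a != dev_b and net_a.overlaps(net_b):
                hits.append((str(net_a), dev_a, str(net_b), dev_b))
    return hits


def candidate_egress(dst: str, onlink: List[OnLink]) -> List[str]:
    """Interfaces a longest-prefix lookup could pick for dst.

    More than one entry means the choice is ambiguous: the box will ARP for
    dst on whichever wins, and replies may come back on the other link.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, dev) for net, dev in onlink if addr in net]
    if not matches:
        return []
    best = max(plen for plen, _ in matches)
    return [dev for plen, dev in matches if plen == best]


def report(name: str, onlink: List[OnLink], probe: str) -> None:
    print(f"== {name}")
    for net_a, dev_a, net_b, dev_b in find_overlaps(onlink):
        print(f"  overlap: {net_a} on {dev_a} vs {net_b} on {dev_b}")
    print(f"  egress candidates for {probe}: {candidate_egress(probe, onlink)}")


if __name__ == "__main__":
    report("daedalus (Linux)", parse_linux_routes(LINUX_ROUTES), "10.0.0.3")
    report("RB2011 (RouterOS)", parse_routeros_addresses(ROUTEROS_ADDRESSES), "10.0.0.4")
```

Two candidates for 10.0.0.3 on the Linux box and for 10.0.0.4 on the router means a reply can arrive on the opposite link from the one the forward packet left by. On Linux, when strict reverse-path filtering is enabled (rp_filter = 1, which CentOS 7 ships with), such a packet is dropped silently; `sysctl net.ipv4.conf.all.rp_filter` shows the setting and `nstat -az | grep IPReversePathFilter` shows whether the drop counter is moving. Separately, RouterOS documents that fasttracked connections bypass the mangle table, so a prerouting mark-routing rule is only seen by packets that are not fasttracked; disabling the fasttrack-connection rule while testing removes that variable.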