Dedicated AP for VPN "out" using VRF

Hello

I am trying to set up 2 APs at home. RouterOS v6.46.4.
1 AP for normal internet browsing through my ISP (pppoe) and the 2nd for access to the internet through a VPN provider (l2tp).

I saw this thread
http://forum.mikrotik.com/t/route-all-traffic-via-vpn/67142/1
and I have tried to implement the VRF solution, but for the life of me the VRF rules for routing don’t seem to be taking effect.

My config is:
The stock standard “Quick Setup” with the “guest” wifi enabled.
Before adding the second l2tp client for the VPN I tested both APs and they connect to the internet successfully over the pppoe client created by the quick setup.
I added the VPN client l2tp connection and it comes up successfully.
I then created a VRF entry called vpnout that included the wlan2 and l2tp interfaces.
I then added a route 0.0.0.0/0 with gateway of the l2tp interface and routing mark vpnout.

All my AP2 traffic still goes out over the default route 0.0.0.0/0 gateway pppoe.

What have I done wrong?

Hello

I solved it another way, but way less efficient.

Create extra wlan and join it to the existing bridge.
Apply a bridge filter rule to mark a packet coming in from this new wlan interface.
Create an ip mangle rule to check for this marked packet and write a routing mark on the packet.
Add a routing entry to route these packets to the l2tp interface.

It uses quite a bit of CPU under load, I suppose because of the 2 packet markings.

If anyone has a cleaner, more efficient method, please reply if you get a gap.

Thanks
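
The four steps from the post above, written out as RouterOS v6 commands; this is an added example, not the poster's own configuration. The names `bridge`, `wlan1`, `wlan-vpn`, `l2tp-out1`, the SSID and the mark names are assumptions, and the last two rules (blackhole fallback and NAT) are additions the post does not mention.

```routeros
# Added example. Assumed names: bridge, wlan1 (physical radio), wlan-vpn,
# l2tp-out1 (the VPN client), SSID "home-vpn", marks from-wlan-vpn / vpnout.

# 1. Extra (virtual) wlan, joined to the existing bridge.
#    Point security-profile at your own WPA2 profile instead of "default".
/interface wireless add name=wlan-vpn master-interface=wlan1 mode=ap-bridge \
    ssid="home-vpn" security-profile=default disabled=no
/interface bridge port add bridge=bridge interface=wlan-vpn

# 2. Bridge filter: mark packets coming in from the new wlan.
#    chain=input is used because frames that will be routed are addressed
#    to the bridge itself.
/interface bridge filter add chain=input in-interface=wlan-vpn \
    action=mark-packet new-packet-mark=from-wlan-vpn

# 3. Mangle: turn the packet mark into a routing mark.
#    dst-address-type=!local keeps traffic to the router itself
#    (DNS, management) in the main table.
/ip firewall mangle add chain=prerouting packet-mark=from-wlan-vpn \
    dst-address-type=!local action=mark-routing \
    new-routing-mark=vpnout passthrough=no

# 4. Default route for marked packets via the l2tp interface.
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1 \
    routing-mark=vpnout distance=1

# Addition (not in the post): if l2tp-out1 goes down, the route above
# becomes inactive and marked traffic would fall back to the main table,
# i.e. out over pppoe. A higher-distance blackhole in the same table
# drops it instead.
/ip route add dst-address=0.0.0.0/0 type=blackhole \
    routing-mark=vpnout distance=2

# Addition (not in the post): source NAT on the tunnel, needed if the
# Quick Setup masquerade rule does not already cover l2tp-out1.
/ip firewall nat add chain=srcnat out-interface=l2tp-out1 action=masquerade

# Checks: the route table for the mark, and whether the rules see traffic.
/ip route print where routing-mark=vpnout
/interface bridge filter print stats
/ip firewall mangle print stats
```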