Force traffic from main site to other remote sites

Hello everyone,
I have a main site and two other remote sites. The remote sites are connected with GRE over IPSec to the main site and everyone can talk to each other.
In the main site I have two VMs and I want one VM's traffic to go through the tunnel and get on the internet using one remote site's public IP, and the same thing with the other VM using the second remote site. Practically, from the main site, for some of the clients I want to use the public IPs from the remote sites.

I tried using source NAT, and of course it is not working, but I kind of have the feeling I will have to use some mangle rules?

Can I get some guidance on how I can achieve this?

Thanks, and much appreciated.

No one? At least where to start from…

I tried using some mangle rules and routing but it’s not working.

Hi

Is this what you want?
https://help.mikrotik.com/docs/spaces/ROS/pages/59965508/Policy+Routing

Not exactly. Just by setting up routes, the traffic does not get forced through the IPSec/GRE tunnel.

It needs a combination of prerouting or mangle to force some of the clients through the VPN, I just don’t know how to do this right now. I will keep testing and see if I get to the bottom of this.

Thanks for the reply,

Sure it does, that’s what the core role of routing is.

Have a closer look at the linked article, mangling is ONE of the options, not the only one. Which one is best will depend on your criteria…

Sorry I confused this with IP routes, but even using the Routing Policy it does not seem to work.

Screenshot_1.jpg

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)

Here you go

# 2025-06-05 19:29:09 by RouterOS 7.13.2
#
# model = RB5009UG+S+
/interface bridge
add admin-mac=78:92:73 arp=proxy-arp auto-mac=no name=bridge_LAN \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_ROCLJVKRUISW
set [ find default-name=ether3 ] name=ether3_ROCLJVKRHV01
set [ find default-name=ether4 ] name=ether4_ROCLJVKRHV02
set [ find default-name=ether5 ] name=ether5_ROCLJVKRHV03
set [ find default-name=ether6 ] name=ether6_ROCLJVKRHV04
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1_WAN name=RDS_PPOE_01 \
    user=user1
add allow=pap,chap,mschap2 disabled=no interface=ether1_WAN name=RDS_PPOE_02 \
    user=user2
/interface gre
add allow-fast-path=no local-address=PPPOE_01_PubIP name=BRC-GRE_tunnel \
    remote-address=GRE_SITE2
add allow-fast-path=no local-address=PPPOE_01_PubIP name=JUC-GRE_tunnel \
    remote-address=GRE_SITE1
/interface vlan
add interface=bridge_LAN name="vKernelRO IoT" vlan-id=20
/caps-man configuration
Not needed here
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    BRC-GRE_tunnel
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    JUC-GRE_tunnel
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    ROCLJVKRNOT_tunnel prf-algorithm=sha256
/ip ipsec peer
add address=GRE_SITE2 exchange-mode=ike2 local-address=PPPOE_01_PubIP \
    name=BRC-GRE_tunnel profile=BRC-GRE_tunnel
add address=GRE_SITE1 exchange-mode=ike2 local-address=PPPOE_01_PubIP \
    name=JUC-GRE_tunnel profile=JUC-GRE_tunnel
add disabled=yes exchange-mode=ike2 local-address=PPPOE_01_PubIP name=\
    ROCLJVKRNOT_tunnel passive=yes profile=ROCLJVKRNOT_tunnel \
    send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm \
    name=BRC-GRE_tunnel
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm \
    name=JUC-GRE_tunnel
add auth-algorithms=sha256 disabled=yes enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-256-gcm name=ROCLJVKRNOT_tunnel
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/routing table
add disabled=no fib name=PPPOE_02
add disabled=no fib name=Forward_to_BRC_pubIP
/system logging action
add email-to=AlertSMTPserver name=EmailNotifications target=\
    email
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=\
    "BRC_vKernelRO Network" name-format=identity radio-mac=48:A9:8A:EF:BE:F0
add action=create-dynamic-enabled master-configuration="BRC_vKernelRO IoT" \
    name-format=identity radio-mac=48:A9:8A:EF:BE:F0
/certificate settings
set crl-download=yes crl-store=system crl-use=yes
/interface bridge port
add bridge=bridge_LAN comment=defconf interface=ether2_ROCLJVKRUISW \
    internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=ether4_ROCLJVKRHV02 internal-path-cost=10 \
    path-cost=10
add bridge=bridge_LAN interface=ether5_ROCLJVKRHV03 internal-path-cost=10 \
    path-cost=10
add bridge=bridge_LAN interface=ether6_ROCLJVKRHV04 internal-path-cost=10 \
    path-cost=10
add bridge=bridge_LAN interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN comment=defconf interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=ether3_ROCLJVKRHV01 internal-path-cost=10 \
    path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge_LAN list=LAN
add comment=defconf interface=ether1_WAN list=WAN
/interface ovpn-server server
set auth=sha256 certificate=PublicNAME cipher=aes256-cbc,aes256-gcm
/ip address
add address=192.168.10.254/24 interface=bridge_LAN network=192.168.10.0
add address=192.168.20.254/24 interface="vKernelRO IoT" network=192.168.20.0
/ip dhcp-client
add comment=defconf interface=ether1_WAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-relay
add dhcp-server=192.168.10.1 disabled=no interface="vKernelRO IoT" name=\
    "vKernelRO IoT - ROCLJVKRDC01"
/ip dhcp-server
add address-pool=*2 disabled=yes interface=ether3_ROCLJVKRHV01 name=dhcp1
/ip dns
set allow-remote-requests=yes servers=192.168.10.1,192.168.10.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=GRE_SITE1 list="IPsec Allow IPs"
add address=GRE_SITE2 list="IPsec Allow IPs"
add address=192.168.10.1 list="vKernel.home Internal DNS"
add address=192.168.10.2 list="vKernel.home Internal DNS"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address=192.168.9.0/24
add action=accept chain=forward src-address=192.168.8.0/24
add action=accept chain=forward disabled=yes src-address=192.168.21.0/24
add action=accept chain=input src-address-list="IPsec Allow IPs"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="IPsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="vKernelRO IoT Devices" \
    connection-state="" dst-port=80,443 out-interface=RDS_PPOE_01 protocol=\
    tcp src-address=192.168.20.0/24
add action=accept chain=forward dst-address-list="vKernel.home Internal DNS" \
    dst-port=53 protocol=udp src-address=192.168.20.0/24
add action=drop chain=input in-interface="vKernelRO IoT"
add action=drop chain=forward dst-address=192.168.10.0/24 in-interface=\
    "vKernelRO IoT"
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Policy based routing for VPS Blog on RDS_PPPOE_02" in-interface=\
    bridge_LAN new-routing-mark=PPPOE_02 passthrough=no src-address=\
    192.168.10.230
add action=mark-routing chain=prerouting comment=\
    "Policy based routing for ROCLJVKREMBX - IMAP on RDS_PPPOE_02" \
    in-interface=bridge_LAN new-routing-mark=PPPOE_02 passthrough=no \
    src-address=192.168.10.64
add action=mark-connection chain=input comment=\
    "Policy based routing for ICMP on RDS_PPPOE_02" connection-state=new \
    in-interface=RDS_PPOE_02 new-connection-mark=PPPOE_02_WAN-Connection \
    passthrough=no protocol=icmp
add action=mark-routing chain=output connection-mark=PPPOE_02_WAN-Connection \
    new-routing-mark=PPPOE_02 passthrough=no protocol=icmp
add action=mark-routing chain=prerouting comment=\
    "Policy based routing for SMTP SmartHost on RDS_PPPOE_02" in-interface=\
    bridge_LAN new-routing-mark=PPPOE_02 passthrough=no src-address=\
    192.168.10.55
add action=mark-routing chain=prerouting comment=testing disabled=yes \
    in-interface=bridge_LAN new-routing-mark=PPPOE_02 passthrough=no \
    src-address=192.168.10.230
add action=mark-routing chain=prerouting disabled=yes in-interface=bridge_LAN \
    new-routing-mark=Forward_to_BRC_pubIP passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=RDS_PPOE_01
add action=dst-nat chain=dstnat comment="Sophos UTM9 Proxy" connection-mark=\
    "" dst-address=PPPOE_01_PubIP dst-port=443,80,8080,8443 protocol=tcp \
    to-addresses=192.168.10.10
add action=masquerade chain=srcnat comment="HairPin NAT - Sophos UTM9 Proxy" \
    dst-address=192.168.10.10 protocol=tcp src-address=192.168.10.0/24
add action=dst-nat chain=dstnat comment=OPNSense connection-mark="" \
    dst-address=PPPOE_01_PubIP dst-port=8400,8600,8511 in-interface=RDS_PPOE_01 \
    protocol=tcp to-addresses=192.168.10.61
add action=dst-nat chain=dstnat comment="SMTP on ROCLJVKRSMTP" dst-address=\
    PPPOE_02_PubIP dst-port=25,465 in-interface=RDS_PPOE_02 protocol=tcp \
    to-addresses=192.168.10.55
add action=src-nat chain=srcnat out-interface=RDS_PPOE_02 routing-mark=\
    PPPOE_02 src-address=192.168.10.55 to-addresses=PPPOE_02_PubIP
add action=dst-nat chain=dstnat comment="VPS Blog" dst-address=PPPOE_02_PubIP \
    dst-port=80,443 in-interface=RDS_PPOE_02 protocol=tcp to-addresses=\
    192.168.10.230
add action=src-nat chain=srcnat out-interface=RDS_PPOE_02 routing-mark=\
    PPPOE_02 src-address=192.168.10.230 to-addresses=PPPOE_02_PubIP
add action=dst-nat chain=dstnat comment="ROCLJVKREMBX - IMAP" dst-address=\
    PPPOE_02_PubIP dst-port=143,993,587 in-interface=RDS_PPOE_02 protocol=tcp \
    to-addresses=192.168.10.64
add action=src-nat chain=srcnat out-interface=RDS_PPOE_02 routing-mark=\
    PPPOE_02 src-address=192.168.10.64 to-addresses=PPPOE_02_PubIP
add action=src-nat chain=srcnat comment=TESTING disabled=yes out-interface=\
    BRC-GRE_tunnel protocol=tcp routing-mark=Forward_to_BRC_pubIP \
    src-address=192.168.10.68 to-ports=0-65535
/ip firewall raw
add action=drop chain=prerouting src-address-list=BlockIPs
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
add comment=BRC-GRE_tunnel peer=BRC-GRE_tunnel
add comment=JUC-GRE_tunnel peer=JUC-GRE_tunnel
add disabled=yes peer=ROCLJVKRNOT_tunnel
/ip ipsec policy
add dst-address=xxxx peer=JUC-GRE_tunnel proposal=JUC-GRE_tunnel \
    protocol=gre src-address=PPPOE_01_PubIP/32
add dst-address=xxxx peer=BRC-GRE_tunnel proposal=BRC-GRE_tunnel \
    protocol=gre src-address=PPPOE_01_PubIP/32
add disabled=yes dst-address=192.168.99.0/24 peer=ROCLJVKRNOT_tunnel \
    proposal=ROCLJVKRNOT_tunnel src-address=192.168.10.0/24 tunnel=yes
/ip route
add check-gateway=none comment="SophosUTM VPN vKernel.home" disabled=no \
    distance=1 dst-address=10.10.10.0/24 gateway=192.168.10.10 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10 \
    vrf-interface=RDS_PPOE_01
add comment="OpenSense_VPN Clienti Personali" disabled=no distance=1 \
    dst-address=10.10.9.0/24 gateway=192.168.10.61 pref-src="" routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add comment="OpenSense_VPN Scoli Administrativ" disabled=no distance=1 \
    dst-address=10.10.11.0/24 gateway=192.168.10.61 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=RDS_PPOE_02 routing-table=\
    PPPOE_02 suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.10.12.0/24 gateway=192.168.10.61 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="GRE Tunnels" disabled=no distance=1 dst-address=192.168.8.0/24 \
    gateway=BRC-GRE_tunnel pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.9.0/24 gateway=JUC-GRE_tunnel \
    routing-table=main suppress-hw-offload=no
add comment="vKernelRO IoT Jucu" disabled=no distance=1 dst-address=\
    192.168.21.0/24 gateway=JUC-GRE_tunnel pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.22.0/24 gateway=JUC-GRE_tunnel \
    routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=1180
set ssh address=192.168.10.0/24,192.168.9.0/24
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set active-flow-timeout=5m interfaces=RDS_PPOE_01,RDS_PPOE_02
/ip traffic-flow target
add dst-address=192.168.10.69 src-address=192.168.10.254 version=ipfix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add disabled=yes name=adrian service=ovpn
/routing rule
add action=lookup-only-in-table disabled=no dst-address=::/0 interface=\
    BRC-GRE_tunnel routing-mark=Forward_to_BRC_pubIP src-address=\
    192.168.10.71/32 table=Forward_to_BRC_pubIP
/snmp
set contact="" trap-version=2
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=ROCLJVKREDGE
/system logging
add action=remote disabled=yes topics=firewall
add action=EmailNotifications prefix="- ROCLJVKREDGE" topics=critical
add action=EmailNotifications prefix="- ROCLJVKREDGE" topics=error
add action=EmailNotifications prefix="- ROCLJVKREDGE" topics=account
/system note
set note=E0-CB-4E-A6-87-78 show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=vkernel.home
/tool e-mail
set from=Mikrotik_Notifications_VKR@PublicDomain server=PublicDomain \
    user=AlertSMTPserver
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-dst-ip-address=10.10.10.2/32

Not ipsec trained, but if you elect to use wireguard, have all the time in the day. :slight_smile:

I will want to stick with IPSec since all of the sites are already connected to each other and working just great for years. I really don’t want to start over.

Thanks for trying though… :smiley:

Have you looked at the article…?

I have a main site and two other remote sites. The remote sites are connected with GRE over IPSec to the main site and everyone can talk to each other.
In the main site I have two VMs and I want one VM's traffic to go through the tunnel and get on the internet using one remote site's public IP,…

what you want is to force all traffic from “VM1” over IPSec1 → dedicated routing table “IPS1”, with associated routing rule for that vm1
gw should be the IPS1.other-endpoint.ip

…and the same thing with the other VM using the second remote site.

what you want is to force all traffic from “VM2” over IPSec2 → dedicated routing table “IPS2”, with associated routing rule for that vm2
gw should be the IPS2.other-endpoint.ip

clients similarly…

Notes:
when using routing rules, it’s better not to use route mangling
the routing table Forward_to_BRC_pubIP is empty…

So I tried using your advice, but I guess I must be doing something wrong because it is still not working.


I don’t know what you mean by IPS1.other-endpoint.ip
IPS1 is the public IP on the main location

Thanks,

in the route entry:
remove “Pref. Source”

in the routing rule remove:
Dst Address
Routing Mark
Interface

gateway is normally the IP of the remote router on the local network (here over the tunnel)
but you can specify the interface and have RouterOS figure it out, which is fine too

Is the 192.168.10/24 network known to BRC? So that when responses come back, it knows to forward them over the tunnel back to this router?

It really works! I don’t know how to thank you.

Just as a last question: How does this work?

The routing rule puts the packets into a new table and the route looks up into that table and forwards it to the new gateway, which is the IPSec tunnel?

The article in first reply explains it…

High level:
the routing rule tells routing logic to route specific packets using a dedicated table / rule set ( so not exactly “puts packet in a new table”)

rest is correct
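The fix given above (dedicated table, route without pref-src, rule with only source and table) and the explanation of how the rule and table work together, written out as an added RouterOS example that is not from the thread. It keeps the export's names (Forward_to_BRC_pubIP, BRC-GRE_tunnel, JUC-GRE_tunnel, VM1 = 192.168.10.71); the second table Forward_to_JUC_pubIP and VM2 = 192.168.10.72 are constructed, and the two remote-router lines are an assumption about what the other end needs.

```routeros
# Added example, not the thread's config. Assumes VM1=192.168.10.71 (from the
# export), VM2=192.168.10.72 and table Forward_to_JUC_pubIP (constructed).

# 1) One dedicated routing table per remote site.
/routing table
add fib name=Forward_to_BRC_pubIP
add fib name=Forward_to_JUC_pubIP

# 2) A default route inside each table. Gateway is the GRE interface, so
#    RouterOS resolves the far end itself. No pref-src: the packet must keep
#    the VM's LAN address so the remote site can route the reply back.
/ip route
add dst-address=0.0.0.0/0 gateway=BRC-GRE_tunnel routing-table=Forward_to_BRC_pubIP \
    comment="VM1 internet via BRC public IP"
add dst-address=0.0.0.0/0 gateway=JUC-GRE_tunnel routing-table=Forward_to_JUC_pubIP \
    comment="VM2 internet via JUC public IP"

# 3) Rules are evaluated top-down. First keep the VMs' traffic to the other
#    internal networks (10.10.x, 192.168.x) in the main table, otherwise the
#    0.0.0.0/0 route above would drag it into the tunnel too (assumed need).
/routing rule
add src-address=192.168.10.71/32 dst-address=10.0.0.0/8     action=lookup table=main
add src-address=192.168.10.71/32 dst-address=192.168.0.0/16 action=lookup table=main
add src-address=192.168.10.72/32 dst-address=10.0.0.0/8     action=lookup table=main
add src-address=192.168.10.72/32 dst-address=192.168.0.0/16 action=lookup table=main
# Then the per-VM rule: only src-address, action and table. No dst-address,
# routing-mark or interface. lookup-only-in-table means that if the tunnel
# is down the VM loses internet instead of silently falling back to the main
# table and leaving via the main site's own public IP.
add src-address=192.168.10.71/32 action=lookup-only-in-table table=Forward_to_BRC_pubIP
add src-address=192.168.10.72/32 action=lookup-only-in-table table=Forward_to_JUC_pubIP

# 4) Nothing else on the main router: the mangle mark-routing rules and the
#    TESTING src-nat stay disabled. The defconf masquerade only matches
#    out-interface=RDS_PPOE_01, so tunnel-bound traffic is not NATed here.

# Checks: the table should hold the default route, and the rules should list
# in the order above (the internal-destination rules before lookup-only).
/ip route print where routing-table=Forward_to_BRC_pubIP
/routing rule print

# On the BRC router (assumed, substitute its interface names): it needs a
# route back to the main LAN over the tunnel and must NAT the VM's source
# address out of its own WAN, otherwise the VM never gets the BRC public IP.
# /ip route add dst-address=192.168.10.0/24 gateway=<BRC side GRE interface>
# /ip firewall nat add chain=srcnat action=masquerade src-address=192.168.10.71 \
#     out-interface=<BRC WAN interface>
```

A quick end-to-end check is to run a "what is my IP" lookup from VM1 and confirm it shows the BRC public address, then disable the BRC tunnel briefly and confirm VM1 loses internet rather than appearing with the main site's IP.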

Thank you very much. Appreciate the help.