Forwarding 1 interface to another

Hello, I have a Mikrotik HAP AX2 router. I was recommended to get it because it's "very customizable", but I'm not a network specialist and ran into a few issues.

Task:
Create a Wi-Fi that would connect to the internet via a VPN connection.

What is already done:

  1. An OpenVPN server running on an AWS server.
  2. The Mikrotik router says it's connected to the OVPN server as a client.

Thoughts:

  1. Since I already have Wi-Fi set up from the default config, internet access on the router (via ether1 through my main router at home, generously provided by my ISP), and a vpn-out interface, all I need is just a way to force all traffic from the Wi-Fi interface to the vpn-out interface, correct?

More Data:

  1. Router model: Mikrotik HAP AX2.
  2. Router OS version: 7.15.3.

Please advise on a solution as I’ve tried so many outdated things that don’t work anymore.

Easiest way would be to create a routing table, add a default route with gateway the OVPN to it and use routing rules:

/routing table
add fib name=through_VPN

/ip route
add dst-address=0.0.0.0/0 gateway="OVPN_interface" routing-table=through_VPN

/routing rule
add action=lookup-only-in-table src-address="WiFi_subnet" table=through_VPN

After I tried this solution, the router became a brick. No internet, no VPN, no access to the router via the 192.168.88.1 IP address.

It is improbable; those settings are only related to outbound traffic and Wi-Fi. It is more likely that something else caused the issue.
Anyway, you should be able to access it with Winbox (via MAC address) if for whatever reason the IP address has been lost.

If you cannot connect via Winbox you can still reset it and start fresh, which may not be a bad idea overall if you already made lots of attempts and something was not undone fully.

A good idea - as a general rule - particularly when doing tests is to take one of the LAN ports out of the bridge to be used as management with the 192.168.88.1 assigned to it.

Hi,

I would also include the first routing rule below.

It allows devices on your wifi subnet to connect to other local devices, and only internet bound traffic goes via the vpn.
(Order matters, put it before the other rule)

Note: If using Winbox, you likely should have still been able to connect to the Mikrotik using the MAC address.

/routing rule
add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main
add action=lookup-only-in-table src-address="WiFi_subnet" table=through_VPN
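Putting the two answers above together as one complete, ordered configuration (an added example, not any poster's own config): it assumes the OpenVPN client interface is named ovpn-out1, that the Wi-Fi clients already sit in their own subnet 192.168.89.0/24, that the wired LAN is the default 192.168.88.0/24, and that the RouterOS default firewall and masquerade rule (out-interface-list=WAN) are still in place.

```routeros
# Added example, not the forum posters' configuration. Assumptions:
#   ovpn-out1        = the OpenVPN client interface (check: /interface ovpn-client print)
#   192.168.89.0/24  = the Wi-Fi subnet that must only reach the internet via the VPN
#   192.168.88.0/24  = the default wired LAN on the bridge (management stays here)
# The default config's firewall and masquerade rule (out-interface-list=WAN) are assumed present.

# 1. Separate routing table with its own FIB, holding only a default route via the tunnel.
/routing table
add fib name=through_VPN

/ip route
add dst-address=0.0.0.0/0 gateway=ovpn-out1 routing-table=through_VPN \
    comment="Wi-Fi default route; becomes inactive when the tunnel is down"

# 2. Routing rules are evaluated top to bottom.
#    Rule 1: look up everything except the default route in main, so Wi-Fi clients can still
#            reach local subnets; on a miss (an internet destination) evaluation continues.
#    Rule 2: Wi-Fi sources may ONLY use through_VPN. There is no fallback to main, so when
#            ovpn-out1 is down the traffic is dropped instead of leaking out via ether1.
/routing rule
add action=lookup min-prefix=0 table=main \
    comment="local destinations: all routes except 0.0.0.0/0"
add action=lookup-only-in-table src-address=192.168.89.0/24 table=through_VPN \
    comment="Wi-Fi -> VPN only, never the ISP uplink"

# 3. Treat the tunnel as a WAN interface: the default masquerade rule then NATs Wi-Fi
#    traffic to the tunnel address, and the default "drop all from WAN not DSTNATed"
#    forward rule also covers anything arriving from the VPN side.
/interface list member
add interface=ovpn-out1 list=WAN

# 4. Checks: the route must show as active (A flag) and the two rules must be in the order above.
/ip route print detail where routing-table=through_VPN
/routing rule print
```

If the route in through_VPN shows as inactive, the tunnel itself is down and Wi-Fi clients will have no internet at all by design; fix the OVPN client connection rather than adding a fallback route.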

What will be less CPU intensive for similar tasks: a routing rule, or a routing mark with mangle? It works for me with both methods, but which one is "correct"?

Routing rules are usually “better”, but mangle marks allow more granularity, so if you can obtain the expected result with routing rules, they should be preferred.