hAP Lite - Policy route RouterOS 7

Hello,

I have a series of hAP lite devices with RouterOS v6 connected via Ovpn to an RB4011iGS+ router with RouterOS v7.

All traffic from clients connected to the hAP lite routers is forwarded through the Ovpn tunnel with nat enabled and exits the RB4011iGS+ router correctly.

The configuration is solid and has never given me any problems.

After some time, I ordered another hAP lite, which had RouterOS v7 installed by default, and that's when the trouble started. I updated it to the latest available version (7.20.6) and started the configuration.

I immediately noticed that the command for configuring route policies had changed, but that was no big deal.

I then saw that it no longer seemed necessary to use the "routing-mark," but it was necessary to create a new routing table and a route that called it up, no big deal.

Then I configured the routing rule, basically the same configuration but with a different menu.

When I tested the router, the Ovpn came up correctly, I could reach the hAP lite router remotely, but the traffic from the clients connected to the hAP router came out directly from the local connectivity and not on the Ovpn tunnel. That's when I started to get frustrated.

To simplify your help, here is the configuration:

/ppp profile
add local-address=192.168.200.27 name=openvpn-server remote-address=192.168.200.254

/ip firewall nat
add action=masquerade chain=srcnat comment="LAN to Internet Remote" \
    log-prefix="LAN to Internet Remote" src-address=192.168.88.0/24

/routing/table/
add name=ovpn fib
/ip route
add comment="LAN to Internet Remote" distance=1 gateway=ovpn-client routing-table=ovpn

/routing rule
add comment="Policy Route - LAN to Internet" dst-address=0.0.0.0/0 \
    src-address=192.168.88.0/24 table=ovpn

Thanks in advance.


Start by adding the action lookup only in table to the routing rule.

Why don't you specify a destination address in the route?

Because I want all client traffic to pass through OpenVPN, while the router keeps its default route to the internet provider's modem.

And this route is for the main table; why don't you make the same route for the ovpn table for the clients?

It has been a fairly long time since I had the pleasure of dealing with v6, but as far as I recall, policy routing, at least for the relatively simple cases, can be transplanted 1-1 into v7, with the necessary manual addition of the routing table.

So, if you're happy with your v6 config, attempt to use it as-is in v7.

It is very nice that you highlighted the portion of the config that you think is relevant. But: please also include a full export as well.

There are two things I suspect might be your problem:

  1. There is no default route installed in the ovpn table. With "lookup" being the action in your routing rule, the lookup falls back to "main" if it is not successful in the specified table. Add the default!
  2. Just a warning: the default firewall has changed a lot from v6 to v7 - be careful that it doesn't mess things up for you. Either transplant the firewall from v6 (again, if you're fully happy with it) or carefully analyze the new one and make sure that it fits your use case.

EDIT: Sorry, I missed that you have in fact added the route.

It is already present:

The configuration is the same, I just had to change the policy route mode, which in v7 no longer uses only the "routing-mark."

Here are the differences I found:

Route

  • RouterOS v6 - Route

/ip route
add comment="LAN to Internet Remote" distance=1 gateway=192.168.200.254 routing-mark=ovpn

  • RouterOS v7 - Route

/routing/table/
add name=ovpn fib

/ip route
add comment="LAN to Internet Remote" distance=1 gateway=ovpn-client routing-table=ovpn

Policy Route

  • RouterOS v6 - Policy Route

/ip route rule
add comment="Policy Route - LAN to Internet" dst-address=0.0.0.0/0 \
    src-address=192.168.88.0/24 table=ovpn

  • RouterOS v7 - Policy Route

/routing rule
add comment="Policy Route - LAN to Internet" dst-address=0.0.0.0/0 \
    src-address=192.168.88.0/24 table=ovpn

And it is inactive?

So, here are my settings for network 88, which operates via a PPTP connection to CHR.

/interface pptp-client
add connect-to=92.00.122.33 disabled=no name=ppptp_to_CHR user=safelogj

/routing table
add disabled=no fib name=vpn_to_CHR

/routing rule
add action=lookup-only-in-table comment=88net disabled=no dst-address=\
    0.0.0.0/0 src-address=192.168.88.0/24 table=vpn_to_CHR

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.56.1 routing-table=\
    vpn_to_CHR suppress-hw-offload=no

192.168.56.1 is the PPTP gateway.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppptp_to_CHR src-address=\
    192.168.88.0/24

The default route in the ovpn table is shown as inactive and won't work. Did you by chance put ovpn-client in a VRF (named ovpn)? If yes, the static route you added has to specify the gateway as ovpn-client@ovpn, not just ovpn-client.

Still, it is IMHO missing the action:

action=lookup-only-in-table

Full rule:

/routing rule

add action=lookup-only-in-table comment="Policy Route - LAN to Internet" dst-address=0.0.0.0/0 src-address=192.168.88.0/24 table=ovpn

I added "ovpn-client@ovpn" as the gateway:

I added the action "lookup-only-in-table."

[screenshot]

but the problem persists. I always exit the local provider and not the ovpn tunnel.

Yes, it was inactive because I hadn't set the correct gateway "ovpn-client@ovpn" as reported by @CGGXANNX.

Oh, if you really use VRF and ovpn-client is in VRF ovpn, then in your routing table you also need to leak the return route for 192.168.88.0/24 so that it is accessible from the ovpn VRF.

/ip route
add dst-address=192.168.88.0/24 gateway=bridge@main routing-table=ovpn scope=10 target-scope=5

Alternatively, don't use VRF anymore (remove the VRF assignment). Then you won't need to put @ovpn at the end of the gateway in the table ovpn. And the route I just mentioned above is also not needed.

However, if your traffic still exits via main then the issue is somewhere else. If possible post the full configuration /export (after redaction of sensitive data).

And - also - the output of:
/ip route print

So that we can understand the routing tables in their entirety.

Ah, I only noticed this screenshot right now. Remove min-prefix=0 from this routing rule, please. Better to remove the rule and recreate it without setting anything in min-prefix at all.

Also, next time, please write in your post the true content of your configuration. It's now obvious that the commands you wrote in your posts don't match what really are on your router, forcing us to play guessing games.

Yep. Also the routing rule path was replaced.

However, your config would still have worked verbatim had you not placed the openvpn client's interface into a vrf.

Here is the configuration:

/interface bridge
add admin-mac=04:F4:1C:43:17:1C auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=italy disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=TV wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk comment=\
    defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.200.27 name=openvpn-server remote-address=\
    192.168.200.254
/interface ovpn-client
add certificate=haplite7 cipher=aes128-cbc connect-to=myrouter.myrouter.com \
    mac-address=02:06:21:38:93:95 name=ovpn-client profile=openvpn-server \
    user=haplite7
/ip vrf
add interfaces=ovpn-client name=ovpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input src-address=192.168.200.254
add action=accept chain=input src-address=192.168.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN to Internet Remote" \
    log-prefix="LAN to Internet Remote" src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="LAN to Internet Remote" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=ovpn-client@ovpn routing-table=ovpn scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set www-ssl disabled=no
set winbox vrf=ovpn
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup-only-in-table comment="Policy Route - LAN to Internet" \
    disabled=no dst-address=0.0.0.0/0 min-prefix=0 src-address=\
    192.168.88.0/24 table=ovpn

Like I wrote above: you have to remove this from your routing rule. If you keep it like this, the default route in the ovpn table will not be used!

Also choose one of the alternatives described here:

  • Either keep the VRF, but then you need the additional route in ovpn that points to bridge@main.
  • Or remove the VRF, only keep the routing table and the default route you added to that table.
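Putting this reply's second alternative together with the earlier fixes (the lookup-only-in-table action, no min-prefix), here is the complete no-VRF variant of the poster's setup as an added example; it is not a config posted in the thread. It assumes the same names as the poster's export (interface ovpn-client, bridge, routing table ovpn, LAN 192.168.88.0/24) and that the /ip vrf entry has already been removed. The two settings the replies identified as breaking the policy route appear only in comments, as a reminder of what not to put in the rule.

```routeros
# Added example: policy routing for the 192.168.88.0/24 LAN through the OVPN
# tunnel on RouterOS 7, without a VRF. Names are assumed from the thread's export.

# 1. A separate FIB-backed routing table for the tunnel.
/routing table
add name=ovpn fib

# 2. Default route that exists only in that table. Without a VRF the gateway is
#    just the interface name (no @ovpn suffix).
/ip route
add comment="LAN to Internet Remote" dst-address=0.0.0.0/0 gateway=ovpn-client \
    routing-table=ovpn distance=1

# 3. Policy rule: LAN sources consult the ovpn table and nowhere else.
#    Do NOT use either of these in the rule:
#      action=lookup   -> falls back to main when the ovpn lookup misses,
#                         so traffic leaks out via the local provider
#      min-prefix=0    -> the default route in the ovpn table is not used
/routing rule
add action=lookup-only-in-table comment="Policy Route - LAN to Internet" \
    src-address=192.168.88.0/24 dst-address=0.0.0.0/0 table=ovpn

# 4. Source NAT bound to the tunnel interface, so LAN traffic is masqueraded
#    only when it really leaves through ovpn-client.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    out-interface=ovpn-client comment="LAN to Internet Remote"

# 5. Checks: the ovpn table's default route must be listed as active (an
#    inactive route is exactly the symptom seen earlier in the thread), and the
#    rule must show action=lookup-only-in-table with no min-prefix.
/ip route print where routing-table=ovpn
/routing rule print
```

Two things to look at in the poster's full export before applying this: the `/ip vrf` entry must be gone first (otherwise the plain `gateway=ovpn-client` route shows as inactive, as happened above), and `/ip service set winbox vrf=ovpn` binds WinBox to the VRF that no longer exists, so that service has to be pointed back at `vrf=main`.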

You're absolutely right. I removed min-prefix=0:

[screenshot]

And added the route for the local network with the routing table "ovpn":

Now the remote client with IP 192.168.88.x browses with the public IP of the central router connected to Ovpn.

The configuration of RouterOS version 6 was much simpler and more intuitive; here, I have complicated matters for myself. I also note that this type of router (RB941-2nD) with version 7 is particularly slow.

I sincerely thank everyone for their assistance; on my own, it would have taken me a long time.