How to use vpn only for incoming connexion ?

dad2312 · October 15, 2020, 2:57pm

Hello

I use LTE connexion with LHGLTE6 in passtrough with hapac2 and i want to use my vpn on hapac2 just for incoming connexion from outside and all other connexion from LAN have to go trough wan ( lte provider) connexion.

if my distance route vpn is the first (distance =1) all works but of course all trafic from lan go trough VPN

if i put my distance route vpn to 2 and distance route to lte provider to 1 : then all trafic go trough lte provider but i can’t incoming with my vpn ip..

what i missing ?

thank for your help

Sob · October 16, 2020, 12:20am

It’s basically like dual-WAN config. VPN is secondary, but default route uses LTE, so if new connection comes in via VPN, response is send out via LTE and it doesn’t work. To fix it, router need a little help. Add new default route that uses VPN interface and put it in separate routing table (parameter routing-mark). Then mark new incoming connections from VPN. And finally mark routing for responses that have previously assigned connection mark, to use the new routing table.

dad2312 · October 16, 2020, 11:09am

Thank Sob, i tried several things without success. I use ROS 7.1 beta2.

i try this :
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN

/ip vrf
add list=all name=main
add list=LAN name=LAN
add list=VPN name=VPN

/ip firewall mangle
add action=accept chain=input in-interface=ovpn-out1
add action=mark-connection chain=prerouting in-interface=ovpn-out1
new-connection-mark=VPN-CONN passthrough=yes
add action=mark-routing chain=output connection-mark=VPN-CONN passthrough=no <= New routing mark=VPN

Sob · October 16, 2020, 11:42am

This should be it:

/routing table
add fib name=vpn
/ip route
add dst-address=0.0.0.0/0 gateway=212.58.77.1 routing-table=vpn
/ip firewall mangle
add chain=prerouting in-interface=ovpn-out1 connection-state=new action=mark-connection new-connection-mark=VPN-CONN passthrough=no
add chain=output connection-mark=VPN-CONN action=mark-routing new-routing-mark=vpn passthrough=no

Based on https://help.mikrotik.com/docs/display/ROS/ROSv7+Basic+Routing+Examples, and simple test works here.

dad2312 · October 16, 2020, 3:11pm

Thank You Sob works !!

question : we can’t make theses rules via winbox only via terminal ?

/routing table
add fib name=vpn
/ip route
add dst-address=0.0.0.0/0 gateway=212.58.77.1 routing-table=vpn

Sob · October 16, 2020, 3:50pm

In WinBox it’s currently a little unfinished, it’s known problem.