I have been playing around with my Mikrotik for some time and have been able to do some amazing things with it (at least I think so).
It provides me with a rock-solid connection and great wifi. I have created a wifi guest account for everyone to access and a wifi account for my own family; the guest account cannot access the internal network, but can access the internet.
I have been able to completely bypass the router my provider has given me (which sucks..).
I have been able to set up an incoming VPN (IPsec based) to access my network.
I have been able to set up an outgoing VPN for specific connection types (based on ports, specifically NNTP and BitTorrent).
I have tried to set up QoS using queues and I think I have succeeded.
I basically have two challenges:
(1)
The way I would like it to work is to have ALL my outgoing internet traffic go through the VPN (so not based on protocol/port). If I set this up, however, I get into conflict with my incoming VPN connection: I am able to connect but cannot reach anything in my network. I need some way to tell the system to send everything over the outgoing VPN EXCEPT for traffic that is initiated by the incoming VPN connection..
(2)
I have done a lot of stuff here by combining Google searches with some basic knowledge.. Although everything appears to be ok, I am fully confident that stuff could be set up better. I would have no problem paying someone to spend an hour or so on my configuration to check, adapt and make it better (teaching me something in the process).
(1) is the priority one, but (2) is something I feel like I need to do..
Typical… Just after entering the message I figured out something wrt (1) ..
I have added a mangle "accept" rule (actually two, one for IN and one for OUT) based on the IP address that is DHCP'd to the incoming VPN device… It appears to work..
Some more information is needed to be able to help much more, but here are some things that might point you in the direction that you want to go.
The type of VPN you have set up (L2TP/IPsec, pure IPsec, etc.) will determine how to do what you are trying to do. Since RouterOS does not support VTI for IPsec, what it encrypts is controlled by the policies. You can set the policy to only encrypt things from a given network segment, so you could narrow it down by IP. Or if you use another tunnel and encrypt that with IPsec, you can assign IP addresses and set up routing. The extra tunnel does add overhead to the overall setup, but does give you a lot more flexibility on how to control traffic.
As far as number 2, if there is something you are looking for specific feedback on, you can always post a specific question, along with the relevant parts of an export of your config for comment/tweaking. The more specific the question, the better and more specific an answer you will get; a general question without specifics of what you are looking to do usually nets a general answer that doesn't really address what you are looking for.
Thanks for your response, I actually solved my own issue 5 minutes after I wrote this post.. Figures… It must still be in moderation.. What I did / do is the following:
I have an outgoing VPN connection (ExpressVPN), it is L2TP/IPsec.
I have an incoming VPN server configured on the MikroTik (L2TP/IPsec).
The incoming VPN is used by myself only to access my own intranet.
The outgoing VPN is triggered by traffic from one specific machine in my network. I am using a prerouting mangle rule to place a routing mark on that traffic. I have a route configured for that routing mark; it is pointing to the gateway "expressvpn" that basically dials on demand.
I had been trying to create a mangle rule to catch that traffic before the routing mark for the outgoing VPN was added. I could not get this to work; I was doing it based on the interface, but that failed since that interface does not exist when there is no traffic.
The brainwave I had was doing basically that but differentiating based on IP address, so I now did the following (and this is working):
BEFORE the mangle rule that gives the outgoing VPN routing mark I have now placed another prerouting mangle rule that is triggered on the used IP address: if that IP address is out of the pool that my Mikrotik is giving to the incoming VPN connection, the traffic gets an ACCEPT (therefore stopping processing of the other mangle rule and never placing the outgoing VPN routing mark).
I am basically doing all of this using a mix of common sense and Google. The issue is (and this goes back to my point 2) that I know it works, but I do not know if it's also the best way to do it..
Now I have my outgoing VPN and incoming VPN both working (explained above how). I am now trying to make an exception for a specific application running on the system that is routed over the VPN..
To be specific, I have Plex running on the system that is routed over the VPN. My initial thought was to place a mangle rule -above- the rule that tags the traffic with the specific routing mark and giving it an accept (just like I had successfully done with the incoming VPN as explained above).
Plex network traffic uses port 32400, so I created the mangle accept rule with that port number; unfortunately it does not seem to work.. Plex still thinks it is communicating over the VPN..
then Plex works.. But of course then all my TCP traffic is no longer sent over the outgoing VPN.
Now as far as I can logically think, that would mean that Plex is using another address than 32400 .. But I know for a fact that this isn't the case.. (or the whole of Google is wrong).. So it must be something on my side..
Is that the only port it uses to communicate? You could use the torch tool to view the communications and narrow down the rules and see what is going on. The second option is to use connection marks to catch both sides of the connection (assuming the first rule is incrementing). Something like this maybe.
I moved the chain of the plex to forward since mangle prerouting happens before dst-nat, and looking at your NAT rules you are forwarding to the plex server. This should catch the incoming connections, and then the reply connections should not be subject to the VPN.
I tried the second option, but unfortunately that gives no change in results.. I have been trying to use torch to see the traffic but cannot get the hang of what I should look at..
Is the first rule incrementing at all and catching traffic?
As far as torch goes, it is one of the greatest tools on RouterOS. When you open it through WinBox, I usually disable Src. and Dst. Address6, set the interface to the one I want to watch, and enable port and protocol. Then let it run and watch the traffic/connections. Once you get a feel for the traffic going across, you can then narrow things down by specifying specific addresses, protocols and ports.
Ok, where are the connections to the plex server coming from, are they using the NAT rules from the outside? A local machine, or something else? The interface that you want to look at for torch is the interface of the router facing the plex server.
So it is 192.168.1.13 (client) connecting TO an outside server. That does make a difference to the rule setup. For some reason I was thinking you had a plex server locally and were trying to use that.
A client in most cases will pick a random src-port when making a connection. It's the destination port that will usually be static, so that is what you are looking for. If the traffic is coming from the client on the LAN interface, then it will see the 192.168.1.13 connections. Since the client is local and not the server, you do not need to catch both parts of the connection to prevent them from traversing the VPNs.
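The two exceptions discussed in this thread (the accept rule for the incoming-VPN address pool from the earlier post, and the destination-port accept for a local client from the reply just above), written out as RouterOS CLI rules. This is an added example, not any poster's actual configuration. It assumes RouterOS v6 syntax (v7 uses `/routing table` and `routing-table=` instead of `routing-mark=`); 192.168.89.0/24 is a constructed stand-in for the L2TP client pool and `bridge` is an assumed LAN interface name, while 192.168.1.13, port 32400 and the `expressvpn` gateway are taken from the thread.

```routeros
# Added example, not from the thread. Assumptions:
#   - RouterOS v6 syntax
#   - 192.168.89.0/24 = pool handed to incoming L2TP clients (constructed)
#   - 192.168.1.13    = LAN client whose traffic goes over the VPN (from the thread)
#   - "expressvpn"    = on-demand L2TP/IPsec client interface (from the thread)
#   - "bridge"        = LAN-facing interface (assumed)
/ip firewall mangle
# 1. Exception for the incoming VPN. action=accept ends processing of this
#    packet in the prerouting chain, so the mark-routing rule below is never
#    reached and replies to the remote user follow the normal routing table.
add chain=prerouting src-address=192.168.89.0/24 action=accept \
    comment="incoming L2TP clients: never route over outgoing VPN"
# 2. Exception for one application. A local client picks a random source
#    port, so the stable value to match is the DESTINATION port.
add chain=prerouting src-address=192.168.1.13 protocol=tcp dst-port=32400 \
    action=accept comment="Plex client traffic stays on the normal route"
# 3. Everything else from that client gets the routing mark. passthrough=no
#    stops processing here, so any exception placed below this rule is dead.
add chain=prerouting src-address=192.168.1.13 action=mark-routing \
    new-routing-mark=via-vpn passthrough=no comment="client -> outgoing VPN"
/ip route
add dst-address=0.0.0.0/0 gateway=expressvpn routing-mark=via-vpn \
    comment="policy route for marked traffic"
# Verification: packet/byte counters show whether an exception rule ever matched.
/ip firewall mangle print stats
# Live view of what the client actually sends, on the interface facing it.
/tool torch interface=bridge src-address=192.168.1.13 port=any
```

Rule order is the whole point: the two accept rules only work because they sit above the mark-routing rule, and the counters from `print stats` (the "is the first rule incrementing" check from earlier in the thread) tell you whether a rule is matching at all before you start guessing at ports.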
Just tried this, unfortunately the same result.. I see no traffic getting "caught" by this rule (I placed it above the rule giving the VPN routing mark).. It seems to go through it, get the VPN routing mark and get routed over the VPN..
Then use the Torch tool to see what is going on traffic-wise when you try and connect to the Plex server.
Set the interface to your LAN, the one facing the Plex client. Specify the Src. Address of 192.168.1.13 and try and connect to the Plex service. You will be able to watch the various connections coming from that IP address and it should help you narrow down and figure out what is going on.
Thanks a lot for your help, just tried that again for an hour… Don't understand it at all.. I see numerous ports coming through, they also change.. I'll solve it another way! You can't win them all.
I have looked (and not found) setup guides for Mikrotik and ExpressVPN that work. I have tried to follow guides by other VPN providers, but nothing seems to work for me; I tried PPTP, L2TP and OpenVPN.
Please can you let me know how you got the VPN connection to establish?