I’m trying to run a Mikrotik device as a VPN client for an Apple TV box, since it is not possible to run VPN software directly on Apple TV.
The intent is to use a Mikrotik device as a bridge to the existing network. At the same time, have the Mikrotik device create an IPsec tunnel, and then use IP Firewall rules to control what is put into the tunnel (when working, all traffic besides internal networks).
I want to do this as a bridge for multiple reasons:
I keep my original network setup intact with existing firewall, DNS and DHCP
Existing client devices (computers, phones etc.) should still be able to control the Apple TV box on the same broadcast domain
Apple TV should be able to communicate with the existing internal network
I want to be able to use a small Mikrotik device, that might not be able to accommodate all traffic
On top of the IPsec configuration, I have been using “option 2”, using an IP Firewall mangle rule. In this testing phase, the rule has only been created to forward all traffic to 8.8.8.8, but this will be changed when the setup is working.
I’ve seen use-ip-firewall=yes in /interface bridge settings to break NAT operation, whereas you need NAT to work properly so that the connections marked with connection-mark=nordvpn would get src-nated to the address assigned by NordVPN’s IPsec responder peer.
So to make the Apple TV connect to the internet via the tunnel, you’ll have to set Mikrotik as the default gateway for the Apple TV on your DHCP server, and set use-ip-firewall and use-ip-firewall-for-vlan to no under /interface bridge settings.
If your DHCP server is not flexible enough, come back for some more tricks.
Setting the Apple TV’s default gateway to the Mikrotik was actually what I tried to avoid. I want all devices on the client network to be able to communicate directly with the Apple TV, and have the Apple TV be able to communicate with any devices on the client network (same broadcast domain). I also wanted to use existing routing for communication with other networks.
I hoped that you could use the IP Firewall on the bridge interface - only intercepting the traffic that should be forwarded to the IPsec tunnel, and keep hands off all other traffic.
Devices in the same subnet/broadcast domain will talk directly to the Apple TV, so to talk to them, the default gateway will not be used at all. It is only used for traffic routed towards addresses outside the own subnet.
You are of course absolutely correct, I don’t know how I couldn’t see that.
How will the traffic flow be for communication from Apple TV to other subnets, if I change the default gateway to the Mikrotik - would I need to configure anything specific for other devices being able to reach back to the Apple TV device?
If you have in mind other subnets at the site, you don’t need to change the settings on those other devices. The main router of the subnet where the Apple TV is connected will still be in the same subnet as the Apple TV and the Mikrotik, and will be able to deliver packets to the Apple TV directly at L2, like all the other devices in the same subnet. But one of the following mechanisms must be available on the Apple TV so that the Apple TV would send packets to other site subnets via the main router rather than via the Mikrotik:
if it supports DHCP Option 121 or DHCP Option 249, you can use the supported one to push a routing table to it from the DHCP server. The difference is that Option 249 is used in addition to the default gateway option, whereas the presence of Option 121 supersedes the default gateway option. In this case, the Apple TV will send these packets to the main router straight away.
if it supports ICMP redirect packets, it is enough that the Mikrotik has routes to the other local subnets with the main router’s IP address as gateway. When the Mikrotik receives a packet for which the routing returns a gateway address in the same subnet as the source address of the packet, it sends back to the sender an ICMP redirect message indicating that there is a better gateway available. I’m not sure what happens if Mikrotik has only a default route to those subnets, as I do not remember whether it sends the dst-address prefix of the route in the ICMP redirect packet (so if there was only the default route on the Mikrotik, it could ruin the whole idea) or whether the redirection is sent just for the individual destination address.
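To make the DHCP Option 121 mechanism from the post above concrete, here is an added example (not code from this thread or from any of its posters) that builds and parses the RFC 3442 classless static route payload and then shows which gateway a host holding that table would pick per destination. It assumes a constructed 192.168.1.0/24 subnet with 192.168.1.1 as the main router and 192.168.1.2 as the Mikrotik; both addresses are hypothetical. Because Option 121 supersedes the router option, the default route is listed in the table explicitly, exactly as the post warns. Option 249 carries the same wire format, so the encoder applies to it as well.

```python
"""Build and decode a DHCP Option 121 (RFC 3442 classless static routes) payload
and show which gateway a host using that table would pick per destination.

Added example; the addresses below are constructed for illustration:
  192.168.1.1  hypothetical main router of the Apple TV's subnet
  192.168.1.2  hypothetical Mikrotik (VPN client, default route)
"""
import ipaddress

OPTION_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442; Microsoft's option 249 uses the same format

MAIN_ROUTER = "192.168.1.1"  # constructed
MIKROTIK = "192.168.1.2"     # constructed

# Private ranges stay with the main router; everything else goes to the Mikrotik.
# Option 121 replaces the router option (3), so the default route is listed explicitly.
ROUTES = [
    ("10.0.0.0/8", MAIN_ROUTER),
    ("172.16.0.0/12", MAIN_ROUTER),
    ("192.168.0.0/16", MAIN_ROUTER),
    ("0.0.0.0/0", MIKROTIK),
]


def encode_classless_routes(routes):
    """Encode (destination, gateway) pairs into the RFC 3442 option payload.

    Each route is: 1 byte prefix length, ceil(prefixlen/8) significant
    destination octets, then the 4-byte gateway address.
    """
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest)  # strict: host bits must be zero
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Parse an RFC 3442 payload back into (destination, gateway) pairs.

    Rejects prefix lengths above 32 and payloads that end mid-route, which
    is what a DHCP client should do before installing any of the routes.
    """
    routes = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen}")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        gateway = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        network = ipaddress.IPv4Network((ipaddress.IPv4Address(dest), prefixlen))
        routes.append((str(network), str(gateway)))
    return routes


def build_option(payload, code=OPTION_CLASSLESS_STATIC_ROUTE):
    """Wrap the payload as a DHCP TLV: code, length, value (length must fit one byte)."""
    if len(payload) > 255:
        raise ValueError("option payload too long for a single DHCP option")
    return bytes([code, len(payload)]) + payload


def lookup_gateway(routes, destination):
    """Longest-prefix match, as the host's routing table does with the pushed routes."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gateway)
    return best[1] if best else None


if __name__ == "__main__":
    payload = encode_classless_routes(ROUTES)
    print("option 121 payload:", payload.hex())
    print("decoded:", decode_classless_routes(payload))
    for target in ("8.8.8.8", "10.1.2.3", "192.168.1.50"):
        print(target, "->", lookup_gateway(ROUTES, target))
```

Running it shows 8.8.8.8 resolving to the Mikrotik while 10.1.2.3 resolves to the main router, which is the split the post describes. The decoder's length checks matter on the receiving side: a client that installs routes from a malformed or truncated option without validating it can end up with a broken or attacker-shaped routing table, so a DHCP client should reject the whole option rather than install a partial one.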
I am not convinced.
Why would one want to put a perfectly good gigabit-port-connected Apple TV device for the purpose of streaming high quality video and then hamstring it with some third party VPN.
My assumption is that you are trying to circumvent something and perhaps this is a work environment…???
This is exactly why I tried to avoid the change of gateway in the first place. But if Mikrotik is not able to support this in any way, I will try this one and see how it goes.
Apple TV is not some hackable android device, there are no such settings or places to config it for ICMP or anything else… No I can’t help your config and yes my illegal usage speculation sensor is tingling (or it’s homework you want others to solve for you), but if you come to Canada, weed is legal and probably can find you better stuff than you seem to be smoking.
Well the answer is MT VPN is designed to work with remote clients or other company VPN connections and not to connect to 3rd party VPN providers. However many have made it work with various 3rd party VPN providers… perhaps that is where you are headed?
For Apple TV NATing, use the address list and then configure address list name in IPsec->Mode Configs->Src. Address List (not Responder). Use this Mode Config in your NordVPN IPsec Identity.
It’s not much about what Mikrotik is capable of doing, it’s about the networking principles. Even with use-ip-firewall=yes in bridge settings, the frame is still being bridged as its destination MAC address remains the one of the main router’s interface in the AppleTV’s subnet.
So you may try the following:

/interface bridge nat
add chain=dstnat in-interface=etherAppleTV dst-address=10.0.0.0/8 action=accept
add chain=dstnat in-interface=etherAppleTV dst-address=172.16.0.0/12 action=accept
add chain=dstnat in-interface=etherAppleTV dst-address=192.168.0.0/16 action=accept
add chain=dstnat in-interface=etherAppleTV action=redirect

These rules should divert all frames arriving at the ethernet port to which the Apple TV is connected and carrying IP packets with other-than-private destination IP addresses to Mikrotik’s own MAC address, which will make them visible to Mikrotik’s L3 stack, which will thus route them as if it was configured as the default gateway on the Apple TV.
The difference as compared to the ICMP redirection or pushing the routing table via DHCP is that every single frame needs to be handled by all 4 rules (but that would be the same case with use-ip-firewall=yes).
So let’s see how it goes.
Oh yes, and of course there must be hw=no on the row of /interface bridge port which adds the etherAppleTV interface as a member port of the bridge.
I converted the bridge NAT rule to a single entry. I use the mangle rule approach with connection mark. That way I can control the traffic better if I want to add additional VPNs later on.
This is the configuration that works with the original use-case:
BTW: I checked the alternative solution - having the Mikrotik on a stick, and changing the default gateway on the Apple TV. This works as well, without the bridge NAT rule.