Hi guys, I just wonder if anyone could do me favour and take a look at my setup. (Don’t laugh, I’m probably doing something fundamentally wrong.)

RB2011 is basically running like a switch for PC_VPN & PC3 and others. All the PCs can access each others’ resources. AC56U is sitting at the gateway simply because of its hardware NAT acceleration. I will lose nearly half the bandwith if RB2011 sits there.

My question is, is it possible to set up MikroTik to divert only traffic from PC_VPN (or to a certain destination) thru its VPN connection, while PC4’s traffic will just go the normal way.

I tried working on Policy Based Routing, but I either have no internet at all for both PC4 and PC_VPN, or all traffic will go thru the normal way, as if there is no VPN.

The following script is my setup, it will probably take you guys just two minutes to work it out, so please do me a favour:



_# oct/30/2014 15:45:20 by RouterOS 6.20

software id = xxxx-xxxx

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether2 ] comment=“Ether2 to 5 switched off Ether2”
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] comment=“Ehter6 to 10 switched off Ether6”
name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=
ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=
ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=
ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=
ether10-slave-local
/ip neighbor discovery
set ether1 discover=no
set ether2 comment=“Ether2 to 5 switched off Ether2”
set ether6-master-local comment=“Ehter6 to 10 switched off Ether6”
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=“”
management-protection=allowed mode=dynamic-keys name=WPA2
supplicant-identity=“” wpa-pre-shared-key=xxxxxxxx wpa2-pre-shared-key=
xxxxxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=
20/40mhz-ht-above distance=indoors l2mtu=2290 mode=ap-bridge
security-profile=WPA2 ssid=MikroTik-6B3A0D
/ip pool
add name=dhcp ranges=192.168.88.11-192.168.88.20
/ip dhcp-server
add address-pool=dhcp interface=ether2 name=default
/port
set 0 name=serial0
/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=
5.254.100.70 dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=
1450 max-mtu=1450 mrru=disabled name=FreeVPN_me password=xxxxxx profile=
default-encryption user=xxxx
/system logging action
set 2 remember=yes
/interface bridge port
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether2
/ip address
add address=192.168.88.1/24 comment=“default configuration” interface=
bridge-local network=192.168.88.0
/ip dhcp-client
add comment=“default configuration” dhcp-options=hostname,clientid interface=
bridge-local
/ip dhcp-server network
add address=192.168.88.0/24 comment=“default configuration” dns-server=
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,114.114.114.114
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment=“default configuration” protocol=icmp
add chain=input comment=“default configuration” connection-state=established
add chain=input comment=“default configuration” connection-state=related
add action=drop chain=input comment=“default configuration” in-interface=
bridge-local
add chain=forward comment=“default configuration” connection-state=
established
add chain=forward comment=“default configuration” connection-state=related
add action=drop chain=forward comment=“default configuration”
connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=no
src-address=192.168.88.103
/ip firewall nat

FreeVPN_me not ready

add action=masquerade chain=srcnat log=yes log-prefix=@@@@@@@@@@
out-interface=FreeVPN_me
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=bridge-local
/ip route
add distance=1 gateway=FreeVPN_me routing-mark=VPN
add distance=1 gateway=bridge-local
/ip upnp
set allow-disable-external-interface=no
/lcd
set enabled=no touch-screen=disabled
/lcd interface pages
set 0 interfaces=“sfp1,ether1,ether2,ether3,ether4,ether5,ether6-master-local,
ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-loc
al”
/snmp
set trap-community=public
/system clock
set time-zone-name=Asia/Hong_Kong
/system identity
set name=MikroTik_AP
/system ntp client
set enabled=yes primary-ntp=223.255.185.2 secondary-ntp=137.189.4.10
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local_

What sort of VPN do you want to use? PPTP? SSTP? OpenVPN? IPSec?
Should the PC_VPN be able to access computers in the 192.168.88.0/24 network?
Should it be able to access internet? Or should all the traffic from that computer be tunneled out through the VPN?

I got this (almost) all sorted out.

I reset the RB2011 back to its original configuration as an AP, and just added a static route between my existing network and the MikroTik. All PCs from two sides can ping each other.

As for VPN, I just followed this excellent advice here to set up Policy Based Routing. It just works like a charm.

http://wiki.mikrotik.com/wiki/Policy_Base_Routing

But now I run into a new problem regarding NFS server:

A NFS Server is running on PC1, PC under the MikroTik cannot see the server, even though they can ping PC1 without problem. What am I missing here?

What ammount of bandwith are we talking about? RB2011 will deal with 200Mb without any problem.
I’ve got a RB951g (less powerfull than yours) with a 200Mb/20Mb and it is allways on holydays …
Did you use a Gb port for the gateway?
Did yo do a bridge with the two inside switches?

RB2011 is wonderful, it’s just that I had fiber to home installed a few weeks ago. Due to its lack of hardware NAT acceleration, it can handle at most 350Mb at times, while Asus AC56U can handle 850Mb or even more.

Did I do a bridge? I did set up static routing on my AC56U, and all PCs from two sides can ping each other. So I guess I did?

A bridge works in layer 2, without routing, in the same subnet. So you’re doing routing, not bridging.
Check if the RB2011 masquerades the 192.168.88.0/24 network, by default it does.

Do you have a 1Gb bandwith ISP?
You’ll need a CCR!
The FTTH are smaller here, usually 100Mb/10Mb.

Can you put your export again?

Thanks for pointing this out. As you can probably tell, I’m just an average home user who is taking a big step up here.

Re masquerades, I didn’t change default configuration, so I think it does. But if you could be kind enough to take a look at export in my reply to the next post, I’d really appreciate.

Yes I do, even though you actually only get 800Mb bandwith or less most of the time.

CCR is good. Some people sugguest getting an EdgeRouter Lite, I’m not too sure sure about that, as commands for Edge is even more CLI based.

Here is my export, thanks!

_#
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] comment=“ether2 to 5 switched from 2” name=
ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local
set [ find default-name=ether4 ] master-port=ether2-master-local
set [ find default-name=ether5 ] master-port=ether2-master-local
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=
ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=
ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=
ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=
ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=
20/40mhz-ht-above distance=indoors l2mtu=2290 mode=ap-bridge ssid=
MikroTik-6B3A0D
/ip neighbor discovery
set ether1-gateway discover=no
set ether2-master-local comment=“ether2 to 5 switched from 2”
/ip pool
add name=default-dhcp ranges=192.168.88.207-192.168.88.210
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=
xxx.xxx.com dial-on-demand=no disabled=no keepalive-timeout=30 max-mru=
1450 max-mtu=1450 mrru=1600 name=xxVPN password=xxxxxxxx profile=
default-encryption user=xxxxxxxx
/system logging action
set 2 remember=yes
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment=“default configuration” interface=
bridge-local network=192.168.88.0
/ip dhcp-client
add comment=“default configuration” dhcp-options=hostname,clientid disabled=
no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment=“default configuration” dns-server=
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=drop chain=forward comment=
"Drop connections when VPN is down " out-interface=ether1-gateway
src-address=192.168.88.207
add action=drop chain=output comment=
“redundant?? Drop connections when VPN is down” dst-address=
192.168.88.207 out-interface=ether1-gateway src-address=192.168.88.207
add action=drop chain=forward comment=
“Drop connections when VPN is down” out-interface=ether1-gateway
src-address=192.168.88.210
add chain=input comment=“default configuration” protocol=icmp
add chain=input comment=“default configuration” connection-state=established
add chain=input comment=“default configuration” connection-state=related
add chain=input comment=“Winbox Remote Access” dst-port=8291 protocol=tcp
add action=drop chain=input comment=“default configuration” in-interface=
ether1-gateway
add chain=forward comment=“default configuration” connection-state=
established
add chain=forward comment=“default configuration” connection-state=related
add action=drop chain=forward comment=“default configuration”
connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting comment=
“Turn on for VPN” new-routing-mark=VPN passthrough=no
src-address=192.168.88.207
add action=mark-routing chain=prerouting comment=“Turn on for VPN”
new-routing-mark=VPN passthrough=no src-address=192.168.88.210
/ip firewall nat
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=ether1-gateway
add action=masquerade chain=srcnat out-interface=xxVPN src-address=
192.168.88.207
add action=masquerade chain=srcnat out-interface=xxVPN src-address=
192.168.88.210
/ip route
add distance=1 gateway=xxVPN routing-mark=VPN
/ip upnp
set allow-disable-external-interface=no
/lcd
set enabled=no touch-screen=disabled
/snmp
set trap-community=public
/system clock
set time-zone-name=Asia/Hong_Kong
/system ntp client
set enabled=yes primary-ntp=223.255.185.2 secondary-ntp=137.189.4.10
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
_

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

You are doing NAT with the RB2011, you have to remove this.

You’ll need a static route on the Asus ponting the Mikrotik to the 192.168.88.0/24 subnet.

Don’t use dhcp on the Mikrotik gateway, is better to use static IP instead.

Thanks. Will try removing NAT with the RB2011.

As for the route on the Asus, I think I’ve done it:

You’re right, Mikrotik RB2011 is not big enough to deal with your bandwith, but the Asus can’t do it either, I think.

In my job I’ll use a Juniper SRX240H2 - SRX500 or a Fortigate 100D - 200D to do that.

Maybe a CCR …

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

You are doing NAT with the RB2011, you have to remove this.

You’ll need a static route on the Asus ponting the Mikrotik to the 192.168.88.0/24 subnet.

Don’t use dhcp on the Mikrotik gateway, is better to use static IP instead.

/ip address
add address=192.168.89.254/24 interface=ether1-gateway network=192.168.89.0

The firewall is ok there is no drop rules on the forward chain.

Put a default route on the Mikrotik pointing the Asus.

/ip route
add check-gateway=ping distance=1 gateway=192.168.89.1

And that’s all, you’ll have two routed subnets inside, but you’ll be using ICMP-redirect at the Asus to go from the servers at the 192.168.89.0/24 subnet to the 192.168.88.0/24, and it is not as good idea as it apears to be, because a lot of devices doesn’t accept ICMP-redirect messages and you won’t have a public IP at the Mikrotik to do VPN-Ipsec tunnels gallop through.

Thanks a lot for the explanation. As you can tell, most of the time I don’t know what I’m doing with my network. So this is like an education to me that I really appreciate.

As for the equipment you mention, they might just be a bit costly for me.

I think Asus is doing OK as far as bandwidth is concerned. My ISP here has a little Iperf test for local (within Hong Kong) network speed test.

(Speed on left is upload, right is download.)

The result is the same if I bypass any router and plug directly to my PC.

However, if I use RB2011 at the gateway, the fastest download speed is like 3xxMbps. So this is why I have this funny looking setup.

In the long run, I think I will need to get a router that is more powerful in terms of throughput (=hardware NAT?), configurable like MikroTik, but less costly comapred with the CCR series. Then I can put every PC and media player under one LAN with some sort of VPN Tunnel established.

Any beginners here have experienced using EdgeRouter Lite, is it gonna be another big step up for me from the MikroTik interface?

Sure. Mikrotik should offer a device able to nat with common firewall rules on around one gbit both ways simultaneously. And it should cost no more than rb2011 to be competitive to other producers.