L2TP/IPSec VPN issues

Hello,

We are using a hotspot with PCC for redundancy, and we are having issues making it so that guests behind the hotspot are able to connect to their VPNs. I was wondering if anyone could possibly help.

What I am currently trying to do is to have the mangle rules watch for the protocols/ports that start a VPN tunnel, and then add that person to an address list. Then in NAT I have a rule where people that are in that address list will be src-nat'ed to a different IP range on the MT. However, I am not having much success in this regard.

The current specific rules I have are as follows:

/ip firewall nat
add action=src-nat chain=srcnat comment="SRC NAT VPNs ISP" disabled=no \
    hotspot=auth out-interface=ether1 src-address-list="VPN Connection" \
    to-addresses=x.x.x.6-x.x.x.29
/ip firewall mangle
add action=add-src-to-address-list address-list="VPN Connection" \
    address-list-timeout=30s chain=prerouting comment=\
    "Add VPNs to an address list" disabled=no dst-port=500 protocol=udp
add action=add-dst-to-address-list address-list="VPN Connection1" \
    address-list-timeout=30s chain=prerouting comment=\
    "Add VPNs to an address list" disabled=no dst-port=500 protocol=udp
add action=add-src-to-address-list address-list="VPN Connection" \
    address-list-timeout=30s chain=prerouting comment="" disabled=no \
    dst-port=4500 protocol=udp src-address-list="VPN Connection"
add action=add-src-to-address-list address-list="VPN Connection" \
    address-list-timeout=30s chain=prerouting comment="" disabled=no \
    dst-port=1723 protocol=tcp
add action=add-src-to-address-list address-list="VPN Connection" \
    address-list-timeout=30s chain=prerouting comment="" disabled=no \
    protocol=gre
add action=mark-routing chain=prerouting comment="" disabled=no \
    hotspot=auth new-routing-mark=outside1_connection passthrough=yes \
    src-address-list="VPN Connection"
add action=accept chain=prerouting comment=\
    "Stop processing the rules for PCC with a VPN" disabled=no hotspot=auth \
    in-interface="Guest Network" src-address-list="VPN Connection"

One thing that I am noticing is that when someone is added to the address list and they are being src-nat'ed instead of hitting the mangle rule, they can no longer pass any traffic until they are removed from the address list. Any assistance in getting this working properly would be greatly appreciated. Thanks.
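The usual way to pull VPN tunnels out of PCC is to mark the tunnel's connection on its first packet and then route and NAT on the connection mark, rather than on a per-source address list. Below is an added example of that layout; it is not the original poster's configuration. It assumes the hotspot interface is "Guest Network", the dedicated VPN WAN is ether1, the routing mark outside1_connection and the public range x.x.x.6-x.x.x.29 are the ones from the post, and that the PCC mark-routing rules already exist further down the mangle chain.

```routeros
# Added example, not the poster's config. Assumed names: "Guest Network",
# ether1, outside1_connection, x.x.x.6-x.x.x.29 (all taken from the post).

/ip firewall mangle
# 1) Mark the VPN connection on its first packet only. Connection tracking
#    then carries the mark on every later packet of that tunnel, in both
#    directions, so no per-client address list is needed.
add chain=prerouting in-interface="Guest Network" hotspot=auth \
    connection-state=new protocol=udp dst-port=500,4500,1701 \
    action=mark-connection new-connection-mark=vpn_conn passthrough=no \
    comment="IKE, NAT-T and L2TP"
add chain=prerouting in-interface="Guest Network" hotspot=auth \
    connection-state=new protocol=ipsec-esp \
    action=mark-connection new-connection-mark=vpn_conn passthrough=no \
    comment="ESP for IPsec peers that are not behind NAT"
add chain=prerouting in-interface="Guest Network" hotspot=auth \
    connection-state=new protocol=tcp dst-port=1723 \
    action=mark-connection new-connection-mark=vpn_conn passthrough=no \
    comment="PPTP control channel"
add chain=prerouting in-interface="Guest Network" hotspot=auth \
    connection-state=new protocol=gre \
    action=mark-connection new-connection-mark=vpn_conn passthrough=no \
    comment="PPTP GRE"

# 2) Route marked connections out the VPN WAN. This rule must sit ABOVE the
#    PCC mark-routing rules; passthrough=no stops PCC from re-marking them.
add chain=prerouting in-interface="Guest Network" connection-mark=vpn_conn \
    action=mark-routing new-routing-mark=outside1_connection passthrough=no \
    comment="VPN tunnels bypass PCC"

/ip firewall nat
# 3) NAT on the connection mark, not on the client's source address, so only
#    the tunnel uses the dedicated range and the client's other traffic keeps
#    the normal PCC NAT. action=same keeps one client on one public address
#    across its IKE (500), NAT-T (4500) and ESP connections, which a plain
#    src-nat with an address range does not guarantee. Place this rule above
#    the general masquerade/src-nat rules.
add chain=srcnat connection-mark=vpn_conn out-interface=ether1 \
    action=same same-not-by-dst=yes to-addresses=x.x.x.6-x.x.x.29 \
    comment="Dedicated public range for VPN tunnels"
```

Two caveats when testing this. A NAT mapping and a connection's routing decision are fixed when conntrack first sees the connection, so rules that change the src-nat or routing mark of a client mid-stream never take effect on connections that already exist; clear the relevant entries in /ip firewall connection (or have the client reconnect) after changing the rules. And because the mark is per connection rather than per client, a client whose address would later be dropped from an address list is no longer affected: the tunnel keeps its mark for as long as it is tracked, and unrelated traffic from the same client is never touched.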