L2TP VPN

Hi,

I don't really know all that much about these MikroTik routers; I've done some research though and have an RB850G.

My problem is that I had someone help me set up an L2TP VPN, but I only need it to access 3 machines (3 IP addresses), so only that traffic should run over the VPN. But it seems that when I connect from my home to the place where the MikroTik is, it runs all traffic through it. This means that rather than having my 100mb connection, I have a 30mb connection (which is at the MikroTik end) when connected to the VPN, as it seems to put all traffic through it.

Is there a way to only put the 3 IP addresses down it, so that only that traffic runs down it and I can use my own internet connection for everything else, rather than being slowed down to a third of my connection speed when connected to the VPN?

I have asked a similar question:
http://forum.mikrotik.com/t/l2tp-to-specific-port-on-switch/142367/1

Apparently it's an IPv4 - Firewall - Mangle rule that will do the job :)
Searching now how to achieve this :)

It depends on how the decision to route traffic via the VPN is going to be made. If there are a small number of destination addresses, e.g. a few company subnets, you can use static routes to direct traffic to those addresses via the VPN.

However, if there are a small number of local source addresses, e.g. a couple of PCs, which must send traffic to any address via the VPN, you do need mangle rules to mark connections from those source addresses, mark routes from the connection marks, and have additional marked routing table entries. It is similar to multi-WAN setups, but with WAN + VPN destinations rather than WAN1 + WAN2.
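The destination-based variant described above (a few remote hosts reached via the tunnel, everything else via the local ISP), written out as an added example that is not from this thread or from MikroTik's documentation. It uses RouterOS v6 syntax; the interface name l2tp-out-site, the server name vpn.example.net, the three 10.10.10.x host addresses and the credentials are all assumed placeholders:

```routeros
# Added example (not from the thread). RouterOS v6 syntax; all names and
# addresses are assumed placeholders.
# Goal: only traffic to three remote hosts goes through the L2TP tunnel;
# everything else keeps using the local ISP default route.

# 1. Bring the tunnel up WITHOUT letting it install a default route.
#    add-default-route=yes is what sends *all* traffic down the VPN.
/interface l2tp-client
add name=l2tp-out-site connect-to=vpn.example.net user=vpn password=CHANGE_ME \
    use-ipsec=yes ipsec-secret=CHANGE_ME add-default-route=no disabled=no

# 2. Host routes (/32) for just the three machines; the gateway is the
#    tunnel interface, so no remote gateway address is needed.
/ip route
add dst-address=10.10.10.21/32 gateway=l2tp-out-site distance=1 comment="site host A via VPN"
add dst-address=10.10.10.22/32 gateway=l2tp-out-site distance=1 comment="site host B via VPN"
add dst-address=10.10.10.23/32 gateway=l2tp-out-site distance=1 comment="site host C via VPN"

# 3. Source NAT so the remote site sees the tunnel address rather than
#    the local LAN range (which it has no route back to).
/ip firewall nat
add chain=srcnat out-interface=l2tp-out-site action=masquerade comment="NAT LAN to VPN"

# 4. Verification: the 0.0.0.0/0 route must still point at the ISP, and the
#    tunnel must appear only on the three /32 entries.
/ip route print where dst-address=0.0.0.0/0
/ip route print where gateway=l2tp-out-site
```

The same idea applies when the VPN client is a PC rather than a router: the equivalent of add-default-route=no is disabling the "use remote gateway / default route" option in the client's VPN settings, after which only routes you add by hand go through the tunnel.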

In the computer you’re using to access the VPN, you can disable use of the VPN for default route in the VPN settings.

I am trying it on a PC with Debian and an Android mobile phone connected to an AP in bridge mode.



/interface l2tp-client
add add-default-route=yes allow-fast-path=yes comment="l2tp-out-vpn-hkg" connect-to=xxxxxxx.xxxxxxx.net disabled=no ipsec-secret=vpn name=\
   l2tp-out-HK password=vpn profile=l2tp-out-HK use-ipsec=yes user=vpn

# one mangle rule per source host, all setting the same routing mark
/ip firewall mangle
add action=mark-routing chain=prerouting comment="l2tp-out-vpn-hkg" log=yes new-routing-mark=l2tp-out-vpn passthrough=yes src-address=192.168.1.52
add action=mark-routing chain=prerouting comment="l2tp-out-vpn-hkg" log=yes new-routing-mark=l2tp-out-vpn passthrough=yes src-address=192.168.1.10
add action=mark-routing chain=prerouting comment="l2tp-out-vpn-hkg" log=yes new-routing-mark=l2tp-out-vpn passthrough=yes src-address=192.168.1.5

# out-interface must match the l2tp-client name above (l2tp-out-HK);
# the posted rules referenced a non-existent l2tp-out-VPN-HK
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=l2tp-out-HK src-address=192.168.1.52
add action=masquerade chain=srcnat log=yes out-interface=l2tp-out-HK src-address=192.168.1.10
add action=masquerade chain=srcnat log=yes out-interface=l2tp-out-HK src-address=192.168.1.5

# default route used only by packets carrying the routing mark
/ip route
add distance=1 gateway=l2tp-out-HK routing-mark=l2tp-out-vpn

But it still does not work …

If the computer is initiating the VPN connection, then I believe you will need to figure out how to remove the VPN from becoming the default route in that OS. Unless you were to make your AP become the VPN client, at which point you can set the route rules.

Sorry, the PC/Android mobile are slaves; it's the MikroTik router that has the L2TP tunnel created, and I want "all" the traffic from those 2 devices (PC/Android connected to the MikroTik) to be routed via the L2TP.

So when you say static routes, can you give me an example please?
Is
/ip route add distance=1 gateway=l2tp-out-HK routing-mark=l2tp-out-vpn
not sufficient?


You should have add-default-route=no under /interface l2tp-client - this is likely what is causing all your local devices to use the VPN connection.

It would be better to use a single mangle rule with an address list rather than having three mangle rules with individual addresses, as it reduces the CPU processing. Often marking new connections with a connection mark, and then adding route marks if the connection mark is present, is yet more efficient.

Also you can either use the same address list in the NAT rule, or not specify addresses at all as only the marked traffic will be leaving via the out-interface.
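The three suggestions in this reply (add-default-route=no, one address-list mangle rule with a connection mark feeding a routing mark, and a NAT rule that matches only on the out-interface) combined into one configuration, as an added example that is not from the thread or from MikroTik's documentation. RouterOS v6 syntax; the list name vpn-clients, the marks vpn-conn and to-vpn, the server name and credentials are assumed placeholders, while the interface name l2tp-out-HK and the 192.168.1.x addresses are taken from the configuration posted earlier in the thread:

```routeros
# Added example (not from the thread). RouterOS v6 syntax; list and mark
# names, server name and credentials are assumed placeholders.
# Source-based policy routing: every packet from a host in address list
# "vpn-clients" leaves via the L2TP tunnel; all other LAN hosts keep the
# ISP route because the tunnel installs no default route.

/interface l2tp-client
add name=l2tp-out-HK connect-to=vpn.example.net user=vpn password=CHANGE_ME \
    use-ipsec=yes ipsec-secret=CHANGE_ME add-default-route=no disabled=no

# The set of hosts that should use the VPN; edit the list, not the rules.
/ip firewall address-list
add list=vpn-clients address=192.168.1.5 comment="PC"
add list=vpn-clients address=192.168.1.10 comment="phone"
add list=vpn-clients address=192.168.1.52 comment="laptop"

/ip firewall mangle
# Evaluate the address list only on the first packet of a connection ...
add chain=prerouting connection-state=new src-address-list=vpn-clients \
    action=mark-connection new-connection-mark=vpn-conn passthrough=yes \
    comment="tag new connections from VPN clients"
# ... and derive the routing mark from the cheap connection-mark lookup
# for every later packet of that connection.
add chain=prerouting connection-mark=vpn-conn action=mark-routing \
    new-routing-mark=to-vpn passthrough=no \
    comment="route tagged connections via VPN"

# No src-address needed: only routing-marked traffic can leave this interface.
/ip firewall nat
add chain=srcnat out-interface=l2tp-out-HK action=masquerade comment="NAT to VPN"

# Default route that exists only in the "to-vpn" routing table. Marked
# packets with a more specific match in the main table (e.g. the LAN
# itself) still fall back to the main table, so local traffic keeps working.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out-HK routing-mark=to-vpn distance=1 \
    comment="default route for marked traffic only"

# Checks: rule counters should increase only for listed hosts, and the
# unmarked 0.0.0.0/0 route must still point at the ISP.
/ip firewall mangle print stats
/ip route print where routing-mark=to-vpn
```

On RouterOS v7 the routing-mark table has to be declared first (/routing table add name=to-vpn fib) and the route uses routing-table=to-vpn instead of routing-mark=to-vpn; the mangle and NAT rules are unchanged.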