Mikrotik to Mikrotik VPN for specific port only

Term · October 29, 2020, 5:46pm

Hello,
have mikrotik at home.
ETH1 = PPPoE to my ISP
ETH10 = cisco switch

I want to connect voip phone to ETH2. Have connected VPN to our company. All I need is traffic thru VPN only for voip phone (eth2). All other devices like computer, laptop, mobile will go thru my ISP, not VPN.

Possible to create this? Can anybody show me how?
Thank you

satman1w · October 30, 2020, 8:26am

of course it is possible.
google “mikrotik split tunnel” and you will find out how to do it!
ok?

Term · December 16, 2020, 6:11pm

Hello,
it worked fine. I reseted MT because of a lot of stuff was there. I created everything again (dhcp, vpn etc). My problem is I can’t found a tutorial how to create VPN only for 1 ethernet…

Any help please?

satman1w · December 17, 2020, 5:45am

Please explain

Term · December 17, 2020, 4:37pm

as I wrote in first post. have RB. eth1 is WAN, eth10 is connected to switch. I have VoIP connected to eth2. That VoIP need to connects to our company through VPN.
Want to use VPN only for eth6. So for example computer will not route through VPN.

aesmith · December 17, 2020, 5:01pm

There might be a simpler solution. If your VoIP phone only communicates with specific hosts at the company, or specific subnets, then you can add routes for those addresses via the VPN. That is easy because the natural behaviour of a router is to forward based on destination address.

It gets more complex if you want to route based on source address. Mikrotik and others use the generic term “Policy Based Routing”. Essentially you create a Mangle rule to recognise your traffic of interest, in this case anything from your VoIP phone, the action is “mark routing” and you give it some meaning full mark like “VoIP-VPN”. You then create a route via your VPN and specify that same “VoIP-VPN” as the routing mark.

Term · December 17, 2020, 5:09pm

thank you. can you be more specific please? really don’t know how to do that..

Attaching small screenshot as visualisation

aesmith · December 17, 2020, 5:12pm

Here’s an example I did for test, I’m matching destination address in the mangle rule whereas you would match by source

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=8.8.4.4 new-routing-mark=FISH passthrough=yes
/ip route
add check-gateway=ping comment="*** ADSL - PBR Test ***" distance=1 gateway=172.17.88.2 routing-mark=FISH

Maybe you’d want to mark the connection first, then mark packets from the connection rather than purely packet-by-packet, this was just a rough and ready test I did.