Hi,
I’m trying to do something similar to what is described here - http://wiki.mikrotik.com/wiki/Policy_Base_Routing The sites in Address List called rcn should go through the VPN, everything else is routed through ether1.
The address list exists and shows proper values:
# LIST ADDRESS TIMEOUT
0 ;;; RCN Blacklist
rcn 195.82.146.214
1 rcn 108.174.10.10
2 rcn 23.22.128.188
But it doesn’t work for me for some reason.
I set up an L2TP VPN client which works fine when I have the “Add default route” option enabled, but in this case everything goes through the VPN interface, of course. If I remove the option, the sites I want to access via VPN become unreachable in a weird way - I can ping them and traceroute shows that packets go through the VPN, but I cannot reach them using the browser.
Here are my settings:
The NAT rules:
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
1 D ;;; upnp 192.168.88.252: Skype UDP at 192.168.88.252:32453 (3611)
chain=dstnat action=dst-nat to-addresses=192.168.88.252 to-ports=32453
protocol=udp dst-address=192.168.100.14 in-interface=ether1
dst-port=32453
2 D ;;; upnp 192.168.88.252: Skype TCP at 192.168.88.252:32453 (3611)
chain=dstnat action=dst-nat to-addresses=192.168.88.252 to-ports=32453
protocol=tcp dst-address=192.168.100.14 in-interface=ether1
dst-port=32453
3 ;;; Masquerade for L2TP
chain=srcnat action=masquerade out-interface=HMA_L2TP log=no
log-prefix=""
The Mangle rules:
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 ;;; Mark for L2TP
chain=prerouting action=mark-routing new-routing-mark=L2TP
passthrough=yes src-address=192.168.88.2-192.168.88.254
dst-address-list=rcn log=yes log-prefix="rcn"
The routing table (the gateway HMA_L2TP is displayed as reachable):
1 A S 0.0.0.0/0 HMA_L2TP 1
2 ADS 0.0.0.0/0 192.168.100.1 1
3 ADC 10.200.24.1/32 10.200.25.3 HMA_L2TP 0
4 ADC 192.168.88.0/24 192.168.88.1 bridge 0
5 ADC 192.168.100.0/24 192.168.100.14 ether1 0
When I enable the “Add default gateway” option, everything works, and the routing table looks like this:
1 ADS 0.0.0.0/0 10.200.24.1 0
2 DS 0.0.0.0/0 192.168.100.1 1
3 ADC 10.200.24.1/32 10.200.25.5 HMA_L2TP 0
4 ADS 72.8.134.120/32 192.168.100.1 0
5 ADC 192.168.88.0/24 192.168.88.1 bridge 0
6 ADC 192.168.100.0/24 192.168.100.14 ether1 0
Like I said, I cannot reach the sites in the address list - they either fail to load after a timeout, or more weirdly, go through ether1 like there’s no VPN.
The log shows that an ACK and SYN are sent properly through the VPN interface, and the Masquerade rule works, but after a minute or so an ACK, RST is sent and everything stops.
The VPN has a dynamic IP address, so I cannot just write it down as a static route.
I’m banging my head against the wall already with this, so please help!
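For reference, this is how the Policy_Base_Routing approach linked in the post is normally assembled on RouterOS: the mangle rule selects the traffic, a default route carrying the same routing-mark sends it out the tunnel (so no static route to the provider's changing address is needed), and masquerade rewrites the source. This is an added example, not the poster's configuration and not copied from the wiki; the names HMA_L2TP, L2TP and rcn come from the post, while the fasttrack exclusion and the MSS clamp are assumptions about a default firewall that the post does not show.

```routeros
# Added example: policy-based routing of an address list over an L2TP client.
# Names (HMA_L2TP, L2TP, rcn) are from the post; everything marked as an
# assumption must be checked against the real configuration.

# 1. Destinations that must leave through the tunnel.
/ip firewall address-list
add list=rcn address=195.82.146.214 comment="RCN Blacklist"
add list=rcn address=108.174.10.10
add list=rcn address=23.22.128.188

# 2. Mark the connection once, then mark routing for LAN-originated packets
#    of that connection. Marking in prerouting happens before route lookup.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=rcn \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=rcn-conn passthrough=yes
add chain=prerouting src-address=192.168.88.0/24 connection-mark=rcn-conn \
    action=mark-routing new-routing-mark=L2TP passthrough=yes \
    log=yes log-prefix="rcn"

# 3. A default route that exists only in the L2TP routing table. The gateway
#    is the tunnel interface, so it survives the provider handing out a new
#    address. "Add default route" on the L2TP client stays disabled so the
#    main table keeps ether1 as its default.
/ip route
add dst-address=0.0.0.0/0 gateway=HMA_L2TP routing-mark=L2TP distance=1

# 4. Source NAT for traffic leaving through the tunnel (as in the post).
/ip firewall nat
add chain=srcnat out-interface=HMA_L2TP action=masquerade

# 5. Assumption: the default firewall has a fasttrack rule. Fasttracked
#    connections bypass mangle after their first packets, so a browser
#    session can silently fall back to the main table and exit via ether1.
#    Keep the marked connections out of fasttrack.
/ip firewall filter
set [ find action=fasttrack-connection ] connection-mark=no-mark

# 6. Assumption: the tunnel MTU is smaller than the LAN MTU. Ping succeeding
#    while browsers stall is typical of that; clamp MSS for tunnel traffic.
/ip firewall mangle
add chain=forward out-interface=HMA_L2TP protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# 7. Verification: the marked route must be active in its own table, and the
#    mangle counters should grow while a browser loads a listed site.
/ip route print where routing-mark=L2TP
/ip firewall mangle print stats where new-routing-mark=L2TP
```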