Not all traffic is routed through PPTP connection.

Ok, so I've got a PPTP client hooked up on the routerboard and am attempting to push traffic from only one device in a subnet over the VPN.

So, here is my poorly drawn diagram: http://i.imgur.com/2ClFv.png
The device in this case is an Xbox and eth0 is the WAN.

I've got 2 subnets now and am blocking communication between them by dropping connections originating from either subnet bound for the other subnet (is there a better way to do this?). So, for the VPN configuration I've got the PPTP client configured and set up a route to push traffic through when it is tagged with the routing mark "vpn". In firewall mangle I'm tagging, on both output and prerouting, all traffic from the static IP of the device (I tried with MAC but it wasn't working?). It works great for web traffic, which I tested by using my computer's IP in place of the Xbox IP: I can tag the traffic as "vpn" and it gets re-routed. Now, the problem is that not all traffic is being captured. I've got torch open watching the IP of the Xbox and can see connections being made on the local (non-VPN) network. When I disconnect from the VPN these are staying open. How can I ensure that all traffic is being tunneled through the VPN? I thought I had dropped all traffic not tagged "vpn" in the firewall that was headed towards the IP, but I had it on "reject" (which should be similar anyway?).

I’m guessing I may not be doing the best job explaining this so if I need to export some settings to help better understand just let me know.

Hi,
please export your ip firewall mangle, ip route and ip address.

/ip firewall mangle
add action=mark-routing chain=prerouting comment="VPN mark" \
    disabled=no new-routing-mark=VPN passthrough=no src-address=\
    192.168.88.192
add action=mark-routing chain=output comment="VPN mark" \
    disabled=no new-routing-mark=VPN passthrough=no src-address=\
    192.168.88.192
add action=mark-connection chain=prerouting comment=http_con disabled=yes \
    dst-port=80 new-connection-mark=http_con packet-mark=http passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting comment="p2p_con mark" disabled=\
    no new-connection-mark=p2p_con p2p=all-p2p passthrough=yes
add action=mark-connection chain=prerouting comment="p2p mark" disabled=no \
    new-connection-mark=p2p p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting comment="p2p mark" disabled=no \
    new-packet-mark=p2p p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="http mark" disabled=yes \
    dst-port=80 new-packet-mark=http passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="other Mark" disabled=no \
    new-packet-mark=other passthrough=yes
add action=mark-packet chain=prerouting comment="voip connection" disabled=no \
    dst-address=192.168.88.193 new-packet-mark=voip passthrough=yes
add action=mark-packet chain=prerouting comment="voip connection" disabled=no \
    new-packet-mark=voip passthrough=yes src-address=192.168.88.193
add action=mark-connection chain=prerouting comment="voip connection" \
    disabled=no new-connection-mark=voip passthrough=yes src-address=\
    192.168.88.193
add action=mark-connection chain=prerouting disabled=no dst-port=80 \
    new-connection-mark=http_conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=http_con disabled=no \
    new-packet-mark=http passthrough=no
add action=mark-connection chain=prerouting comment="other_con Mark" \
    disabled=yes new-connection-mark=other_con passthrough=yes
add action=mark-connection chain=prerouting comment="Other Mark" disabled=yes \
    new-connection-mark=other passthrough=no
add action=change-mss chain=forward comment="pptp time change" disabled=no \
    new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-routing chain=output comment="VPN" disabled=no \
    new-routing-mark=VPN passthrough=yes protocol=udp src-address=\
    192.168.88.192



/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=no \
    interface=ether2 network=192.168.88.0
add address=192.168.0.1/24 comment="test access phone bo" disabled=yes \
    interface=ether2 network=192.168.0.0
add address=192.168.89.1/24 comment="disappeared at some point" disabled=no \
    interface=ether3 network=192.168.89.0
add address=10.0.0.1/24 comment="vlantest" disabled=\
    yes interface=vlan1 network=10.0.0.0



/ip route
add comment="PPTP" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=192.168.1.235 routing-mark=VPN scope=30 \
    target-scope=10
add comment="attempt to TARGET xbox" disabled=no distance=1 dst-address=\
    192.168.88.192/32 gateway=192.168.1.235 routing-mark=VPN scope=30 \
    target-scope=10
add disabled=no distance=1 dst-address=[PPTP ip removed] gateway=ether1-gateway \
    scope=30 target-scope=10
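For comparison, here is an added example (not posted in the thread and not taken from MikroTik's documentation) of the usual RouterOS v6 pattern for forcing one LAN host through a PPTP client and dropping anything from that host that would otherwise leak out the WAN. It marks the connection once on its first packet and derives the routing mark from the connection mark, so every packet of every connection (TCP and UDP alike) gets the same routing decision, and it adds a "kill switch" drop rule for the case where the tunnel is down and the marked packets fall back to the main routing table. The interface names pptp-out1 (the PPTP client) and ether1 (the WAN) and the address list name "lan" are assumptions; 192.168.88.192 and the two LAN subnets are taken from the export above. One thing worth checking in the export itself: the rule near the bottom sets new-connection-mark=http_conn while the following mark-packet rule matches connection-mark=http_con, so that packet-mark rule never fires.

```routeros
# Added example, not the thread's own configuration.
# Assumed names: pptp-out1 = PPTP client interface, ether1 = WAN interface,
# "lan" = address list of local subnets. 192.168.88.192 is the host to tunnel.

/ip firewall address-list
# Local subnets that must keep going out the LAN, not into the tunnel.
add list=lan address=192.168.88.0/24 comment="local subnet"
add list=lan address=192.168.89.0/24 comment="second local subnet"

/ip firewall mangle
# 1. Mark every connection the host originates, once, on its first packet.
add chain=prerouting src-address=192.168.88.192 connection-state=new \
    action=mark-connection new-connection-mark=vpn_conn passthrough=yes \
    comment="host -> vpn: mark new connections"
# 2. Derive the routing mark from the connection mark so every packet of the
#    connection takes the VPN route; skip destinations on the local subnets.
add chain=prerouting connection-mark=vpn_conn dst-address-list=!lan \
    action=mark-routing new-routing-mark=VPN passthrough=no \
    comment="host -> vpn: route by connection mark"
# 3. Clamp TCP MSS on the tunnel so segments fit inside PPTP/GRE.
add chain=forward out-interface=pptp-out1 protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=1300 passthrough=yes comment="pptp mss"

/ip route
# Default route consulted only for packets carrying the VPN routing mark.
add dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=VPN distance=1 \
    comment="PPTP default route for marked traffic"

/ip firewall nat
# Source-NAT the host's traffic to the tunnel's address.
add chain=srcnat out-interface=pptp-out1 action=masquerade comment="pptp nat"

/ip firewall filter
# Kill switch: when the tunnel is down the VPN route disappears, the marked
# packets fall back to the main table and would leave via ether1. Drop them.
add chain=forward src-address=192.168.88.192 out-interface=ether1 \
    action=drop comment="kill switch: host must never leave via WAN"
```

The drop rule is what actually answers "how can I ensure all traffic goes through the VPN": marking only influences route selection, so a leak can still happen whenever the marked route is unavailable, and only a filter rule keyed on the WAN out-interface closes that path. With this arrangement, torch on ether1 filtered by the host's address should show nothing at all, tunnel up or down.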