Policy Based Routing

muffen · August 15, 2012, 9:55am

I am having an issue with policy based routing that I was hoping someone can help me with.

I have a home-office with an ADSL connection and a routerboard 600A.
When I work for certain clients I need to VPN into their network. Since I find it painful to change VPN tunnels constantly, I’ve setup the VPN through the Mikrotik router, and would like the traffic to choose the right path.

I’ve done the following so far, as a test.

I added a new interface (PPTP Client) and setup the VPN to the customer (tunnel is established), called it TestVPN.
As a test, I added a Mangle rule for one of my machines with the following config: Chain=prerouting, Src.Address=My_IP, Action=mark_routing, New Routing Mark=VPN, Passthrough=No.
I added a new route with the following configuration: Dst.Address=0.0.0.0/0, Gateway=TestVPN, Routing Mark=VPN

Enabling this however results in no network connectivity. However, if I establish the PPTP tunnel directly from my system it works just fine.

Any ideas what the problem could be or what I should check for?

Thanks!

greencomputing · August 16, 2012, 10:21am

Hi sir

the rule will route all your internet traffic trough client vpn so you need to specify also the client dst address/network to be sure that only traffic to the client network will be routed trough VPN.

So the idea is, if you know that client private ip/network is CLIENT_IP or CLIENT_NETWORK, to use the following rule :

  
/ip firewall mangle 
add action=mark-routing chain=prerouting dst-address= dst-address-type=!local new-routing-mark=VPN passthrough=no src-address=My_IP  dst-address= CLIENT_NETWORK

or 
/ip firewall mangle 
add action=mark-routing chain=prerouting dst-address= dst-address-type=!local new-routing-mark=VPN passthrough=no src-address=My_IP  dst-address= CLIENT_IP

hoping this will help you
have a nice day

muffen · August 20, 2012, 7:45pm

Hi,

Thanks for the reply, however, it is not working. I am trying to route all traffic through to the customer, once I get it working I can work on tweaking the mangle rules. Right now, I just want all traffic from my computer to go through the customer, this way I can make sure it works.

Any ideas what could be wrong?

StubArea51 · August 21, 2012, 3:20am

Can you post your routing table and a compact export of your mangle rules?

MikroTikIQ · September 4, 2012, 11:08pm

Hi…

To reach each network you need to have specific route to that network..

Let say one of your client have network 10.0.0.0/24 and another one have 10.1.1.0/24 and you just connect to your clients network using vpn,
now you have multi vpn connection on your router and Still your route dont have any idea how to reach 10.0.0.0/24 and 10.1.1.0/24…

So by adding static route you will learn you router how to reach multi network via different path..
i.e

/ip route add dst-address=10.0.0.0/24 gatway=vpn-01
/ip route add dst-address=10.1.1.0/24 gatway=vpn-02

This way you will able to reach all you client network at the same time even if you have multiple vpn conneted..

Just please uncheck option use-as-default-route… this will avoid to make any of that vpn connection ad default route…

Wish you good luck

Please update me if all is work well

Ali Sami