Hello community,
I have an RB493G router which serves a LAN and is connected to the Internet via one PPPoE connection (wan). In our country (Romania) some services from the USA aren't available (Netflix, Pandora) because of copyright issues. I have found a way to access those services using a USA VPN provider (PureVPN in my case).
I configure the VPN on my laptop and I instantly have access to Netflix and Pandora. I have 2 devices on my network from which I want to access the Netflix and Pandora services, so I thought I'd configure the VPN client on the MT router and, using policy routing, route the connections initiated from those two devices via the PureVPN interface (pvpn-us).
Interfaces
Flags: D - dynamic, X - disabled, R - running, S - slave
10 R ;;; Family Local Area Network - LAN.
name="flan" type="bridge" mtu=1500 l2mtu=1520
13 R ;;; RDS Internet connection.
name="wan" type="pppoe-out" mtu=1480
18 R name="pvpn-us" type="pptp-out" mtu=1400
IP Addresses
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=ether1 actual-interface=ether1
1 ;;; Family network interface.
address=172.21.0.1/24 network=172.21.0.0 interface=flan actual-interface=flan
3 D address=86.126.83.149/32 network=10.0.0.1 interface=wan actual-interface=wan
5 D address=10.3.3.4/32 network=10.3.3.2 interface=pvpn-us actual-interface=pvpn-us
Firewall mangle rules
[admin@MikroTik] > /ip firewall mangle print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=VPN-US passthrough=yes
src-address=172.21.0.65-172.21.0.66
IP Route Rules
[admin@MikroTik] > /ip route rule print detail
Flags: X - disabled, I - inactive
0 dst-address=192.168.88.0/24 action=lookup table=main
1 dst-address=172.21.0.0/24 action=lookup table=main
2 dst-address=172.21.1.0/24 action=lookup table=main
3 routing-mark=VPN-US action=lookup table=VPN-US
IP Routes
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=10.3.3.2 gateway-status=10.3.3.2 reachable pvpn-us distance=1
scope=30 target-scope=10 routing-mark=VPN-US
1 ADS dst-address=0.0.0.0/0 gateway=10.0.0.1 gateway-status=10.0.0.1 reachable wan distance=1
scope=30 target-scope=10
2 ADC dst-address=10.0.0.1/32 pref-src=86.xx.xxx.x gateway=wan gateway-status=wan reachable
distance=0 scope=10
3 ADC dst-address=10.3.3.2/32 pref-src=10.3.3.4 gateway=pvpn-us gateway-status=pvpn-us reachable
distance=0 scope=10
4 ADC dst-address=172.21.0.0/24 pref-src=172.21.0.1 gateway=flan gateway-status=flan reachable
distance=0 scope=10
5 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether1
gateway-status=ether1 unreachable distance=0 scope=200
IP Firewall NAT
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=wan
1 chain=srcnat action=masquerade out-interface=pvpn-us
The firewall is configured to allow all outgoing traffic from the local network. The problem is that I still cannot access the services that aren't available in my home country from those two devices on my LAN (172.21.0.65 and 172.21.0.66). Attached is a simplified logical network topology. How can I debug this situation further? Did I do something wrong in the configuration of the policy routing?
Thank you,
Vali
VPNDiagram.png
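To reason about what the posted policy-routing configuration should do before touching the router, the following script walks a packet through the same stages RouterOS does: the prerouting mangle mark, the ordered route rules, the routing table selected by the mark, and finally srcnat by out-interface. It is an added example written for this page, not part of the original post or of RouterOS; the mangle rule, route rules, routes and NAT rules are transcribed from the printouts above, and the RouterOS semantics are simplified assumptions (mark-routing runs before the routing decision, route rules are first-match, a routing-mark selects the table of the same name, an unmatched lookup in a marked table falls back to main). The destinations 8.8.8.8, 1.1.1.1 and 172.21.0.10/.70 are constructed sample inputs.

```python
"""Simulate RouterOS policy routing for the configuration posted above.

Added example, not part of the original post. The rule set is transcribed
from the printouts; the lookup semantics are simplified assumptions about
RouterOS (mangle marks before routing, first-match route rules, a routing
mark selects the table of the same name, fallback to main).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    interface: str          # out-interface (gateway-status column)
    distance: int = 0       # connected routes are 0, static/dynamic 1


# --- configuration transcribed from the post ---------------------------
# /ip firewall mangle: chain=prerouting action=mark-routing (src range -> mark)
MANGLE_MARK = {
    "VPN-US": (ipaddress.IPv4Address("172.21.0.65"),
               ipaddress.IPv4Address("172.21.0.66")),
}

# /ip route rule, evaluated in order: (dst-address, routing-mark, table)
ROUTE_RULES = [
    ("192.168.88.0/24", None, "main"),
    ("172.21.0.0/24", None, "main"),
    ("172.21.1.0/24", None, "main"),
    (None, "VPN-US", "VPN-US"),
]

# /ip route, grouped by routing-mark (table); 192.168.88.0/24 is omitted
# because its interface ether1 is not running (gateway-status unreachable)
TABLES = {
    "main": [
        Route(ipaddress.ip_network("0.0.0.0/0"), "wan", 1),
        Route(ipaddress.ip_network("10.0.0.1/32"), "wan"),
        Route(ipaddress.ip_network("10.3.3.2/32"), "pvpn-us"),
        Route(ipaddress.ip_network("172.21.0.0/24"), "flan"),
    ],
    "VPN-US": [
        Route(ipaddress.ip_network("0.0.0.0/0"), "pvpn-us", 1),
    ],
}

# /ip firewall nat: masquerade keyed by out-interface, plus the address
# each interface would masquerade to (from /ip address print)
SRCNAT = {"wan": "masquerade", "pvpn-us": "masquerade"}
IFACE_ADDR = {"wan": "86.126.83.149", "pvpn-us": "10.3.3.4",
              "flan": "172.21.0.1"}


def mark_packet(src):
    """Prerouting mangle: return the routing-mark for this source, if any."""
    src = ipaddress.IPv4Address(src)
    for mark, (lo, hi) in MANGLE_MARK.items():
        if lo <= src <= hi:
            return mark
    return None


def select_table(dst, mark):
    """First matching route rule wins; otherwise the mark names the table."""
    dst = ipaddress.IPv4Address(dst)
    for rule_dst, rule_mark, table in ROUTE_RULES:
        if rule_dst and dst not in ipaddress.ip_network(rule_dst):
            continue
        if rule_mark and rule_mark != mark:
            continue
        return table
    return mark if mark in TABLES else "main"


def lookup(table, dst):
    """Longest-prefix match, lowest distance; fall back to main if empty."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in TABLES[table] if dst in r.dst]
    if not candidates and table != "main":
        candidates = [r for r in TABLES["main"] if dst in r.dst]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dst.prefixlen, -r.distance))


def route_packet(src, dst):
    """Return the mark, table, out-interface and post-NAT source for src->dst."""
    mark = mark_packet(src)
    table = select_table(dst, mark)
    route = lookup(table, dst)
    if route is None:
        return {"mark": mark, "table": table, "out": None, "nat_src": None}
    out = route.interface
    nat_src = IFACE_ADDR[out] if out in SRCNAT else src
    return {"mark": mark, "table": table, "out": out, "nat_src": nat_src}


def leak_check(hosts, destinations, tunnel="pvpn-us"):
    """List (host, dst, out) triples where public traffic would bypass the tunnel."""
    leaks = []
    for h in hosts:
        for d in destinations:
            r = route_packet(h, d)
            if not ipaddress.IPv4Address(d).is_private and r["out"] != tunnel:
                leaks.append((h, d, r["out"]))
    return leaks


if __name__ == "__main__":
    for src, dst in [("172.21.0.65", "8.8.8.8"),
                     ("172.21.0.65", "172.21.0.10"),
                     ("172.21.0.70", "8.8.8.8")]:
        print(src, "->", dst, route_packet(src, dst))
    print("tunnel leaks:", leak_check(["172.21.0.65", "172.21.0.66"],
                                      ["8.8.8.8", "1.1.1.1"]))
```

Under these assumptions the rule logic as printed sends Internet-bound packets from .65 and .66 out pvpn-us masqueraded to 10.3.3.4, keeps their LAN-bound packets in the main table via rules 0-2, and leaves every other host on wan. If the router's own counters (`/ip firewall mangle print stats`, `/ip firewall connection print`, `/tool torch interface=pvpn-us`) disagree with that picture, the gap lies in the data plane (marks not being applied, connections already tracked via wan, tunnel MTU) rather than in the rule ordering.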
