I have an MT RB951 with a simple basic configuration with 1 WAN connection, where everything is working fine. Then I added a VPN connection and configured routing to certain web sites (VK, Yandex, mail.ru) through this connection, but the routing works very strangely. I can open yandex and mail.ru, but VK works veeery slowly and the site doesn't open every time.
My current config:
# feb/22/2018 21:28:13 by RouterOS 6.41.2
#
# model = 951-2n
/interface bridge
add arp=proxy-arp fast-forward=no name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-half,100M-full name=\
    ether1-gateway
set [ find default-name=ether3 ] name=ether3-top
set [ find default-name=ether5 ] name=ether5-home
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge-local lease-time=1w name=main
/ppp profile
add name=vpn use-encryption=yes
/interface pptp-client
add allow=chap,mschap1,mschap2 connect-to=*** disabled=no name=VPN \
    password=*** profile=vpn user=***
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3-top
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5-home
/interface list member
add interface=ether1-gateway list=WAN
add interface=VPN list=WAN
add interface=ether2 list=LAN
add interface=ether3-top list=LAN
add interface=ether4 list=LAN
add interface=ether5-home list=LAN
add interface=wlan1 list=LAN
/ip address
add address=10.0.0.1/24 interface=bridge-local network=10.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-gateway \
    use-peer-dns=no
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    77.88.8.8,77.88.8.88,77.88.8.7,8.8.4.4,8.8.4.4
/ip firewall address-list
*add my routing addresses xxx.xxx.xxx.xxx/xx
/ip firewall filter
add action=drop chain=input dst-port=21,22,23 in-interface=ether1-gateway \
    protocol=tcp
add action=drop chain=input dst-port=21,22,23 in-interface=VPN protocol=tcp
/ip firewall mangle
add action=accept chain=prerouting dst-address=10.0.0.0/24 src-address=\
    10.0.0.0/24
add action=mark-connection chain=prerouting in-interface=VPN \
    new-connection-mark=vpn-in passthrough=no
add action=mark-routing chain=prerouting comment=\
    "route vpn-in through same interface" connection-mark=vpn-in \
    new-routing-mark=vpn passthrough=no
add action=mark-routing chain=prerouting comment="route vk through vpn" \
    dst-address-list=vk new-routing-mark=vpn passthrough=no src-address=\
    10.0.0.0/24
add action=mark-routing chain=prerouting comment="route yandex through vpn" \
    dst-address-list=yandex new-routing-mark=vpn passthrough=no src-address=\
    10.0.0.0/24
add action=mark-routing chain=prerouting comment="route mail.ru through vpn" \
    dst-address-list=mail new-routing-mark=vpn passthrough=no src-address=\
    10.0.0.0/24
add action=mark-routing chain=prerouting comment=\
    "route kaspersky through vpn" dst-address-list=kaspersky \
    new-routing-mark=vpn passthrough=no src-address=10.0.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=\
    192.168.88.1
add action=masquerade chain=srcnat out-interface=VPN
/ip route
add check-gateway=ping distance=1 gateway=VPN routing-mark=vpn
I verified with tracert that requests go through the VPN. I watched the connections; there were issues with connections getting stuck in the SYN state, but I fixed that by marking connections incoming from the VPN and routing the marked ones.
There was an issue with routing marked connections on the current version of the firmware (if you mark the connection first and then mark routes by connection mark, it doesn't work), so I stopped marking and filtering connections and now route everything in the mark-routing rule.
I tried to play with the MTU, but it seems like it doesn't help.
I got this kind of error when opening the routed sites:

I made sure that all the resources that scripts on the websites try to fetch are routed; the IPs are in range, and if you try to open a resource in a new tab, it opens.
My investigation leads me to the idea that it's related to the HTTPS protocol. When I open a website in Firefox and it gets stuck, I see that it's trying to initialize a TLS connection. It's noticeable that everything opens very slowly, and among the errors I can see “ERR_TIMED_OUT”, “ERR_CONNECTION_RESET”, “ERR_SPDY_PING_FAILED”.
Has anyone had this kind of issue? Or maybe I did something wrong? Please help me, I'm frustrated…