Problem using VPN as default gateway?

Hello Mikrotik team,
I was trying to use a client VPN as my gateway, but it seems that it fails. This is what I want and what I did:

What I want is:

Users -----> VPN -----> Internet
I want to hide my users behind the VPN.

What I did for that is:

Make a PPTP connection and select the "add default route" check box. Everything is OK for this connection; it connects well, no problems. As I see, a new route and a new address appear when it is connected.

But when I checked my web traffic from behind the MikroTik, I see that my real IP is still visible to others, not my VPN one. What did I miss? Do I also need to reconfigure anything else?

Thanks for your help

Please help; I think it is very easy for you to answer this topic.

Need more information about your setup in order to help.

Please supply these commands wrapped in code text.

/ip firewall export
/ip route print detail

Thanks for your help

Here are the results:

#
/ip firewall address-list
add address=173.236.103.190 comment="" disabled=no list=PassProxy
add address=173.236.99.211 comment="" disabled=no list=PassProxy
add address=173.236.99.218 comment="" disabled=no list=PassProxy
add address=173.236.99.221 comment="" disabled=no list=PassProxy
add address=173.236.99.214 comment="" disabled=no list=PassProxy
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=5s tcp-close-timeout=5s \
    tcp-close-wait-timeout=5s tcp-established-timeout=10m \
    tcp-fin-wait-timeout=5s tcp-last-ack-timeout=5s tcp-syn-received-timeout=\
    5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=5s \
    udp-stream-timeout=3m udp-timeout=5s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=return chain=forward comment="Ping Replay Rule" disabled=no \
    protocol=icmp
add action=accept chain=forward comment="Yoville Game" disabled=no dst-port=\
    843 protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=9339 \
    protocol=tcp
add action=drop chain=forward comment="Block P2P Traffic" disabled=no p2p=\
    all-p2p
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Ping Rule" disabled=no \
    new-packet-mark=Ping passthrough=yes protocol=icmp
add action=mark-packet chain=output comment="Cache Packets Rule" disabled=no \
    dscp=4 new-packet-mark=Cache_Packets out-interface=LAN passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no out-interface=LAN
add action=accept chain=dstnat comment="PassProxy Rule" disabled=no \
    dst-address-list=PassProxy dst-port=80 protocol=tcp
add action=redirect chain=dstnat comment="Transparent Web Proxy Forward" \
    disabled=no dst-port=80 protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat comment="Samir RDP" disabled=no dst-address=\
    10.0.0.1 dst-port=3389 protocol=tcp to-addresses=10.10.10.240
add action=netmap chain=srcnat comment="VPN Rule" disabled=no src-address=\
    10.10.10.0/23 to-addresses=10.0.0.1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=yes
set sip disabled=no ports=5060,5061
set pptp disabled=yes
[Admin@MikroTik Maadi Server] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=10.0.0.138 
        gateway-status=10.0.0.138 reachable WAN distance=1 scope=255 
        target-scope=10 

 1 ADC  dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=WAN 
        gateway-status=WAN reachable distance=0 scope=10 

 2 ADC  dst-address=10.10.10.0/23 pref-src=10.10.10.250 gateway=LAN 
        gateway-status=LAN reachable distance=0 scope=10

That is without the VPN.

I see no default route for the VPN tunnel; that is the first thing that pops out to me. The router needs to know the route, and it needs to have a smaller weight so it will use that by default for all traffic. However, I am guessing you don't want the router itself to use the VPN tunnel as its default route, so your setup is going to be a bit more complicated because of this and because you are using the proxy. I also see a hotspot rule in there, so I'm not sure if you are using the hotspot or not.

First of all, when using the proxy, all HTTP requests will be handled by the router; this means that all HTTP traffic leaving the router will be on the output chain. Also, just to make you aware, the Transparent Proxy only works on HTTP traffic, not HTTPS. Keeping that in mind, here are a couple of steps that should get you started in the right direction.

In the mangle rules in the prerouting chain, set up a rule that will mark connections coming from the LAN subnet that are not destined to a local address; add in it being authorized on the hotspot if you are using that. You will also need another rule in the output chain that will mark connections with a dst-port of 80 with a similar connection mark. Set up one more rule that will mark for routing based off of those connection marks.

Chances are in NAT you are going to have to set up a rule that will NAT the correct IP address on traffic heading out of the router for dst-port 80.

Set up a route that will send traffic out of the VPN when it has the correct routing mark.

I think this should get you started down the right path at least. This is all off the top of my head and I haven't ever done a setup quite like this, so you will probably have to adjust these a bit more to fit your needs and situation.

/ip firewall mangle
add action=mark-connection chain=prerouting comment="" src-address=10.10.10.0/24 new-connection-mark=VPN_connection connection-state=new dst-address-type=!local hotspot=auth
add action=mark-connection chain=output connection-state=new dst-port=80 protocol=tcp new-connection-mark=VPN_connection
add action=mark-routing chain=prerouting connection-mark=VPN_connection new-routing-mark=VPN
add action=mark-routing chain=output connection-mark=VPN_connection new-routing-mark=VPN
/ip firewall nat
add action=src-nat chain=srcnat comment="" connection-mark=VPN_connection disabled=yes dst-port=80 protocol=tcp to-addresses=1.1.1.1
/ip route
add dst-address=0.0.0.0/0 gateway="VPN Tunnel" routing-mark=VPN

Thanks.
I am using the hotspot and also using the MikroTik proxy.

I just want to hide my users behind the VPN; it is not important to make the MikroTik itself use the VPN. Does your code work with my case?

Also, what is this IP 1.1.1.1 for?

Yes these rules should work even with the Hotspot and Proxy, like I said however, you will probably need to make some adjustments on your part to get it going like you want.

That was just an IP I used as an example; most of the time when you see 1.1.1.1 or 2.2.2.2 it's just an example and needs to be replaced with whatever IP you need it to be. It needs to be the IP address of the VPN interface on the MikroTik; this is so the traffic leaving that interface will be NATed to the correct IP address and can be routed and handled by the other end of the tunnel correctly.

OK, I will do my best and tell you the results.

But what if I want all user connections to go via the VPN (messengers, mail, all connections I mean, not just port 80)?
Is there an easy idea for that?

That’s what the first mangle that I posted covers. Any new connections coming from 10.10.10.0/24 that are not destined for a local address to the MikroTik and are authorized on the hotspot get marked to be sent out of the VPN tunnel. The second rule covers the Proxy HTTP requests getting sent out of the VPN tunnel.

Sorry, it didn't work for me; maybe I did something wrong. Please help me to find it.
What did I miss in this config?

#
/ip firewall address-list
add address=173.236.103.190 comment="" disabled=no list=PassProxy
add address=173.236.99.211 comment="" disabled=no list=PassProxy
add address=173.236.99.218 comment="" disabled=no list=PassProxy
add address=173.236.99.221 comment="" disabled=no list=PassProxy
add address=173.236.99.214 comment="" disabled=no list=PassProxy
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=5s tcp-close-timeout=5s \
    tcp-close-wait-timeout=5s tcp-established-timeout=10m \
    tcp-fin-wait-timeout=5s tcp-last-ack-timeout=5s tcp-syn-received-timeout=\
    5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=5s \
    udp-stream-timeout=3m udp-timeout=5s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=return chain=forward comment="Ping Replay Rule" disabled=no \
    protocol=icmp
add action=accept chain=forward comment="Yoville Game" disabled=no dst-port=\
    843 protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=9339 \
    protocol=tcp
add action=drop chain=forward comment="Block P2P Traffic" disabled=no p2p=\
    all-p2p
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Ping Rule" disabled=no \
    new-packet-mark=Ping passthrough=yes protocol=icmp
add action=mark-packet chain=output comment="Cache Packets Rule" disabled=no \
    dscp=4 new-packet-mark=Cache_Packets out-interface=LAN passthrough=no
add action=mark-connection chain=prerouting comment="VPN Connection" \
    connection-state=new disabled=no dst-address-type=!local hotspot=auth \
    new-connection-mark=VPN_connection passthrough=yes src-address=\
    10.10.10.0/23
add action=mark-connection chain=output comment="" connection-state=new \
    disabled=no dst-port=80 new-connection-mark=VPN_connection passthrough=\
    yes protocol=tcp
add action=mark-routing chain=prerouting comment="" connection-mark=\
    VPN_connection disabled=no new-routing-mark=VPN passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=\
    VPN_connection disabled=no new-routing-mark=VPN passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no out-interface=LAN
add action=accept chain=dstnat comment="PassProxy Rule" disabled=no \
    dst-address-list=PassProxy dst-port=80 protocol=tcp
add action=redirect chain=dstnat comment="Transparent Web Proxy Forward" \
    disabled=no dst-port=80 protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat comment="Samir RDP" disabled=no dst-address=\
    10.0.0.1 dst-port=3389 protocol=tcp to-addresses=10.10.10.240
add action=netmap chain=srcnat comment="Local VPN Server Rule" disabled=no \
    src-address=10.10.10.0/23 to-addresses=10.0.0.1
add action=src-nat chain=srcnat comment="VPN Connection" connection-mark=\
    VPN_connection disabled=no dst-port=80 protocol=tcp to-addresses=10.0.0.2
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=yes
set sip disabled=no ports=5060,5061
set pptp disabled=yes
[Admin@MikroTik Maadi Server] > ip address export 
#
 ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   10.10.10.250/23    10.10.10.0      10.10.11.255    LAN                    
 1   10.0.0.1/24        10.0.0.0        10.0.0.255      WAN                    
 2 D 10.0.0.2/32        10.1.1.1        0.0.0.0         l2tp-out1   
/ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          l2tp-out1          1       
 1 A S  0.0.0.0/0                          10.0.0.138         1       
 2  DS  0.0.0.0/0                          10.1.1.1           1       
 3 ADC  10.0.0.0/24        10.0.0.1        WAN                0       
 4 ADC  10.1.1.1/32        10.0.0.2        l2tp-out1          0       
 5 ADC  10.10.10.0/23      10.10.10.250    LAN

First thing to answer is: are you able to ping outside addresses from the VPN tunnel using that routing table? With the ping utility, either in WinBox or from the CLI, you can specify a routing table to be used; this will tell you if you are able to pass traffic over the tunnel and that the route is working right.

Second thing, order of firewall rules is very important. The rules are processed in the order that they appear within the same chain. So if a packet hits a rule that is higher up in the chain, it will not be processed by rules further down in that chain.

Your masquerade rule is a little weird in that you are specifying the out interface as the LAN. Is there any reason for that? If not, then I would modify the rule to remove the out interface and specify the src-address as the LAN subnet you want to go out of the tunnel. This should take care of NATing normal client connections out of the tunnel. By making those changes, this rule should no longer be needed:

add action=netmap chain=srcnat comment="Local VPN Server Rule" disabled=no \
    src-address=10.10.10.0/23 to-addresses=10.0.0.1

This rule is probably too far down the list to be hit by anything. I would move it further up the list, probably above or just below the masquerade rule:

add action=src-nat chain=srcnat comment="VPN Connection" connection-mark=\
    VPN_connection disabled=no dst-port=80 protocol=tcp to-addresses=10.0.0.2

Remember that Torch is your friend. Set it up to watch a specific WAN interface and see if traffic is leaving that interface, and if so, what IP address it is being NATed to. Also watch your firewall rules to see if their counters are incrementing when you try to pass traffic; this will tell you if the rules are being hit at all. Connection tracking is a good place to look to see if your connections are being marked properly.
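One way to lay out the srcnat chain, the policy route and the checks described in the replies above, as an added example that is not part of the thread or of anyone's posted config. Interface names, addresses and marks come from the poster's export; 8.8.8.8 is only a constructed ping target, and the `routing-table` parameter of `/ping` is assumed to exist on the poster's RouterOS version.

```routeros
# Added example, not from the thread. RouterOS evaluates rules top-down within a
# chain, and masquerade / src-nat are terminating, so the marked-connection rule
# must sit above the generic masquerade rule to ever see traffic.
/ip firewall nat
# 1. Proxy-originated HTTP: leaves via the output chain, carries VPN_connection,
#    and must be NATed to the tunnel address (10.0.0.2 in the poster's export).
add action=src-nat chain=srcnat comment="VPN Connection (proxy HTTP)" \
    connection-mark=VPN_connection dst-port=80 protocol=tcp \
    to-addresses=10.0.0.2
# 2. Ordinary client connections from the LAN: masquerade by source subnet,
#    with no out-interface, as suggested above. This replaces both the old
#    out-interface=LAN masquerade and the "Local VPN Server Rule" netmap.
add action=masquerade chain=srcnat comment="masquerade LAN clients" \
    src-address=10.10.10.0/23

# Policy route used only by traffic that carries the VPN routing mark; the
# router's own unmarked traffic keeps using the 10.0.0.138 default route.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=VPN \
    comment="marked client traffic via VPN tunnel"

# Verification, following the advice in the thread:
# a) can the VPN routing table reach the outside at all?
/ping 8.8.8.8 routing-table=VPN count=4
# b) are the NAT rules being hit? (counters should increase while clients browse)
/ip firewall nat print stats
# c) are connections actually being marked?
/ip firewall connection print where connection-mark=VPN_connection
# d) what address is traffic leaving the tunnel with? (Torch on the tunnel)
/tool torch interface=l2tp-out1
```

If the ping in step a) fails while the tunnel is up, fix the route before touching the NAT rules; nothing below it can work until marked traffic can leave through l2tp-out1.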