I am planning my new setup and would like to know if it would work like this:
Normally the RB is behind a WAN modem (ADSL, fiber or whatever) and has an IP within the range of the WAN modem, and on the bridge ports for the clients another IP range.
My idea is to put the client range also into the IP range of the WAN router.
The idea behind this is to have all my home devices in one network, and only the televisions and some other devices should use a VPN via the RB; they will have the RB as gateway.
For sure I would only activate one DHCP server - I think the server of the Fritzbox maybe…
So something like this:
Fritzbox 192.168.0.1 (connected with LAN port 3 to the UBNT switch)
Mikrotik RB 192.168.0.11 (with ether1 on LAN port 2 of the Fritzbox and with the bridge of the rest of the ethers on my UBNT switch)
All normal devices are using 192.168.0.1 as gateway; the VPN-using devices have to use 192.168.0.11 as gateway.
Normally this would cause a network loop I think, but with activated spanning tree protocol it should be OK; but I don't know whether the RB will do this routing of the VPN due to the same network ranges…
Has anybody experiences, ideas, advice?
Leaving aside that not all devices in your setup may support STP, there is no reason why you should interconnect the devices in a loop topology - a physical tree topology is sufficient. The current “WAN” of the Mikrotik may remain the only interface actually connected to the network, you just have to reconfigure the firewall so that it would allow forwarding of traffic from the connected subnet. If you need to use the other ports of the Mikrotik as you’ve run out of ports on the other switch, you can remove all IP configuration from ether1, make ether1 another member port of the LAN bridge, and set a static 192.168.0.11 as another IP on the bridge, then reconnect to that IP and remove the previous one.
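The reconfiguration described in the reply above, written out as RouterOS v6 terminal commands. This is an added example, not the reply author's own commands; it assumes the LAN bridge is named "bridge", that ether1 currently gets its WAN address from the Fritzbox via DHCP client, that the old client range on the bridge is 192.168.88.1/24 (placeholder), and that the router still has the default firewall with its LAN and WAN interface lists.

```routeros
# Run this in a terminal session with Safe Mode (Ctrl-X) enabled, so the router
# reverts the changes by itself if the session is lost halfway through.
# Assumed names: bridge "bridge", old client range 192.168.88.1/24 (placeholder).

# 1. Remove every IP configuration from ether1 (DHCP client and/or static address).
/ip dhcp-client remove [find interface=ether1]
/ip address remove [find interface=ether1]

# 2. Make ether1 an ordinary member port of the LAN bridge, like the other ethers.
/interface bridge port add bridge=bridge interface=ether1

# 3. Add the static address in the Fritzbox subnet as a second address on the bridge
#    and point the default route at the Fritzbox.
/ip address add address=192.168.0.11/24 interface=bridge comment="LAN, same subnet as Fritzbox"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1 comment="default via Fritzbox"

# 4. Reconnect to 192.168.0.11, then drop the old client range and the Mikrotik's own
#    DHCP server so the Fritzbox stays the only DHCP server in the network.
/ip dhcp-server disable [find]
/ip address remove [find address="192.168.88.1/24"]

# 5. Let the firewall forward traffic from the connected subnet: the default rules key
#    on the interface lists, so the bridge must be in LAN and ether1 no longer in WAN.
/interface list member remove [find interface=ether1 list=WAN]
/interface list member add list=LAN interface=bridge
```

After step 5 the default srcnat masquerade rule (out-interface-list=WAN) no longer matches anything, which is what you want here: the TVs and the Fritzbox are in one subnet and nothing should be NATed on the way to the Fritzbox; NAT into the VPN is a separate matter.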
Thanks for the answer. I was thinking about this also for not having to change the IP addresses of the devices.
At the moment I changed the IP addresses of the TVs to the subnet 192.168.1.0/24 to have them via VPN, but in this way I don't have control anymore of these devices via openHAB, and I also have the problem that via VPN Amazon Video is not working. I have to deactivate the VPN peer via WinBox or the MikroTik app on my phone… I was looking also for forward / mangle rules based on Amazon streaming server IPs to identify and rule this traffic directly and not via VPN.
So first of all I have to make a rule that all traffic coming from or going to the TV IPs goes via the VPN, except the streaming traffic for Amazon…
So this is too much for my scripting and rule knowledge!
If you have an idea/an example, that would be great!
Hi again,
so still I have no solution, but I was thinking about it:
First of all it's not nice to have the televisions in another subnet, so it would be better to have them also in the range 192.168.0.0/4 like my main router and the openHAB instance for my smarthome, to use also Samsung SmartThings.
So I “only” have to create rules that all traffic from the IP addresses of the TVs goes via the VPN, except those destination addresses from an address list (Amazon Video, Netflix etc., which should go directly via the router). But I have no idea how to realize it…
Can you help with some examples please?
Look for policy routing (not IPsec policy), there are tens of topics here.
In short, the principle is that you classify the traffic originated by devices on your LAN by its properties known already before the routing has been attempted (like source IP, source port, destination IP, destination port, source interface), and choose a different routing table for each traffic class. So you can convert the DHCP lease granted to the Samsung TV into a static one (using make-static), then optionally change the IP address to one you like more than the one chosen automatically, and use the IP address of the lease as a criterion (src-address) for an /ip firewall mangle rule assigning a routing-mark such as via-vpn; then you add a default route via the VPN tunnel with the same routing-mark value. Or you can configure the address-lists item of the lease with an address list name like use-vpn, unset the lease’s address parameter, and let the mangle rule refer to src-address-list=use-vpn rather than a particular address if you want to use all the flexibility of RouterOS.
All the above works with any VPN that uses a virtual interface at the Mikrotik end; for bare IPsec with policies and traffic selectors, the approach slightly differs.
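The policy-routing variant just described (VPN with a virtual interface, lease tagged with an address list, routing-mark plus a marked default route), as an added example in RouterOS v6 syntax; these are not the reply author's commands. Assumptions: the Mikrotik runs the DHCP server that granted the TV its lease, the TV's MAC is AA:BB:CC:DD:EE:FF (placeholder), and the tunnel interface is named "vpn-out" (placeholder, e.g. an L2TP or GRE interface that is already up).

```routeros
# Added example; names "vpn-out", "use-vpn", "via-vpn" and the MAC are assumptions.

# 1. Pin the TV's lease and tag it with an address list instead of a fixed IP, so the
#    rules follow the device: the lease address is added to "use-vpn" while it is bound.
/ip dhcp-server lease make-static [find mac-address=AA:BB:CC:DD:EE:FF]
/ip dhcp-server lease set [find mac-address=AA:BB:CC:DD:EE:FF] address-lists=use-vpn comment="Samsung TV"
#    If another router is the DHCP server, add the TV address by hand instead:
#    /ip firewall address-list add list=use-vpn address=192.168.0.50 comment="Samsung TV"

# 2. Classify before routing (prerouting): traffic from the list gets the routing mark.
#    dst-address-type=!local keeps traffic to the router itself (DNS, WinBox) on the
#    main table; passthrough=no stops evaluating further mangle rules for it.
/ip firewall mangle add chain=prerouting src-address-list=use-vpn dst-address-type=!local \
    action=mark-routing new-routing-mark=via-vpn passthrough=no comment="TVs via VPN"

# 3. A second default route that only packets carrying the mark can use.
/ip route add dst-address=0.0.0.0/0 gateway=vpn-out routing-mark=via-vpn comment="default via VPN"

# 4. Source NAT into the tunnel, otherwise the far end sees 192.168.0.x and cannot reply.
/ip firewall nat add chain=srcnat out-interface=vpn-out action=masquerade comment="NAT into VPN"

# 5. Verify: the route is active (flag A) and marked packets leave via vpn-out.
/ip route print where routing-mark=via-vpn
/tool torch interface=vpn-out
```

On RouterOS v7 the same setup needs a routing table first (`/routing table add name=via-vpn fib`) and the route parameter is `routing-table=via-vpn` instead of `routing-mark`; the mangle rule is unchanged.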
Thanks for the hints, will try to find it out… but the VPN is IPsec.
Maybe it looks much easier to identify the traffic which has to go via VPN: the IP streams… and all browser activities of the smart TV browser (because of the usage of foreign media libraries…) and then let the rest go directly…
I will try this in the next days…
If someone has already a working example, that would be great…
If so, your /ip ipsec identity row used to establish the VPN refers to an /ip ipsec mode-config row with responder=no, and thus your router gets an IP address assignment from the remote peer, and an IPsec policy is dynamically created with that address as src-address and 0.0.0.0/0 as dst-address.
The only thing you need to do is to set, on that /ip ipsec mode-config row, a value of the src-address-list parameter, such as “via-vpn”. If this parameter is set, then whenever the SA is up, RouterOS dynamically creates an /ip firewall nat rule, which will src-nat any connection whose source address matches that address-list to the address assigned by the remote peer, so the policy’s traffic selector will match that connection’s packets and send them via the SA. So any LAN address you add to address-list “via-vpn” will be treated this way. Of course, these hosts in the LAN subnet must have the Mikrotik as their gateway, not the other router in the same subnet.
If the above is not sufficient, post the export of your current config, I’ll give you those few commands needed to implement the above into it.
I got it! It's working this way, but I still have the problem that I need the passthrough (not via VPN) of the Amazon Video URLs… I was searching for lots of addresses… I put them in an address list “no-vpn”, so now I need a rule, I think, to exclude that traffic from the VPN… I will try a little, but I still have no idea…
And regarding the other ports of the RB: I have now put all ports into the bridge so that I can use them also as normal switch ports, or is it maybe not a good solution due to performance problems?
Actually, implementing this has several complications:
You want the TV to be in the same subnet as the ISP gateway and the Mikrotik, so normally it should be already the TV that uses a dedicated route via the ISP’s gateway for the Amazon destination IPs. But I assume you cannot set up the TV’s routing table from its configuration menu; the only way to set up more routes than just the default one in the TV itself is to send it a route list using DHCP. The problem is that few consumer electronic products support this method.
Another way is that the Mikrotik will send “better gateway” messages using ICMP whenever it decides that the packet should bypass the VPN, but again, the TV may or may not act up to them (and worse than that - it is even possible that Mikrotik will send these “better gateway available” packets even for packets which should be handled by the VPN, I have never tried such an unusual setup).
Only placing the Mikrotik between the TV and the rest of the world removes this point from the table completely.
It is not a big deal to classify packets by destination address, but it is much more complex to classify them by domain name, and even more complex to find out which additional domain names are related to the one you know - e.g. youtube streams the video from the akamai.net domain (if I remember well). So unless the company publishes them on some support pages, you have to use packet sniffing to identify them, and you cannot be sure they won’t change next week.
The least complex part is to modify the IPsec configuration. Instead of specifying src-address-list on the /ip ipsec mode-config row, you specify a connection-mark; the dynamically created NAT rule will then be matching on the connection-mark, and you can use complex match conditions in mangle rules to assign that connection-mark only to traffic which should be sent via VPN.
Thanks for the fast reply… sounds all difficult…
I have an IP address list of Netflix and Amazon server IPs… a little bit old - don't know if they still work… but that is over 300 IP addresses.
This list is called “no-vpn”, so if I could route the traffic to these destination addresses from all the devices of the list “via-vpn” (my TVs) directly into my WAN, without using the VPN… that should work!
I will try to read about router config, NAT rules etc.… but if you have any hint, that would be great! I think a lot of other people are looking for such solutions…
The NAT rule is provided by the IPsec engine, no need to worry about it. Just replace the src-address-list=via-vpn in the /ip ipsec mode-config item by connection-mark=via-vpn (and maybe disable and re-enable the identity although I think the change will restart the connection automatically).
Then, use a mangle rule: /ip firewall mangle add chain=prerouting src-address-list=via-vpn dst-address-list=!no-vpn action=mark-connection new-connection-mark=via-vpn
So only connections which come from a proper source-address (the TV) and connect anywhere else than to destinations on your exception list will get the connection mark on which the dynamically created NAT rule matches.
But, as said - these packets (which evade the assignment of connection-mark and thus the src-nat rule matching on it) will be handled only by the regular routing, and in the regular routing, the IP address of Mikrotik’s gateway to internet is in the same subnet as the TV, so the Mikrotik will forward the packet but will send back an ICMP “there’s a better gateway for this destination address” to the sender (this can be switched off if the TV ignores these messages); the wan-modem will send the response directly to the TV, bypassing the Mikrotik.
So you can give it a try, there are just two possibilities, either it will work or not…
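The complete IPsec variant, combining the earlier reply about the mode-config src-address-list with the connection-mark and exception-list rule from this one, as an added example in RouterOS v6 syntax (not commands posted by anyone in the thread). Assumptions: the /ip ipsec mode-config row used by the VPN identity is named "vpn-cfg" and the identity's peer is "vpn-peer" (both placeholders), the TVs are 192.168.0.50 and 192.168.0.51 (placeholders) and use the Mikrotik as gateway; aiv-delivery.net is taken from the thread, the other no-vpn entries are placeholders.

```routeros
# Added example; "vpn-cfg", "vpn-peer" and the TV addresses are assumptions.

# 1. Devices whose traffic should go through the tunnel.
/ip firewall address-list add list=via-vpn address=192.168.0.50 comment="TV living room"
/ip firewall address-list add list=via-vpn address=192.168.0.51 comment="TV bedroom"

# 2. Destinations that must bypass the tunnel. Entries may be domain names: RouterOS
#    resolves them and keeps the resolved addresses in the list as dynamic entries.
/ip firewall address-list add list=no-vpn address=aiv-delivery.net comment="Amazon Video (from thread)"
/ip firewall address-list add list=no-vpn address=203.0.113.0/24 comment="placeholder streaming range"

# 3. Mark only connections from a TV that do not go to the exception list.
#    passthrough=yes lets later mangle rules still see these packets.
/ip firewall mangle add chain=prerouting src-address-list=via-vpn dst-address-list=!no-vpn \
    action=mark-connection new-connection-mark=via-vpn passthrough=yes comment="TV traffic for IPsec"

# 4. Let the IPsec engine build its src-nat rule on the connection mark instead of the
#    address list. The NAT rule appears dynamically (flag D) whenever the SA is up.
/ip ipsec mode-config set [find name=vpn-cfg] !src-address-list connection-mark=via-vpn
/ip ipsec identity disable [find peer=vpn-peer]
/ip ipsec identity enable [find peer=vpn-peer]

# 5. Unmarked (bypass) traffic is forwarded to the Fritzbox in the same subnet; if the TV
#    ignores ICMP redirects anyway, stop the router from sending them.
/ip settings set send-redirects=no

# 6. Checks: the dynamic NAT rule exists, the SA is established, and TV connections to
#    non-exception destinations carry the mark while Amazon connections do not.
/ip firewall nat print where dynamic
/ip ipsec active-peers print
/ip firewall connection print where src-address~"192.168.0.50" connection-mark=via-vpn
/ip firewall connection print where src-address~"192.168.0.50" connection-mark=""
```

Because the connection mark is assigned at the first packet of a connection, a bypass destination whose address was learned only after the connection started keeps going through the tunnel until that connection ends; refreshing the no-vpn list therefore affects new connections only.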
Great and many thanks!
It seems to be working… I had to add a few IPs / domains… to the list I found here (more than a year old).
I checked the DNS cache and all Amazon domain names which appear when starting the Amazon Video app I also put on the novpn list.
It's working like this: when adding a domain name to the address list, it is creating the IP automatically, so I will check for a long time this evening!
And when it's working I will post it here.
Back again… so it seems that sometimes new Amazon IPs are coming into work!
F.ex. the domain aiv-delivery.net is redirected to several different other domains like ns-1542.awsdns-00.co.uk and ns-275.awsdns-34.com etc…
The router is finding all these domains/IPs, but sometimes totally new ones are coming, so I have to find a way to put these new addresses on the list, but it's difficult to identify… will check more…