Redirect Gateway

Since RouterOS does not support an OpenVPN UDP client, I have created a VPN gateway on another device on the network.

If I change my gateway from the router (192.168.168.1) to the VPN gateway (192.168.168.11) it works fine.

The issue is I do not want to redirect all traffic through the OpenVPN gateway, only general traffic.
For example, I have 2 other VPNs connected on the MikroTik (1 L2TP server and a PPTP client). If I change the gateway away from the MikroTik I can no longer access these items. Furthermore, my custom DNS entries do not work if I change the gateway.

What I would like to do is redirect traffic through the MikroTik to the OpenVPN gateway.

I have tried creating a prerouting mangle rule and marking the route, then creating a route that points to the gateway using that routing mark.
e.g.
chain=prerouting action=mark-routing new-routing-mark="VPN Route" passthrough=no protocol=tcp
src-address=192.168.168.101 dst-address=!192.168.168.0/24 dst-port=80 log=no log-prefix=""

I have tried to mark the connection and then mark the routing in the output chain; however, I never hit the output chain.

0 ;;;
chain=prerouting action=mark-connection new-connection-mark="VPN Gateway" passthrough=no
protocol=tcp src-address=192.168.168.101 dst-address=!192.168.168.0/24 dst-port=80 log=no
log-prefix=""

1 ;;;
chain=output action=mark-routing new-routing-mark="VPN Route" passthrough=no
connection-mark="VPN Gateway" log=no log-prefix=""

I have also tried with and without a masquerade to the OpenVPN gateway but just can't get it to work.

Any suggestions on how I might be able to get this to work?

No need for the second mangle on output chain.

This rule alone should be enough:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=VPN_Gateway passthrough=no
protocol=tcp src-address=192.168.168.101 dst-address=!192.168.168.0/24 dst-port=80 log=no
log-prefix=""

What you seem to be missing is the proper /ip route entry with matching routing mark:

/ip route
add distance=1 gateway=192.168.168.11 routing-mark=VPN_Gateway
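A fuller version of the same mangle-plus-route approach, added here as an example and not taken from the thread: it keeps the LAN and the router's other VPN subnets (placeholder prefixes, assumed) on the main table via an address list, fails closed when the OpenVPN gateway is down, and ends with the checks that show whether the mark and the route are actually being hit. RouterOS v6 syntax is assumed; on v7 the table must exist first (/routing table add name=VPN_Gateway fib).

```routeros
# Added example, not from the thread. 10.10.0.0/24 and 10.20.0.0/24 are
# placeholders for the L2TP and PPTP subnets; replace with your own prefixes.
/ip firewall address-list
add list=keep_local address=192.168.168.0/24 comment="LAN"
add list=keep_local address=10.10.0.0/24 comment="L2TP server clients (assumed)"
add list=keep_local address=10.20.0.0/24 comment="PPTP client remote net (assumed)"

# Mark only traffic from the chosen host whose destination is NOT local.
# Prerouting is required: forwarded LAN traffic never enters the output chain,
# which is why the output-chain variant in the question never matched.
/ip firewall mangle
add chain=prerouting src-address=192.168.168.101 dst-address-list=!keep_local \
    action=mark-routing new-routing-mark=VPN_Gateway passthrough=no \
    comment="PBR: general traffic from .101 -> OpenVPN gateway"

# Default route for the marked table only. check-gateway deactivates it when
# .11 stops answering; the blackhole behind it then catches the marked traffic
# instead of letting it fall back to the main table and leave unprotected.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.168.11 distance=1 \
    routing-mark=VPN_Gateway check-gateway=ping comment="PBR to OpenVPN gw"
add dst-address=0.0.0.0/0 type=blackhole distance=10 \
    routing-mark=VPN_Gateway comment="fail closed if OpenVPN gw is down"

# .11 sits on the same subnet as .101, so the router would otherwise send ICMP
# redirects telling the host to reach .11 directly and bypass this policy.
/ip settings set send-redirects=no

# No NAT is needed on the router for these flows; the masquerade belongs on
# 192.168.168.11 (its tunnel interface) so replies come back through the tunnel.

# Checks: the rule counters should rise while .101 browses, and the first
# route must be listed as active (flag A), not just the blackhole.
/ip firewall mangle print stats where comment~"PBR"
/ip route print where routing-mark=VPN_Gateway
```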

I didn’t totally ponder this post, but it seems to me that simple static routes should suffice - no mangle + routing table rules required, right?
You have a list of destinations that should be reached through vpn X and a different gateway for that VPN?
Just put them in the main routing table and you’re done.

You only need to use PBR if your decision making process involves some other criteria than the destination IP.

Hi Pukkita,

That's pretty much what I have been doing. I have re-added those rules, but as soon as the new route is enabled I get nothing.

Changing the gateway on my local machine works; however, it breaks my other routing to other VPNs, so it isn't a solution.