Roadwarrior client router

samwarez · March 16, 2020, 10:50pm

at least I hope that’s what these are called

I am trying to setup a Tik to act as a sort of VPN gateway for local clients. It would be plugged into an existing local network (like at a hotel), any devices that plug into the Tik (or connect via wifi) will be routed through a VPN connection to the remote corporate network (also a Mikrotik, sitting on a public IP), no client configuration needed on the devices.
vpn setup.png
The VPN server is already setup for l2tp/ipsec however I can also enable any protocol that will work (eoip?) as long as the l2tp connections continue to work.
I am guessing I just need to setup the VPN Client in the Tik and then route all traffic through that VPN interface, I have found guides on how to do that. But as the Tik will sit behind an uncontrolled NAT firewall how do I best set this up to that the tunnel gets through and I don’t cause any issues like routing loops?

Sob · March 19, 2020, 1:27am

You don’t need to care about that uncontrolled router, all you need from it is access to internet and your VPN server. Just add VPN client interface, tell it to add default route and you’re almost done. Use firewall filter (chain=forward) to block access from LAN interface to WAN, to make sure that connected devices won’t go to internet directly. Last needed thing may be srcnat on VPN client interface, it depends on your server, if it knows about LAN subnet behind client or not.

frank333 · March 22, 2020, 11:13am

I’m trying to do the same thing by only enabling vpn on an ethernet port.

I added this rule
/ip firewall filter
add action=accept chain=input dst-address=0.0.0.0 in-interface=l2tp-out1 src-address=192.168.42.0/24

but I can only access the tik from the external network

macsrwe · March 22, 2020, 12:19pm

I suspect your problem is that 0.0.0.0 is not the same as 0.0.0.0/0 .

frank333 · March 22, 2020, 12:37pm

ok macsrwe ,
I modified but it doesn’t work, moreover it disappeared ( webfig ) the interface l2tp-out1 even if vpn is up

macsrwe · March 22, 2020, 10:42pm

I’m not surprised it disappeared – 0.0.0.0/0 is the default (“everywhere”).

Your rule is in the input chain. That means that traffic to the router itself (not your network, just the router) will be accepted from those addresses. If you’re trying to get your router to serve this traffic to some other network, it’s the wrong rule. Perhaps you meant the forward chain.

frank333 · March 23, 2020, 12:01am

macsrwe
I’d like to reroute all traffic on ether3 port to vpn ipsec.

samwarez · April 2, 2020, 7:49pm

Thank you, I am giving this another shot now (past week has been absolute chaos), Ideally I would like to avoid a NAT and just let client devices get addresses off the corporate DHCP, do I just leave off the srcnat in that case?

I am sure to have more questions shortly as I am not so great with RouterOS yet and still learning.

samwarez · April 2, 2020, 8:14pm

Ill need to set a route for the VPN servers IP to bypass the default route right? would I just route that to the WAN port (in this case ether1)?

samwarez · April 2, 2020, 8:26pm

I tried routing the VPN IP to ether1 but did not work. I was unable to ping the address from the tik and the l2tp tunnel would not connect. However if I specified the local LAN’s gateway address then it works. Problem is for this setup I my not know the gateway address (and don’t want to have to manually set it even if I did). Why can’t I just push it out that port and let whatever gateway on the other side handle it?

Also is it possible to grab a DHCP address from the far end (corporate network) so I don’t have to deal with NATs?

Zacharias · April 2, 2020, 9:13pm

Can you please post your configuration with hide-sensitive so that we understand what exactly you are doing ?

samwarez · April 2, 2020, 9:41pm

its mostly default value right now while I get this figured out

[admin@MikroTik] > /export hide-sensitive 
# apr/02/2020 15:26:22 by RouterOS 6.46.4
# software id = GP79-QRBX
#
# model = 2011UAS-2HnD
# serial number = 419E020A742D
/interface bridge
add admin-mac=D4:CA:6D:D8:22:FE auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-D82307 wireless-protocol=802.11
/interface l2tp-client
add connect-to=#VPN_SERVER_IP# disabled=no name=l2tp-out1 use-ipsec=yes user=#USERNAME#
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=reject chain=forward disabled=yes dst-address=!#VPN_SERVER_IP# out-interface=ether1 reject-with=icmp-admin-prohibited
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=l2tp-out1
add distance=1 dst-address=#VPN_SERVER_IP#/32 gateway=10.0.0.1
/system clock
set time-zone-name=America/Denver
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Zacharias · April 3, 2020, 10:17am

Why you have this masquerade rule ?
just let it

add action=masquerade chain=srcnat out-interface-list=WAN

Now, if the tunnel does not come up you must check the logs of the Server… Make sure credentials and IPsecret are correct as well…

If you want to route all traffic through the VPN either do it as @Sob suggested or you can even use Policy Routing Rules…

samwarez · April 3, 2020, 3:48pm

The masquerade is just part of the default config I have not striped out yet, but it is disabled.

The setup for the l2tp works, its just that it can’t reach the outside unless I route to the local gateway IP as apposed to just the interface.

I am still trying to figure out the firewall rule for routing all traffic to the VPN and blocking it going to the WAN.

Zacharias · April 3, 2020, 4:55pm

Please, since we talk about networking provide more details…
You cant reach the internet from your PC? From the VPN Client itself?
Do you Reach the Lan on the VPN’s server side ?

All you actually need inside your routing Table is this Roule:
1.

add distance=1 dst-address=Remote LAN gateway=Remote VPN Server IP

That rule will let you reach the Remote LAN..

In case you need to route all your traffic to the Remote VPN server, Internet included, then Default Route must be enabled in your VPN…

add distance=1 gateway=l2tp-out1

After that you must masquerade your out Interface, which is the L2TP..

add action=masquerade chain=srcnat out-interface=L2TP Interface

=====

Now, if you dont want to route all traffic through VPN, do not use the default gateway on your VPN client settings, the masquerade rules must have as out interface your WAN interface,no other masquerade rule is needed, a default route for your actual network and only rule (1) for the VPN…

samwarez · April 3, 2020, 7:10pm

I do want to route all internet through the VPN.

add distance=1 dst-address=Remote LAN gateway=Remote VPN Server IP

this does not work, I try to ping from the router to the vpn server and all I get is “no route to host” and the l2tp client will not connect

If I change it to this:
add distance=1 dst-address=Remote VPN Server IP gateway=Local LAN Gateway
Then the l2tp client connects, I can ping devices on the remote side, everything works, except passing DHCP requests but that’s a separate hurdle. The only problem is that it requires knowledge of the LAN (the Uncontrolled Gateway in my diagram).

Zacharias · April 4, 2020, 9:51am

Then the l2tp client connects

The VPN to get established does not need any route rule…
You answered on your own.. Ofcrose, if you want to reach a Public IP you must have a default route, isnt that obvious ?
The fact that it connecs after that route is normal ofcorse since you do not have any other default route apparently!

So if you only add this

add distance=1 dst-address=Remote LAN gateway=Remote VPN Server IP

YES it will never connect… Maybe you should study a lil more about routing, how it works and also about VPN Tunnels…

Also DHCP is a Layer 2 Protocol… you will need either BCP or EoIP as well…

frank333 · April 4, 2020, 11:36pm

Zacharias ,
to turn the LAN traffic on vpn, using a tik in mode bridge are the same rules that you explained above?
here is my configuration:
http://forum.mikrotik.com/t/how-to-bridge-vpn-client-to-single-lan-port/137812/1

samwarez · April 6, 2020, 4:57pm

Thank you for the information regarding DHCP, That explains a lot.

However, I thing there is some confusion regarding my question. I am familiar with routing, my issues is getting the Tik to use the interface (or the IP learned via dhcp through that interface) as the gateway. One of the objectives of this project is to have this router form a VPN tunnel WITHOUT any prior knowledge of the local LAN. I know its possible from a networking standpoint as I have seen other devices that do it. The question is how to do this with a mikrotik.

Zacharias · April 6, 2020, 5:31pm

One of the objectives of this project is to have this router form a VPN tunnel WITHOUT any prior knowledge of the local LAN

Ofcorse it is possible… You just use the default route and thats it…