route internet from one IP over VPN

Hi,
I have the following question.
I would like to route the internet traffic from one IP in my network over the VPN.
The router has the IP 10.10.10.254. The PC which I would like to route over the VPN has the IP 10.10.10.150.
I have the following rules in my firewall.

/ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=PureVPN_SSTP passthrough=yes
src-address=10.10.10.150 dst-address-list=!Local subnet log=no log-prefix=""

/ip route
add disabled=yes distance=1 gateway=PureVPN-SSTP routing-mark=PureVPN_SSTP

But with this I have no internet on the PC.

Maybe someone can help :wink:

Yes, you cannot have internet because your route is added with disabled=yes;
it should be disabled=no.
Go to IP > Routes and enable that route!

Also, to be sure that you will have internet when the VPN is not working, you need to add
add disabled=no distance=2 gateway="your default gateway IP" routing-mark=PureVPN_SSTP

Sorry, I had the route enabled when I was testing. It's disabled because I was exporting it.

The info you provided is very limited. With that said, my first suggestion would be to check if you have a NAT rule for the VPN connection.
Also, I noticed you have passthrough set to yes; if there are other route-mark rules after that rule, the packet might be re-marked and not follow the correct route.

Sorry, these are my settings. I hope this helps with finding the error :wink:

[admin@Core_Router] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes
tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1301-65535
log=no log-prefix=""

1 chain=forward action=mark-connection new-connection-mark=con_mark
passthrough=yes in-interface=bridge_ext

2 chain=forward action=mark-packet new-packet-mark=client_download
passthrough=no connection-mark=con_mark out-interface=bridge_intern

3 chain=forward action=mark-packet new-packet-mark=client_upload
passthrough=no connection-mark=con_mark in-interface=bridge_intern

4 chain=prerouting action=mark-routing new-routing-mark=PureVPN_SSTP
passthrough=yes src-address=10.10.10.150 dst-address-list=!Local subnet
in-interface=bridge_intern log=no log-prefix=""

and the routes

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  0.0.0.0/0                          PureVPN-SSTP              1
 1 ADS  0.0.0.0/0                          80.XXX.XX.1               1
 2 ADC  10.10.10.0/23      10.10.10.254    bridge_intern             0
 3 ADC  10.11.12.3/32      10.11.12.254                              0
 4 ADC  10.11.12.4/32      10.11.12.254    <l2tp-Stand…              0
 5 A S  10.20.20.0/24                      10.11.12.3                1
 6 A S  10.20.30.0/24                      10.11.12.4                1
 7 ADC  80.XXX.XX.0/23     80.XXX.XX.164   bridge_ext                0

and the NAT rules

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Redirect DNS
chain=dstnat action=dst-nat to-addresses=10.10.10.254 to-ports=53
protocol=udp src-address=!10.10.10.250 in-interface=bridge_intern
dst-port=53 log=no log-prefix="DNS"

1 ;;; Redirect DNS
chain=dstnat action=dst-nat to-addresses=10.10.10.254 to-ports=53
protocol=tcp src-address=!10.10.10.250 in-interface=bridge_intern
dst-port=53 log=no log-prefix=""

2 ;;; NAT NAS KELLER HTTP
chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=5000
protocol=tcp src-address-list=AT in-interface=bridge_ext dst-port=5000

3 ;;; NAT NAS KELLER HTTPS
chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=5001
protocol=tcp src-address-list=AT in-interface=bridge_ext dst-port=5001

4 ;;; NAT NAS KELLER
chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=443
protocol=tcp src-address-list=AT in-interface=bridge_ext dst-port=443
log=no log-prefix=""

5 ;;; NAT NAS KELLER CARDAV
chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=8443
protocol=tcp src-address-list=AT in-interface=bridge_ext dst-port=8443

6 ;;; NAT NAS KELLER
chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=80
protocol=tcp src-address-list=AT in-interface=bridge_ext dst-port=80
log=no log-prefix=""

7 chain=srcnat action=masquerade out-interface=PureVPN-SSTP log=no
log-prefix=""

8 chain=srcnat action=masquerade out-interface=bridge_ext log=no
log-prefix=""

Chris

What is the problem you are experiencing: a total lack of internet access, i.e. unable to ping / traceroute to a public IP like 8.8.8.8, or name / domain resolution?

As @czfan suggested, do a trace route and see where the packets go…

Hi,
So this is the tracert to 8.8.8.8:

1 <1 ms 1 ms <1 ms 10.10.10.254
2 * * * Request timed out.
3 151 ms 39 ms 37 ms vlan139.as08.fra4.de.m247.com [192.145.125.81]
4 49 ms 49 ms 38 ms vlan2910.agg1.fra4.de.m247.com [77.243.185.198]
5 38 ms 64 ms 39 ms 37.120.128.148
6 49 ms 41 ms 44 ms 37.120.128.253
7 44 ms 37 ms 48 ms de-cix.fra.google.com [80.81.192.108]
8 46 ms 45 ms 40 ms 108.170.251.129
9 40 ms 44 ms 41 ms 216.239.63.255
10 41 ms 44 ms 37 ms dns.google [8.8.8.8]

It's strange because the ping to the websites is working, but I can't open them in the browser if the route is enabled.
It looks like a routing problem. I think the ping is working because of the connection tracker.

What I see is that the packet does not leave the router through your VPN as it should...
So you don't even reach the remote router...

This is not right.

This is the normal tracert

1 <1 ms <1 ms 1 ms 10.10.10.254
2 * * * Request timed out.
3 11 ms 12 ms 8 ms 80-XXX-XX-XX.static.upcbusiness.at [80.XXX.XX.XX]
4 25 ms 33 ms 24 ms at-vie01b-rc1-ae-9-2014.aorta.net [84.116.228.13]
5 26 ms 25 ms 35 ms at-vie05b-ri3-ae-4-0.aorta.net [213.46.173.117]
6 30 ms 29 ms 28 ms 213.46.184.50
7 29 ms 30 ms 27 ms 108.170.247.97
8 28 ms 28 ms 30 ms 209.85.252.209
9 44 ms 40 ms 48 ms dns.google [8.8.8.8]

If you can ping the IP address but not browse, then you probably have a name resolution problem; it can be tested by using ping www.google.com or traceroute to the same URL.

I suggest you remove the mangle etc. rules created for the policy-based routing and ensure the VPN is working 100%. Then follow the example below, which is almost exactly what you are trying to achieve

https://wiki.mikrotik.com/wiki/Policy_Base_Routing
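As an added example (not from the thread and not the MikroTik wiki page), here is what a minimal policy-based-routing setup for this case looks like in RouterOS v6 syntax: one LAN host (10.10.10.150) is sent out over the SSTP client interface PureVPN-SSTP, everything else stays on the ISP uplink. The interface names, the host address, the routing mark and the ISP gateway 80.XXX.XX.1 are taken from the thread; the address-list name Local_subnet and its contents, the MSS clamp on the tunnel interface, and the distance-2 fallback and blackhole alternative are assumptions for illustration.

```routeros
# Added example, not the poster's configuration. Assumes RouterOS v6
# (routing-mark), an SSTP client interface named PureVPN-SSTP, a LAN
# bridge named bridge_intern, an ISP bridge named bridge_ext and an ISP
# gateway of 80.XXX.XX.1 (replace with your own values).

# 1. Destinations that must never be sent into the tunnel. The subnets
#    are the ones visible in the thread's route table (assumed complete).
/ip firewall address-list
add list=Local_subnet address=10.10.10.0/23 comment="LAN"
add list=Local_subnet address=10.11.12.0/24 comment="L2TP transit"
add list=Local_subnet address=10.20.20.0/24 comment="remote site via L2TP"
add list=Local_subnet address=10.20.30.0/24 comment="remote site via L2TP"

# 2. Mark routing for the one host, for non-local destinations only.
#    passthrough=no stops mangle processing here, so no later rule in
#    the chain can re-mark the packet.
/ip firewall mangle
add chain=prerouting in-interface=bridge_intern src-address=10.10.10.150 \
    dst-address-list=!Local_subnet action=mark-routing \
    new-routing-mark=PureVPN_SSTP passthrough=no comment="PC -> VPN"

# 3. Clamp TCP MSS on the tunnel. ICMP echo is small and gets through;
#    full-size TCP segments that no longer fit after SSTP encapsulation
#    are the classic cause of "ping works, browser does not" when
#    path-MTU discovery is broken (assumed, not confirmed in the thread).
add chain=forward out-interface=PureVPN-SSTP protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="MSS clamp on VPN"

# 4. Routes in the marked table. An interface route goes inactive when
#    the tunnel is down, so the distance-2 route then takes over.
#    Fail-open (keeps internet, but the host leaves the VPN unnoticed):
/ip route
add dst-address=0.0.0.0/0 gateway=PureVPN-SSTP routing-mark=PureVPN_SSTP \
    distance=1 comment="PC default via VPN"
add dst-address=0.0.0.0/0 gateway=80.XXX.XX.1 routing-mark=PureVPN_SSTP \
    distance=2 comment="PC fallback via ISP when VPN is down"
#    Fail-closed alternative: replace the fallback with a blackhole so
#    the host has no internet at all while the tunnel is down.
# add dst-address=0.0.0.0/0 type=blackhole routing-mark=PureVPN_SSTP \
#     distance=2 comment="PC: drop instead of leaking via ISP"

# 5. Source NAT on both exits. Replies come back on the interface the
#    SYN left from and are matched by connection tracking, so no extra
#    "reverse route" is needed for the marked host.
/ip firewall nat
add chain=srcnat out-interface=PureVPN-SSTP action=masquerade
add chain=srcnat out-interface=bridge_ext action=masquerade

# 6. Checks after applying:
#    mangle counters rise only for traffic from 10.10.10.150
/ip firewall mangle print stats where comment="PC -> VPN"
#    the marked table has an active (A) route via the tunnel
/ip route print where routing-mark=PureVPN_SSTP
#    TCP connections from the host are NATed to the tunnel address
/ip firewall connection print where src-address~"^10.10.10.150:"
#    MTU probe through the tunnel; if 1200 succeeds and 1400 fails,
#    the MSS clamp above is what fixes HTTP
/ping 8.8.8.8 interface=PureVPN-SSTP size=1200 do-not-fragment count=3
/ping 8.8.8.8 interface=PureVPN-SSTP size=1400 do-not-fragment count=3
```

Two points worth deciding up front: whether the host should fail open (the distance-2 ISP route, as suggested earlier in the thread) or fail closed (the blackhole route), since a fail-open design silently sends the host's traffic out unencrypted whenever the tunnel flaps; and whether the tunnel's MTU is smaller than the LAN MTU, which the two ping sizes reveal without any packet captures.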

I can also ping google.com or any other webpage, so the name resolution is working.

It seems that a route is not working. Maybe I need a "reverse route" somehow.

I disabled all the other mangle rules, without success.

In short, if you get a ping reply (via the VPN connection), the routing is working, and if you can ping the name and get a reply (via the VPN connection), name resolution is also fine.

Then you need to look at firewall rules that might possibly block ports 80/443, etc.

I had a similar problem some time ago at work. The ping was fine, but webpages and other stuff were not working. A wrong reverse route was the problem.

This is not right.

This is the normal tracert

1 <1 ms <1 ms 1 ms 10.10.10.254

10.10.10.254 is the router on your side... when you traceroute, you are routed through your router...
Instead you should see the IP address of the remote router as your next hop... as simple as that...
It should go like:

  1. 10.10.10.254 ← your router
  2. x.y.z.w ← remote router

But since, as you say, I am wrong on that, probably I know less...

Symptoms seem similar to IPsec issues - have you tried disabling fasttrack in the filter rules?

Sent from my Mi 9T using Tapatalk

I have no fasttrack rule in the firewall.

[admin@Core_Router] /ip settings> print
ip-forward: yes
send-redirects: yes
accept-source-route: no
accept-redirects: no
secure-redirects: yes
rp-filter: no
tcp-syncookies: no
max-neighbor-entries: 8192
arp-timeout: 30s
icmp-rate-limit: 10
icmp-rate-mask: 0x1818
route-cache: yes
allow-fast-path: yes
ipv4-fast-path-active: no
ipv4-fast-path-packets: 0
ipv4-fast-path-bytes: 0
ipv4-fasttrack-active: no
ipv4-fasttrack-packets: 0
ipv4-fasttrack-bytes: 0

Same problem
http://forum.mikrotik.com/t/problem-with-purevpn-setup-icmp-workls-http-does-not/103786/1


Happy new year

The fasttrack has nothing to do with your problem...
As I've posted earlier, you do not ever reach the next hop, the remote router...
So you've got a routing problem...
Since I do not see your whole config, only parts of it, I would suggest you remove the passthrough from your first mangle rule; you do not need it...
Then, for testing, do a traceroute and you must see the remote router in the second hop...

Happy new year too… :smiley:

@zacharias he's shown the 2 different traceroutes with and without VPN. The next hop will not be his own ISP as traffic is going through the VPN, as it shows.

Sent from my Mi 9T using Tapatalk

Where do you see different traceroutes?
Also, who told you that the packets always choose the same path when you traceroute? Or when they travel the Internet...

The next hop will not be his own isp

The next hop must be the remote router...
Also, I see no traffic through the VPN; I wonder where exactly you see that... since it does not work anyway...
If you take 2 routers and you connect them inside your LAN before the main router, then you do a traceroute to 8.8.8.8 from the last one, what will you see?
Hop 1 router 2
Hop 2 router 1
Hop 3 main router
Right? Isn't each router a hop, or will you again say no?
But you insist that the remote router won't be shown...
That's why it will not work anyway...