I have a VPN tunnel set up from the router to a commercial VPN provider. It’s easy for me to forward all the packets from a LAN address, e.g., 192.168.0.44 through the tunnel using a src address list in mode-config. I can’t figure out a way to send only some of the traffic over the VPN. I have one site (with a FQDN) that works over one port, either of which I could use to filter the traffic, but probably the port would be easiest.
What’s the best way to do that?
I have played around with the connection mark and mangle, but I couldn’t get it to work - most likely because I am not smart enough to know what I’m doing there.
I don’t use it often, but mode-config has either matching using address list or connection mark. If you choose the latter, you can mark whatever you want to send via tunnel. Something like:
I take from this that I need only some of those three rules, depending on what I wanted to achieve. If I wanted port-based filtering of traffic from one LAN IP address how would I set that up? Should I mark the connections with the matching port number and then let Mode-Config match both connection mark and IP address? I’ve tried a few variants of mode-config settings chain (forward or pre-routing) and marking connections but couldn’t make it work. I’m effectively guessing.
Do you have both connection mark and src address list set in mode config? I never tried that, so I’m not sure if it works as OR or AND. Try only connection mark. Then you need right conditions. For some ports from specific address e.g.:
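A concrete form of the connection-mark-only approach in the reply above, written as an added example and not a config posted in this thread: it marks only TCP/443 connections from 192.168.0.44 (the thread never names the port, so 443 is an assumption), lets mode-config select those connections, and keeps the marked traffic out of fasttrack so the mangle mark is not bypassed. The names `vpn-conn`, `vpn-cfg` and `vpn-peer` are placeholders.

```routeros
# Added example (not from the thread). Assumptions: the IPsec peer and identity
# already exist, the single port in question is TCP/443, names are placeholders.

/ip firewall mangle
# Mark only new connections from 192.168.0.44 to TCP/443. The mark stays on the
# whole connection, so reply packets are covered; all other traffic from that
# host keeps its normal route.
add chain=prerouting src-address=192.168.0.44 protocol=tcp dst-port=443 \
    connection-state=new action=mark-connection new-connection-mark=vpn-conn \
    passthrough=yes

/ip ipsec mode-config
# Initiator mode-config matching on the connection mark only (no src-address-list),
# so the dynamic src-nat rule and policy apply just to marked connections.
add name=vpn-cfg responder=no connection-mark=vpn-conn

/ip ipsec identity
# Attach the mode-config to the existing peer (peer name is a placeholder).
set [ find peer=vpn-peer ] mode-config=vpn-cfg

/ip firewall filter
# Fasttracked packets skip mangle and NAT, so tunnel-bound traffic must be
# accepted before the fasttrack rule in both directions.
add chain=forward action=accept connection-state=established,related \
    ipsec-policy=out,ipsec place-before=[ find action=fasttrack-connection ]
add chain=forward action=accept connection-state=established,related \
    ipsec-policy=in,ipsec place-before=[ find action=fasttrack-connection ]
```

Once the tunnel is up, `/ip firewall nat print` should show a dynamic srcnat rule keyed on `connection-mark=vpn-conn` translating to the address the provider assigned; if that rule is missing, the mode-config is not being applied to the marked connections.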
Yep, that did it. Many many thanks for helping me get it going.
On a related note. I pushed my knowledge even further and tried to set two different VPNs - both from the same VPN provider, but to 2 different countries. This broke them both. Is it possible, using this method, to have multiple VPNs and to use mangle to send the traffic down different routes?
It depends on what local addresses (for your end of tunnel) you get from them. If they are different ones, it should work (most likely). But if it happens to be same address, it wouldn’t work.
The end of tunnel address is different (different country). The tunnels are established, but the setup doesn’t work as I want it to. The difference in the config seems to be that only one VPN route (is that the right term?) has a dynamic NAT entry created, but the other does not. Otherwise, all looks the same in both set-ups, barring the appropriate choices of mode config, mangling, etc.
This does seem to create two working tunnels, but the traffic doesn’t flow as expected.
One issue doing this is that the special mark ipsec can be used to bypass fasttrack. Perhaps you can add two fasttrack filter rules to deal with that, but I haven’t got that far - I just disabled fasttrack to test.
I think it’s the dynamic NAT entry that is the problem. Of the two tunnels created it seems that traffic gets sent over the first one that creates a NAT entry.
Any suggestions? I would guess multiple VPN tunnels must be a common scenario.
It looks like there is, yes = 10.6.0.1 and 10.6.0.6. There are also two dynamic NAT entries that use those addresses.
As far as I can tell the bit that isn’t working is mangling the packets matching a destination address. It doesn’t seem to send anything over the tunnel. Not sure how to troubleshoot…
If you also have two distinct marks (you do, right?), then srcnat conditions should match, source should get changed to one address or another, and then the right IPSec policy should apply. Right now I don’t know what could be the problem. If you export and post your config, maybe someone will see some problem in there.