Route specific traffic through the VPN

I have a network (192.168.1.XXX), connected to the internet.
To access an application I have to set up a VPN and route through the VPN tunnel the requests from local devices that are addressed to the VPN network IPs (192.180.1.XXX).
How can I route only the requests to 192.180.1.1 through the VPN connection?

It depends on the VPN type. For most types of VPNs, including something-via-IPsec, you need just another route; for a policy-based IPsec, you need some route for the destination (the default one will do) and an /ip ipsec policy to intercept the packets already routed and deliver them to the destination via the security association.

The VPN is a tunnel to reach a server that exposes a web server on ports 80, 8080 and 443.
The clients on my network have to type https://192.180.1.10 in the browser to use it.
Is an /ip ipsec policy setup sufficient?

I can only repeat my question - what kind of tunnel in particular? Something-over-IPsec or just IPsec? Post the export of the configuration, see my automatic signature for a hint on anonymization.

Just IPsec (IKE - IPsec).

In that case yes, an /ip ipsec policy is normally enough. At the client side, it will have src-address=the.client.sub.net/mask dst-address=192.180.1.10, and at the server side, these items’ values will be swapped. For a single protocol & port combination it makes sense to add these parameters to the policy; for several ports, it is better to use a policy not restricted to particular ports and if you want to block access to other ports than the listed ones, use regular /ip firewall filter rules for that.

But if you are not the administrator of the VPN “server” side and the server forces a policy to your Mikrotik as you have to use mode-config and policy-generate different from no to obtain an IP address, things may be different.

I will try. I’m not the administrator of the server side.
The server side is managed by the company that sells the web application.
The VPN connects my router to their datacenter.

In that case I’m afraid I’ll need to see the running configuration when the VPN is up - in particular, the result of /ip ipsec policy print. The IKE part (phase 1, the control connection of the IPsec tunnel) may be up but if you haven’t configured the peer/identity (depending on RouterOS version) with mode-config and generate-policy properly, there may be no policy and the server may not accept a policy configured by you. The common issue is that if you connect to a remote network, the address at your side has to be unique in the remote network’s context, which implies that it must be a public one (which should be unique by definition although nothing is impossible) or it must be assigned by them, which in turn makes it potentially conflicting with your network context. So the safest approach is that the server assigns you a public address from its own pool. And if it assigns you an address, it also needs to assign you a policy matching that assigned address (which may not be the same every time you connect), and your /ip ipsec mode-config row must contain the name of an address-list which will be used in a dynamically added /ip firewall nat rule changing the source address of packets from hosts whose source-address matches that address-list so that the policy could match them and send them down the SA.

Hello,

Can I give life to this thread by sharing my problem? I have two MikroTik devices in different countries and they are connected together through IPsec. I want to route specific traffic (blocked sites) from one country to the other country.

These are my settings on the one side.

/interface bridge
add admin-mac=C4:AD:34:D7:15:C2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1500
set [ find default-name=ether4 ] l2mtu=1500
set [ find default-name=ether5 ] l2mtu=1500
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=v42049471
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] connection-mark=via-ipsec
/ip ipsec peer
add address=HIDDEN exchange-mode=ike2 local-address=192.168.36.1 \
    name=Athens
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=8h pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.36.10-192.168.36.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=bridge lease-time=1h \
    name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.36.1 local-address=192.168.89.1 \
    remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.36.1/24 comment=defconf interface=bridge network=\
    192.168.36.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.36.222 client-id=1:0:11:32:be:e1:ca comment=Synology \
    mac-address=00:11:32:BE:E1:CA server=defconf
add address=192.168.36.221 mac-address=D4:5E:EC:39:D0:8D server=defconf
add address=192.168.36.220 mac-address=AC:D5:64:6C:62:A9 server=defconf
add address=192.168.36.200 client-id=1:9c:93:4e:ac:5e:2d comment=Xerox_VRN \
    mac-address=9C:93:4E:AC:5E:2D server=defconf
add address=192.168.36.100 client-id=1:0:e0:4c:68:1:b8 comment=\
    "Toshiba Click2Pro" mac-address=00:E0:4C:68:01:B8 server=defconf
add address=192.168.36.254 client-id=1:fc:5b:39:7d:b3:d8 comment=CiscoAP \
    mac-address=FC:5B:39:7D:B3:D8 server=defconf
add address=192.168.36.100 client-id=1:0:e0:6c:38:69:82 comment=\
    "Toshiba Click2Pro" disabled=yes mac-address=00:E0:6C:38:69:82 server=\
    defconf
/ip dhcp-server network
add address=192.168.36.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.36.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=94.140.14.14
/ip dns static
add address=192.168.36.1 comment=defconf name=router.lan
/ip firewall address-list
add address=HIDDEN list=WAN-IP
add address=wtfismyip.com list=VPN-destinations
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Mikrotik Management" dst-port=8291 \
    protocol=tcp src-address=192.168.89.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    192.168.35.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
    dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new disabled=yes dst-address-list=VPN-destinations \
    in-interface-list=LAN new-connection-mark=via-ipsec passthrough=yes \
    src-address-list=192.168.36.0/24
/ip firewall nat
add action=accept chain=srcnat comment="NAT bypass" dst-address=\
    192.168.35.0/24 src-address=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.99.0/24 log=yes \
    src-address=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.98.0/24 log=yes \
    src-address=192.168.36.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT" out-interface=\
    pppoe-out1
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.36.0/24 src-address=192.168.36.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-out1 src-address=\
    192.168.36.0/24
add action=dst-nat chain=dstnat comment="Synology Web Management" \
    dst-address-list=WAN-IP dst-port=5000-5001 protocol=tcp to-addresses=\
    192.168.36.222 to-ports=5000-5001
add action=dst-nat chain=dstnat comment="HTTPS Web Server" dst-address-list=\
    WAN-IP dst-port=443 protocol=tcp to-addresses=192.168.36.222 to-ports=443
add action=dst-nat chain=dstnat comment="Synology Cloud Sync" dst-port=6690 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
    to-ports=6690
add action=dst-nat chain=dstnat comment="Plex Toshiba" dst-port=32401 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.100 \
    to-ports=32400
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment=Plex disabled=yes dst-port=64200 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
    to-ports=32400
add action=dst-nat chain=dstnat comment="HTTP Web Server" dst-address-list=\
    WAN-IP dst-port=80 protocol=tcp to-addresses=192.168.36.222 to-ports=80
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=Athens
/ip ipsec policy
add dst-address=192.168.35.0/24 level=unique peer=Athens src-address=\
    192.168.36.0/24 tunnel=yes
add dst-address=192.168.98.0/24 level=unique peer=Athens src-address=\
    192.168.36.0/24 tunnel=yes
add dst-address=192.168.99.0/24 level=unique peer=Athens src-address=\
    192.168.36.0/24 tunnel=yes
/ip service
set www disabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTik_36
/system scheduler
add interval=1m name="Flush SA" on-event=":if ([/ping 192.168.35.1 interface b\
    ridge count=4]<3) do={\r\
    \n  /ip ipsec installed-sa flush;\r\
    \n  :log info \"IPSEC tunnel is down: Flushing Installed SA !!!\"\r\
    \n} else={\r\
    \n\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/08/2021 start-time=12:27:38
add disabled=yes interval=1d name=Reboot on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/17/2021 start-time=05:00:00
/tool graphing interface
add interface=pppoe-out1
add interface=ether1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

On the other side I have double NAT and I don’t know if this is a problem also.

I have followed numerous guides and the bottom line is that I have to create an Address List with the specific domains I want to get through the IPsec tunnel, and then mark these packets (Mangle).
Everything failed. Maybe my config is wrong as well.

Some sites in the Address List resolve to the local ISP IP, since the URL is getting redirected to a page which says “blocked”. How can I also pass this specific DNS query to the other side?

Thank you

Before a deep dive into your fairly complex configuration, two generic points:

  • for “vanilla” IPsec, i.e. a “policy based” one, the only way to affect the “routing” by matching an address list is to use src-nat rules matching on that address list. So if you want some devices in country R to connect to some servers via the router in country G, and some devices in country G to connect to other servers via the router in country R, you need to configure IPsec policies 0.0.0.0/0 ↔ G.G.G.G and R.R.R.R ↔ 0.0.0.0/0, and src-nat rules like action=src-nat to-addresses=R.R.R.R dst-address-list=via-G-WAN in country R and action=src-nat to-addresses=G.G.G.G dst-address-list=via-R-WAN in country G, making the traffic matching the respective address lists “visible” for the corresponding policies.
    Therefore, a setup that uses IPsec only to encrypt some other type of tunnel (IPIP, GRE, L2TP - each has its own advantages and disadvantages), and normal “policy routing” (multiple routing tables using these “normal” tunnels as WAN interfaces), may be easier to understand.
  • the address lists where the address item is a domain name have their limits - since they just resolve particular fqdns to lists of IP numbers, you cannot use wildcards in the domain names. And even worse, since many large companies run multiple services with different fqdns on the same servers, it is not possible to treat such domains differently. As an example, you cannot effectively distinguish between google.com and youtube.com, as both are served from the same local caches.

Thank you for your reply.
I tried and made the changes as you mentioned and now the websites on the address list are failing to load - which is progress in my textbook.

When you say G.G.G.G and R.R.R.R (which is very specific, I can say, because the letters really depict specific countries!), I replaced them with 192.168.35.0/24 and 192.168.36.0/24.
Also I added (not replaced) the IPsec policy as you said on both MikroTik devices and the PH2 state is established. But if I move it up to be first, all the remaining tunnels immediately disconnect.

This is the new config.

/interface bridge
add admin-mac=C4:AD:34:D7:15:C2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1500
set [ find default-name=ether4 ] l2mtu=1500
set [ find default-name=ether5 ] l2mtu=1500
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=v42049471
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] connection-mark=via-ipsec
/ip ipsec peer
add address=HIDDEN exchange-mode=ike2 local-address=192.168.36.1 \
    name=Athens
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=8h pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.36.10-192.168.36.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=bridge lease-time=1h \
    name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.36.1 local-address=192.168.89.1 \
    remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.36.1/24 comment=defconf interface=bridge network=\
    192.168.36.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.36.222 client-id=1:0:11:32:be:e1:ca comment=Synology \
    mac-address=00:11:32:BE:E1:CA server=defconf
add address=192.168.36.221 mac-address=D4:5E:EC:39:D0:8D server=defconf
add address=192.168.36.220 mac-address=AC:D5:64:6C:62:A9 server=defconf
add address=192.168.36.200 client-id=1:9c:93:4e:ac:5e:2d comment=Xerox_VRN \
    mac-address=9C:93:4E:AC:5E:2D server=defconf
add address=192.168.36.100 client-id=1:0:e0:4c:68:1:b8 comment=\
    "Toshiba Click2Pro" mac-address=00:E0:4C:68:01:B8 server=defconf
add address=192.168.36.254 client-id=1:fc:5b:39:7d:b3:d8 comment=CiscoAP \
    mac-address=FC:5B:39:7D:B3:D8 server=defconf
add address=192.168.36.100 client-id=1:0:e0:6c:38:69:82 comment=\
    "Toshiba Click2Pro" disabled=yes mac-address=00:E0:6C:38:69:82 server=\
    defconf
/ip dhcp-server network
add address=192.168.36.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.36.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=94.140.14.14
/ip dns static
add address=192.168.36.1 comment=defconf name=router.lan
/ip firewall address-list
add address=HIDDEN list=WAN-IP
add address=wtfismyip.com list=VPN-destinations
add address=facebook.com list=VPN-destinations
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Mikrotik Management" dst-port=8291 \
    protocol=tcp src-address=192.168.89.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    192.168.35.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
    dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new disabled=yes dst-address-list=VPN-destinations \
    in-interface-list=LAN new-connection-mark=via-ipsec passthrough=yes \
    src-address-list=192.168.36.0/24
/ip firewall nat
add action=accept chain=srcnat comment="NAT bypass" dst-address=\
    192.168.35.0/24 src-address=192.168.36.0/24
add action=src-nat chain=srcnat comment="NAT bypass" dst-address-list=\
    VPN-destinations to-addresses=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.99.0/24 log=yes \
    src-address=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.98.0/24 log=yes \
    src-address=192.168.36.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.40.0/24 log=\
    yes src-address=192.168.36.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT" out-interface=\
    pppoe-out1
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.36.0/24 src-address=192.168.36.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-out1 src-address=\
    192.168.36.0/24
add action=dst-nat chain=dstnat comment="Synology Web Management" \
    dst-address-list=WAN-IP dst-port=5000-5001 protocol=tcp to-addresses=\
    192.168.36.222 to-ports=5000-5001
add action=dst-nat chain=dstnat comment="HTTPS Web Server" dst-address-list=\
    WAN-IP dst-port=443 protocol=tcp to-addresses=192.168.36.222 to-ports=443
add action=dst-nat chain=dstnat comment="Synology Cloud Sync" dst-port=6690 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
    to-ports=6690
add action=dst-nat chain=dstnat comment="Plex Toshiba" dst-port=32401 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.100 \
    to-ports=32400
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment=Plex disabled=yes dst-port=64200 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
    to-ports=32400
add action=dst-nat chain=dstnat comment="HTTP Web Server" dst-address-list=\
    WAN-IP dst-port=80 protocol=tcp to-addresses=192.168.36.222 to-ports=80
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=Athens
/ip ipsec policy
add dst-address=192.168.35.0/24 level=unique peer=Athens src-address=\
    192.168.36.0/24 tunnel=yes
add dst-address=192.168.35.0/24 level=unique peer=Athens src-address=\
    0.0.0.0/0 tunnel=yes
add dst-address=192.168.98.0/24 level=unique peer=Athens src-address=\
    192.168.36.0/24 tunnel=yes
add dst-address=192.168.99.0/24 level=unique peer=Athens src-address=\
    192.168.36.0/24 tunnel=yes
/ip service
set www disabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTik_36
/system scheduler
add interval=1m name="Flush SA" on-event=":if ([/ping 192.168.35.1 interface b\
    ridge count=4]<3) do={\r\
    \n  /ip ipsec installed-sa flush;\r\
    \n  :log info \"IPSEC tunnel is down: Flushing Installed SA !!!\"\r\
    \n} else={\r\
    \n\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/08/2021 start-time=12:27:38
add disabled=yes interval=1d name=Reboot on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/17/2021 start-time=05:00:00
/tool graphing interface
add interface=pppoe-out1
add interface=ether1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

My config is not complex. It’s a PPPoE connection, DHCP with some static leases, an IPsec site-to-site VPN, some port forwards and a Hairpin NAT so I can hit some internal devices with their external domain name.
You will definitely find some abnormalities or garbage in the config, since I try different configs till something works!

Thank you.

I did not have in mind subnets but indeed individual (/32) addresses, as the purpose is to clearly separate the policies used for “site to site” (LAN subnet to LAN subnet) traffic from policies used for “site to internet via the other country” traffic. Therefore, G.G.G.G and R.R.R.R should be private addresses outside any subnet you use at either site, used solely to make the traffic “visible” to the policies. Using the local subnets doesn’t actually break anything, it just makes the overall configuration a bit less clear. There’s also another reason, see below.

The added policies I’ve suggested are just one part of the overall solution; the other part is the action=src-nat rule matching on dst-address-list=VPN-destinations. The way you have configured it, it exempts the traffic towards the VPN destinations from getting masqueraded to the local WAN addresses, which explains why the connections stopped working the normal way; why the connections did not succeed via the remote site’s WAN connection is yet to be resolved.


This sounds strange. By design, the traffic gets matched against the traffic selectors of the policies from the topmost policy to the bottommost one until first match, just like when matching firewall rules, routing rules etc. So a policy x.x.x.0/24 → 0.0.0.0/0 shadows a policy x.x.x.0/24 → y.y.y.0/24 if the “wider” one is placed earlier (higher) in the policy list, but if the “wider” policy works properly, the fact that the “narrower” one is shadowed should not break the traffic that matches the “narrower” one provided that both policies establish their SAs between the same pair of peers.

One of the rare cases where MikroTik “knows better than the user what the user wants to do” is that an IPsec responder marks policies with dst-address=0.0.0.0/0 as Invalid, or just doesn’t allow them to become active, under some circumstances. This is a “safety precaution” to prevent the users from locking themselves out from the router by misconfiguring IPsec. However, if this was the reason why the connections to “VPN-destinations” fail, the policy should not be shown as Active.

To rule this out, first change the policies so that G.G.G.G and R.R.R.R are indeed outside of any subnet used at the router (because the danger of locking yourself out is real, and you need to access the router via MAC address to revert such a misconfiguration, which may not be easy if the remote site is unattended), and then split the policy into two, one with dst-address=0.0.0.0/1 and the other one with dst-address=128.0.0.0/1 (and correspondingly for src-address at the other peer).

G.G.G.G and R.R.R.R need not be assigned to any interface on any of the routers, they are just used by the src-nat rules and the policies.
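The pure policy-based variant described in the posts above, written out as an added example (not configuration from the thread or from either router). It assumes RouterOS v7 syntax (the export above uses v7-style sections), and picks R.R.R.R = 10.255.255.36 and G.G.G.G = 10.255.255.35 as the reserved /32 addresses, chosen outside every subnet used at either site and never assigned to an interface. The G-side peer name "Moscow" and WAN interface list "WAN" are assumptions, since the Athens export is not in the thread.

```routeros
# --- R side (Moscow, LAN 192.168.36.0/24, peer=Athens) ---

# 1. Destinations that should leave through the other country's WAN.
/ip firewall address-list
add address=facebook.com list=VPN-destinations

# 2. Rewrite the source of matching connections to R.R.R.R so that the wide
#    policy below can see them. place-before=0 puts it above every masquerade
#    rule; otherwise the masquerade to the WAN address wins first.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=10.255.255.36 \
    src-address=192.168.36.0/24 dst-address-list=VPN-destinations \
    place-before=0 comment="R clients -> remote WAN via G"

# 3. Connections arriving from G with source G.G.G.G leave via the local WAN.
add chain=srcnat action=masquerade src-address=10.255.255.35/32 \
    out-interface=pppoe-out1 comment="G clients via R WAN"

# 4. Wide policies. A responder may refuse dst-address=0.0.0.0/0 as a lockout
#    precaution, so 0.0.0.0/0 is split into 0.0.0.0/1 and 128.0.0.0/1.
#    The existing LAN<->LAN policies stay above these and keep matching first.
/ip ipsec policy
add src-address=10.255.255.36/32 dst-address=0.0.0.0/1   tunnel=yes peer=Athens level=unique
add src-address=10.255.255.36/32 dst-address=128.0.0.0/1 tunnel=yes peer=Athens level=unique
add src-address=0.0.0.0/1   dst-address=10.255.255.35/32 tunnel=yes peer=Athens level=unique
add src-address=128.0.0.0/1 dst-address=10.255.255.35/32 tunnel=yes peer=Athens level=unique

# --- G side (Athens, LAN 192.168.35.0/24), mirrored ---
/ip firewall address-list
add address=facebook.com list=VPN-destinations
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=10.255.255.35 \
    src-address=192.168.35.0/24 dst-address-list=VPN-destinations \
    place-before=0 comment="G clients -> remote WAN via R"
add chain=srcnat action=masquerade src-address=10.255.255.36/32 \
    out-interface-list=WAN comment="R clients via G WAN"
/ip ipsec policy
add src-address=10.255.255.35/32 dst-address=0.0.0.0/1   tunnel=yes peer=Moscow level=unique
add src-address=10.255.255.35/32 dst-address=128.0.0.0/1 tunnel=yes peer=Moscow level=unique
add src-address=0.0.0.0/1   dst-address=10.255.255.36/32 tunnel=yes peer=Moscow level=unique
add src-address=128.0.0.0/1 dst-address=10.255.255.36/32 tunnel=yes peer=Moscow level=unique
```

No route to 10.255.255.x is needed on either router: the default route carries the packet towards the WAN, and the out policy intercepts it before it leaves. To check, `/ip ipsec policy print` should show all four new policies with the A (active) flag and none marked invalid, `/ip ipsec installed-sa print` should list SAs for them, and a browser on a LAN host opening wtfismyip.com (already in the address list above) should report the other country's WAN address. The defconf forward rules "accept in ipsec policy" / "accept out ipsec policy" already let the decrypted traffic through on both sides.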

The whole reason I am trying to do this, is that clients on any subnet should be able to reach banned webpages through the other IPsec connected subnet.
192.168.36.0/24 is the R subnet
192.168.35.0/24 is the G subnet
Example: facebook.com is included in the address list.

Nowadays if I want to reach Facebook (or any banned site), I have to open on my device a VPN connection to another site (OpenVPN). But since I have this IPsec, I want to see if it is possible with Mikrotik.
It is ridiculously easy on other firewalls (pfSense, Watchguard, Fortigate), either by NAT rules or SD-Wan policy.
I understand the mentality to do it, I just don’t freaking understand how to translate this to Mikrotik.

I think I should:

  1. create address list with websites I want to route
  2. mark packets (Mangle)
  3. Create NAT / Filter rules

I followed some guides regarding NordVPN, “adjusted” to my settings, but no dice.
http://forum.mikrotik.com/t/nordvpn-ipsec-mikrotik-routing/140159/1
http://forum.mikrotik.com/t/nordvpn-ipsec-ikev2-killswitch-for-ros6/144817/1

I love MikroTik devices, they do stuff that other firewalls don’t, the power they consume is minimal and I want to learn to program them so as to help others learn this world.

Another idea is to create a separate OpenVPN connection (interface) pointing to a Watchguard device and route address list through there but I don’t want to put extra load since there is a connection already.

Thank you.

No need to explain this. I was a bit surprised you want the functionality to be bi-directional, as if some sites were banned in G and you needed to access them via WAN in R, but technically that’s not a big deal.


It is. There must be some minor issue somewhere.


All correct, although since you use IPsec rather than “normal” routing to route the traffic via the tunnel, you can skip the packet marking phase and use matching against the dst-address-list (normally used to choose packets to get a routing mark) in the src-nat rules.

But IPsec policies need more thinking than normal routes, that’s why I have suggested to use some “normal” tunnel and just use IPsec to encrypt it, even using one of the already existing policies. Such as /interface ipip add local-address=192.168.36.1 remote-address=192.168.35.1 in R, and /interface ipip add local-address=192.168.35.1 remote-address=192.168.36.1 in G. Then, you would add routing tables via-R (in G) and via-G (in R), both consisting of a single default route with gateway=ipip1, and use action=mark-routing dst-address-list=VPN-destinations new-routing-mark=via-X to make the traffic to VPN destinations be routed via the tunnel. For the responses, you have to add routes to 192.168.3x.0/24 via ipip1 to the main routing table, as the policy 192.168.35.0/24 ↔ 192.168.36.0/24 will ignore these responses.


When sticking with IPsec policies, the thing is that e.g. a policy 192.168.0.0/24 ↔ 0.0.0.0/0 will match also on packets between the router’s own address in 192.168.0.0/24 and any host connected to that subnet. So it will prevent hosts in this subnet from managing the router and/or using it as DNS. So you either need to put a policy 192.168.0.0/24 ↔ 192.168.0.0/24 action=none above it to shadow the wider one, or you have to use something else than 192.168.0.0/24 for the “wide” policy to avoid that conflict completely. That’s why I keep insisting that G.G.G.G and R.R.R.R should be addresses reserved solely for the purpose of sending the traffic for the “remote WAN”. /32 addresses are sufficient because at the remote end, all these connections will be src-nat’ed to the single WAN address anyway. And since you have 3 subnets in Athens, the order of policies would be extremely important if you wanted to keep using 192.168.35.0/24 and 192.168.36.0/24 as G.G.G.G and R.R.R.R, such as

src-address=192.168.35.0/24 dst-address=192.168.36.0/24 action=encrypt peer=Moscow
src-address=192.168.98.0/24 dst-address=192.168.36.0/24 action=encrypt peer=Moscow
src-address=192.168.99.0/24 dst-address=192.168.36.0/24 action=encrypt peer=Moscow
src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=none
src-address=192.168.0.0/16 dst-address=0.0.0.0/0 action=encrypt peer=Moscow
src-address=0.0.0.0/0 dst-address=192.168.0.0/16 action=encrypt peer=Moscow

The first three policies would be the already existing “real” policies, the fourth one would prevent traffic between local subnets from getting “kidnapped” to R, and the fifth and sixth policy would provide the “remote WAN” operation. Instead of the first 4 policies, you’d have to use 9 ones with action=none to prevent all local traffic from being kidnapped to R (35<=>35, 98<=>98, 99<=>99, 35<=>98, 98<=35, 35<=>99, 99<=35, 99<=>98, 98<=99).

Plus there is the thing with the likely need to split 0.0.0.0/0 into halves to work around the safety measure of Mikrotik.
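To make the ordering argument concrete, here is an added example that is not part of the thread: a small Python first-match simulator over the six policies listed above, plus the 9-policy variant and the split-0.0.0.0/0 work-around. It assumes only that RouterOS walks /ip ipsec policy entries top-down and the first src/dst match decides the action, which is the behaviour the post relies on; all addresses are the thread's own.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Assumption (not stated in the thread): policies are evaluated top-down and
# the first one whose src/dst prefixes contain the packet wins.
def policy(src, dst, action, peer=None):
    return {"src": ip_network(src), "dst": ip_network(dst),
            "action": action, "peer": peer}

def first_match(policies, src, dst):
    """Return (index, action, peer) of the first matching policy, or
    (None, 'none', None) when no policy applies and the packet is plainly routed."""
    s, d = ip_address(src), ip_address(dst)
    for i, p in enumerate(policies):
        if s in p["src"] and d in p["dst"]:
            return i, p["action"], p["peer"]
    return None, "none", None

def none_pairs(subnets):
    """The 9 action=none policies for 3 local subnets: every ordered pair
    (35->35, 35->98, 98->35, ...) so local traffic never enters the tunnel."""
    return [policy(a, b, "none") for a, b in product(subnets, repeat=2)]

def split_default(net="0.0.0.0/0"):
    """The 'split 0.0.0.0/0 into halves' work-around: two /1 prefixes."""
    return [str(n) for n in ip_network(net).subnets(prefixlen_diff=1)]

LOCAL = ["192.168.35.0/24", "192.168.98.0/24", "192.168.99.0/24"]  # Athens
REMOTE = "192.168.36.0/24"                                          # behind R

REAL = [policy(s, REMOTE, "encrypt", "Moscow") for s in LOCAL]     # policies 1-3
SHADOW = policy("192.168.0.0/16", "192.168.0.0/16", "none")        # policy 4
WIDE = [policy("192.168.0.0/16", "0.0.0.0/0", "encrypt", "Moscow"),  # policy 5
        policy("0.0.0.0/0", "192.168.0.0/16", "encrypt", "Moscow")]  # policy 6

ORDERED = REAL + [SHADOW] + WIDE              # order given in the post
WRONG = REAL + WIDE + [SHADOW]                # shadowing policy below the wide one
EXPLICIT = REAL + none_pairs(LOCAL) + WIDE    # the 9 explicit action=none policies
HALVES = (REAL + [SHADOW]
          + [policy("192.168.0.0/16", h, "encrypt", "Moscow") for h in split_default()]
          + [WIDE[1]])

if __name__ == "__main__":
    # Constructed sample packets: LAN->remote LAN, host->own router,
    # local subnet->local subnet, LAN->internet via the "remote WAN".
    cases = [("192.168.35.10", "192.168.36.5"), ("192.168.35.10", "192.168.35.1"),
             ("192.168.99.5", "192.168.98.1"), ("192.168.35.10", "8.8.8.8")]
    for name, pols in [("ordered", ORDERED), ("wrong", WRONG),
                       ("explicit", EXPLICIT), ("halves", HALVES)]:
        for src, dst in cases:
            print(f"{name:9} {src} -> {dst}: {first_match(pols, src, dst)}")
```

In the WRONG order a host talking to its own router (192.168.35.10 -> 192.168.35.1) hits the wide encrypt policy, which is exactly the "kidnapping" the post describes; in the other three orders it stays local.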

The thing with 3 subnets … just forget it and I am sorry that I confused you!
The 192.168.35.0/24 is the one I am using (LAN) and trying to implement changes.

192.168.99.1 is the internet gateway (WAN - as I said, double NAT) and I added it just to be able to configure the ISP equipment remotely through IPsec (port forwarding, restarting equipment etc.). Because in Greece, SMB internet equipment doesn’t support trunking and the DMZ is locked…
192.168.98.1 is a second 4G / voice gateway (WAN#2) in case .99.1 fails. I haven’t implemented a dual WAN failover configuration yet, but it’s the next thing I will focus on, when I find a solution for this problem.

Can you please tell me the extra commands I should input, and I will do it one by one to check how it behaves?
I have already reverted back to the original config I sent in the first place.

Thank you.

Which way you want, pure policy-based IPsec or the IPIP tunnel encrypted using an existing policy? In any case, I need the export from the router in Athens as well as it will require a configuration modification too.

I don’t even know the pros / cons of each case. What is the simplest way for easy troubleshooting? :smiley:

36 site

/interface bridge
add admin-mac=C4:AD:34:D7:15:C2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1500
set [ find default-name=ether4 ] l2mtu=1500
set [ find default-name=ether5 ] l2mtu=1500
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=v42049471
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] connection-mark=via-ipsec
/ip ipsec peer
add address=HIDDEN exchange-mode=ike2 local-address=192.168.36.1 \
    name=Athens
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=8h pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.36.10-192.168.36.254
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=bridge lease-time=1h \
    name=defconf
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.36.1/24 comment=defconf interface=bridge network=\
    192.168.36.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.36.222 client-id=1:0:11:32:be:e1:ca comment=Synology \
    mac-address=00:11:32:BE:E1:CA server=defconf
add address=192.168.36.221 mac-address=D4:5E:EC:39:D0:8D server=defconf
add address=192.168.36.220 mac-address=AC:D5:64:6C:62:A9 server=defconf
add address=192.168.36.200 client-id=1:9c:93:4e:ac:5e:2d comment=Xerox_VRN \
    mac-address=9C:93:4E:AC:5E:2D server=defconf
add address=192.168.36.100 client-id=1:0:e0:4c:68:1:b8 comment=\
    "Toshiba Click2Pro" mac-address=00:E0:4C:68:01:B8 server=defconf
add address=192.168.36.254 client-id=1:fc:5b:39:7d:b3:d8 comment=CiscoAP \
    mac-address=FC:5B:39:7D:B3:D8 server=defconf
add address=192.168.36.100 client-id=1:0:e0:6c:38:69:82 comment=\
    "Toshiba Click2Pro" disabled=yes mac-address=00:E0:6C:38:69:82 server=\
    defconf
/ip dhcp-server network
add address=192.168.36.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.36.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=94.140.14.14
/ip dns static
add address=192.168.36.1 comment=defconf name=router.lan
/ip firewall address-list
add address=HIDDEN list=WAN-IP
add address=wtfismyip.com list=VPN-destinations
add address=facebook.com list=VPN-destinations
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Mikrotik Management" dst-port=8291 \
    protocol=tcp src-address=192.168.89.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    192.168.35.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
    dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new disabled=yes dst-address-list=VPN-destinations \
    in-interface-list=LAN new-connection-mark=via-ipsec passthrough=yes \
    src-address-list=192.168.36.0/24
/ip firewall nat
add action=accept chain=srcnat comment="NAT bypass" dst-address=\
    192.168.35.0/24 src-address=192.168.36.0/24
add action=src-nat chain=srcnat comment="NAT VPN" disabled=yes \
    dst-address-list=VPN-destinations to-addresses=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.99.0/24 log=yes \
    src-address=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.98.0/24 log=yes \
    src-address=192.168.36.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.40.0/24 log=\
    yes src-address=192.168.36.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT" out-interface=\
    pppoe-out1
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.36.0/24 src-address=192.168.36.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-out1 src-address=\
    192.168.36.0/24
add action=dst-nat chain=dstnat comment="Synology Web Management" \
    dst-address-list=WAN-IP dst-port=5000-5001 protocol=tcp to-addresses=\
    192.168.36.222 to-ports=5000-5001
add action=dst-nat chain=dstnat comment="HTTPS Web Server" dst-address-list=\
    WAN-IP dst-port=443 protocol=tcp to-addresses=192.168.36.222 to-ports=443
add action=dst-nat chain=dstnat comment="Synology Cloud Sync" dst-port=6690 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
    to-ports=6690
add action=dst-nat chain=dstnat comment="Plex Toshiba" dst-port=32401 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.100 \
    to-ports=32400
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment=Plex disabled=yes dst-port=64200 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
    to-ports=32400
add action=dst-nat chain=dstnat comment="HTTP Web Server" dst-address-list=\
    WAN-IP dst-port=80 protocol=tcp to-addresses=192.168.36.222 to-ports=80
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=Athens
/ip ipsec policy
add dst-address=192.168.35.0/24 level=unique peer=Athens src-address=\
    192.168.36.0/24 tunnel=yes
add dst-address=192.168.35.0/24 level=unique peer=Athens src-address=\
    0.0.0.0/0 tunnel=yes
add dst-address=192.168.98.0/24 level=unique peer=Athens src-address=\
    192.168.36.0/24 tunnel=yes
add dst-address=192.168.99.0/24 level=unique peer=Athens src-address=\
    192.168.36.0/24 tunnel=yes
/ip service
set www disabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp profile
set *FFFFFFFE dns-server=192.168.36.1 local-address=192.168.89.1 \
    remote-address=*2
/ppp secret
add name=vpn
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTik_36
/system scheduler
add interval=1m name="Flush SA" on-event=":if ([/ping 192.168.35.1 interface b\
    ridge count=4]<3) do={\r\
    \n  /ip ipsec installed-sa flush;\r\
    \n  :log info \"IPSEC tunnel is down: Flushing Installed SA !!!\"\r\
    \n} else={\r\
    \n\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/08/2021 start-time=12:27:38
add disabled=yes interval=1d name=Reboot on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/17/2021 start-time=05:00:00
/tool graphing interface
add interface=pppoe-out1
add interface=ether1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

35 site

/interface bridge
add admin-mac=48:8F:5A:82:D3:17 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=HIDDEN exchange-mode=ike2 local-address=192.168.99.50 \
    name=Russia
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=8h pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.35.200-192.168.35.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=WAN
add interface=ether5 list=WAN
add interface=sfp1 list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.35.1/24 comment=defconf interface=bridge network=\
    192.168.35.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.35.4 client-id=1:fc:ec:da:37:42:84 comment=\
    "Ubiquity Access Point" mac-address=FC:EC:DA:37:42:84 server=defconf
add address=192.168.35.5 client-id=1:44:b2:95:31:3a:48 comment=\
    "Camera Entrance" mac-address=44:B2:95:31:3A:48 server=defconf
add address=192.168.35.221 client-id=1:ec:5c:68:c0:62:cb comment=\
    "Sony TV Wireless" mac-address=EC:5C:68:C0:62:CB server=defconf
add address=192.168.35.3 client-id=1:4c:78:97:0:9a:f4 comment=\
    "Home Security Alarm" mac-address=4C:78:97:00:9A:F4 server=defconf
add address=192.168.35.221 client-id=1:cc:98:8b:e6:f3:cb comment=\
    "Sony TV Wired" disabled=yes mac-address=CC:98:8B:E6:F3:CB server=defconf
/ip dhcp-server network
add address=192.168.35.0/24 comment=defconf gateway=192.168.35.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.35.1 comment=defconf name=router.lan
/ip firewall address-list
add address=wtfismyip.com list=VPN-destinations
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Mikrotik Management" dst-port=8291 \
    protocol=tcp src-address=192.168.40.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    192.168.89.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    192.168.36.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    192.168.35.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="Block Camera to Internet" src-address=\
    192.168.35.5
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
    dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
    protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
/ip firewall nat
add action=accept chain=srcnat comment="NAT bypass" dst-address=\
    192.168.36.0/24 src-address=192.168.35.0/24
add action=src-nat chain=srcnat comment="NAT bypass" dst-address-list=\
    VPN-destinations to-addresses=192.168.35.0/24
add action=accept chain=srcnat dst-address=192.168.36.0/24 src-address=\
    192.168.98.0/24
add action=accept chain=srcnat dst-address=192.168.36.0/24 src-address=\
    192.168.99.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT " disabled=yes \
    out-interface=ether1
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.35.0 src-address=192.168.35.0
add action=accept chain=srcnat disabled=yes dst-address=192.168.40.0/24 \
    src-address=192.168.35.0/24
add action=dst-nat chain=dstnat dst-port=10050-11000 in-interface=ether5 \
    protocol=udp to-addresses=192.168.35.10 to-ports=10050-11000
add action=dst-nat chain=dstnat dst-port=35060-35061 in-interface=ether5 \
    protocol=tcp to-addresses=192.168.35.10 to-ports=35060-35061
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=masquerade chain=srcnat out-interface=ether5 src-address=\
    192.168.35.0/24
/ip firewall service-port
set sip disabled=yes ports=35060,35061
/ip ipsec identity
add peer=Russia
/ip ipsec policy
add dst-address=192.168.36.0/24 level=unique peer=Russia src-address=\
    192.168.35.0/24 tunnel=yes
add dst-address=192.168.36.0/24 level=unique peer=Russia src-address=\
    192.168.98.0/24 tunnel=yes
add dst-address=192.168.36.0/24 level=unique peer=Russia src-address=\
    192.168.99.0/24 tunnel=yes
add dst-address=0.0.0.0/0 level=unique peer=Russia src-address=\
    192.168.35.0/24 tunnel=yes
/ip route
add distance=2 gateway=192.168.98.1
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=MikroTik_35
/system scheduler
add interval=1m name="Flush SA" on-event=":if ([/ping 192.168.36.1 interface b\
    ridge count=4]<3) do={\r\
    \n  /ip ipsec installed-sa flush;\r\
    \n  :log info \"IPSEC tunnel is down: Flushing Installed SA !!!\"\r\
    \n} else={\r\
    \n\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/08/2021 start-time=11:26:42
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

As I said earlier, some sites in the address list resolve to the local ISP “banned” page. How can it pass DNS queries for specific sites through the other site?

Thank you.

An IPsec-encrypted tunnel uses headers of both IPsec and the inner tunnel, so less space is left in each packet for the payload. This is not the case if you use transport mode of IPsec and IPIP (=ipencap) as the inner tunnel, but to simplify the start, we’ll reuse the existing SAs in tunnel mode as suggested earlier. “Vanilla IPsec” with policy matching has its advantages too but only for simple setups.


After years, Mikrotik has added a possibility to use regular expression matching on FQDNs to choose a DNS server.


I’ll send you the scripts for both topics later.

So the bare minimum is as follows.

36:
/ip ipsec policy remove [find src-address=0.0.0.0/0 peer=Athens]
/interface ipip add name=ipip-Athens local-address=192.168.36.1 remote-address=192.168.35.1
/ip route
add dst-address=192.168.35.0/24 gateway=ipip-Athens
add gateway=ipip-Athens routing-mark=via-Athens
/ip firewall filter
set [find action=fasttrack-connection] connection-mark=no-mark
add chain=input place-before=[find action=drop chain=input in-interface-list="!LAN"] protocol=udp dst-port=53 in-interface=via-Athens
/ip firewall mangle
add chain=prerouting src-address=192.168.36.0/24 dst-address-list=VPN-destinations action=mark-routing new-routing-mark=via-Athens
add chain=forward connection-state=!new action=accept
add chain=forward in-interface=ipip-Athens action=mark-connection new-connection-mark=prevent-fasttrack
add chain=forward out-interface=ipip-Athens action=mark-connection new-connection-mark=prevent-fasttrack
/ip dhcp-server network set [find] dns-server=192.168.36.1
/ip dns static
add regexp="google\.com$" forward-to=192.168.35.1

35:
/ip ipsec policy remove [find dst-address=0.0.0.0/0 peer=Russia]
/interface ipip add name=ipip-Russia local-address=192.168.35.1 remote-address=192.168.36.1
/ip route
add dst-address=192.168.36.0/24 gateway=ipip-Russia
add gateway=ipip-Russia routing-mark=via-Russia
/ip firewall filter
set [find action=fasttrack-connection] connection-mark=no-mark
add chain=input place-before=[find action=drop chain=input in-interface-list="!LAN"] protocol=udp dst-port=53 in-interface=via-Russia
/ip firewall mangle
add chain=prerouting src-address=192.168.35.0/24 dst-address-list=VPN-destinations action=mark-routing new-routing-mark=via-Russia
add chain=forward connection-state=!new action=accept
add chain=forward in-interface=ipip-Russia action=mark-connection new-connection-mark=prevent-fasttrack
add chain=forward out-interface=ipip-Russia action=mark-connection new-connection-mark=prevent-fasttrack
/ip dhcp-server network set [find] dns-server=192.168.35.1
/ip dns static
add regexp="\.[rs]u$" forward-to=192.168.36.1

Try that and let me know the outcome. You have to let the LAN hosts re-request the IP settings via DHCP (or wait until they do that automatically once the lease time is at 1/2) so that their DNS server setting would change to the Mikrotik, so that the query forwarding could work.

Thank you for the config.

On .36 I pasted your commands into the Terminal and got errors. I tried to input them manually, starting with the /ip/route> add gateway=ipip-Athens routing-mark=via-Athens
but there is no “routing-mark” option. Only routing Table.

This is the output of Terminal.

[admin@MikroTik_36] > /ip ipsec policy remove [find src-address=0.0.0.0/0 peer=Ath
ens]
[admin@MikroTik_36] > /interface ipip add name=ipip-Athens local-address=192.168.3
6.1 remote-address=192.168.35.1
[admin@MikroTik_36] > /ip route
[admin@MikroTik_36] /ip/route> add dst-address=192.168.35.0/24 gateway=ipip-Athens

[admin@MikroTik_36] /ip/route> add gateway=ipip-Athens routing-mark=via-Athens
expected end of command (line 1 column 25)
[admin@MikroTik_36] /ip/route> /ip firewall filter
[admin@MikroTik_36] /ip/firewall/filter> set [find action=fasttrack-connection] co
nnection-mark=no-mark
[admin@MikroTik_36] /ip/firewall/filter> add chain=input place-before=[find action
=drop chain=input in-interface-list=“!LAN”] protocol=udp dst-port=53 in-interface=
via-Athens
input does not match any value of interface
[admin@MikroTik_36] /ip/firewall/filter> /ip firewall mangle
[admin@MikroTik_36] /ip/firewall/mangle> add chain=prerouting src-address=192.168.
36.0/24 dst-address-list=VPN-destinations action=mark-routing new-routing-mark=via
-Athens
input does not match any value of new-routing-mark
[admin@MikroTik_36] /ip/firewall/mangle> add chain=forward connection-state=!new a
ction=accept
[admin@MikroTik_36] /ip/firewall/mangle> add chain=forward in-interface=ipip-Athen
s action=mark-connection new-connection-mark=prevent-fasttrack
[admin@MikroTik_36] /ip/firewall/mangle> add chain=forward out-interface=ipip-Athe
ns action=mark-connection new-connection-mark=prevent-fasttrack
[admin@MikroTik_36] /ip/firewall/mangle> /ip dhcp-server network set [find] dns-se
rver=192.168.36.1
[admin@MikroTik_36] /ip/firewall/mangle> /ip dns static
[admin@MikroTik_36] /ip/dns/static> add regexp=“google\.com$” forward-to=192.168
.35.1

Do I need to upgrade firmware to enable this option?