Routing all traffic of specific IP(or MAC) to VPN gateway is very slow.

getfeus · May 28, 2023, 12:38pm

Hello.

I am trying to routing specific devices’s all traffic to VPN gateway.

I have l2tp server(Mikrotik router) on my office and my business PC(With windows OS) is connect to office l2tp using windows VPN connect function.
Yesterday, I add mangle for prerouting for my business PC. Like next code.

/routing table
add disabled=no fib name=OfficeVPN

add action=mark-routing chain=prerouting comment="Business Laptop prerouting" \
    dst-address=!192.168.0.0/16 new-routing-mark=BusinessVPN passthrough=yes \
    src-mac-address=3C:F0:XX:XX:XX:XX

add comment="Mangle Routing(Business)" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=l2tp-out-Office pref-src=0.0.0.0 routing-table=OfficeVPN \
    scope=30 suppress-hw-offload=no target-scope=10

I can found that I can ping to office hosts. But it is extremely slow (even if CPU usage is not high) and connecting to VPN using windows l2tp client is faster than these settings.

How can I fix this problem? Thanks for reading. Best regards.

own3r1138 · May 28, 2023, 1:20pm

Do you have Fasttrack enabled on MT?

anav · May 28, 2023, 3:19pm

Perhaps since this is a single IP it may be possible to avoid mangling and use a routing rule…
Would need to see full config /export file=anynameyouwish ( minus router serial # and any public WANIP info, keys etc. )

getfeus · May 28, 2023, 10:13pm

Thanks for reading. Maybe disabled. I will upload full settings. Thank you.

getfeus · May 28, 2023, 10:15pm

Thans for replying.

I attach full exported files. I have replace some sensitive informations.

# may/28/2023 21:31:22 by RouterOS 7.9rc3
# software id = SENSITIVE
#
# model = CRS326-24G-2S+
# serial number = SENSITIVE
/caps-man channel
add band=2ghz-b/g/n extension-channel=disabled frequency=2412,2432 name=2.4G \
    tx-power=13
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5180 name=5G
/interface pptp-client
add connect-to=SENSITIVE.sn.mynetname.net dial-on-demand=yes disabled=no \
    max-mru=1500 max-mtu=1500 name=pptp-out-OFFICE user=Japan_mikrotik
add connect-to=SENSITIVE.sn.mynetname.net dial-on-demand=yes name=\
    pptp-out-OFFICE2 user=Japan_Mikrotik
/interface bridge
add admin-mac=SENSITIVE arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=ether5 ] arp=proxy-arp
set [ find default-name=ether6 ] arp=proxy-arp
set [ find default-name=ether7 ] arp=proxy-arp
set [ find default-name=ether8 ] arp=proxy-arp
set [ find default-name=ether9 ] arp=proxy-arp
set [ find default-name=ether10 ] arp=proxy-arp
set [ find default-name=ether11 ] arp=proxy-arp
set [ find default-name=ether12 ] arp=proxy-arp
set [ find default-name=ether13 ] arp=proxy-arp
set [ find default-name=ether14 ] arp=proxy-arp
set [ find default-name=ether15 ] arp=proxy-arp
set [ find default-name=ether16 ] arp=proxy-arp
set [ find default-name=ether17 ] arp=proxy-arp
set [ find default-name=ether18 ] arp=proxy-arp
set [ find default-name=ether19 ] arp=proxy-arp
set [ find default-name=ether20 ] arp=proxy-arp
set [ find default-name=ether21 ] arp=proxy-arp
set [ find default-name=ether22 ] arp=proxy-arp
set [ find default-name=ether23 ] arp=proxy-arp
set [ find default-name=ether24 ] arp=proxy-arp
set [ find default-name=sfp-sfpplus1 ] arp=proxy-arp
set [ find default-name=sfp-sfpplus2 ] arp=proxy-arp
/interface l2tp-client
add allow-fast-path=yes connect-to=SENSITIVE.sn.mynetname.net disabled=no \
    name=l2tp-out-OFFICE use-ipsec=yes user=Japan_mikrotik_l2tp
add allow=mschap1,mschap2 allow-fast-path=yes connect-to=\
    8a7708ca56c4.sn.SENSITIVE.net disabled=no name=l2tp-out-OFFICE2 \
    use-ipsec=yes user=Japan_Mikrotik
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    datapath1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
/caps-man configuration
add channel=2.4G datapath=datapath1 datapath.local-forwarding=yes \
    multicast-helper=full name=config_2.4G security=security1 ssid=\
    Getfeus_2.4G
add channel=5G datapath=datapath1 multicast-helper=full name=config_5G \
    security=security1 ssid=Getfeus_5G
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.0.51-192.168.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=dhcp1
/ipv6 dhcp-server
add address-pool=dhcpv6-1 interface=bridge name=server1
/ipv6 pool
add name=dhcpv6-1 prefix=2a03:7900:6::/48 prefix-length=56
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE change-tcp-mss=default dns-server=8.8.8.8 local-address=\
    192.168.0.1 remote-address=dhcp wins-server=8.8.4.4
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=OFFICE
add disabled=no fib name=OFFICE2
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac,a,an \
    master-configuration=config_5G
add action=create-dynamic-enabled hw-supported-modes=b,gn,g \
    master-configuration=config_2.4G
/interface bridge port
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether21
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 enabled=yes use-ipsec=\
    yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.0.171 mac-address=SENSITIVE server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add comment=watcha.com list=host_watcha
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=drop chain=input comment="Prevent DNS Open Resolver Attack" \
    dst-port=53 protocol=udp src-address=!192.168.0.0/16
add action=drop chain=input comment="Prevent DNS Open Resolver Attack" \
    connection-state=new dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Prevent DNS Open Resolver Attack" \
    connection-state=new dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Accept Perfect Dark TCP 54158" \
    dst-port=54158 protocol=tcp
add action=accept chain=input comment="Accept Winbox Port from OFFICE" \
    dst-port=8291 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input comment="Accept Winbox Port from OFFICE2" \
    dst-port=8291 protocol=tcp src-address=192.168.2.0/24
add action=accept chain=input comment="Accept Winbox TCP 8291" dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="Accept 1723(PPTP)" dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="Accept 1723(PPTP)" dst-port=1723 \
    protocol=udp
add action=accept chain=input comment="Accept 1723(PPTP)" protocol=gre
add action=accept chain=input comment="Accept 47(PPTP)" dst-port=47 protocol=\
    tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="CAPsMAN self" dst-port=5246,5247 \
    protocol=udp src-address=127.0.0.1
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=VPN port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="Block Winbox Port from Internet" \
    dst-port=8291 protocol=tcp src-address=!192.168.0.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment="HP Note-OFFICE2" \
    dst-address=!192.168.0.0/16 new-routing-mark=OFFICE2 passthrough=yes \
    src-mac-address=SENSITIVE
add action=mark-routing chain=prerouting comment=Desktop-OFFICE disabled=yes \
    dst-address=!192.168.0.0/16 new-routing-mark=OFFICE passthrough=yes \
    src-mac-address=SENSITIVE
add action=mark-routing chain=prerouting comment=MiPad5-OFFICE2 disabled=yes \
    dst-address=!192.168.0.0/16 new-routing-mark=OFFICE2 passthrough=yes \
    src-address=192.168.0.73
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0 src-address=\
    192.168.1.0
add action=dst-nat chain=dstnat dst-port=54158 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.254 to-ports=54158
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=pptp-out-OFFICE
add action=masquerade chain=srcnat out-interface=l2tp-out-OFFICE2
add action=netmap chain=dstnat dst-address=192.168.0.254 dst-port=9 protocol=\
    udp to-addresses=192.168.0.253 to-ports=9
/ip route
add comment="PPTP OFFICE" disabled=no distance=1 dst-address=192.168.1.0/24 \
    gateway=l2tp-out-OFFICE pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="PPTP OFFICE2" disabled=no dst-address=192.168.2.0/24 gateway=\
    l2tp-out-OFFICE2
add comment="Mangle Routing(OFFICE2)" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=l2tp-out-OFFICE2 pref-src=0.0.0.0 routing-table=OFFICE2 \
    scope=30 suppress-hw-offload=no target-scope=10
add comment="Mangle Routing(OFFICE)" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=l2tp-out-OFFICE pref-src="" routing-table=OFFICE scope=\
    30 suppress-hw-offload=no target-scope=10
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
add interface=ether5 type=internal
add interface=ether6 type=internal
add interface=ether7 type=internal
add interface=ether8 type=internal
add interface=ether9 type=internal
add interface=ether10 type=internal
add interface=ether11 type=internal
add interface=ether12 type=internal
add interface=ether13 type=internal
add interface=ether14 type=internal
add interface=ether15 type=internal
add interface=ether16 type=internal
add interface=ether17 type=internal
add interface=ether18 type=internal
add interface=ether19 type=internal
add interface=ether20 type=internal
add interface=ether21 type=internal
add interface=ether22 type=internal
add interface=ether23 type=internal
add interface=ether24 type=internal
add interface=sfp-sfpplus1 type=internal
add interface=sfp-sfpplus2 type=internal
add interface=ether1 type=external
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 request=address
/ipv6 nd
add interface=bridge managed-address-configuration=yes other-configuration=\
    yes
/ipv6 nd prefix
add autonomous=no interface=bridge
/ppp secret
add name=OFFICE-mikrotik profile=default-encryption
add name=SENSITIVE-01 profile=default-encryption
add name=SENSITIVE-02 profile=default-encryption
add local-address=192.168.2.1 name=OFFICE2-mikrotik profile=\
    default-encryption
add name=Japan_Auto1
/system clock
set time-zone-name=Asia/Tokyo
/system identity
set name=Shed-CRS326
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
/system script
add dont-require-permissions=no name=resolvehostnames owner=admin policy=\
    read,write source="# define variables\r\
    \n:local list\r\
    \n:local comment\r\
    \n:local newip\r\
    \n:local oldip\r\
    \n\r\
    \n# Loop through each entry in the address list.\r\
    \n:foreach i in=[/ip firewall address-list find] do={\r\
    \n\r\
    \n# Get the first five characters of the list name\r\
    \n  :set list [:pick [/ip firewall address-list get \$i list] 0 5]\r\
    \n\r\
    \n# If they're 'host_', then we've got a match - process it\r\
    \n  :if (\$list = \"host_\") do={\r\
    \n\r\
    \n# Get the comment for this address list item (this is the host name to u\
    se)\r\
    \n    :set comment [/ip firewall address-list get \$i comment]\r\
    \n    :set oldip [/ip firewall address-list get \$i address]\r\
    \n\r\
    \n:log info \"Variable \$address\"\r\
    \n\r\
    \n# Resolve it and set the address list entry accordingly.\r\
    \n    : if (\$newip != \$oldip) do={:set newip [:resolve \$comment]\r\
    \n    /ip firewall address-list set \$i address=\$newip}\r\
    \n    }\r\
    \n  }"

own3r1138 · May 28, 2023, 10:40pm

1 - You leaked out your device SN in your export.
2 - You have a Fasttrack rule with no disabled=yes, which can be the source of your issue. You can use /routing/rules as @Anav mentioned or use connection-mark=no-mark in your Fasttrack filter rule.

anav · May 29, 2023, 12:35am

(1) Your firewall rules are a godly mess, out of order and stepping all over each other, especially the input chain.
Put the chains together and you can see issues more clearly and troubleshoot later

(2) Well I dont understand your DNS input chain setup or fears..
_add action=drop chain=input comment=“Prevent DNS Open Resolver Attack”
dst-port=53 protocol=udp src-address=!192.168.0.0/16
add action=drop chain=input comment=“Prevent DNS Open Resolver Attack”
connection-state=new dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment=“Prevent DNS Open Resolver Attack”
connection-state=new dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=_

The first rule you drop everything heading to port 53 not from your LAN, nothing wrong with that!
So why the need to drop everything from WAN…

In the last rule you then open up your entire router to the WAN, which is a big no no.
Highly recommend something a bit more logical and understandable with two simple rules.

add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment=“drop all else”

Basically allow LAN access to the router including DNS etc.
Block everything else.

If you want more granular control as an admin then simply change this to
add action=accept chain=input in-interface-list=Authorized src-address-list=AdminAccess
add action=accept chain=input comment=“Allow LAN DNS queries-UDP” \ {and NTP *** services if required etc}
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“drop all else”

This approach allows the admin only full access to the router,
THen allows LAN users to access DNS.
This is the most common setup.
All you need to do is make a firewall address list of all the admin IPs, ( desktop, laptop, smartphone, and even L2TP

Also you can then get rid of silly winbox port rule too… clear, clean, readable.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(3) I dont understand the rules you have made at all… Two of them use the same source address for two different routing marks ???

/ip firewall mangle
add action=mark-routing chain=prerouting comment=“HP Note-OFFICE2”
dst-address=!192.168.0.0/16 new-routing-mark=OFFICE2 passthrough=yes
src-mac-address=SENSITIVE
add action=mark-routing chain=prerouting comment=Desktop-OFFICE disabled=yes
dst-address=!192.168.0.0/16 new-routing-mark=OFFICE passthrough=yes
src-mac-address=SENSITIVE
add action=mark-routing chain=prerouting comment=MiPad5-OFFICE2 disabled=yes
dst-address=!192.168.0.0/16 new-routing-mark=OFFICE2 passthrough=yes
src-address=192.168.0.73

What you can do to avoid mangling and by the way the mangle rules would need work if you wanted to use them…

You already have the tables
You already have the routes
Delete mangles and add Routing Rules.
add src-address=IPofPC-1 that needs to go out VPN1 action=lookup table=office
add src-address=IPofPC-2 that needs to go out VPN2 action=lookup table=office2

Note; If you want the user to be able to access LOCAL WAN if the VPN is working you are good to go.
If you do not WANT the pc user to be able to access LOCAL WAN ever, then change action to
action=lookup-only-in-table.