After using V6.49 for a long time, I finally decided to upgrade to V7.9. However, it's not working as it is supposed to. I spent a few hours trying to fix it but couldn't find the solution, so I figured I would ask for help here.
What I want to achieve is to use an interface (L2TP/L2TPv3 or OVPN) as a VPN to route the traffic of some of my devices. There is an address list called “individual-VPN” for that purpose, and all the traffic from or to those devices should go through the VPN interface. The rest, which are not on the address list, should bypass it. There's also another address list called “excluded-addresses,” containing some public IP addresses that I want to bypass the VPN interface, even if the connection is being made from the devices in the “individual-VPN” address list.
I'm also using the “Use peer DNS” option of the VPN interface, which gives a local IP, “172.69.85.0”, from the VPN server as the DNS server for my router and devices.
All of these were working fine on V6.49.7, but I’m having a hard time setting it up on V7.9.
Any help would be highly appreciated.
From what I gather, routing is no different from an IPsec setting perspective (I'm not conversant in IPsec).
Where it makes a difference, besides deeper nuances, is:
a. mangling for routes
b. routing rules for routes
c. tables for routes
d. recursive routing.
Thanks @anav @holvoetn
I've tried these, but the only success was in routing traffic through the VPN interface; the IPs in “excluded-addresses” didn't bypass the VPN interface, and the other devices that weren't in the “individual-VPN” address list couldn't access the internet at all.
In v7 it is not possible to turn off synchronization with IGP routes (the network will be advertised only if the corresponding IGP route is present in the routing table).
Get rid of the bloatware and start from a standard default firewall ruleset, then add the traffic flow you need without all the extra blocking stuff.
Otherwise one cannot see the forest for the trees.
Would love to help, but I wouldn't know where to begin.
Stick to standard settings; not sure why you are mangling inside IPsec rules…
I’m sorry for that confusing config, let me put my request this way:
Can you give me the code to route all the traffic of the local IPs in an address list called “VPN11” (containing 192.168.1.11, 192.168.1.12, 192.168.1.13) through the L2TP_V3 interface, which is not using IPsec (it's “l2tpv3 ip”), and then route the IPs in an address list called “noVPN11” (containing 15.24.16.48, 16.48.152.145, 132.156.185.15) outside that interface (or directly to WAN), even when the connection is made from the IPs in the address list “VPN11”?
For now this will do the job; then I will work on the DNS part.
I notice something strange about DNS on V7. I have a VM on my ESXi server running Pi-hole as a DNS server. On V6 I entered the IP address of that VM under /ip dns on the MikroTik and used the router IP as the DNS server on the clients, but now on V7 it's not working: if I set that VM IP on the client devices it works, but if I set that IP on the router and then use the router on the client devices, it doesn't work.
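A RouterOS v7 policy-routing configuration for the request above, added here as an editor's example rather than code from any poster or from MikroTik; it follows the outline given earlier in the thread (mangle marks for routes, a separate routing table, and a route in that table) and needs no IPsec. The address lists and addresses are the ones in the post; the tunnel interface name `l2tp-vpn`, the LAN prefix 192.168.1.0/24, the table name `via-vpn` and the masquerade rule are assumptions that must be adapted to the real setup.

```routeros
# Added example (not from the thread). Assumed: RouterOS v7, tunnel interface "l2tp-vpn",
# LAN 192.168.1.0/24. The address lists and IPs below are the ones given in the post.
/ip firewall address-list
add list=VPN11 address=192.168.1.11
add list=VPN11 address=192.168.1.12
add list=VPN11 address=192.168.1.13
add list=noVPN11 address=15.24.16.48
add list=noVPN11 address=16.48.152.145
add list=noVPN11 address=132.156.185.15

# v7 requires the routing table to be created explicitly (with a FIB) before
# routes or routing marks can refer to it.
/routing table
add name=via-vpn fib

# Default route that lives ONLY in the via-vpn table; the main table keeps the
# normal WAN default, so hosts that are not in VPN11 are unaffected.
# For a PPP-type tunnel (l2tp-client, ovpn) the interface name works as the
# gateway; for an Ethernet-type l2tpv3 interface use the server's tunnel-side IP.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-vpn routing-table=via-vpn comment="default via VPN"

# Mangle rules in prerouting are evaluated top to bottom:
#  1. VPN11 -> noVPN11 is accepted without a mark (accept ends mangle processing
#     for that packet), so it follows the main table straight out the WAN.
#  2. Everything else from VPN11 that leaves the LAN gets the via-vpn mark.
# LAN-to-LAN and LAN-to-router traffic is excluded by the negated dst-address.
/ip firewall mangle
add chain=prerouting src-address-list=VPN11 dst-address-list=noVPN11 action=accept comment="noVPN11 bypasses the tunnel"
add chain=prerouting src-address-list=VPN11 dst-address=!192.168.1.0/24 action=mark-routing new-routing-mark=via-vpn passthrough=no comment="VPN11 via tunnel"

# Source NAT for traffic leaving through the tunnel (the existing WAN masquerade
# rule stays as it is).
/ip firewall nat
add chain=srcnat out-interface=l2tp-vpn action=masquerade comment="NAT via VPN"

# DNS: the router only answers queries from LAN clients (and forwards them to the
# server set here or learned via use-peer-dns on the tunnel) when this is enabled.
/ip dns
set allow-remote-requests=yes
```

Two checks worth running after applying this: `/ip route print where routing-table=via-vpn` should show the tunnel route as active, and the counters in `/ip firewall mangle print stats` should increase when a VPN11 host browses. If hosts outside VPN11 lose internet access, look for a second default route via the tunnel that ended up in the main table (for instance from `add-default-route=yes` on the tunnel client); the tunnel route must exist only in `via-vpn`. For the router to act as a DNS forwarder, the input chain also has to accept UDP/TCP 53 from the LAN, which a default firewall ruleset does for LAN-side interfaces.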