Routing traffic from specific src addresses through specific VPN gateways

RouterOS Beginner Basics
1

Hello everyone,

I have rather unqiue setup, i couldn’t find something similar on these forums or maybe i didn’t know how to perform a valid search. Basically, i have following setup

LAN: 192.168.0.0/24
WAN: 92.105.70.80

There are two PPTP Clients enabled in MT.

This is routing table
[admin@mtodoric-mt] > /ip route print

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.0.1               1
 1 A S  10.0.0.0/16                        VPN1                      2
 2 ADC  10.0.11.1/32       10.0.11.12      VPN1                      0
 3 A S  10.8.0.0/16                        VPN1                      2
 4 A S  77.32.0.0/24                      VPN2                      2
 5 A S  77.32.32.0/24                     VPN2                      2
 6 A S  77.32.36.0/22                     VPN2                      2
 7 ADC  192.168.0.0/24     192.168.0.3     bridge                    0
 8 ADC  192.168.54.109/32  192.168.54.57   VPN2                      0

Addresses 77.32.0.0/24; 77.32.32.0/24; 77.32.36.0/22 are public IP’s, but due to some policies on them, i would like to reach those IP’s from VPNs gateways, specifically VPN2. But only if source IP is on my “Trusted” address list. If it’s not on trusted list, go through default gateway.
I believe i need to do some mangle and possibly NAT them.

I also currently have these NAT rules:

[admin@mtodoric-mt] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=bridge log=no log-prefix="" ipsec-policy=out,none

 1    chain=srcnat action=masquerade src-address-list=Trusted out-interface=VPN2 log=no log-prefix=""

 2    chain=srcnat action=masquerade src-address-list=Trusted out-interface=VPN1 log=no log-prefix=""

But these will basically allow IPs from Trusted address list to access those addresses but if anyone else tries, it will fail since it’s not NATted.

How am i to accomplish this?

2

Hey

You should consider nat independent of routing: route decides how traffic should be forwarded, nat specifies if traffic leaving a particular interface should be changed.

In your case:
Routing
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark … passthrough=yes
mark connections from trusted address list to destination range with specific connection mark
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark= routing-mark=

Ensure you have a routing table named .

Then nat any traffic leaving over vpn1/vpn2/…

3

I knew some mangle needed to be done i just can’t figure out what!
I’ve performed something, so far seems alright !
However, when connection is established it’s TERRIBLY slow when compared to previous setup when i was just using NAT.

I’ve done some troubleshooting and it seems to be slow because of fasttrack filter rule?
When i say it’s terribly slow. I mean i will connect via SSH to target host that is behind VPN from IP that is in Trusted address list. And response between me sending command and server responding can be up to 2 seconds. If i start htop which is constantly sending updates to screen, i can not even exit it because how much it is slow.
If i add routes mentioned in first post to address list named, let’s say “VPN-COMPANY” and edit fasttrack so it doesn’t apply to those addresses, like this:

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related dst-address-list=!VPN-COMPANY src-address=192.168.0.0/24

It will work exceptionally fine. Why is this happening? Btw, my fasttrack includes src-address because i have Guest WiFi and i want fasttrack only on local subnet, not on guest subnet, because they are also rate limited.

Firewall rules are these:

/ip firewall address-list
add address=192.168.0.100 list=Trusted
add address=192.168.0.101 list=Trusted
add address=192.168.0.102 disabled=yes list=Trusted
add address=192.168.0.103 list=Trusted
add address=192.168.0.104 list=Trusted
add address=192.168.0.105 list=Trusted
add address=192.168.0.10 list=Kamere
add address=192.168.0.11 list=Kamere
add address=192.168.0.30 list=Trusted
add address=192.168.0.200 list=Trusted
add address=192.168.0.0/24 list=LAN
add address=192.168.0.3 list=Trusted
add address=77.32.32.0/24 list=VPN-COMPANY
add address=77.32.0.0/24 list=VPN-COMPANY
add address=10.0.0.0/16 list=VPN-COMPANY
add address=10.8.0.0/16 list=VPN-COMPANY
add address=77.32.36.0/22 list=VPN-COMPANY
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related dst-address-list=!VPN-COMPANY src-address=\
    192.168.0.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Do not allow cameras to go online" out-interface=bridge src-address-list=Kamere
add action=drop chain=forward comment="Do not allow guest WiFi to LAN" dst-address=192.168.0.0/24 src-address=10.10.10.0/24
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Trusted IPs to VPN" connection-mark=no-mark dst-address-list=VPN-COMPANY new-connection-mark=\
    trusted-to-vpn passthrough=yes src-address-list=Trusted
add action=mark-routing chain=prerouting connection-mark=trusted-to-vpn new-routing-mark=trusted-to-vpn passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=bridge
add action=masquerade chain=srcnat comment="NAT Trusted" out-interface=VPN1 src-address-list=Trusted
add action=masquerade chain=srcnat comment="NAT Trusted" out-interface=VPN2 src-address-list=Trusted

Routing table:

/ip route
add distance=1 dst-address=10.0.0.0/16 gateway=VPN1 routing-mark=trusted-to-vpn
add distance=1 dst-address=10.8.0.0/16 gateway=VPN1 routing-mark=trusted-to-vpn
add distance=1 dst-address=77.32.0.0/24 gateway=VPN2 routing-mark=trusted-to-vpn
add distance=1 dst-address=77.32.32.0/24 gateway=VPN2 routing-mark=trusted-to-vpn
add distance=1 dst-address=77.32.36.0/22 gateway=VPN2 routing-mark=trusted-to-vpn
add distance=1 gateway=192.168.0.1
4

Nice investiation - analysis - solution track. Congrats

The answer to your question: when a connection is fasttrack-ed, some of it’s packets are bypassing among others mangling, and in your case the special routing. The packets arriving at the destination are then discarded as coming from an unknown sender → retransmit → … Ever now and then packets part of fasttrack are processed in full (to refresh conntrack stats) and that’s when it does get to it’s destination: works but slow due to packet loss.

5

This is actually awesome explanation! Thanks a lot for everything!
Really makes it easier for me to understand the whole mange and fasttrack concept. I have never dealt with it before.
I am familiar with Linux iptables firewall so i do know little more than basics but as I’ve said, I’ve never worked with mangle and fasttrack, as well as routing in general so i still have a lot to learn. But this helps a bunch.

So far this works great. I have yet to do a lot of investigation and analyse, to determine possible performance drops and impacts but so far this is great.
I am doing this on hAP ac^2 so I’m counting on this puppy to handle cpu load and handle everything with great performance as it has 4 cores and all.
But i am more than satisfied for now for my purchase. Up until now, I’ve dealt with MikroTik as a RouterOS installed on a VM inside libvirt with basic free licence. This is huge boost, i yet get to play around with all the features ! :slight_smile: