[Solved] Route wlan3 through vpn (pptp) - Help!

Hello,

I am trying to configure a solution to route users connected to wlan3 through vpn (pptp).
I created the second bridge, all users connected to wlan3 have separate addresses (192.168.89.0/24) with additional dhcp server.
It does not work and I do not know where the problem is.
Below you can find my config.

[admin15@MikroTik] > export
# aug/15/2016 21:00:33 by RouterOS 6.36
# software id = QPY4-EXUD
#
# Two bridges: "bridge" is the default LAN (192.168.88.0/24),
# "bridge2" carries only wlan3 and is the subnet meant to egress via the pptp tunnel.
/interface bridge
add admin-mac=E4:8D:8C:D7:0A:54 auto-mac=no comment=defconf name=bridge
add name=bridge2
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
# WAN uplink over ether1; credentials are redacted in this paste.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=xxx use-peer-dns=yes user=xxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=plecak2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=plecak5 wireless-protocol=802.11
# wlan3 is a virtual AP on wlan2; it shares the default security profile below.
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:D7:0A:58 master-interface=wlan2 multicast-buffering=disabled name=wlan3 ssid=wlan3 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# The tunnel that bridge2 clients are policy-routed into (see mangle + /ip route below).
# PPTP's MS-CHAPv2/MPPE protection is considered weak; prefer L2TP/IPsec or similar if the server offers it.
/interface pptp-client
add connect-to=x.com.eu disabled=no max-mru=1400 max-mtu=1400 mrru=1600 name=vpn password=xxx user=xxx
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
# One WPA/WPA2-PSK profile shared by all three SSIDs, including the vpn-routed wlan3.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=xxx wpa2-pre-shared-key=xxx
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
# pool2 starts at .10; the mangle src-address range below is aligned to it.
add name=pool2 ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=6h name=defconf
add address-pool=pool2 disabled=no interface=bridge2 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# wlan3 is a port of bridge2 ...
add bridge=bridge2 interface=wlan3
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
# ... but the 192.168.89.1/24 address is bound to wlan3 itself rather than to bridge2
# (the later revision in this thread moves it to bridge2).
add address=192.168.89.1/24 interface=wlan3 network=192.168.89.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.246 client-id=1:38:ea:a7:a3:2b:f mac-address=38:EA:A7:A3:2B:0F server=defconf
add address=192.168.88.226 mac-address=00:21:5A:6F:00:CB server=defconf
add address=192.168.88.245 client-id=1:f8:b1:56:b0:e0:3 mac-address=F8:B1:56:B0:E0:03 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 gateway=192.168.89.1
# allow-remote-requests=yes turns the router into a resolver for every interface the
# input chain accepts from -- see the note on the input chain below.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.89.1 name=router
/ip firewall filter
# Accepts Winbox (8291/tcp) on every interface, pppoe-out1 and vpn included, and sits
# before the "drop input from pppoe-out1" rule at the end of the chain; restrict it with
# in-interface=bridge or a src-address-list so it is not reachable from the WAN side.
add action=accept chain=input dst-port=8291 protocol=tcp
# fasttrack: established/related packets skip the slow path, including mangle, so the
# routing-mark below is not applied to the rest of the connection. The thread's final
# solution is to disable this rule (or exclude vpn-bound traffic from it).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# Only pppoe-out1 is dropped here; new input arriving on the vpn interface (or on raw ether1)
# falls through to the chain's implicit accept. Consider a final "drop chain=input" with
# explicit accepts for bridge/bridge2 instead.
add action=drop chain=input in-interface=pppoe-out1
# Policy routing: everything from the bridge2 pool range gets routing-mark=vpn.
/ip firewall mangle
add action=mark-routing chain=prerouting log-prefix="" new-routing-mark=vpn passthrough=yes src-address=192.168.89.10-192.168.89.254
/ip firewall nat
# Two identical masquerade rules for pppoe-out1; the second is redundant and is removed
# in the later revision.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
add action=masquerade chain=srcnat log-prefix="" out-interface=pppoe-out1
# Hairpin NAT for the default LAN.
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 log-prefix="" out-interface=bridge src-address=192.168.88.0/24
# Port forwards to 192.168.88.226; dst-address-type=local matches any address owned by the
# router, so these also answer on the WAN-facing addresses -- confirm that is intended.
add action=dst-nat chain=dstnat dst-address=!192.168.88.226 dst-address-type=local dst-port=8888 log-prefix="" protocol=tcp to-addresses=192.168.88.226 to-ports=8888
add action=dst-nat chain=dstnat dst-address=!192.168.88.226 dst-address-type=local dst-port=12000 log-prefix="" protocol=tcp to-addresses=192.168.88.226 to-ports=12000
# Masquerade out the tunnel; no src-address restriction in this revision.
add action=masquerade chain=srcnat log-prefix="" out-interface=vpn
# Single route in the "vpn" marked table.
# NOTE(review): if the tunnel goes down, marked traffic may fall back to the main table and
# leave via pppoe-out1 -- confirm, and add an unreachable/blackhole route with routing-mark=vpn
# if leaking bridge2 traffic outside the tunnel is unacceptable.
/ip route
add distance=1 gateway=vpn routing-mark=vpn
/system clock
set time-zone-name=Europe/Warsaw
/system routerboard settings
set cpu-frequency=650MHz init-delay=0s protected-routerboot=disabled
# MAC-server / MAC-Winbox limited to the default bridge only (not bridge2).
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

After I connect to wlan3 my pings go through the vpn. My public IP is the IP of the vpn server (nslookup myip.opendns.com. resolver1.opendns.com), but I am not able to open any website.
Where is the problem?

Could you please help me with this topic?

Try modifying the masquerade rules: set src-address in the vpn rule and in the pppoe rule, and remove the duplicate pppoe rule.


Have a good day!

Are you sure that the masquerade rule for pppoe needs the src-address? The internet connection through pppoe works without src-address, as below.
I added the src-address (the wlan3 users' addresses) to the masquerade rule for vpn, but the internet connection of wlan3 through vpn still does not work.

# Revised srcnat rules: the duplicate pppoe-out1 masquerade is gone and the vpn
# masquerade is now limited to the bridge2 subnet.
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix="" out-interface=pppoe-out1
add action=masquerade chain=srcnat log-prefix="" out-interface=vpn src-address=192.168.89.0/24

Ok, move the vpn masquerade rule to the first position.


Have a good day!

It still does not work. After I connect to wlan3 my pings go through the vpn. My public IP is the IP of the vpn server (nslookup myip.opendns.com. resolver1.opendns.com), but I am not able to open any website.

Could someone please check why routing wlan3 through the vpn (pptp) does not work?

/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge2 interface=wlan3



/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
# The 192.168.89.1/24 address now sits on bridge2, matching the bridge port above.
add address=192.168.89.1/24 interface=bridge2 network=192.168.89.0



/ip firewall nat
# vpn masquerade moved to the first position as suggested. Note the src-address=192.168.89.0/24
# from the previous paste is absent here; without it any traffic that exits via vpn is masqueraded.
add action=masquerade chain=srcnat log-prefix="" out-interface=vpn
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix="" out-interface=pppoe-out1
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 log-prefix="" out-interface=bridge src-address=192.168.88.0/24
# Port forwards to 192.168.88.226; dst-address-type=local matches any router-owned address,
# so these also answer on the WAN-facing addresses -- confirm that is intended.
add action=dst-nat chain=dstnat dst-address=!192.168.88.226 dst-address-type=local dst-port=8888 log-prefix="" protocol=tcp to-addresses=192.168.88.226 to-ports=8888
add action=dst-nat chain=dstnat dst-address=!192.168.88.226 dst-address-type=local dst-port=12000 log-prefix="" protocol=tcp to-addresses=192.168.88.226 to-ports=12000



/ip firewall mangle
# Mark range now starts at .2 while pool2 starts at .10; harmless, but src-address=192.168.89.0/24
# would cover the whole bridge2 subnet without depending on the pool bounds.
add action=mark-routing chain=prerouting log-prefix="" new-routing-mark=vpnmark passthrough=yes src-address=192.168.89.2-192.168.89.254



/ip route
# NOTE(review): single route in the "vpnmark" table; if the tunnel is down, marked traffic
# may fall back to the main table and leave via pppoe-out1 -- confirm, and add an
# unreachable/blackhole route with routing-mark=vpnmark if that leak is unacceptable.
add distance=1 gateway=vpn routing-mark=vpnmark



/ip firewall filter
# Still accepts Winbox (8291/tcp) on every interface, pppoe-out1 and vpn included, ahead of
# the pppoe drop at the end of the chain; add in-interface=bridge or a src-address-list.
add action=accept chain=input dst-port=8291 protocol=tcp
# fasttrack: established/related packets bypass mangle, so the routing-mark above is not
# applied to the rest of the connection. The thread's solution is to disable this rule (or
# exclude vpn-bound traffic from it).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# Only pppoe-out1 is dropped; new input from the vpn interface (or raw ether1) falls through
# to the chain's implicit accept, which also exposes the remote-request DNS resolver there.
add action=drop chain=input in-interface=pppoe-out1

Solution:
If you want to use pptp or l2tp it is best to turn off fasttrack in the firewall filter rules, because fasttracked packets skip the mangle chain and so do not receive the routing mark. You can also try to exclude the vpn traffic from fasttrack instead.