SSTP interface redirection

Hello,

I’m looking for a way to redirect SSTP VPN service related traffic to an interface which is not the default gateway.

I have a Mikrotik router CCR 2004 with firmware 7.20.6 installed. In my setup:

  • Ether 1 - works as a default gateway,

  • Ether 2 - should be used only for remote user access.

The SSTP service has been configured successfully on the Mikrotik. It works when the user’s public IP address is added manually to the route table and ether 2 is set as the route for it. Without such a route, SSTP answers are sent out via ether 1 instead of ether 2.

Some time ago I found a similar topic on this forum, but I cannot find it now. What would be the best option to solve this?

I’ve tried associating the ether2 interface with another VRF. Routing then works correctly, but other problems appeared: the Mikrotik stopped establishing the SSL session. The TCP 3-way handshake completes successfully; however, the server doesn’t respond to the client’s SSL Hello packets. Maybe some additional configuration is needed here?

Let me rephrase your post to check whether I understand the scenario properly. Both ether1 and ether2 are WANs (internet uplinks), and you want the SSTP server on the Mikrotik itself to communicate via ether2 while all the other traffic flows through ether1.

If so, you indeed need an extra routing table that contains a default route via ether2, but since it doesn’t seem to be possible to make the SSTP server listen in any other VRF than main (at least as of 7.20.6), you have to use mangle rules or routing rules to make the SSTP transport traffic use that table.

The most generic solution is described in Static Default Route - I'm missing something - #9 by sindy (start reading from the last paragraph to get the context), but if you only need to make the SSTP server use ether2, a simpler solution exists:

/routing/table/add name=use-ether2 fib
/ip/route/add routing-table=use-ether2 gateway=gw.ip.of.ether2
/routing/rule/add src-address=ip.of.eth.er2 action=lookup-only-in-table table=use-ether2

That’s all - all TCP servers have no choice but to send their responses from the IP address at which they have received the corresponding requests, and the routing rule makes sure that whatever is sent from the address associated to ether2 will use the corresponding routing table.
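To make the routing-rule mechanism above concrete, here is an added example (not from the original post or from sindy) that models RouterOS-style policy routing in Python: a main table with the default route via ether1, an extra table holding only a default route via ether2, and a routing rule keyed on the source address. The addresses (203.0.113.0/24 on ether1, 198.51.100.0/24 on ether2, a remote user at 192.0.2.55) are constructed for the example, and the semantics of action=lookup-only-in-table (no fallback to main when the table has no match) are modelled as an assumption about RouterOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: Optional[str]  # None means directly connected
    interface: str


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    table: str
    action: str  # "lookup" (fall through on miss) or "lookup-only-in-table"


class PolicyRouter:
    """Minimal model of /ip/route + /routing/rule lookup order (assumption)."""

    def __init__(self):
        self.tables = {"main": []}
        self.rules = []

    def add_route(self, table, dst, gateway, interface):
        self.tables.setdefault(table, []).append(
            Route(ipaddress.ip_network(dst), gateway, interface))

    def add_rule(self, src, table, action="lookup-only-in-table"):
        self.rules.append(Rule(ipaddress.ip_network(src), table, action))

    def lookup_table(self, table, dst):
        """Longest-prefix match inside a single table."""
        ip = ipaddress.ip_address(dst)
        best = None
        for r in self.tables.get(table, []):
            if ip in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
                best = r
        return best

    def route(self, src, dst):
        """Apply routing rules in order, then fall back to main."""
        s = ipaddress.ip_address(src)
        for rule in self.rules:
            if s not in rule.src:
                continue
            hit = self.lookup_table(rule.table, dst)
            if hit is not None:
                return hit
            if rule.action == "lookup-only-in-table":
                return None  # assumption: no fallback to main on a miss
        return self.lookup_table("main", dst)


ETHER1_IP, ETHER1_GW = "203.0.113.10", "203.0.113.1"  # constructed
ETHER2_IP, ETHER2_GW = "198.51.100.10", "198.51.100.1"  # constructed
REMOTE_USER = "192.0.2.55"  # constructed SSTP client address


def build_router(with_rule: bool) -> PolicyRouter:
    """Mirror the thread's config; with_rule=False is the original problem."""
    r = PolicyRouter()
    r.add_route("main", "203.0.113.0/24", None, "ether1")
    r.add_route("main", "198.51.100.0/24", None, "ether2")
    r.add_route("main", "0.0.0.0/0", ETHER1_GW, "ether1")  # default via ether1
    # /routing/table/add name=use-ether2 fib
    # /ip/route/add routing-table=use-ether2 gateway=<ether2 gw>
    r.add_route("use-ether2", "0.0.0.0/0", ETHER2_GW, "ether2")
    if with_rule:
        # /routing/rule/add src-address=<ether2 ip> action=lookup-only-in-table table=use-ether2
        r.add_rule(ETHER2_IP + "/32", "use-ether2")
    return r


def egress_interface(with_rule: bool, src: str, dst: str) -> Optional[str]:
    """Interface a locally generated packet leaves on, or None if unroutable."""
    hit = build_router(with_rule).route(src, dst)
    return hit.interface if hit else None


if __name__ == "__main__":
    # SSTP server replies are sourced from the ether2 address it was reached on.
    print("reply without rule:", egress_interface(False, ETHER2_IP, REMOTE_USER))  # ether1
    print("reply with rule:   ", egress_interface(True, ETHER2_IP, REMOTE_USER))   # ether2
    print("other traffic:     ", egress_interface(True, ETHER1_IP, REMOTE_USER))   # ether1
```

The model shows why the rule is enough: the SSTP server's reply carries the ether2 address as source, the rule matches that source, and the reply is looked up only in the use-ether2 table, whose default route points at the ether2 gateway. Traffic sourced from the ether1 address never matches the rule and keeps using main. Note that because use-ether2 holds only a default route, a reply to a host on ether2's own subnet would also be sent to the ether2 gateway rather than directly; if that matters in a deployment, a connected route for that subnet belongs in the extra table as well.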

I had a feeling it would be something simple, but I wasn’t sure how to implement this on Mikrotik. Anyway, thank you very much for your help. This is what I needed. Problem solved :slight_smile: