I have read every guide out there but unfortunately I could not find a solution. I simply want to connect my Chateau LTE18 ax which runs RouterOS V7 to my SSTP VPN connection and direct all my internet traffic through my VPN connection.
But now on V7 I cannot make my VPN work and all the guides are for V6. When I get to Step 14 in my provider's guide, there is no unicast option and I have tried everything; I even made a new table since I could not type a new routing mark section. Traffic will not get routed at all.
Can anyone please give me step-by-step instructions, as I am not a professional and I simply want to route all my traffic through my SSTP VPN connection.
Some things have moved around for “ip route” for v6 versus v7.
The other options besides ‘unicast’ for that TYPE answer nr 41 are ‘blackhole, prohibit and unreachable’ … all 3 are forms of stopping or discarding the traffic.
In V7, I only see an option ‘blackhole’ that could be checkmarked lower in the panel.
Blackhole, something that is not needed in your case.
Just a quick note. I got a reply from the two largest SSTP VPN providers, CactusVPN and Hide.me and they both confirmed with me that SSTP support has been broken in V7. Can anyone please confirm that this is the case as I have purchased 5 Chateau routers for SSTP specifically.
Haven't heard that… But WHY SSTP, what is the use case, what do you need to accomplish??
Nothing stands out immediately.
How do you get regular internet? I don't see a manual route but I also don't see IP DHCP CLIENT settings??
I am using an SSTP client on ver7.9rc2 without any issue??
Can you confirm that the router makes a dynamic route to your SSTP interface some address gateway=sstpinterfaceNAME
I just put my sim card in and regular internet works without any issue. The only protocol that works where I live is SSTP, Softether and V2Ray. All other protocols are blocked and everything is blocked and censored like whatsapp, youtube…basically everything so we use VPN to access the free internet.
I’m not an expert, just a home user. Got these routers because I had older Mikrotik devices that worked perfect with SSTP on V6 but speed was slow due to the old CPU. I’m trying to avoid using VPN on my devices like my phone as it drains the batteries very quick.
If you or anyone can guide me on how to set up the Chateau out of the box to route all traffic through the SSTP client, it would be a huge help.
The main difference from v6 is that the routing table must be added to the /routing table menu before actually referencing it anywhere in the configuration. And fib parameter should be specified if the routing table is intended to push routes to the FIB.
So you need to make that table first and add it to FIB, so that it will exist besides the main default table. (ADD “l2tp_Cactus” route table; it can be called VPN, no problem with that.)
“main” table routes, set by the WAN interface DHCP client (not configured yet?), should be defined for finding the CactusVPN website and SSTP-server.
BWPL if you look at the config he already has a table for SSTP traffic.
My concern was to ensure that the router was creating a DAC route for SSTP.
Trying to figure out how to track an outgoing SSTP attempt to join his provider…
Haven't seen the SSTP settings but assuming the basics. The setup is not all that significant…
such as name=sstp-out1
Connect TO: URL address provided.
Port: 443
Proxy Port: 443
Certificate: None ( depends on type of service offered )
TLS Version: ONLY 1.2
No checkboxes used (depends on service offered )
UserName: Provided
Password: Provided
Allow MSCHAP2
Yep @anav: VPN table is correct. But as they follow the CactusVPN screenshots in absolute detail, and I expected the main table also in the config export, which did not appear because it was empty, I wrongly thought the main table had just been renamed.
The path to the SSTP server is dynamic (DAC route) and as such is not in the config. Needs a DHCP client somewhere for the WAN AFAIK.
His internet I think is by cellular SIM card?? Not familiar with that…
He has a route to the VPN for all traffic, associated with the Table VPN, that is correct.
Not sure what else you want to see??
Personally, with a flat subnet, I wouldn't mangle.
Keep the table
Keep the route
Add Routing Rule:
add src-address=192.168.88.0/24 action=lookup table=VPN
And for mangling, as an afterthought, he should have disabled his fasttrack rule (another reason to use the routing rule method instead):
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
I added the routing rule you mentioned but still no internet. As soon as I disable the SSTP interface I get normal internet back with no VPN obviously. The fasttrack code you mentioned, I copied and pasted your code into terminal but got a “bad command name” error.
I also tried ticking the “Add Default Route” in the sstp-out1 interface which made no difference so turned it off again.
Attached is my config now after adding the routing rule as you mentioned. config.cfg.rsc (7.11 KB)
Yes but you need to disable or remove the mangle rule !!!
When the SSTP connection is available the subnet will go out SSTP.
If the connection is NOT available the router will revert back to the main table and will find the LTE connection.
IF you NEVER want the subnet to have the backup to main table then change action to… add action=lookup-only-in-table
You sir are a hero! I deleted the mangle rule and got internet but couldn’t access websites and services except for google.com. I removed the DNS servers which I had added in the DNS section, which were 8.8.8.8 and 8.8.4.4, and instead went to the DHCP Server section, then Networks, selected the defconf and added the DNS servers over there, and now it works beautifully!
Shall I disable the fasttrack rule in the firewall section with this method or keep enabled?
Got it. Thank you again sir. Just two questions please…
With this method I can no longer access the webfig through 192.168.88.1. I use the webfig to switch cellular bands on the go with my phone. Can you please guide me on how to set up access again with the VPN being on and all traffic routed?
I have tested the SSTP setup for a good 24 hours now. The only issue is sometimes the speed becomes very slow, which will get resolved either by disabling and enabling the SSTP connection or restarting the system. I have confirmed that it is not my VPN server and it is not the ISP. It is the Mikrotik that is causing it. Can you please be kind enough to take a look at my config to make sure I have not done anything foolish? If you have any other tips for me based on my config please do tell.
I really appreciate your time and if there is any way to donate for your time please do let me know. configsstp.txt.rsc (7.37 KB)
So you are saying you connect with your phone via WIFI using the IP address of the LAN gateway on the router (while on router wifi)??
Strange, I didn't think a routing rule would override that but it's possible.
Thus delete the current routing rule, because we need to add one more as a first rule, to get the order right:
add action=lookup-only-in-table src-address=adminIP (desktop PC) dst-address=192.168.88.0/24 table=main { so you can use webconfig from desktop }
add action=lookup-only-in-table src-address=adminIP (smartphone) dst-address=192.168.88.0/24 table=main { so you can use webconfig from wifi connected device }
add action=lookup-only-in-table src-address=192.168.88.0/24 table=VPN
I finally got it working by first adding a first rule, but since I wanted any device to be able to access the webconfig, I left the source address empty and in the dst-address, I had to add 192.168.88.1/32. Now any device that enters 192.168.88.1 into its browser can access the webconfig. Did I do this correctly?
And one thing that I could not figure out, which is also different in RouterOS V7: I have an address list in the firewall section and I want these addresses to not go through the VPN and instead use the main table. I tried prerouting using mangle but the speed is very slow, which makes it impossible to use. Can you please tell me how to route my address list outside the VPN correctly?
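The pieces the thread settles on for RouterOS v7, collected in evaluation order as an added example (not a config posted by any participant). It assumes the names used in the thread (table VPN, interface sstp-out1, LAN 192.168.88.0/24), that the SSTP client is already connected, and that NAT for traffic leaving sstp-out1 is already in place, which the thread does not show.

```routeros
# Added example; names and addresses are taken from the thread, everything
# else is an assumption noted inline.

# v7: a routing table must exist under /routing table before anything
# references it, and needs "fib" so its routes are pushed to the FIB.
/routing table
add name=VPN fib

# Default route through the tunnel, placed only in the VPN table.
# The main table keeps the dynamic LTE default route.
/ip route
add dst-address=0.0.0.0/0 gateway=sstp-out1 routing-table=VPN

# Routing rules are evaluated top to bottom; the first match wins.
/routing rule
# 1) Traffic addressed to the router itself stays in main, so WebFig on
#    192.168.88.1 remains reachable from any LAN device.
add dst-address=192.168.88.1/32 action=lookup-only-in-table table=main
# 2) Everything else from the LAN is looked up in the VPN table.
#    action=lookup falls back to main (LTE) when the tunnel is down.
#    Use action=lookup-only-in-table instead if LAN traffic must never
#    leave over LTE without the VPN.
add src-address=192.168.88.0/24 action=lookup table=VPN

# Hand the DNS servers to clients via DHCP, as the poster ended up doing,
# so client DNS queries follow rule 2 into the tunnel.
# Assumption: the default-config network entry for 192.168.88.0/24 exists.
/ip dhcp-server network
set [find address=192.168.88.0/24] dns-server=8.8.8.8,8.8.4.4

# With routing rules there must be no mangle mark-routing rule for the
# same traffic; the thread's fix was to delete the leftover mangle rule.
```

After applying it, `/routing rule print` should list the two rules in the order shown, and `/ip route print where routing-table=VPN` should show the tunnel default route as active while sstp-out1 is up.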