Good day, I’m quite new to RouterOS. I’m currently busy setting up an RB 2011. I want to set the router up to route traffic through my Windows PC, which is also managed by the 2011. The reason for not setting up the VPN client directly on the 2011 is that I can’t seem to get the OpenVPN protocol to function correctly on the router. I am, however, able to configure an SSTP, L2TP or PPTP client on the 2011, but these types of VPN connections do not offer sufficient speeds from my VPN provider (ExpressVPN). So I guess what I’m asking is whether there’s a way to send traffic to my computer with the VPN client installed on it, and back out through the network again.
If the internet uplink is connected to the 2011, what you need is called policy routing. So the 2011 must send almost everything to the PC, except the PC’s own traffic towards the UDP (supposedly) port 1194 of ExpressVPN’s servers.
A much more challenging (read: possibly impossible) task will be to convince the PC to do what you want. Windows does support routing between network interfaces, but in its own very specific way called “Internet Connection Sharing”. So one network interface is declared as the internet uplink, and a number of other interfaces are declared as ones to which clients are connected. It may be possible to tell the PC that the OpenVPN interface is the internet uplink and the Ethernet one is the LAN one for client connections, but I’m not sure whether it will accept a route to the ExpressVPN servers via the LAN interface. So with two Ethernet interfaces on the PC, both connected to the MikroTik, the task would be much easier.
Thank you very much for your feedback. I’m quite familiar with routing on the Windows side. How exactly would such a routing policy look, one that sends all traffic to the computer except for the computer’s own traffic?
Policy routing is based on several routing tables (lists of routes): the default one, which can be referred to by name (“main”), and up to 255 other ones, which are referred to by a freely chosen name (except for some reserved values) called the routing-mark. The routing-mark is a parameter of each individual route; if it is missing, the route belongs to the default table.
The routing-mark can be assigned to a packet (or, in other words, a routing table can be chosen for that packet) in two ways: using action=mark-routing rules in /ip firewall mangle, where in most cases chain=prerouting is the most appropriate one for that, and using /ip route rule items. For both /ip firewall rules and /ip route rule items, order matters: they are checked from top to bottom, and if a rule matches, its action is taken on the packet and further rules in the same chain are skipped. /ip route rule items can use and/or change a routing-mark previously assigned in /ip firewall mangle.
If a packet has a routing-mark assigned, a route for it is first searched for among routes with that routing-mark. Only if no route at all can be found in that table is another attempt made among routes with no routing-mark (i.e. in the default routing table). This second attempt can be disabled using /ip route rule with action=lookup-only-in-table.
Dynamically added routes are only added to the default routing table. This means that if you assign a routing-mark to a packet with a dst-address in one of the connected subnets, instead of being delivered on the LAN, such a packet takes the route specified by the matching routing table for that dst-address, which in most typical scenarios sends it to a WAN gateway.
So in your case, where you want the default route to go to the PC with address 192.168.137.1 in subnet 192.168.137.0/24, and only packets sent by the PC itself to be sent via the WAN gateway of the MikroTik (which may be assigned dynamically), I would take the following approach:
/ip route
add routing-mark=via-pc dst-address=0.0.0.0/0 gateway=192.168.137.1
/ip route rule
add dst-address=192.168.137.1/32 action=lookup-only-in-table table=main comment="an exception for packets towards the PC itself"
add dst-address=192.168.88.0/24 action=lookup-only-in-table table=main comment="an exception for packets towards devices in the default LAN subnet"
add dst-address=ip.of.vpn.server action=lookup-only-in-table table=main comment="an exception for OpenVPN transport packets towards the server"
add dst-address=0.0.0.0/0 action=lookup-only-in-table table=via-pc comment="everything but the exceptions above"
This configuration assumes that the PC is connected using a single Ethernet interface removed from the default bridge, with an /ip dhcp-client attached to it with add-default-route=no, and that you can do the magic to make the PC send the packets towards the OpenVPN server to the address of the MikroTik.
But in the meantime I’ve realized that in your specific scenario you can actually use a much simpler trick instead of all the above: you may disable the /ip dhcp-server on the default bridge and immediately attach an /ip dhcp-client with add-default-route=no to it (if the lease expires or if you disconnect the cable before you activate the dhcp-client, you will have to use Winbox to connect to the MikroTik’s MAC address). That way, if you connect any port of the bridge to the PC’s interface with Internet Connection Sharing, all devices connected to other interfaces of the default bridge will get their IP configuration, including the default route, from the PC, while the MikroTik itself will receive an IP address and mask but not the default route. So the MikroTik’s default route will remain the WAN one, and if the PC sends an OpenVPN transport packet to the MikroTik via its 192.168.137.x address as a gateway, the MikroTik will deliver that packet via WAN and return the response.
The idea behind this is that, as you want all devices to send everything via the VPN, if the PC goes down there is no point in having a backup route to the internet for any of the devices.
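As an added illustration (not part of the original thread, and not MikroTik code), the following Python script models the lookup logic the post above describes: route rules checked top to bottom with first match winning, a per-table longest-prefix lookup, and the fallback to "main" that only action=lookup-only-in-table suppresses. It also reproduces the pitfall of marking a packet destined for a connected subnet with only a mangle mark. The tables, the interface name ether5 and the VPN server address 203.0.113.10 (standing in for ip.of.vpn.server) are constructed assumptions for the model.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables for the model: table name -> list of (prefix, next hop).
# Connected and dynamic routes exist only in "main", as the post explains.
ROUTES = {
    "main": [
        (ip_network("192.168.137.0/24"), "connected:ether5"),  # assumed PC-facing port
        (ip_network("192.168.88.0/24"), "connected:bridge"),   # default LAN bridge
        (ip_network("0.0.0.0/0"), "wan-gateway"),              # dynamic WAN default route
    ],
    "via-pc": [
        (ip_network("0.0.0.0/0"), "192.168.137.1"),            # the static route from the post
    ],
}

# Constructed placeholder for ip.of.vpn.server (documentation address range).
VPN_SERVER = ip_network("203.0.113.10/32")

# Model of the /ip route rule list from the post: (dst-address, action, table),
# evaluated top to bottom, first match wins.
ROUTE_RULES = [
    (ip_network("192.168.137.1/32"), "lookup-only-in-table", "main"),
    (ip_network("192.168.88.0/24"), "lookup-only-in-table", "main"),
    (VPN_SERVER, "lookup-only-in-table", "main"),
    (ip_network("0.0.0.0/0"), "lookup-only-in-table", "via-pc"),
]


def lookup(table, dst):
    """Longest-prefix match inside one table; None if the table has no route for dst."""
    best = None
    for prefix, next_hop in ROUTES.get(table, []):
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def resolve(dst, routing_mark=None, rules=ROUTE_RULES):
    """Return the next hop chosen for a packet to dst.

    routing_mark models a mark set earlier by a mangle mark-routing rule.
    A matching route rule overrides the table; only action=lookup-only-in-table
    suppresses the second attempt in "main" when the chosen table has no route.
    """
    dst = ip_address(dst)
    table = routing_mark or "main"
    fallback_to_main = True
    for prefix, action, rule_table in rules:
        if dst in prefix:
            table = rule_table
            fallback_to_main = action != "lookup-only-in-table"
            break
    next_hop = lookup(table, dst)
    if next_hop is None and fallback_to_main and table != "main":
        next_hop = lookup("main", dst)
    return next_hop


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.137.1", "192.168.88.10", "203.0.113.10"):
        print(f"{dst:>15} -> {resolve(dst)}")
    # The pitfall from the post: a mangle mark alone, with no route rules,
    # sends a LAN-bound packet to the PC because via-pc has a default route.
    print("LAN host, mangle mark only ->", resolve("192.168.88.10", "via-pc", rules=[]))
```

With the full rule list, internet-bound packets go to 192.168.137.1, while packets to the PC, to the 192.168.88.0/24 LAN and to the VPN server resolve in "main". Dropping the rules and relying on a mangle mark alone shows why the exceptions are needed: a packet for a LAN host is matched by the via-pc default route and never reaches the connected route in "main". The model follows the RouterOS v6 semantics the post describes; it is not a substitute for checking the live routing table on the device.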
Thank you very much for your feedback. The VPN is currently up and running. Have a good day.