This is my first post and I am rather new to networking.
Here is what I’m trying to do:
I have access to a VPN server and would like to share that VPN connection with various devices on my network. The goal is to connect my router to this VPN, and then route some traffic (using connection marks) through that VPN.
Here is how far I’ve come:
Currently I managed to configure the VPN in /ip ipsec, and get the “PH2 State established”. I can also mark the traffic I want to route through the VPN, but I cannot get any internet connection for that marked traffic, my browser just times out. The unmarked traffic works fine (showing my device has internet access besides the VPN).
Note:
I do not need any site-to-site network access with this VPN, it will be used solely to tunnel some internet traffic.
It seems like this tutorial is closest to what I want to do, but I can’t seem to make it work.
Here-attached is a link to my /export hide-sensitive that I also skimmed of some sections that seemed useless to me.
You will see some IGMP stuff I use for my TV multicast as well as a bunch of firewall rules I found on tutorials around the web. Everything else seems to be working fine this far, I just really wish I got that VPN to work as well.
Just gonna use this thread as a “thinking out loud” conversation with myself until hopefully someone joins in and points me forward =)
Let’s start with more information. We want to establish an IPSEC tunnel and route some marked traffic through this tunnel to the internet:
A couple interesting things happening on the Mikrotik:
It seems that most people use policies with a source address L.L.L.L/24 in their LAN and a destination address X.X.X.X/24 in the IPSEC server’s LAN, but I don’t know X.X.X.X/24 and I’m not interested in connecting to the server’s LAN. So what should I use as destination address? If I want to route internet traffic through the tunnel I’m tempted to say 0.0.0.0/0?
For now, if I set a policy template with source 0.0.0.0/0 to destination 0.0.0.0/0, PH2 establishes and I can see a dynamic address D.D.D.D (belonging to D.D.D.D/16) in the “Active Peers” tab. It is noteworthy to mention that I get a similar address when connecting with the CISCO Anyconnect client on my PC, so it all seems on the right track.
The established policy then has a source address D.D.D.D and a destination of 0.0.0.0/0. The SA src address is my WAN IP W.W.W.W and the SA dst address is the IPSEC server’s address S.S.S.S.
With this tunnel up I can see a new entry with address D.D.D.D/23, network D.D.D.0 and interface sfp under “/ip addresses”.
In “/ip routes” I also see an added route dst address D.D.D.0/23, gateway “sfp reachable”, distance 0 and pref source D.D.D.D.
If I manually add a dst address 0.0.0.0/0 with gateway D.D.D.1 (the WAN GW), I can see it is reachable by sfp, but I get disconnected from WinBox and my clients all lose internet access, so there’s something wrong with that and I leave it untouched (so using the default gateway on my WAN W.W.W.1).
Now in my “/firewall mangle” I have a rule in my prerouting chain with source address list L.L.L.L/24 (my LAN clients), content some_content, action “mark connection”, new connection mark “marked_traffic”, passthrough and also logged as marked_traffic. This corresponds to my “/ip ipsec mode config” entry that uses the same source address list and connection mark.
In “/firewall nat” I can see a rule :::ipsec mode-config in chain srcnat with connection mark: marked_traffic, src address L.L.L.L/24 and destination address !L.L.L.L/24, action src-nat, to address D.D.D.D. I can see the packets increase when I generate marked traffic.
When I generate some marked traffic in my browser client, I get an error: ERR_NAME_NOT_RESOLVED. I also see the packets increase in this mangle rule, and logs like:
marked_traffic prerouting: in bridge out:(unknown 0), src-mac “some_mac”, proto UDP, L.L.L.L:xxx->“ip:53”, NAT (L.L.L.L:xxx->D.D.D.D:xxx)->“ip:53”, len 61
If I try to ping that same ip from a terminal on my lan client I get “ping request could not find host”, it’s like I have no DNS for that marked traffic. If I ping “google.com” all is fine.
Now I have a hard time knowing what is happening and I don’t have the experience to know what should be happening.
You mean content= option? If so, what exactly is that? Isn’t it something like content=somewebsite.com, as an attempt to route one website through VPN? Because that wouldn’t work very well. Although it doesn’t match your description exactly, because DNS would be one thing that would work, unlike the rest.
Thank you for your reply. To make matters simpler I changed that mangle rule to just anything from one specific LAN client. The result is all websites now give me the “ERR_NAME_NOT_RESOLVED” error.
What I do see though is that with this new mangle rule, when running a “tracert 8.8.8.8” on my LAN client’s terminal, I see a different route than my usual ISP and a “ping 8.8.8.8” is taking 130ms. Without that rule that same “ping 8.8.8.8” is about 11ms. So something is happening, it seems the ping and tracert go the right way, but somehow I still can’t resolve DNS addresses as a “ping google.com” fails.
Looking at my “/ip dns” settings I can see the DNS servers from the IPSEC tunnel that seem correct.
Any clues what’s happening with that DNS? On my windows client I still see the same DNS server address as before. Could it be some other DNS setting or firewall rules?
Now for some reason my LAN client still had the previous DNS server address that is private and was not accessible to traffic going through the tunnel. Manually changing that DNS in windows made it work! I now see my public IP as the one given by the IPSEC server. Okay so that part is good.
Now I will look for a way to set a different DNS server for that marked traffic.
If possible I’d like to keep my ISP’s DNS server for my usual traffic, and set a different DNS server for the marked traffic. I’m not sure if it is possible to change a client’s DNS server on the fly, but maybe there is a way to reroute the DNS requests. I will investigate this.
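Added example (editor's illustration, not the poster's export nor anything from the MikroTik documentation verbatim): a RouterOS configuration that ties the pieces discussed in this thread together. It marks connections from an address list, binds that list and mark to the IPsec mode-config client (which is what creates the dynamic srcnat rule to D.D.D.D seen above), and then answers the last question by redirecting only those clients' DNS queries to the resolver handed out by the VPN, so ordinary clients keep the ISP resolver. The names vpn_clients, vpn-modeconf and vpn-peer, the client address 192.168.88.10, and the placeholder VPN_DNS_IP are assumptions; replace them with the values from your own export and from "/ip dns print".

```routeros
# Added example, not the thread's own config. Assumed names: vpn_clients,
# vpn-modeconf, vpn-peer; assumed client 192.168.88.10; VPN_DNS_IP is a
# placeholder for the resolver the IPsec server pushes (see /ip dns print).

# 1. LAN clients whose traffic should leave through the tunnel
/ip firewall address-list
add list=vpn_clients address=192.168.88.10 comment="client routed via VPN"

# 2. Mark only new, still unmarked connections from those clients
/ip firewall mangle
add chain=prerouting src-address-list=vpn_clients connection-mark=no-mark \
    action=mark-connection new-connection-mark=marked_traffic passthrough=yes \
    comment="connections to send through the IPsec tunnel"

# 3. Mode-config client using the same list and mark; RouterOS then adds the
#    dynamic ":::ipsec mode-config" srcnat rule to the tunnel address itself
/ip ipsec mode-config
add name=vpn-modeconf responder=no src-address-list=vpn_clients \
    connection-mark=marked_traffic
/ip ipsec identity
set [find peer=vpn-peer] mode-config=vpn-modeconf

# 4. Send those clients' DNS lookups to the VPN resolver instead of the
#    ISP/private resolver, which is unreachable from inside the tunnel.
#    dstnat runs after the mangle mark, so the rewritten query is still marked.
/ip firewall nat
add chain=dstnat src-address-list=vpn_clients protocol=udp dst-port=53 \
    action=dst-nat to-addresses=VPN_DNS_IP to-ports=53 \
    comment="vpn clients: DNS via tunnel resolver"
add chain=dstnat src-address-list=vpn_clients protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=VPN_DNS_IP to-ports=53 \
    comment="vpn clients: DNS via tunnel resolver (TCP)"

# 5. Checks: the dstnat counters should climb when the client resolves a name,
#    and every connection from the client should carry the mark
/ip firewall nat print stats where chain=dstnat
/ip firewall connection print where connection-mark=marked_traffic
```

The dstnat rules must sit above any other DNS redirect in that chain (for example a rule that forces all LAN DNS to the router), otherwise the earlier rule wins. Clients that cache the old private resolver, as the Windows client in this thread did, will keep failing until the cache is flushed or the lease is renewed, which is why step 5 checks the router's counters rather than trusting the client.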