I am trying to create routing rules over a Mikrotik SSTP VPN. I have disabled the default route on Windows so it doesn't push all the traffic over the VPN.
We do want to route some traffic to certain websites over the VPN; how would we do this? I have read that RIP might work? I don't want to have to add the routes manually on the laptops.
Unfortunately, routing for VPNs is not as easy as you’d expect it to be. You’d think that it’s something everyone needs and therefore must work great, but no. In short, interoperability sucks.
But using RIP is an interesting idea, and a quick test says that it does work with the Windows SSTP client and the RIP Listener service installed. The downside is that it's not installed by default, and I'm not sure if there's any way to limit it only to the SSTP interface.
You can advertise static routes via DHCP options, but not from ROS. I succeeded with that in StrongSwan + dhcpd in Ubuntu Linux. I mean, you can advertise those through pure DHCP traffic, but you can't push the BOOTP protocol over an IPsec tunnel or PPTP in ROS.
I don’t normally use RIP either, so I don’t have much experience with it. You need to select interface(s) and network range on which it should operate and select what routes should be distributed (static, connected, …). Network would be what’s used by VPN clients. Interfaces may be tricky, it doesn’t seem possible to target dynamic ones, so you would either need to make them static or use bridged config (at least I hope it works, it’s in PPP profile, but I don’t think I’ve ever used it). If you want only specific routes, it’s possible using prefix list.
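To make the steps above concrete, here is an added configuration sketch for the RouterOS side (not from the post above, and not tested against a live router). It assumes RouterOS v6 CLI syntax, a static SSTP server binding named sstp-laptop1 for user laptop1, a client pool in 10.99.0.0/24, and that only 192.168.10.0/24 should be advertised; all of those names and addresses are placeholders.

```routeros
# Static server-side interface for the client, so RIP can bind to it
# (dynamic <sstp-laptop1> interfaces cannot be selected in RIP).
/interface sstp-server add name=sstp-laptop1 user=laptop1

# Addressing used by the VPN clients; this is the "network" RIP operates on.
/ip pool add name=vpn-pool ranges=10.99.0.10-10.99.0.100
/ppp profile set default local-address=10.99.0.1 remote-address=vpn-pool

# Route that exists as a static route on the router and should reach the laptop.
/ip route add dst-address=192.168.10.0/24 gateway=172.16.0.2 comment="placeholder LAN behind VPN"

# Prefix list: accept only the one prefix, discard everything else outbound.
/routing prefix-list add chain=to-vpn prefix=192.168.10.0/24 action=accept
/routing prefix-list add chain=to-vpn prefix=0.0.0.0/0 prefix-length=0-32 action=discard

# RIP: redistribute static routes only, speak RIPv2 on the SSTP interface,
# and apply the prefix list so the client learns just the intended route.
/routing rip set redistribute-static=yes redistribute-connected=no
/routing rip network add address=10.99.0.0/24
/routing rip interface add interface=sstp-laptop1 send=v2 receive=v2 \
    out-prefix-list=to-vpn passive=no
```

On the Windows side the RIP Listener feature still has to be installed for the laptop to accept these updates; check the learned route with `route print` after connecting.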
DHCP options are written in DHCP packets, so you can't push those to a VPN client in ROS. Sad as it is.
It will work only if you have layer 2 VPN between relay and host. Before the packets pass relay, they should touch it from layer 2. And after the relay they should touch the server with relay source IP address as unicast packets.