 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Incoming and outgoing VPN combined

Tue Feb 09, 2016 3:34 pm

I have been playing around with my Mikrotik for some time and have been able to do some amazing things with it (at least I think so ;-)

It provides me with a rock-solid connection and great wifi. I have created a wifi guest account for everyone to access and a wifi account for my own family; the guest account cannot access the internal network, but can access the internet.

I have been able to completely bypass the router my provider has given me (which sucks..).

I have been able to set up incoming VPN (IPsec based) to access my network.

I have been able to set up outgoing VPN for specific connection types (based on ports, specifically NNTP and BitTorrent).

I have tried to set up QoS using queues and I think I have succeeded.

I basically have two challenges:

(1)
The way I would like it to work is to have ALL my outgoing internet traffic go through the VPN (so not based on protocol/port). If I set this up, however, I get into conflict with my incoming VPN connection: I am able to connect but cannot reach anything in my network. I need some way to tell the system to send everything over the outgoing VPN EXCEPT for traffic that is initiated by the incoming VPN connection..

(2)
I have done a lot of stuff here by combining Google searches with some basic knowledge.. Although everything appears to be ok, I am fully confident that stuff could be set up better. I would have no problem paying someone to spend an hour or so on my configuration to check, adapt and make it better (teaching me something in the process).

(1) is the priority one, but (2) is something I feel like I need to do..
 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Re: Incoming and outgoing VPN combined

Tue Feb 09, 2016 4:08 pm

Typical... Just after entering the message I figured out something wrt (1) ..

I have added a mangle "accept" rule (actually two, one for IN and one for OUT) based on the IP address that is DHCP'd to the incoming VPN device... It appears to work..
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Incoming and outgoing VPN combined

Tue Feb 09, 2016 9:49 pm

Some more information is needed to be able to help much more, but here are some things that might point you in the direction that you want to go.

The type of VPN you have set up (L2TP/IPSec, pure IPSec, etc.) will determine how you do what you are trying to do. Since RouterOS does not support VTI for IPsec, what it encrypts is controlled by the policies. You can set the policy to only encrypt things from a given network segment, so you could narrow it down by IP. Or if you use another tunnel and encrypt that with IPSec, you can assign IP addresses and set up routing. The extra tunnel does add overhead to the overall setup, but does give you a lot more flexibility on how to control traffic.

As far as number 2, if there is something you are looking for specific feedback on, you can always post a specific question, along with the relevant parts of an export of your config for comment/tweaking. The more specific the question, the better and more specific an answer you will get; a general question without specifics of what you are looking to do usually nets a general answer that doesn't really address what you are looking for.
 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Re: Incoming and outgoing VPN combined

Wed Feb 10, 2016 9:01 am

Thanks for your response, I actually solved my own issue 5 minutes after I wrote this post.. Figures... It must still be in moderation.. What I did / do is the following:

1) I have an outgoing VPN connection (ExpressVPN); it is L2TP/IPSEC
2) I have an incoming VPN server configured on the MikroTik (L2TP/IPSEC)

The incoming VPN is used by myself only to access my own intranet.

The outgoing VPN is triggered by traffic from one specific machine in my network. I am using a prerouting mangle rule to place a routing mark on that traffic. I have a route configured for that routing mark, it is pointing to the gateway "expressvpn" that basically dials on demand.

This works great.

Issues arose when I VPN'd into my own network and wanted to access this one specific machine; communication was not possible. My theory was that the traffic back to me (over the incoming VPN) was actually sent over the outgoing VPN and getting lost.

I had been trying to create a mangle rule to catch that traffic before the routing mark for the outgoing VPN was added. I could not get this to work; I was doing it based on the interface, which failed, however, since that interface does not exist when there is no traffic.

The brainwave I had was doing basically that but differentiating based on IP address, so I now did the following (and this is working):

BEFORE the mangle rule that gives the outgoing VPN routing mark, I have now placed another prerouting mangle rule that is triggered on the used IP address: if that IP address is out of the pool that my MikroTik is giving to the incoming VPN connection, the traffic gets an ACCEPT (therefore stopping processing of the other mangle rule and never placing the outgoing VPN routing mark).

I am basically doing all of this using a mix of common sense and Google :-) The issue is (and this goes back to my point 2) that I know it works, but I do not know if it's also the best way to do it..

Did I do this in an ok fashion ?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Incoming and outgoing VPN combined

Wed Feb 10, 2016 7:50 pm

In your given situation, that is probably how I would have gone about it.
 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Re: Incoming and outgoing VPN combined

Wed Feb 10, 2016 8:06 pm

Thanks !

:D
 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Re: Incoming and outgoing VPN combined

Thu Feb 11, 2016 7:55 pm

I have hit another roadblock..

Now that I have my outgoing VPN and incoming VPN both working (explained above how), I am trying to make an exception for a specific application running on the system that is routed over the VPN..

To be specific, I have Plex running on the system that is routed over the VPN. My initial thought was to place a mangle rule -above- the rule that tags the traffic with the specific routing mark and give it an accept (just like I had successfully done with the incoming VPN as explained above).

Plex network traffic uses port 32400, so I created the mangle accept rule with that port number; unfortunately it does not seem to work.. Plex still thinks it is communicating over the VPN..

Anyone any idea where I should look ?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Incoming and outgoing VPN combined

Thu Feb 11, 2016 8:45 pm

Is the rule incrementing? Is the traffic TCP or UDP? Is that the src or dst port? Do you have the rule set to match those things specifically?
 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Re: Incoming and outgoing VPN combined

Thu Feb 11, 2016 9:10 pm

I have made two Mangle rules specific for Plex:

prerouting, dst address 192.168.1.13, tcp, 32400 -> accept
prerouting, src address 192.168.1.13, tcp, 32400 -> accept

(in that order)

The lines after that give the routing mark for the external VPN by means of 2 more mangle rules:

prerouting, src address 192.168.1.13, tcp -> mark routing VpnOUT (passthru)
prerouting, dst address 192.168.1.13, tcp -> mark routing VpnOUT (passthru)


The weird thing is when I change the second Plex rule to not have a port number, so:

prerouting, src address 192.168.1.13, tcp -> accept

then Plex works.. But of course then all my TCP traffic is no longer sent over the outgoing VPN.

Now as far as I can logically think, that would mean that Plex is using another address than 32400 .. But I know for a fact that this isn't the case.. (or the whole of Google is wrong).. So it must be something on my side..

The mind boggles..

# feb/11/2016 20:47:22 by RouterOS 6.34.1
# software id = 599S-QR5L
#
/ip firewall address-list
add address=192.168.1.13 list=VpnOut
add address=192.168.1.36 list=VpnOut
/ip firewall filter
add chain=input in-interface=pppoe protocol=icmp
add chain=input connection-state=related
add chain=input connection-state=established
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input dst-port=500,1701,4500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=32400 log=yes log-prefix="Incoming plex connection" protocol=tcp
add action=drop chain=input in-interface=pppoe protocol=tcp
add action=drop chain=input in-interface=pppoe protocol=udp
add action=drop chain=input dst-address=192.168.11.0/24 src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=192.168.11.0/24
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=NET1-CM src-address=192.168.1.0/24
add action=mark-packet chain=forward connection-mark=NET1-CM new-packet-mark=NET1-PM
add chain=prerouting comment="Incomming VPN bypassing outgoing VPN" protocol=0 src-address=192.168.1.248
add chain=prerouting comment="Traffic towards VPN device bypasses outgoing VPN" dst-address=192.168.1.248
add chain=prerouting comment="Plex traffic bypasses external VPN" dst-address=192.168.1.13 dst-port=32400 protocol=tcp
add chain=prerouting comment="Plex traffic bypasses external VPN" protocol=tcp src-address=192.168.1.13 src-port=32400
add action=mark-routing chain=prerouting comment="Routing server traffic to outgoing VPN" new-routing-mark=StrongVPN protocol=tcp src-address=\
192.168.1.13
add action=mark-routing chain=prerouting comment="Routing server traffic to outgoing VPN" dst-address=192.168.1.13 new-routing-mark=StrongVPN protocol=\
tcp
add action=mark-routing chain=prerouting comment="Route all spotweb traffic thru vpn" new-routing-mark=StrongVPN src-address=192.168.1.70
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe src-address=192.168.0.0/16 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ExpressVPN
add action=dst-nat chain=dstnat dst-port=32400 log=yes protocol=tcp to-addresses=192.168.1.13 to-ports=32400
add action=dst-nat chain=dstnat dst-port=32400 log=yes protocol=udp to-addresses=192.168.1.13 to-ports=32400
add action=dst-nat chain=dstnat dst-address=86.91.203.132 dst-port=51414 protocol=tcp to-addresses=192.168.1.53 to-ports=51414
add action=masquerade chain=srcnat src-address=192.168.11.0/24
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Incoming and outgoing VPN combined

Thu Feb 11, 2016 10:50 pm

Is that the only port it uses to communicate? You could use the torch tool to view the communications and narrow down the rules and see what is going on. The second option is to use connection marks to catch both sides of the connection (assuming the first rule is incrementing). Something like this maybe.

I moved the chain of the plex to forward since mangle prerouting happens before dst-nat, and looking at your NAT rules you are forwarding to the plex server. This should catch the incoming connections, and then the reply connections should not be subject to the VPN.
/ip firewall mangle
add action=mark-connection chain=forward comment="Plex traffic bypasses external VPN" dst-address=192.168.1.13 dst-port=32400 protocol=tcp new-connection-mark=plex_com connection-state=new 
add action=accept connection-mark=plex_com chain=prerouting
Packet Flow Diagram:
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Re: Incoming and outgoing VPN combined

Thu Feb 11, 2016 11:01 pm

I tried the second option, but unfortunately that gives no change in results.. I have been trying to use torch to see the traffic but cannot get the hang of what I should look at..
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Incoming and outgoing VPN combined

Thu Feb 11, 2016 11:14 pm

Is the first rule incrementing at all and catching traffic?

As far as torch goes, it is one of the greatest tools on RouterOS. When you open it through WinBox, I usually disable Src and Dst. Address6, set the interface to the one I want to watch, and enable port and protocol. Then let it run and watch the traffic/connections. Once you get a feel for the traffic going across, you can then narrow things down by specifying specific addresses, protocols and ports.
 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Re: Incoming and outgoing VPN combined

Thu Feb 11, 2016 11:42 pm

If by incrementing you mean that packets and bytes are growing, no.. It does not look like the rule does anything.. as were mine..

I looked at torch again but cannot get the hang of it.. I am not sure what interface I should look at..

I might just bring up a second virtual machine to run plex in.. That way it will have a different ip address and I can still get it to work...
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Incoming and outgoing VPN combined

Thu Feb 11, 2016 11:52 pm

Ok, where are the connections to the plex server coming from, are they using the NAT rules from the outside? A local machine, or something else? The interface that you want to look at for torch is the interface of the router facing the plex server.
 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Re: Incoming and outgoing VPN combined

Fri Feb 12, 2016 12:20 am

Plex is running on 192.168.1.13 ..

The outside server is... the plex cloud ? No idea where that thing is pointing towards..

With "the interface pointing towards the plex server" you mean my uplink to my internet connection ? I think that is ether1-gateway ?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Incoming and outgoing VPN combined

Fri Feb 12, 2016 6:58 pm

So it is 192.168.1.13 (client) connecting TO an outside server. That does make a difference to the rule setup. For some reason I was thinking you had a plex server locally and were trying to use that.
/ip firewall mangle
add action=accept chain=prerouting comment="Plex traffic bypasses external VPN" src-address=192.168.1.13 dst-port=32400 protocol=tcp
A client in most cases will pick a random src-port when making a connection. It's the destination port that will usually be static, so that is what you are looking for. If the traffic is coming from the client on the LAN interface, then it will see the 192.168.1.13 connections. Since the client is local and not the server, you do not need to catch both parts of the connection to prevent them from traversing the VPNs.
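The three rule-ordering points made in this thread (helmonder's "accept before the mark-routing rule stops processing", his two Plex rules of which the src-port one never increments, and Feklar's remark that a client picks a random source port so the static destination port is what to match) can be checked with a small model of a first-match mangle chain. The following is an added example and not code from the thread or from MikroTik; it models only the RouterOS matcher and action semantics (accept stops the chain, mark-routing with passthrough continues) and nothing about NAT, connection tracking or why the dst-port rule still did not count packets on helmonder's router. The rule lists mirror the export above; the packets and the 203.0.113.10 / 198.51.100.5 peers are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One IP packet as the mangle chain sees it (constructed sample data)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    """A prerouting mangle rule; an unset field matches anything, like an omitted RouterOS matcher."""
    action: str                      # "accept" or "mark-routing"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    mark: Optional[str] = None       # new-routing-mark for mark-routing rules
    passthrough: bool = True         # RouterOS default for mark-routing
    comment: str = ""
    hits: int = 0                    # the packet counter you watch to see whether a rule "increments"

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in (
            (self.src, p.src), (self.dst, p.dst), (self.proto, p.proto),
            (self.sport, p.sport), (self.dport, p.dport)))


def run_chain(rules: List[Rule], p: Packet) -> Optional[str]:
    """Walk the chain top to bottom; return the routing mark the packet leaves with (None = main table).

    'accept' stops processing immediately, so rules below it never see the packet.
    'mark-routing' sets the mark and, with passthrough=yes, lets later rules run as well.
    """
    mark = None
    for r in rules:
        if not r.matches(p):
            continue
        r.hits += 1
        if r.action == "accept":
            break
        if r.action == "mark-routing":
            mark = r.mark
            if not r.passthrough:
                break
    return mark


def posted_chain() -> List[Rule]:
    """The prerouting rules from the export in the thread, in the posted order."""
    return [
        Rule("accept", src="192.168.1.248", comment="Incoming VPN bypasses outgoing VPN"),
        Rule("accept", dst="192.168.1.248", comment="Traffic towards VPN device bypasses outgoing VPN"),
        Rule("accept", dst="192.168.1.13", proto="tcp", dport=32400, comment="Plex (posted rule 1)"),
        Rule("accept", src="192.168.1.13", proto="tcp", sport=32400, comment="Plex (posted rule 2)"),
        Rule("mark-routing", src="192.168.1.13", proto="tcp", mark="StrongVPN"),
        Rule("mark-routing", dst="192.168.1.13", proto="tcp", mark="StrongVPN"),
    ]


def dst_port_chain() -> List[Rule]:
    """Same chain, but the Plex exception matches the client's static destination port."""
    return [
        Rule("accept", src="192.168.1.248", comment="Incoming VPN bypasses outgoing VPN"),
        Rule("accept", dst="192.168.1.248", comment="Traffic towards VPN device bypasses outgoing VPN"),
        Rule("accept", src="192.168.1.13", proto="tcp", dport=32400, comment="Plex bypasses external VPN"),
        Rule("mark-routing", src="192.168.1.13", proto="tcp", mark="StrongVPN"),
        Rule("mark-routing", dst="192.168.1.13", proto="tcp", mark="StrongVPN"),
    ]


# Constructed sample packets; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
VPN_CLIENT_TO_SERVER = Packet("192.168.1.248", "192.168.1.13", "tcp", 51234, 445)
PLEX_CLIENT_OUTBOUND = Packet("192.168.1.13", "203.0.113.10", "tcp", 49152, 32400)  # ephemeral src port
OTHER_OUTBOUND = Packet("192.168.1.13", "198.51.100.5", "tcp", 49153, 443)


def explain(chain_factory, p: Packet):
    """Return (routing mark, per-rule hit counts) for one packet sent through a fresh chain."""
    chain = chain_factory()
    mark = run_chain(chain, p)
    return mark, [r.hits for r in chain]


if __name__ == "__main__":
    for name, factory in (("posted", posted_chain), ("dst-port", dst_port_chain)):
        for p in (VPN_CLIENT_TO_SERVER, PLEX_CLIENT_OUTBOUND, OTHER_OUTBOUND):
            mark, hits = explain(factory, p)
            print(f"{name:8} {p.src}:{p.sport} -> {p.dst}:{p.dport}  mark={mark}  hits={hits}")
```

Running it shows the incoming-VPN client's packet counted by the first accept rule and leaving with no routing mark, the outbound Plex connection slipping past the posted src-port=32400 rule (its hit counter stays at zero, exactly the "not incrementing" symptom) and picking up StrongVPN from the rule below, and the dst-port variant accepting that same packet while still marking ordinary outbound traffic from 192.168.1.13.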
 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Re: Incoming and outgoing VPN combined

Fri Feb 12, 2016 7:23 pm

Just tried this, unfortunately with the same result.. I see no traffic getting "caught" by this rule (I placed it above the rule giving the VPN routing mark).. It seems to go through it, get the VPN routing mark and get routed over the VPN..
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Incoming and outgoing VPN combined

Fri Feb 12, 2016 8:12 pm

Then use the Torch tool to see what is going on traffic-wise when you try and connect to the Plex server.

Set the interface to your LAN, the one facing the Plex client. Specify the Src. Address of 192.168.1.13 and try and connect to the Plex service. You will be able to watch the various connections coming from that IP address and it should help you narrow down and figure out what is going on.
 
helmonder
newbie
Topic Author
Posts: 27
Joined: Tue Feb 09, 2016 3:25 pm

Re: Incoming and outgoing VPN combined

Fri Feb 12, 2016 8:51 pm

Thanks a lot for your help, just tried that again for an hour... Don't understand it at all.. I see numerous ports coming through, and they also change.. I'll solve it another way! You can't win them all.
 
roxberry1
just joined
Posts: 1
Joined: Tue Jan 10, 2017 9:09 am

Re: Incoming and outgoing VPN combined

Tue Jan 10, 2017 9:16 am

Hi there

I have looked (and not found) setup guides for MikroTik and ExpressVPN that work. I have tried to follow guides by other VPN providers, but nothing seems to work for me; I tried PPTP, L2TP and OpenVPN.

Please can you let me know how you got the VPN connection to establish?

Thanks
