dad2312
Frequent Visitor
Topic Author
Posts: 54
Joined: Sun Nov 17, 2019 12:55 pm

How to use vpn only for incoming connexion ?

Thu Oct 15, 2020 5:57 pm

Hello

I use an LTE connection with LHGLTE6 in passthrough with hapac2, and I want to use my VPN on hapac2 just for incoming connections from outside; all other connections from LAN have to go through the WAN (LTE provider) connection.

If my VPN route distance is the first (distance=1), all works, but of course all traffic from LAN goes through the VPN.

If I put my VPN route distance to 2 and the LTE provider route distance to 1, then all traffic goes through the LTE provider, but I can't come in with my VPN IP.

What am I missing?

Thanks for your help
 
Sob
Forum Guru
Posts: 6096
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to use vpn only for incoming connexion ?

Fri Oct 16, 2020 3:20 am

It's basically like a dual-WAN config. VPN is secondary, but the default route uses LTE, so if a new connection comes in via VPN, the response is sent out via LTE and it doesn't work. To fix it, the router needs a little help. Add a new default route that uses the VPN interface and put it in a separate routing table (parameter routing-mark). Then mark new incoming connections from VPN. And finally mark routing for responses that have the previously assigned connection mark, to use the new routing table.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
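
Added example (not part of Sob's post and not RouterOS code): a small Python model of the reply-path decision described above, showing which interface the router's reply leaves on with and without the connection mark and routing mark. The names `ovpn-out1`, `VPN-CONN` and the table `vpn` come from the thread; the interface name `lte1`, the addresses and the port are assumed sample values.

```python
from dataclasses import dataclass, field

# Constructed model, not RouterOS code. "ovpn-out1", "VPN-CONN" and table "vpn"
# follow the thread; "lte1" and the addresses are assumed sample values.
DEFAULT_ROUTE = {"main": "lte1", "vpn": "ovpn-out1"}  # routing table -> egress


@dataclass
class Router:
    policy_rules: bool                              # mangle rules present?
    conntrack: dict = field(default_factory=dict)   # flow -> connection mark

    def receive(self, in_iface, flow):
        """prerouting: mark a new connection that arrives on the VPN."""
        if flow not in self.conntrack:              # connection-state=new
            marked = self.policy_rules and in_iface == "ovpn-out1"
            self.conntrack[flow] = "VPN-CONN" if marked else None

    def reply_egress(self, flow):
        """output: the connection mark selects the routing table for replies."""
        table = "vpn" if self.conntrack.get(flow) == "VPN-CONN" else "main"
        return DEFAULT_ROUTE[table]


def reply_path(policy_rules, in_iface, flow):
    """Return the interface the router's reply leaves on."""
    router = Router(policy_rules)
    router.receive(in_iface, flow)
    return router.reply_egress(flow)


# Constructed flows: (client address, client port, router port).
VPN_FLOW = ("198.51.100.7", 40000, 8291)
LTE_FLOW = ("192.0.2.44", 40001, 8291)

if __name__ == "__main__":
    for rules in (False, True):
        for iface, flow in (("ovpn-out1", VPN_FLOW), ("lte1", LTE_FLOW)):
            out = reply_path(rules, iface, flow)
            state = "ok" if out == iface else "ASYMMETRIC, reply lost"
            print(f"rules={rules} in={iface} reply-out={out} -> {state}")
```

The model covers only replies generated by the router itself, which is the case the `chain=output` rule in this thread handles.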
 
dad2312
Frequent Visitor
Topic Author
Posts: 54
Joined: Sun Nov 17, 2019 12:55 pm

Re: How to use vpn only for incoming connexion ?

Fri Oct 16, 2020 2:09 pm

Thanks Sob, I tried several things without success. I use ROS 7.1 beta2.

I tried this:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN

/ip vrf
add list=all name=main
add list=LAN name=LAN
add list=VPN name=VPN

/ip firewall mangle
add action=accept chain=input in-interface=ovpn-out1
add action=mark-connection chain=prerouting in-interface=ovpn-out1 \
new-connection-mark=VPN-CONN passthrough=yes
add action=mark-routing chain=output connection-mark=VPN-CONN passthrough=no <= New routing mark=VPN
 
Sob
Forum Guru
Posts: 6096
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to use vpn only for incoming connexion ?  [SOLVED]

Fri Oct 16, 2020 2:42 pm

This should be it:
/routing table
add fib name=vpn
/ip route
add dst-address=0.0.0.0/0 gateway=212.58.77.1 routing-table=vpn
/ip firewall mangle
add chain=prerouting in-interface=ovpn-out1 connection-state=new action=mark-connection new-connection-mark=VPN-CONN passthrough=no
add chain=output connection-mark=VPN-CONN action=mark-routing new-routing-mark=vpn passthrough=no
Based on https://help.mikrotik.com/docs/display/ ... g+Examples, and a simple test works here.
 
dad2312
Frequent Visitor
Topic Author
Posts: 54
Joined: Sun Nov 17, 2019 12:55 pm

Re: How to use vpn only for incoming connexion ?

Fri Oct 16, 2020 6:11 pm

Thank you Sob, it works!!

Question: we can't make these rules via WinBox, only via terminal?

/routing table
add fib name=vpn

/ip route
add dst-address=0.0.0.0/0 gateway=212.58.77.1 routing-table=vpn
 
Sob
Forum Guru
Posts: 6096
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to use vpn only for incoming connexion ?

Fri Oct 16, 2020 6:50 pm

In WinBox it's currently a little unfinished, it's a known problem.