archerious
Topic Author
Posts: 126
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Force Guest VLAN to go through VPN client?

Fri Feb 12, 2021 4:04 am

Looking to force VLAN500 to go through a VPN client, because some lousy person went and torrented on the guest network. Don't want to get any DMCA notices.

Since I have a VPS with 4TB monthly bandwidth running wireguard and ipsec, I'd like to just force all traffic on VLAN500 to output to the VPN.

Do I have to run the VPN client on the RB4011? Is it possible to run it on, say, a KVM VPS on my Proxmox node, then just forward/masquerade all traffic from there to the VPN using WireGuard/OpenVPN?

I ask because with pfSense in the past I had an OpenVPN client and then simply forced the gateway for the guest VLAN to use OpenVPN.

VLAN500 = 172.16.0.0/24

Thank you for reading and your time, it's very appreciated :).
RB4011 Former: UDM-Pro, CCR2004, hEX, ER4
Aruba 2930F, CSS326, CRS309, CRS112-PoE Former: Ubiquiti XG-16 & ES-10X
Wireless Wire
AT&T Fiber 1000/1000
http://tlopez.cc/images/hex_is_a_beast.PNG
http://tlopez.cc/images/ccr2004_speedtest.png
archerious
Topic Author

Re: Force Guest VLAN to go through VPN client?

Sat Feb 13, 2021 9:54 pm

I managed to figure it out.

https://wiki.mikrotik.com/wiki/Manual:I ... figuration

Followed the Mikrotik client guide, and used https://github.com/hwdsl2/setup-ipsec-vpn on my VPS to make the Road Warrior setup using IKEv2 with RSA authentication.

Worked like a charm, but one thing the wiki left out is that I had to import the cert (.p12) twice in order to get the private key and the user cert.

However, after that it worked like a charm; I just had to go and set a final rule: ip --> ipsec --> mode configs --> change the ike2-rw settings to have a src address list called local, then go to ip --> firewall --> src address list and add the IP range of VLAN500 (in my situation).

That was it; other than opening ports 500, 4500, and 1701 in the input chain, everything worked.

The guest VLAN now is being VPN'd.

Only thing left to figure out is how to kill switch the guest VLAN if the VPN is down.
archerious
Topic Author

Re: Force Guest VLAN to go through VPN client?

Sat Feb 13, 2021 10:42 pm

This guide was perfect: viewtopic.php?t=169273

That's it, everything is now working with the kill switch tested.

MikroTik is fantastic, so many excellent resources on this forum.
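The configuration the posts above describe, with a firewall-based kill switch added, as an added RouterOS example (not the poster's own export and not the linked guide). It reuses the mode-config name ike2-rw and the address list name local from the post; the WAN interface ether1 and the peer name are assumptions.

```routeros
# Added example (not the poster's config): guest VLAN500 forced through the
# IKEv2 client, with a firewall kill switch. Assumed: WAN interface is ether1;
# "ike2-rw" and "local" are the names used in the post.

# 1. Address list that both the mode-config entry and the kill switch match on
/ip firewall address-list
add list=local address=172.16.0.0/24 comment="VLAN500 guest subnet"

# 2. Initiator-side mode config: with src-address-list set, RouterOS creates
#    the dynamic IPsec policy and src-nat for the "local" list once the
#    tunnel is up, so guest traffic is encapsulated instead of routed plainly
/ip ipsec mode-config
set [ find name=ike2-rw ] src-address-list=local

# 3. Input chain: only what IKEv2 needs (UDP 500 for IKE, UDP 4500 for NAT-T).
#    UDP 1701 is L2TP, which this IKEv2-only setup does not use.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKEv2 + NAT-T"

# 4. Kill switch: a guest packet about to leave the WAN that matches no
#    outbound IPsec policy (tunnel down or not yet established) is dropped
#    rather than sent in the clear. Keep this rule above any general
#    forward accept rule, or it never matches.
add chain=forward src-address-list=local out-interface=ether1 ipsec-policy=out,none action=drop comment="guest VLAN kill switch"

# 5. Verify on a test box: take the peer down, then confirm the drop counter
#    rises while a guest client tries to reach the internet.
#    /ip ipsec peer disable [ find name="<your-peer-name>" ]
#    /ip firewall filter print stats where comment="guest VLAN kill switch"
```

Re-enable the peer afterwards and confirm the counter stops increasing once the SAs are re-established; if the tunnel is up but guest traffic still hits the drop rule, the mode-config src-address-list is not generating the policy for that range.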