My use case is to route specific traffic, selected by source address, through a VPN server (MikroTik CHR), but I cannot make it work; can someone help me, please?
The connection is established and data is transmitted, but nothing is received back.
My config is based on the post by @erkexzcx, "Specific traffic (by source)":
viewtopic.php?t=169273
Config export
[admin@MikroTik] > export hide-sensitive
# aug/08/2021 10:28:50 by RouterOS 6.47.10
# model = RB941-2nD
# serial number = D0550CA3337A
# Review note: this export is an IKEv2 *initiator* (responder=no below) that
# sends only the hosts listed in address-list "under_vpn" through the tunnel,
# using a connection mark + mode-config rather than a routing table.
# Note: the serial number above is identifying (the /ip cloud DDNS name is
# derived from it); redact it, the certificate name and hostnames when sharing
# an export publicly. `hide-sensitive` only blanks passwords/keys.
/interface bridge
add name=bridge
/interface wireless
# `country=` is empty here -- regulatory channel limits may not be applied.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country= disabled=no mode=ap-bridge ssid=MikroTik wps-mode=disabled
/interface pppoe-client
# PPPoE over ether1 supplies the default route. dial-on-demand=yes means the
# link can drop when idle; if that happens the IKEv2 SA is lost with it --
# worth ruling out when the tunnel seems to stop passing traffic (verify).
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 \
name=pppoe-out1 service-name=MCI
/interface list
add name=WAN
add name=LAN
add name=LOC
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys supplicant-identity=\
MikroTik
/ip ipsec mode-config
# Initiator-side mode-config: the address handed out by the server is applied
# to connections carrying connection-mark "under_vpn". Per the RouterOS docs
# the connection-mark is used together with a dynamically generated srcnat
# rule -- check `/ip firewall nat print` while the SA is up to confirm the
# dynamic rule exists and where it sits relative to the masquerade rule below.
add connection-mark=under_vpn name="VPN mode config" responder=no
/ip ipsec policy group
add name=VPN
/ip ipsec profile
# Phase 1 (IKE) parameters; must be acceptable to the CHR side.
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name="VPN profile"
/ip ipsec peer
add address=ike.domain.com exchange-mode=ike2 name="VPN server" profile=\
"VPN profile"
/ip ipsec proposal
# Phase 2 (child SA) parameters. pfs-group=none must match the server's
# setting; a mismatch surfaces under the "ipsec" log topic enabled further
# down. Established-but-one-way traffic is not explained by this alone.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc name=\
"VPN proposal" pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.5-192.168.88.245
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=wlan1
/interface list member
# WAN = the PPPoE session; LAN = the bridge; LOC = the physical ether1 (the
# segment facing the upstream modem, judging by the 192.168.1.x address below).
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
add interface=ether1 list=LOC
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
# No prefix length on this address (so /32) and network=192.168.1.1 is
# unusual; together with the dhcp-client on ether1 below, ether1 gets two
# address sources. Presumably for modem management -- confirm the intent.
add address=192.168.1.2 interface=ether1 network=192.168.1.1
/ip cloud
# Publishes the router's public IP under a MikroTik DDNS name.
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
# Static lease for the single host that is sent through the VPN (MAC hidden
# by hide-sensitive).
add address=192.168.88.245 client-id= mac-address=\ server=dhcp
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1,8.8.8.8 domain=home.lan \
gateway=192.168.88.1 netmask=24 ntp-server=192.168.88.1
/ip dns
# Leading comma leaves an empty server entry (likely an export artefact).
# SECURITY: allow-remote-requests=yes makes the router answer DNS queries on
# every interface, and the input chain below has no final drop rule, so the
# PPPoE WAN side is an open resolver. Add the usual "drop all not from LAN"
# input rule (or restrict with an input rule for udp/tcp 53 from WAN).
set allow-remote-requests=yes servers=,8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 name=home.lan
/ip firewall address-list
# Source hosts that should go through the tunnel; referenced by the mangle
# rule below.
add address=192.168.88.245 list=under_vpn
/ip firewall filter
# Input chain: only the first three defconf rules are present. There is no
# closing drop, so anything not matched (winbox on its custom port, DNS,
# etc.) is reachable from WAN. The default config's
# "drop all not coming from LAN" rule appears to have been removed.
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Forward chain: the defconf "drop all from WAN not DSTNATed" rule is also
# missing; with masquerade only this is less exposed, but it should be
# restored. The two ipsec-policy rules let decrypted tunnel traffic through
# in both directions.
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
/ip firewall mangle
# Marks every connection from the under_vpn hosts; this is what ties them to
# the mode-config entry above. Without connection-mark=no-mark the rule
# re-marks on every packet -- harmless, just redundant work.
add action=mark-connection chain=prerouting new-connection-mark=under_vpn \
passthrough=yes src-address-list=under_vpn
# MSS clamp for marked TCP connections to fit inside the ESP overhead.
add action=change-mss chain=forward connection-mark=under_vpn new-mss=1360 \
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 \
out-interface-list=LOC
# Generic WAN masquerade. It does not exclude policy-matched traffic
# (ipsec-policy=out,none), which the RouterOS IPsec docs recommend so the
# plaintext source address is not rewritten before the policy lookup. If the
# dynamic mode-config srcnat rule ends up *after* this rule, under_vpn
# traffic would be masqueraded to the PPPoE address, never match the policy,
# and replies would never come back -- consistent with the reported
# "sends but does not receive" symptom. Verify rule order before changing.
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
# Certificate-based authentication (p12 import). generate-policy=port-strict
# lets the server's traffic selectors create the policy from the template in
# group VPN; the return path still depends on the CHR side routing/NATing
# the mode-config address back -- cannot be checked from this export.
add auth-method=digital-signature certificate=\
cert_export_milad-ike.domain.com.p12_0 generate-policy=port-strict \
mode-config="VPN mode config" peer="VPN server" policy-template-group=VPN
/ip ipsec policy
# Unrestricted template (no src/dst) so any generated policy fits.
add group=VPN proposal="VPN proposal" template=yes
/ip ipsec settings
# XAuth is an IKEv1 feature; with IKEv2 + certificates this setting appears
# unused here (verify).
set xauth-use-radius=yes
/ip service
# Management surface: everything but winbox disabled, winbox on a custom
# port (redacted). Because the input chain has no drop rule, winbox is still
# reachable from WAN; restrict it with `address=` on the service or with an
# input filter rule.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=****
set api-ssl disabled=yes
# This line has no section header in the paste; it is not a valid `/ip
# service` command and is almost certainly a `/system logging` entry
# (ipsec debug logging, packet dumps excluded) whose header was lost.
add topics=ipsec,!packet
/system package update
set channel=long-term
Log Connection
Route