matpan
just joined
Topic Author
Posts: 5
Joined: Sun Aug 11, 2019 12:00 pm

Hap Mini - All traffic over VPN

Tue Aug 24, 2021 12:10 am

Hi

I have a Hap Mini configured as a simple switch (so eth1 connected to the ISP router, with eth2 and eth3 connected to other devices) and wireless AP, with routing and DHCP handled by the ISP router. I've also set up an L2TP VPN client which connects successfully. As a starting point, I'm now trying to get all traffic that goes through the Hap Mini (i.e. eth2, eth3 and wireless) to go through the VPN tunnel. I tried to adapt the tutorial here (https://www.youtube.com/watch?v=gXBXTWy62X8) for the case of not using a connection mark or routing mark and only a single VPN tunnel as opposed to a list, as I assumed that since I want to send all traffic through the VPN, connection and routing marks aren't needed, but the traffic doesn't seem to go over the tunnel. Below is the configuration without a connection mark and routing mark:
# aug/24/2021 00:00:16 by RouterOS 6.42.7
# software id = BKEZ-U2KK
#
# model = RB931-2nD
# serial number = ZZZZZZZZZZ
/interface bridge
add fast-forward=no name=bridge1
/interface l2tp-client
add connect-to=XXX.XXX.XXX.XXX disabled=no name=l2tp-out1 password=XXXXXX user=XXXXXXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity="" wpa-pre-shared-key=XXXXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXXXXX
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=2447 mode=ap-bridge security-profile=profile1 ssid=MikroTikvpn
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=l2tp-out1
/ip route
add distance=1 gateway=l2tp-out1
/system routerboard settings
set silent-boot=no

When that didn't work, I also tried with what seemed to be default connection and routing marks, but again no luck! Below is the configuration with connection/routing mark:

# aug/23/2021 23:57:17 by RouterOS 6.42.7
# software id = BKEZ-U2KK
#
# model = RB931-2nD
# serial number = ZZZZZZZZZZ
/interface bridge
add fast-forward=no name=bridge1
/interface l2tp-client
add connect-to=XXX.XXX.XXX.XXX disabled=no name=l2tp-out1 password=XXXXXX user=XXXXXXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile1 \
    supplicant-identity="" wpa-pre-shared-key=XXXXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXXXXX
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=2447 mode=ap-bridge security-profile=profile1 ssid=MikroTikvpn
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat connection-mark=no-mark out-interface=l2tp-out1 routing-mark=main
/ip route
add distance=1 gateway=l2tp-out1
/system routerboard settings
set silent-boot=no

Can anyone please help with what the issue might be? Is it the firewall NAT and routes? Or maybe something else?

Thanks!
 
jakir69
just joined
Posts: 12
Joined: Mon Feb 06, 2017 9:00 am

Re: Hap Mini - All traffic over VPN

Tue Aug 24, 2021 10:06 am

As you are trying to pass all traffic over VPN, there is no need to mark packets. Skip the marking part.

Configure as follows:

1. Create l2tp client interface and connect

2. Go to IP > Firewall > NAT and create:
add chain=srcnat src-address=<your LAN IP pool> out-interface=<vpn_interface> action=masquerade
 
matpan
just joined
Topic Author
Posts: 5
Joined: Sun Aug 11, 2019 12:00 pm

Re: Hap Mini - All traffic over VPN

Tue Aug 24, 2021 10:19 am

That didn't work unfortunately! I modified the NAT entry as suggested and included the local IP of the device from which I am testing this, as follows:
add action=masquerade chain=srcnat log=yes out-interface=l2tp-out1 src-address=192.168.0.76

Full config below WITHOUT route:

# aug/24/2021 10:12:39 by RouterOS 6.42.7
# software id = BKEZ-U2KK
#
# model = RB931-2nD
# serial number = ZZZZZZZZZZ
/interface bridge
add fast-forward=no name=bridge1
/interface l2tp-client
add connect-to=XXX.XXX.XXX.XXX disabled=no name=l2tp-out1 password=XXXXXXXXXX user=XXXXXXXXXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile1 supplicant-identity="" wpa-pre-shared-key=\
    XXXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXX
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=2447 mode=ap-bridge security-profile=profile1 ssid=MikroTikvpn
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=l2tp-out1 src-address=192.168.0.76
/system routerboard settings
set silent-boot=no
Output of /ip route print WITHOUT route set up:
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.0.1               1
 1 ADC  192.168.0.0/24     192.168.0.65    bridge1                   0
 2 ADC  192.168.222.1/32   10.194.112.230  l2tp-out1                 0

Full config below WITH route:

# aug/24/2021 10:27:31 by RouterOS 6.42.7
# software id = BKEZ-U2KK
#
# model = RB931-2nD
# serial number = ZZZZZZZZZZ
/interface bridge
add fast-forward=no name=bridge1
/interface l2tp-client
add connect-to=XXX.XXX.XXX.XXX disabled=no name=l2tp-out1 password=XXXXXXXXXX user=XXXXXXXXXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile1 supplicant-identity="" wpa-pre-shared-key=\
    XXXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXX
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=2447 mode=ap-bridge security-profile=profile1 ssid=MikroTikvpn
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=l2tp-out1 src-address=192.168.0.76
/ip route
add distance=1 gateway=l2tp-out1
/system routerboard settings
set silent-boot=no
Output of /ip route print WITH route set up:
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.0.1               1
 1   S  0.0.0.0/0                          l2tp-out1                 1
 2 ADC  192.168.0.0/24     192.168.0.65    bridge1                   0
 3 ADC  192.168.222.1/32   10.194.112.230  l2tp-out1                 0
 
matpan
just joined
Topic Author
Posts: 5
Joined: Sun Aug 11, 2019 12:00 pm

Re: Hap Mini - All traffic over VPN

Wed Oct 27, 2021 8:02 pm

Unfortunately I still can't get this to work, having returned to it after some time. Can anyone please advise? Thanks
 
wormik
just joined
Posts: 6
Joined: Sun Oct 10, 2021 1:48 am

Re: Hap Mini - All traffic over VPN

Tue Nov 02, 2021 12:37 am

Hi,
I've tested the following advice on my setup; it works. I assume your router is connecting to an L2TP VPN server which has a public IP address.


First, change the Distance on your Internet default route to some higher number*:
  • dst-address=0.0.0.0/0 | gateway=<ISP gateway> | distance=3

Second, set up a static route for the public IP of the L2TP VPN server, making sure you use a lower number for Distance, e.g.:
  • dst-address=<public IP of the VPN server> | gateway=<ISP gateway> | distance=1

Third, ADD a new default static route, making sure you use an in-between number for Distance, e.g.:
  • dst-address=0.0.0.0/0 | gateway=l2tp-out1 | distance=2


*if you use DHCP on WAN interface, you can change the distance in DHCP Client > Interface > Default Route Distance:
/ip dhcp-client set [find interface=ether1] default-route-distance=X


In order for this to work, you need to have Masquerade NAT set up for L2TP traffic:
  • chain=srcnat | action=masquerade | out-interface=l2tp-out1
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: Hap Mini - All traffic over VPN

Tue Nov 02, 2021 6:36 pm

If you are using the hAP purely as a switch, your clients will all be getting their routes and IPs from the ISP router, and will send all their traffic via that route.

What you will need to do is use the routing capabilities of the hAP, having ether1 as the WAN interface, getting an IP from the ISP router, and the switch with ether2, ether3 and wlan sending all their traffic to the hAP, for it to route via the VPN.

Also make sure you have a route to the VPN server IP going through the ISP gateway if you set the VPN end point as the default router.
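As an added illustration (not code from any post in this thread), the Python below models RouterOS route selection over the route table matpan printed and over the three-route layout wormik describes, and checks the point spynappels makes about the route to the VPN server. It assumes the hAP is actually the clients' gateway and uses a constructed placeholder (203.0.113.10) for the VPN server's public IP.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    dst: str       # destination prefix, e.g. "0.0.0.0/0"
    gateway: str   # next-hop address or RouterOS interface name
    distance: int  # administrative distance; lower is preferred

def lookup(table, ip):
    """Select a route the way RouterOS does: longest prefix match, then lowest
    distance. On an exact tie the route listed first stays active, mirroring the
    posted print where the DHCP default (ADS) is active and the static one (S) is not."""
    addr = ipaddress.ip_address(ip)
    best, best_key = None, None
    for r in table:
        net = ipaddress.ip_network(r.dst)
        if addr in net:
            key = (net.prefixlen, -r.distance)
            if best_key is None or key > best_key:
                best, best_key = r, key
    return best

def next_hop(table, ip):
    r = lookup(table, ip)
    return r.gateway if r else None

def tunnel_transport_ok(table, vpn_server):
    """L2TP packets to the server must not themselves resolve to l2tp-out1,
    or the tunnel would be routed into itself."""
    return next_hop(table, vpn_server) != "l2tp-out1"

ISP_GW = "192.168.0.1"       # ISP gateway from the thread's route print
VPN_SERVER = "203.0.113.10"  # constructed placeholder for the server's public IP
CONNECTED = [Route("192.168.0.0/24", "bridge1", 0),
             Route("192.168.222.1/32", "l2tp-out1", 0)]

# As posted: both defaults at distance 1, so the DHCP default keeps winning.
POSTED = [Route("0.0.0.0/0", ISP_GW, 1), Route("0.0.0.0/0", "l2tp-out1", 1)] + CONNECTED
# Steps one and three only: distances changed, but no host route for the server.
DISTANCE_ONLY = [Route("0.0.0.0/0", ISP_GW, 3), Route("0.0.0.0/0", "l2tp-out1", 2)] + CONNECTED
# All three steps: the server's /32 goes via the ISP gateway at distance 1.
FIXED = DISTANCE_ONLY + [Route(VPN_SERVER + "/32", ISP_GW, 1)]
```

With only the distance changes, the packets carrying the tunnel itself would be sent into l2tp-out1; the /32 host route is what keeps the L2TP transport on the ISP path.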
