JamesHarrison
just joined
Topic Author
Posts: 14
Joined: Thu Aug 04, 2011 3:53 am

Selective VPN tunnel

Thu May 03, 2012 1:27 pm

Hi,

I'm trying to set up a PPTP VPN tunnel to route some, but not all, traffic that would otherwise go out over a local internet connection.

I've set up the PPTP client and all appears to be well. I'm now trying to figure out how to set up NAT and routing so that I can direct traffic based on mangle rules (L7 and dst/src ports) to use that connection instead of the modem connection.

My first attempt I set up masquerade on the srcnat chain of the PPTP client, added a new route which has the gateway set to the PPTP client with a routing mark of 'vpn' and added mangle rules to set that routing mark on that traffic. However I only got traffic leaving the interface, never any traffic incoming, and this clearly didn't work. Am I missing something bleedin' obvious here?
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Re: Selective VPN tunnel

Thu May 03, 2012 3:26 pm

What exactly are you trying to achieve? If you can explain what you are doing there might be an easier way.
 
JamesHarrison
just joined
Topic Author
Posts: 14
Joined: Thu Aug 04, 2011 3:53 am

Re: Selective VPN tunnel

Thu May 03, 2012 3:33 pm

What exactly are you trying to achieve? If you can explain what you are doing there might be an easier way.
I'm trying to direct internet traffic (not gaming traffic, though) through a VPN for the purposes of encrypting traffic where I may be using the router on a monitored/shared connection. I'm specifically looking for a technique I can use which is opt-in (i.e. selectively putting traffic through the VPN) rather than opt-out (selectively making stuff -not- use the VPN) because I'm not looking for strong protection, just crypto on web traffic, email, etc. where SSL isn't always available. The VPN onwards is effectively a trusted network.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Re: Selective VPN tunnel

Thu May 03, 2012 3:40 pm

If I am understanding correctly you will need to do policy routing. Either route the traffic out the unprotected network or route the traffic out the PPTP based on the type of traffic. Here is a link to policy routing. You will obviously need to adapt this to fit your needs.

http://wiki.mikrotik.com/wiki/Manual:PCC#Policy_routing
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Selective VPN tunnel

Thu May 03, 2012 4:08 pm

So you have:

Mangle rule marking routing to "VPN" ?
Routing table entry with routing mark "VPN" ?
NAT rule masquerading traffic leaving the VPN interface ?

If you are not seeing return traffic I would double check the masquerade settings. Perhaps try a NAT rule which masquerades specifically on the VPN interface as the out interface while "VPN" routing mark is set and push that rule to the top of the list.
 
JamesHarrison
just joined
Topic Author
Posts: 14
Joined: Thu Aug 04, 2011 3:53 am

Re: Selective VPN tunnel

Thu May 03, 2012 4:21 pm

I've implemented the general gist of the policy routing tutorial and now have connections being marked properly and routing marks being set properly as a result, on prerouting mostly; the output chain routing markers are barely doing anything (~100mb+92k packets on prerouting, 5kb+34 packets on output). I can see traffic hitting the Tx on the PPTP client but not a single thing coming back from it. The masquerade srcnat rule is set for the interface and is at the top of the list, 848kb+9k packets.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Selective VPN tunnel

Thu May 03, 2012 5:40 pm

Can you upload the Mangle & NAT rules and the routing table?
 
JamesHarrison
just joined
Topic Author
Posts: 14
Joined: Thu Aug 04, 2011 3:53 am

Re: Selective VPN tunnel

Thu May 03, 2012 6:40 pm

[admin@Aquinas] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 X S  0.0.0.0/0                          pptp                        1
 1 ADS  0.0.0.0/0                          81.97.252.1               0
 2   S  0.0.0.0/0                          modem                     1
 3  DS  0.0.0.0/0                          10.0.0.1                  1
 4 ADC  10.0.0.0/24        10.0.0.2        guest-lan-eoip            0
 5 ADC  10.0.0.1/32        192.168.0.1     pptp                       0
 6 ADC  81.97.252.0/23     81.97.253.248   modem                     0
 7 ADC  192.168.0.0/24     192.168.0.1     local_bridge              0
 8 ADC  192.168.100.2/32   192.168.100.2   modem                     0

/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    pptp routing-mark=vpn scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    modem scope=30 target-scope=10

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pptp \
    routing-mark=vpn
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=modem
... (whole bunch of rules to forward ports, set up as the following)
add action=dst-nat chain=dstnat dst-port=3000 protocol=tcp \
    to-addresses=192.168.0.124 to-ports=3000

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    no in-interface=modem new-connection-mark=modem-conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    no in-interface=pptp new-connection-mark=pptp-conn passthrough=\
    yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    no dst-address-type=!local in-interface=local_bridge new-connection-mark=\
    modem-conn passthrough=yes per-connection-classifier=both-addresses:2/0 \
    src-address-type=""
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    no dst-address-type=!local in-interface=local_bridge new-connection-mark=\
    pptp-conn passthrough=yes per-connection-classifier=both-addresses:2/1 \
    src-address-type=""
add action=mark-routing chain=prerouting connection-mark=modem-conn disabled=\
    no in-interface=local_bridge new-routing-mark=main passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pptp-conn disabled=\
    no in-interface=local_bridge new-routing-mark=vpn passthrough=yes
add action=mark-routing chain=output connection-mark=modem-conn disabled=no \
    new-routing-mark=main passthrough=yes
add action=mark-routing chain=output connection-mark=pptp-conn disabled=no \
    new-routing-mark=main passthrough=yes
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Selective VPN tunnel

Thu May 03, 2012 7:11 pm

On this entry:
add action=masquerade chain=srcnat disabled=no out-interface=pptp \
    routing-mark=vpn
Could you temporarily remove the routing mark requirement and see if it behaves differently? The symptoms sound like a lack of masquerade.
 
JamesHarrison
just joined
Topic Author
Posts: 14
Joined: Thu Aug 04, 2011 3:53 am

Re: Selective VPN tunnel

Thu May 03, 2012 7:16 pm

On this entry:
add action=masquerade chain=srcnat disabled=no out-interface=pptp \
    routing-mark=vpn
Could you temporarily remove the routing mark requirement and see if it behaves differently? The symptoms sound like a lack of masquerade.
Done, no change - I only added that requirement in response to an earlier post that suggested it might help. No change with it applied.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Selective VPN tunnel

Thu May 03, 2012 7:46 pm

If you do a tracert to, say, one of Google's DNS servers (8.8.8.8) from a PC set to use the VPN, what do you get? The default route using the PPTP connection is flagged as disabled in your earlier post....
 
JamesHarrison
just joined
Topic Author
Posts: 14
Joined: Thu Aug 04, 2011 3:53 am

Re: Selective VPN tunnel

Thu May 03, 2012 8:05 pm

If you do a tracert to, say, one of Google's DNS servers (8.8.8.8) from a PC set to use the VPN, what do you get? The default route using the PPTP connection is flagged as disabled in your earlier post....
Disabled because it doesn't work, and having it enabled at present just makes half the new connections to the outside fail!

Mangled a machine to route to the VPN all the time and it hits the router and gets no further.

james@perfidy:~$ traceroute eveonline.com
traceroute to eveonline.com (87.237.39.92), 30 hops max, 60 byte packets
1 aquinas (192.168.0.1) 0.721 ms 0.638 ms 1.740 ms
2 * * *

Potentially something up with the VPN connection? It all looks to be working...

Edit: Doh. Okay, VPN was in fact not happy, and having fixed it, all is well. I'm now connected fine and have set up appropriate mangle rules now to route things to the right place. Thanks for all the input guys!
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Re: Selective VPN tunnel

Thu May 03, 2012 8:53 pm

Can you try to remove the routing mark from your NAT rule? That should not be necessary the way you are specifying "out-interface". Also, this might be a crazy question, but does the internet work through your VPN connection?

EDIT: After seeing your edit, I will make an edit and say congratulations. :D
 
tedd77
newbie
Posts: 39
Joined: Sun Dec 18, 2011 5:05 pm

Re: Selective VPN tunnel

Tue Oct 16, 2012 2:39 am

Hello,
I have a similar situation where I only need certain IPs from my network to go over the VPN and the rest to go over the regular internet connection.
My LAN network is 192.168.88.0/24
My VPN client interface name is: pptp_out
I needed 192.168.88.20/24 and 192.168.88.250/24 to go over the VPN.

On my firewall I set the NAT:
/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=pptp_out

Mangle:
/ip firewall mangle add action=mark-routing chain=prerouting disabled=no new-routing-mark=only_vpn passthrough=yes src-address=192.168.88.20
/ip firewall mangle add action=mark-routing chain=prerouting disabled=no new-routing-mark=only_vpn passthrough=yes src-address=192.168.88.250

Route:
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp_out routing-mark=only_vpn

The issue is that when I add the route my VPN start going offline / online. if I remove the route line the VPN becomes normal but no traffic is traversing it.

When the VPN goes up, a dynamic route is created that is conflicting with the static route I added.

Could someone help me fix this issue?
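A consolidated opt-in configuration covering the three items in CelticComms's checklist (routing mark in mangle, a default route that only carries that mark, masquerade on the tunnel interface) together with the dynamic-default-route conflict tedd77 describes. This is an added example written for this thread, not any poster's configuration: the tunnel name pptp_out, LAN 192.168.88.0/24 and the two host addresses come from tedd77's post, while the bridge name local_bridge, the address list vpn-hosts and the mark names are assumed here; it generalizes the two per-host mangle rules to an address list so further hosts can opt in without new rules.

```routeros
# Hosts that opt in to the tunnel (constructed values; extend the list as needed)
/ip firewall address-list
add list=vpn-hosts address=192.168.88.20 comment="opt-in to VPN"
add list=vpn-hosts address=192.168.88.250 comment="opt-in to VPN"

# The PPTP client must NOT install its own 0.0.0.0/0 when it comes up;
# that dynamic default route is what fights the static marked route and
# makes the tunnel flap. The only default via the tunnel is the marked one below.
/interface pptp-client
set [find name="pptp_out"] add-default-route=no

/ip firewall mangle
# Mark the connection once, on its first packet from an opt-in host, and only
# when the destination is not the router itself, so LAN-to-router traffic
# (DNS, Winbox, local services) stays in the main table.
add chain=prerouting in-interface=local_bridge src-address-list=vpn-hosts \
    dst-address-type=!local connection-mark=no-mark \
    action=mark-connection new-connection-mark=vpn-conn passthrough=yes
# Turn the connection mark into a routing mark on every packet of that
# connection; passthrough=no stops rule processing here.
add chain=prerouting in-interface=local_bridge connection-mark=vpn-conn \
    action=mark-routing new-routing-mark=vpn passthrough=no

/ip route
# Used only by packets carrying routing-mark=vpn. check-gateway=ping deactivates
# the route while the tunnel is down so marked traffic fails closed rather than
# falling back to the modem unencrypted.
# (RouterOS v7: first run "/routing table add name=vpn fib" and use routing-table=vpn.)
add dst-address=0.0.0.0/0 gateway=pptp_out routing-mark=vpn distance=1 \
    check-gateway=ping comment="opt-in VPN default"

/ip firewall nat
# Source NAT is matched on the outgoing interface alone; a routing-mark
# condition here adds nothing and is one more thing to get wrong.
add chain=srcnat out-interface=pptp_out action=masquerade comment="VPN masquerade"

# Checks after applying:
#   /ip route print where routing-mark=vpn          -> route shows A (active), no X
#   /ip route print where dst-address=0.0.0.0/0     -> no second dynamic default via pptp_out
#   /ip firewall mangle print stats                 -> both rules' counters rise for opt-in hosts
#   /ip firewall connection print where connection-mark=vpn-conn
```

If the marked route is active and the mangle counters climb but nothing returns over the tunnel, the remaining suspect is the tunnel itself, which is what the original poster eventually found.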
