krzyhoo
just joined
Topic Author
Posts: 18
Joined: Tue Mar 26, 2013 11:50 am

Automatically forward Traffic to Netflix/Hulu via OVPN

Tue Mar 26, 2013 12:19 pm

Hi Gurus,

The question must have been asked a thousand times, so if one can point me in the right direction, I would be grateful. Here we go...

I am planning to purchase a MikroTik router to harness its VPN awesomeness (among other things). What I would like to do is automatically route the entire network's traffic to certain sites through a VPN connection. So regardless of the source of the request (be that my desktop, laptop or PS3), I would like to push all traffic to Netflix/Hulu-likes via a US VPN.

Can it be done? And if so, can anyone help me with that? I would be much obliged...

Regards,
Krzysztof
 
maciii
just joined
Posts: 6
Joined: Thu Mar 08, 2007 11:56 pm

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Sun May 05, 2013 10:35 pm

Hi Krzysztof. I have the same need for my Xbox :-) I found this, but it is not working for me (I do not know why). http://wiki.hidemyass.com/Mikrotik_Rout ... L2TP_Setup

Did you solve this already?
 
MCT
Member Candidate
Posts: 158
Joined: Wed Mar 03, 2010 5:53 pm

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Thu May 09, 2013 4:33 pm

A few minutes on Google will get you the network blocks that those companies own. You can use those address ranges to tag and route the traffic to them through the VPN.
 
maciii
just joined
Posts: 6
Joined: Thu Mar 08, 2007 11:56 pm

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Thu May 09, 2013 4:45 pm

> A few minutes on Google will get you the network blocks that those companies own. You can use those address ranges to tag and route the traffic to them through the VPN.

I have a VPN account at ibVPN. I also have my own company VPN. I did the setup for a PPTP client (login successful). But routing is not working and I do not know why. I was asking Mr. Google a lot and tried it several times, but no success :-(

I was using this: http://wiki.hidemyass.com/Mikrotik_Rout ... L2TP_Setup
 
mark
just joined
Posts: 16
Joined: Thu May 09, 2013 6:09 pm
Location: EU, Germany

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Thu May 09, 2013 6:42 pm

After the connection to the VPN server has been established you will be given an IP-address and a new route to a new host. It will look like this (please note entry DAC / 77.xxx.xxx.xxx with distance 0):
[Attached image: route-list.png]
Depending on your VPN you could even get more routes than a single one to a lone host, though.

All you need to do is set up routes for that new peer. For example, I've configured my RouterBoard to drive traffic to 0.0.0.0/0 (all possible IPs) through my VPN. That's done in line 2 — please ignore the »routing mark« for now.

ros code

/ip route
add gateway=77.xxx.xxx.xxx distance=1 check-gateway=ping routing-mark=MyFirstVPN

I assume you've come so far — and all your traffic will still not be directed through the VPN. That's because the first longest prefix to match a destination address will determine which route its packets will choose. Except if you have assigned routing marks, that is. Routes for them are being looked up first.

You can assign routing marks to packets like this:

ros code

/ip firewall nat
add action=masquerade chain=srcnat out-interface=MyFirstVPN

/ip firewall mangle
# entry 1
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/22 \
    new-routing-mark=MyFirstVPN src-address=192.168.0.111
# entry 2
add action=mark-routing chain=prerouting comment="DSCP=1 is YourApp.exe" dscp=1 \
    dst-address=!192.168.0.0/22 new-routing-mark=MyFirstVPN

»Entry 1« results in all packets from host 192.168.0.111 going through the VPN. Except if they're meant for your local network, 192.168.0.0/22.

»Entry 2« requires that your application (or operating system) assigns DSCP=1 to packets sent by a set of programs. No matter which host sends them, as soon as DSCP is 1 everything goes through the VPN. That could be Firefox which you want to automatically go through your VPN for, say, Hulu or Netflix.

Whenever your VPN connection goes down the gateway (77.xxx.xxx.xxx in my example) becomes unreachable and the default route through the regular gateway is taken. If you do not want that then remember to create a new rule for that:

ros code

/ip firewall filter
# for entry 1 (permits DNS and PPTP, though)
add action=drop chain=forward dst-address=!192.168.0.0/22 dst-port=!53,1723 out-interface=\
    ether1-gateway protocol=tcp src-address=192.168.0.111
add action=drop chain=forward dst-address=!192.168.0.0/22 dst-port=!53 out-interface=\
    ether1-gateway protocol=udp src-address=192.168.0.111
# for entry 2
add action=drop chain=forward comment="YourApp.exe via VPN only" dscp=1 out-interface=ether1-gateway

––––

Using Windows you can assign DSCP values to applications using the »group policy editor«. Hit Win+R, enter »gpedit.msc«. Computer Configuration → Windows Settings → Policy-based…

You need to add this to your registry to have Windows actually send DSCP values:

plain code

Windows Registry Editor Version 5.00

; Windows to send DSCP.reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\QoS]
"Do not use NLA"="1"

To get you started, an excerpt from the rules I've collected:

plain code

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\PuTTY (AF4)]
"Version"="1.0"
"Application Name"="putty.exe"
"Protocol"="TCP"
"Local Port"="*"
"Local IP"="*"
"Local IP Prefix Length"="*"
"Remote Port"="*"
"Remote IP"="*"
"Remote IP Prefix Length"="*"
"DSCP Value"="56"
"Throttle Rate"="-1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\Firefox for Hulu]
"Version"="1.0"
"Application Name"="firefox.exe"
"Protocol"="TCP"
"Local Port"="*"
"Local IP"="*"
"Local IP Prefix Length"="*"
"Remote Port"="*"
"Remote IP"="*"
"Remote IP Prefix Length"="*"
"DSCP Value"="2"
"Throttle Rate"="-1"
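Added example (not part of the post above, and not MikroTik code): a small Python model of the decision path the post describes, covering the mangle mark, the route lookup with fallback when the VPN gateway is down, and the forward drop rules, run over constructed packets. The `lan` label, the host 192.168.0.50 and the destination 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/22")
VPN_HOST = "192.168.0.111"

def routing_mark(pkt):
    """Mangle prerouting: entry 1 (source host) and entry 2 (DSCP=1)."""
    if ipaddress.ip_address(pkt["dst"]) in LAN:      # dst-address=!192.168.0.0/22
        return None
    if pkt["src"] == VPN_HOST or pkt["dscp"] == 1:
        return "MyFirstVPN"
    return None

def out_interface(pkt, vpn_up):
    """Marked packets take the VPN route only while check-gateway sees it
    alive; otherwise the lookup falls through to the main default route."""
    if ipaddress.ip_address(pkt["dst"]) in LAN:
        return "lan"                                 # assumed label: stays local
    if routing_mark(pkt) and vpn_up:
        return "MyFirstVPN"
    return "ether1-gateway"

def forward_filter(pkt, out_if):
    """The three drop rules from the post; anything unmatched is accepted."""
    if out_if != "ether1-gateway":
        return "accept"
    if pkt["src"] == VPN_HOST:
        if pkt["proto"] == "tcp" and pkt["dport"] not in (53, 1723):
            return "drop"
        if pkt["proto"] == "udp" and pkt["dport"] != 53:
            return "drop"
    return "drop" if pkt["dscp"] == 1 else "accept"

def verdict(pkt, vpn_up):
    """Interface the packet leaves on, or 'drop'."""
    out_if = out_interface(pkt, vpn_up)
    return out_if if forward_filter(pkt, out_if) == "accept" else "drop"

def pkt(src, dport, proto="tcp", dscp=0, dst="203.0.113.10"):
    """Constructed sample packet; 203.0.113.10 is a documentation address."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "dscp": dscp}

if __name__ == "__main__":
    cases = {"host https": pkt(VPN_HOST, 443),
             "host dns": pkt(VPN_HOST, 53, "udp"),
             "app dscp=1": pkt("192.168.0.50", 443, dscp=1),
             "app dscp=2": pkt("192.168.0.50", 443, dscp=2)}
    for name, p in cases.items():
        print(f"{name:11} up={verdict(p, True):15} down={verdict(p, False)}")
```

With the VPN down, UDP/53 from 192.168.0.111 still leaves via ether1-gateway because the drop rules exempt that port, and a packet tagged DSCP=2 is never marked, so it uses the regular gateway in both states.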
 
maciii
just joined
Posts: 6
Joined: Thu Mar 08, 2007 11:56 pm

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Thu May 09, 2013 9:57 pm

As I understand it: if I do not add Entry 2, it will work for every application, yes?
 
mark
just joined
Posts: 16
Joined: Thu May 09, 2013 6:09 pm
Location: EU, Germany

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Fri May 10, 2013 1:01 am

> As I understand it: if I do not add Entry 2, it will work for every application, yes?

Yes, entry 1 alone will route everything originating from host 192.168.0.111 via the VPN. ›Always‹ as in no-matter-which application.
 
maciii
just joined
Posts: 6
Joined: Thu Mar 08, 2007 11:56 pm

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Fri May 10, 2013 9:08 am

Thank you very much, it works well and I also understand it with your great explanation! Thank you!!!
 
billyelliott
just joined
Posts: 1
Joined: Sat Nov 16, 2013 8:37 am

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Sat Nov 16, 2013 8:47 am

How can I stream full Blu-ray rips from a little NAS/media server to my TV? Preferably without having to buy a set-top box, but honestly at this point, whatever works.
It needs to support FLAC (or PCM, its converted cousin) and full-bitrate Blu-rays.
 
ashmodai
just joined
Posts: 22
Joined: Thu Jul 21, 2011 12:48 pm

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Fri Nov 22, 2013 3:34 pm

Thanks Marc for your nice explanations. Your approach of using QoS to tag application-specific communication to be routed is very clever! This brings me one step closer to a perfect install :) but like krzyhoo I am looking for a solution that would work from any device internally (be it Apple TV, PS3, iPads, PCs...) and ideally this should only route specific requests. In your proposal, Firefox would get all of its traffic routed, not only the Hulu traffic...
Do you have any idea how to use layer7 filtering to route only selected traffic? I obviously tried MCT's solution, but the issue is that many of these geotagged content providers are using generic hosting like Amazon behind the scenes, and trying to catch all possible networks ends up routing much more than catch-up TV traffic...
Thanks!
Loic
 
jurgenskrause
newbie
Posts: 30
Joined: Thu Feb 27, 2014 1:30 pm

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Thu Jun 26, 2014 1:22 pm

I know that this is a very late reply, but I have made a route list for Netflix that seems to work very well at present:
http://binaryheartbeat.blogspot.com/201 ... outes.html
 
ijhammo
just joined
Posts: 1
Joined: Sun Sep 07, 2014 12:54 am

Re: Automatically forward Traffic to Netflix/Hulu via OVPN

Sun Sep 07, 2014 12:58 am

Awesome post thanks!! Enabled me to do exactly what I needed! :D
