Hello everybody,

we just started to use the Mikrotik devices in order to provide Wifi in refugee accomodations.
The devices are great, however i have one issue.

Due to the german law, we have to make sure that all Traffic gets routed over a VPN to the datacenter of the organisation which provides the Internet access.

For that, each accomodation gets a dedicated VDSL internet connection with a normal VDSL router. The Mikrotik is configured as a open-vpn client and establishs a tunnel to the VPN server in the datacenter, that´s working so far.

Here is the setup in details:

DSL Router --> 192.168.178.1 connected to Eth1 of MikroTik - IP address is 192.168.178.10
MikroTik Client IP Address Subnet = 192.168.13.0/24 - connected on Eth2
OpenVPN IP address 192.168.77.20 (VPN Server has 192.168.77.1)

What i try to achieve:

Clients from 192.168.13.0/24 (connected over Wifi) should forward ALL internet traffic over the tunnel interface of the OpenVPN and NOT over the DSL Router.
I tried several configurations, added routes, configured mangle etc. nothing worked, whenever i do a traceroute, the first hop is always the DSL Router with the 192.168.178.1 IP.

Can someone give some detailed instructions with commands how to achieve the forwarding?

Thanks and Best Regards!

Marcel

1.
Add route to 0.0.0.0 over 192.168.77.1 gateway (VPN)
Change distance by +1 for your default route (that is 0.0.0.0 over 192.168.178.1)
The distance of you eth1 route should be higher, than you ppp route
Note: if you get an ip address for your eth1 by DHCP, you should change the distance in your dhcp client settings for eth1 interface.

2.
Add src-nat for your outgoing ppp interface to masquerade
External networks don't have routes to your private networks like 192.168.13.0/24. So let your router msqrd your private addresses.

3. Make an accept rule for your forward traffic from 192.168.13.0/24 to VPN interface.
Note: be sure that you have an accept rule for incoming packets with established & related connection state. Otherwise you your router will filter incoming traffic that is inside an established connection. This is already enabled if you did not reset your default config in first few "defconf" rules of your firewall.

Thanks Tarkin!

What do you mean by "ppp route"? Sorry, maybe i am just too stupid... It is the eth1 Interface which is connected to the DSL Router?

And to Point 2 - how can i exacetly achieve that? What command do i Need?

Sorry for the stupid questions!

Again - thank you very much!

Hey,

just tried this:

.
Add route to 0.0.0.0 over 192.168.77.1 gateway (VPN)
Change distance by +1 for your default route (that is 0.0.0.0 over 192.168.178.1)
The distance of you eth1 route should be higher, than you ppp route
Note: if you get an ip address for your eth1 by DHCP, you should change the distance in your dhcp client settings for eth1 interfa

however, if i add the new route for the VPN the default role will be disabled?

What do i wrong?

Hey,

however, if i add the new route for the VPN the default role will be disabled?

What do i wrong?

If you have two (or more) routes to 0.0.0.0 with different distances, the active route is the route with lowest distance. Another route becomes active when a gateway for your primary route becomes unreachable.
In you way it means:
1. When your router starts, it is trying to make a VPN connection using the only one active route with distance 2 (over ether1). The VPN route with distance 1 is inactive at this moment (not disabled, but INACTIVE)
Whe
2. When the VPN connection estableshed, the VPN route becomes active and used to pass traffic over VPN gateway.
Is it clear. This basics of static routing, not only in Mikrotik ROS =)

Thanks Tarkin!
1.
What do you mean by "ppp route"?

2.
And to Point 2 - how can i exacetly achieve that? What command do i Need?

1. "ppp route" i mean the route thru your VPN gateway 1a. 2. Where ppp1-out is the name of your vpn interface.

1.
Add a new route to dst. addr 0.0.0.0/0 over 192.168.77.1 gateway (VPN)
Change distance by +1 for your default route (that is 0.0.0.0 over 192.168.178.1)
The distance of you eth1 route should be higher, than you ppp route
Note: if you get an ip address for your eth1 by DHCP, you should change the distance in your dhcp client settings for eth1 interface.

2.
Add src-nat for your outgoing ppp interface to masquerade
External networks don't have routes to your private networks like 192.168.13.0/24. So let your router msqrd your private addresses.

3. Make an accept rule for your forward traffic from 192.168.13.0/24 to VPN interface.
Note: be sure that you have an accept rule for incoming packets with established & related connection state. Otherwise you your router will filter incoming traffic that is inside an established connection. This is already enabled if you did not reset your default config in first few "defconf" rules of your firewall.

Like the Original Poster of this thread, I want to route all the (internet) traffic through a VPN client (be it PPTP, L2PT or OpenVPN).
I'm using a Router Board 750GL, that runs RouterOS 6.41 with the default configuration (the classical config that you get after a reset).
I believe I understood what you meant with the first two steps... However, the third step is unclear to me. I tried something but is not working.

Here's what I did.. steps 1) and 2)




3) Step 3.. this is what I've done (and is not working..). What did he meant with this ? :
Make an accept rule for your forward traffic from 192.168.13.0/24 to VPN interface.
Note: be sure that you have an accept rule for incoming packets with established & related connection state.
Otherwise you your router will filter incoming traffic that is inside an established connection.
This is already enabled if you did not reset your default config in first few "defconf" rules of your firewall


Although I've seen another way to do this "route all traffic through a VPN client"
( https://support.hidemyass.com/hc/en-us/ ... ient-Setup ),
I like Tarikin's approach {when the router starts, the only available gateway is at the distance 2 because the
distance 1 offered by the VPN is not yet active (it takes time for the vpn client to connect..); but after a few seconds,
the VPN client connects and it becomes the preferred gateway (distance 1) for all traffic}
more.. So please help me finish this!