swisspol
newbie
Topic Author
Posts: 26
Joined: Thu Mar 10, 2016 5:46 am

How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Sun Sep 17, 2017 5:15 am

Hi,

I have a RouterOS router at home in the US and another one in another country. They are connected over WAN using an IP tunnel with IPSec. Home LAN is 192.168.1.0/24 and other LAN is 192.168.88.0/24. The tunnel itself is 10.0.0.0/30 with 10.0.0.1 at home and 10.0.0.2 in other country. I added a custom IP route in both routers so traffic can go between LANs. Everything works perfectly and from each LAN you can access the computers in the other one.

Now here's what I'd like to achieve: for some specific devices on my home network, say my Apple TV, I want *all* its traffic to be routed through the IP tunnel to the router in the other country and exit there (hint: the Netflix selection over there is much better!). This would include traffic to the router itself, e.g. DNS requests, which would have to be redirected to the router in the other country.
In practice: Apple TV (192.168.1.200) -> home router (192.168.1.1) -> foreign country router (192.168.88.1) -> ISP router in foreign country through WAN interface -> Internet

There are probably multiple ways to achieve this but I don't know where to start?

Thanks in advance!
Last edited by swisspol on Sun Sep 17, 2017 9:21 pm, edited 2 times in total.
 
darkprocess
Member Candidate
Posts: 255
Joined: Fri Mar 20, 2015 1:16 pm

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Sun Sep 17, 2017 11:56 am

What I've done:
Created an address list of the IP addresses I want to redirect.
Mangle rule to mark frames of this address list.
Create a NAT masquerade of your VPN connection.
Create a route using the VPN connection and from frames marked previously.
 
swisspol
newbie
Topic Author
Posts: 26
Joined: Thu Mar 10, 2016 5:46 am

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Sun Sep 17, 2017 5:49 pm

Thanks for your suggestion!
Create a nat masquerade of your vpn connection
You mean on the home router or foreign country one? Can you be more specific?
Create a route using the vpn connection and from frames marked previously
How do you create a route that only affects some packets?
 
swisspol
newbie
Topic Author
Posts: 26
Joined: Thu Mar 10, 2016 5:46 am

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Sun Sep 17, 2017 9:11 pm

For the record, I found this wiki page, and tried a similar setup but trying to load websites from the target device on the home network just hangs:
https://wiki.mikrotik.com/wiki/Policy_Base_Routing

Maybe it's because my configuration is using an IP tunnel to the foreign country router instead of a VPN and I need to configure something in a specific way in the routing table / firewall on the foreign country router?
 
 
darkprocess
Member Candidate
Posts: 255
Joined: Fri Mar 20, 2015 1:16 pm

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Sun Sep 17, 2017 9:17 pm

My setup is similar to this example, but instead of using a range I use an address list in the mangle rules.
 
swisspol
newbie
Topic Author
Posts: 26
Joined: Thu Mar 10, 2016 5:46 am

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Sun Sep 17, 2017 9:18 pm

Thanks for the link, but I'd like to use an IP tunnel, not a VPN as I want to have the 2 LANs be able to talk to each other both ways. It's also better for my education and understanding how all of this works :)
 
darkprocess
Member Candidate
Posts: 255
Joined: Fri Mar 20, 2015 1:16 pm

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Sun Sep 17, 2017 9:54 pm

Just add the good route pointing the marked packets to the other router IP address.
 
swisspol
newbie
Topic Author
Posts: 26
Joined: Thu Mar 10, 2016 5:46 am

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Mon Sep 18, 2017 12:25 am

I have this set up but like I said above loading web pages hangs so I’m suspecting something is wrong on the other side of the IP tunnel when trying to reach WAN from over there...
 
darkprocess
Member Candidate
Posts: 255
Joined: Fri Mar 20, 2015 1:16 pm

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Mon Sep 18, 2017 1:26 am

What is the config of the other router? Can you export it?
 
swisspol
newbie
Topic Author
Posts: 26
Joined: Thu Mar 10, 2016 5:46 am

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Mon Sep 18, 2017 2:13 am

Here's the config of the home router (the 3 items with "TEMP" comment are what I added when trying to make this work):
/interface bridge
add admin-mac=E4:8D:8C:A4:5D:E0 arp=proxy-arp auto-mac=no name=LAN

/interface ethernet
set [ find default-name=ether1 ] name=WAN

/interface ipip
add allow-fast-path=no ipsec-secret=<REDACTED> !keepalive local-address=<REDACTED> name=ipip-lausanne remote-address=<REDACTED>

/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
add name=vpn ranges=172.16.1.100-172.16.1.200

/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=LAN lease-time=1h name=default

/interface bridge port
add bridge=LAN interface=ether2-laundry
add bridge=LAN interface=wlan1

/ip settings
set rp-filter=strict

/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=10.0.0.1/30 interface=ipip-lausanne network=10.0.0.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24

/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.8.8,8.8.4.4

/ip firewall address-list
add address=10.0.0.0/8 comment=RFC6890 list=NOT_PUBLIC
add address=100.64.0.0/10 comment=RFC6890 list=NOT_PUBLIC
add address=127.0.0.0/8 comment=RFC6890 list=NOT_PUBLIC
add address=169.254.0.0/16 comment=RFC6890 list=NOT_PUBLIC
add address=172.16.0.0/12 comment=RFC6890 list=NOT_PUBLIC
add address=192.0.0.0/24 comment=RFC6890 list=NOT_PUBLIC
add address=192.0.2.0/24 comment=RFC6890 list=NOT_PUBLIC
add address=192.168.0.0/16 comment=RFC6890 list=NOT_PUBLIC
add address=192.88.99.0/24 comment=RFC3068 list=NOT_PUBLIC
add address=198.18.0.0/15 comment=RFC6890 list=NOT_PUBLIC
add address=198.51.100.0/24 comment=RFC6890 list=NOT_PUBLIC
add address=203.0.113.0/24 comment=RFC6890 list=NOT_PUBLIC
add address=224.0.0.0/4 comment=RFC4601 list=NOT_PUBLIC
add address=240.0.0.0/4 comment=RFC6890 list=NOT_PUBLIC
add address=0.0.0.0/8 comment=RFC6890 list=NOT_PUBLIC

/ip firewall filter
add action=accept chain=input comment="Accept established and related connections" connection-state=established,related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop packets which are not destined to router's interfaces" dst-address-type=!local
add action=accept chain=input comment="Accept packets from LAN" in-interface=LAN
add action=accept chain=input comment="Accept packets from PPP" in-interface=all-ppp
add action=accept chain=input comment="Allow packets from IPIP tunnel" in-interface=ipip-lausanne
add action=drop chain=input comment="Drop packets from WAN which should not exist in public network" in-interface=WAN log=yes log-prefix=\
    FROM_WAN_NOT_PUBLIC src-address-list=NOT_PUBLIC
add action=accept chain=input comment="Allow IPSec (IKE) from WAN" dst-port=500 in-interface=WAN protocol=udp
add action=accept chain=input comment="Allow IPSec (NAT-Traversal) from WAN" dst-port=4500 in-interface=WAN protocol=udp
add action=accept chain=input comment="Allow IPSec (ESP) from WAN" in-interface=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow L2TP over IPSec from WAN" dst-port=1701 in-interface=WAN ipsec-policy=in,ipsec log-prefix=L2TP \
    protocol=udp
add action=accept chain=input comment="Allow IPIP from WAN" in-interface=WAN protocol=ipencap src-address-list=<REDACTED>
add action=drop chain=input comment="Drop everything else" log-prefix=WAN_DROP
add action=fasttrack-connection chain=forward comment="FastTrack established and related connections" connection-state=established,related
add action=accept chain=forward comment="Accept established and related connections" connection-state=established,related
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from WAN which are not dst-natted" connection-nat-state=!dstnat connection-state=\
    new in-interface=WAN log=yes log-prefix=NOT_DST_NATTED
add action=drop chain=forward comment="Drop packets from LAN which does not have local network address" in-interface=LAN log=yes log-prefix=\
    LAN_NOT_LOCAL src-address=!192.168.1.0/24
add action=drop chain=forward comment="Drop packets to WAN which should not exist in public network" dst-address-list=NOT_PUBLIC log=yes \
    log-prefix=TO_WAN_NOT_PUBLIC out-interface=WAN

/ip firewall mangle
add action=mark-routing chain=prerouting comment=TEMP disabled=yes new-routing-mark=lausanne passthrough=no src-address=192.168.1.197

/ip firewall nat
add action=masquerade chain=srcnat comment=TEMP disabled=yes dst-address=!192.168.88.0/24 out-interface=ipip-lausanne src-address=192.168.1.197
add action=dst-nat chain=dstnat comment=TEMP disabled=yes dst-address=192.168.1.1 in-interface=LAN src-address=192.168.1.197 to-addresses=\
    192.168.88.1
add action=masquerade chain=srcnat comment="Masquerade everything to WAN" out-interface=WAN
add action=redirect chain=dstnat comment="Redirect DNS Requests" dst-port=53 in-interface=LAN log-prefix=DNS_REDIRECT protocol=udp
add action=redirect chain=dstnat dst-port=53 in-interface=LAN protocol=tcp

/ip route
add comment=TEMP disabled=yes distance=1 gateway=ipip-lausanne routing-mark=lausanne
add distance=1 dst-address=192.168.88.0/24 gateway=ipip-lausanne pref-src=192.168.1.1
This might also be relevant:
[admin@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                
 0   192.168.1.1/24     192.168.1.0     LAN                                                                                                      
 1   10.0.0.1/30        10.0.0.0        ipip-lausanne                                                                                            
 2 D <REDACTED>/22   <REDACTED>     WAN                                                                                                      

[admin@MikroTik] > /ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 X S  ;;; TEMP
        0.0.0.0/0                          ipip-lausanne             1
 1 ADS  0.0.0.0/0                          <REDACTED>               1
 2 ADC  10.0.0.0/30        10.0.0.1        ipip-lausanne             0
 3 ADC  <REDACTED>     <REDACTED>   WAN                       0
 4 ADC  192.168.1.0/24     192.168.1.1     LAN                       0
 5 A S  192.168.88.0/24    192.168.1.1     ipip-lausanne             1
And the config of the remote router:
/interface bridge
add admin-mac=64:D1:54:3C:DE:1A arp=proxy-arp auto-mac=no name=LAN

/interface ethernet
set [ find default-name=ether1 ] name=WAN

/interface ipip
add allow-fast-path=no ipsec-secret=<REDACTED> !keepalive local-address=<REDACTED> name=ipip-home remote-address=<REDACTED>

/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.200
add name=vpn ranges=172.16.88.100-172.16.88.200

/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=LAN lease-time=1h name=default

/interface bridge port
add bridge=LAN interface=ether2-master
add bridge=LAN interface=wlan1
add bridge=LAN interface=wlan2

/ip settings
set rp-filter=strict

/ip address
add address=192.168.88.1/24 interface=LAN network=192.168.88.0
add address=10.0.0.2/30 interface=ipip-home network=10.0.0.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.8.8,8.8.4.4

/ip firewall address-list
add address=10.0.0.0/8 comment=RFC6890 list=NOT_PUBLIC
add address=100.64.0.0/10 comment=RFC6890 list=NOT_PUBLIC
add address=127.0.0.0/8 comment=RFC6890 list=NOT_PUBLIC
add address=169.254.0.0/16 comment=RFC6890 list=NOT_PUBLIC
add address=172.16.0.0/12 comment=RFC6890 list=NOT_PUBLIC
add address=192.0.0.0/24 comment=RFC6890 list=NOT_PUBLIC
add address=192.0.2.0/24 comment=RFC6890 list=NOT_PUBLIC
add address=192.168.0.0/16 comment=RFC6890 list=NOT_PUBLIC
add address=192.88.99.0/24 comment=RFC3068 list=NOT_PUBLIC
add address=198.18.0.0/15 comment=RFC6890 list=NOT_PUBLIC
add address=198.51.100.0/24 comment=RFC6890 list=NOT_PUBLIC
add address=203.0.113.0/24 comment=RFC6890 list=NOT_PUBLIC
add address=224.0.0.0/4 comment=RFC4601 list=NOT_PUBLIC
add address=240.0.0.0/4 comment=RFC6890 list=NOT_PUBLIC
add address=0.0.0.0/8 comment=RFC6890 list=NOT_PUBLIC

/ip firewall filter
add action=accept chain=input comment="Accept established and related connections" connection-state=established,related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop packets which are not destined to router's interfaces" dst-address-type=!local
add action=accept chain=input comment="Accept packets from LAN" in-interface=LAN
add action=accept chain=input comment="Accept packets from PPP" in-interface=all-ppp
add action=accept chain=input comment="Allow packets from IPIP tunnel" in-interface=ipip-home
add action=drop chain=input comment="Drop packets from WAN which should not exist in public network" in-interface=WAN log=yes log-prefix=\
    FROM_WAN_NOT_PUBLIC src-address-list=NOT_PUBLIC
add action=accept chain=input comment="Allow IPSec (IKE) from WAN" dst-port=500 in-interface=WAN protocol=udp
add action=accept chain=input comment="Allow IPSec (NAT-Traversal) from WAN" dst-port=4500 in-interface=WAN protocol=udp
add action=accept chain=input comment="Allow IPSec (ESP) from WAN" in-interface=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow L2TP over IPSec from WAN" dst-port=1701 in-interface=WAN ipsec-policy=in,ipsec log-prefix=L2TP \
    protocol=udp
add action=accept chain=input comment="Allow IPIP from WAN" in-interface=WAN protocol=ipencap src-address-list=<REDACTED>
add action=drop chain=input comment="Drop everything else" log-prefix=WAN_DROP
add action=fasttrack-connection chain=forward comment="FastTrack established and related connections" connection-state=established,related
add action=accept chain=forward comment="Accept established and related connections" connection-state=established,related
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from WAN which are not dst-natted" connection-nat-state=!dstnat connection-state=\
    new in-interface=WAN log=yes log-prefix=NOT_DST_NATTED
add action=drop chain=forward comment="Drop packets from LAN which does not have local network address" in-interface=LAN log=yes log-prefix=\
    LAN_NOT_LOCAL src-address=!192.168.88.0/24
add action=drop chain=forward comment="Drop packets to WAN which should not exist in public network" dst-address-list=NOT_PUBLIC log=yes \
    log-prefix=TO_WAN_NOT_PUBLIC out-interface=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade everything to WAN" out-interface=WAN
add action=redirect chain=dstnat comment="Redirect DNS Requests" dst-port=53 in-interface=LAN log-prefix=DNS_REDIRECT protocol=udp
add action=redirect chain=dstnat dst-port=53 in-interface=LAN protocol=tcp

/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=ipip-home pref-src=192.168.88.1
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                
 0   192.168.88.1/24    192.168.88.0    LAN                                                                                                      
 1   10.0.0.2/30        10.0.0.0        ipip-home                                                                                                
 2 D <REDACTED>/21   <REDACTED>    WAN                                                                                                      

[admin@MikroTik] > /ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          <REDACTED>              1
 1 ADC  10.0.0.0/30        10.0.0.2        ipip-home                 0
 2 ADC  46.126.216.0/21    <REDACTED>   WAN                       0
 3 A S  192.168.1.0/24     192.168.88.1    ipip-home                 1
 4 ADC  192.168.88.0/24    192.168.88.1    LAN                       0
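Darkprocess's four steps (address list, mangle mark, masquerade on the tunnel, marked route) written out against the names in the exported config above, as an added example for this page rather than either poster's own configuration. The list name PBR_HOSTS and the routing-mark name lausanne are assumptions; the interface ipip-lausanne, the two LAN prefixes, the remote router address 192.168.88.1 and the Apple TV address come from the thread.

```routeros
# Home router (192.168.1.1). Added example; PBR_HOSTS and the mark name
# "lausanne" are assumed names, the rest follows the posted export.

# 1. Hosts whose traffic should leave via the other country.
/ip firewall address-list
add list=PBR_HOSTS address=192.168.1.200 comment="Apple TV"

# 2. Mark routing for those hosts only. LAN-to-LAN traffic is excluded so
#    the two LANs keep talking to each other through the main table.
/ip firewall mangle
add chain=prerouting src-address-list=PBR_HOSTS dst-address=!192.168.88.0/24 \
    action=mark-routing new-routing-mark=lausanne passthrough=no

# 3. Marked packets get their own table with a single default route into
#    the tunnel; unmarked packets never consult it.
/ip route
add routing-mark=lausanne dst-address=0.0.0.0/0 gateway=ipip-lausanne distance=1

# 4. Source-NAT to the tunnel address (10.0.0.1) so the remote router can
#    reach the reply destination without any extra route on its side; it
#    then masquerades toward its own WAN with the rule already in its config.
/ip firewall nat
add chain=srcnat src-address-list=PBR_HOSTS out-interface=ipip-lausanne \
    dst-address=!192.168.88.0/24 action=masquerade

# 5. DNS: queries these hosts send to 192.168.1.1 are forwarded to the remote
#    router instead. place-before=0 puts the rule ahead of the existing
#    "Redirect DNS Requests" redirect, which would otherwise match first.
add place-before=0 chain=dstnat src-address-list=PBR_HOSTS dst-address=192.168.1.1 \
    protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.88.1

# Two checks before testing:
# - rp-filter=strict drops reply packets arriving on ipip-lausanne whose source
#   (a public address) is reachable via WAN in the main table; loose still
#   rejects spoofed sources with no route at all but accepts these replies.
/ip settings
set rp-filter=loose
# - fasttracked packets bypass mangle, so exclude these hosts from the
#   "FastTrack established and related connections" rule, e.g. by adding
#   src-address-list=!PBR_HOSTS and dst-address-list=!PBR_HOSTS to it.
```

The remote router needs nothing beyond what is already exported: its input chain accepts packets from ipip-home and its srcnat masquerades everything leaving WAN.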
 
darkprocess
Member Candidate
Posts: 255
Joined: Fri Mar 20, 2015 1:16 pm

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Mon Sep 18, 2017 2:25 am

What is the config of the other router? Can you export it?
 
swisspol
newbie
Topic Author
Posts: 26
Joined: Thu Mar 10, 2016 5:46 am

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Mon Sep 18, 2017 2:27 am

They are both above :)
 
crislesov
just joined
Posts: 4
Joined: Sun Jan 21, 2018 11:08 am

Re: How to redirect all traffic from a specific host on LAN through an IP tunnel and access WAN on other side?

Sun Jan 21, 2018 2:08 pm

I guess this ^^ is not the only way it can be done...
Do you know where I can find more tutorials about how to route all traffic (or just some) through a VPN?
