Community discussions

jacauc
just joined
Topic Author
Posts: 16
Joined: Sun Jan 30, 2011 3:49 am

VPN Killswitch

Sat Feb 03, 2018 12:24 pm

I have Policy Based Routing set up on my Mikrotik to mangle certain packets and send those to a VPN connection using routing marks.

The problem I have, though, is that if the VPN disconnects, these packets will end up on the unencrypted link (failover to the default route).
My intent, however, is to completely drop VPN packets if the VPN link is disconnected and avoid failover to the default route, to prevent traffic on an unencrypted connection unbeknownst to the user.

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=capped new-connection-mark=capped passthrough=yes
add action=mark-routing chain=output connection-mark=capped new-routing-mark=capped passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=[REDACTED] new-connection-mark=[REDACTED] passthrough=yes
add action=mark-routing chain=output connection-mark=[REDACTED] new-routing-mark=[REDACTED] passthrough=no
add action=mark-routing chain=prerouting comment="First Mark All Packets" new-routing-mark=capped passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="Afterwards, add exceptions for other routing marks. 192.168.1.15 goes via VPN Tunnel" new-routing-mark=[REDACTED] passthrough=yes port=!80,443 protocol=tcp src-address=192.168.1.15

/ip route
add check-gateway=ping comment="DEFAULT ROUTE" distance=1 gateway=capped scope=255
add check-gateway=ping distance=2 gateway=capped routing-mark=capped
add check-gateway=ping distance=2 gateway=[REDACTED] routing-mark=[REDACTED]

Any suggestions on how I can achieve this?
 
sebastia
Forum Guru
Posts: 1797
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VPN Killswitch

Sat Feb 03, 2018 3:41 pm

Hi

You should add a blackhole route to your route table as the last entry, so it won't fall back into the main route table.

/ip route
add distance=10 routing-mark=[REDACTED] type=blackhole
 
jacauc
just joined
Topic Author
Posts: 16
Joined: Sun Jan 30, 2011 3:49 am

Re: VPN Killswitch

Sun Feb 04, 2018 4:07 am

Exactly what I needed, thanks!
I wasn't aware of the blackhole capability.

Appreciate the help
 
eworm
Forum Veteran
Posts: 724
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: VPN Killswitch

Sun Feb 04, 2018 4:25 pm

I used to do this in firewall, but routing makes it even simpler. Thanks for the hint.
I use type=unreachable, though.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
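Putting sebastia's and eworm's replies together, here is a complete configuration of the scheme as an added example; it is not taken from any post in this thread and not from the original poster's router. It assumes a LAN of 192.168.1.0/24, a forced client at 192.168.1.15, a VPN client interface named vpn-out, a routing mark named vpn and a connection mark named vpn-conn; all of these names are assumptions, and the syntax is RouterOS v6 (the version current when the thread was written; v7 moved routing marks into /routing table, so check the syntax there before pasting).

```routeros
# Added example, not from the thread. Assumed names: LAN 192.168.1.0/24,
# forced client 192.168.1.15, VPN client interface "vpn-out", routing mark "vpn",
# connection mark "vpn-conn". RouterOS v6 syntax.

/ip firewall mangle
# Mark each new connection from the forced client that is not destined for the
# LAN itself (including the router); the connection mark lasts for the flow.
add chain=prerouting src-address=192.168.1.15 dst-address=!192.168.1.0/24 connection-mark=no-mark action=mark-connection new-connection-mark=vpn-conn passthrough=yes comment="killswitch: track forced client"
# Every packet of a marked connection is looked up in the "vpn" routing table.
add chain=prerouting connection-mark=vpn-conn action=mark-routing new-routing-mark=vpn passthrough=no comment="killswitch: use vpn table"

/ip route
# Preferred path: default route inside the "vpn" table via the tunnel.
# A PPP-type tunnel interface takes this route inactive by itself when the
# tunnel drops; check-gateway=ping also catches a tunnel that is up but dead
# (only useful if the remote end answers pings).
add dst-address=0.0.0.0/0 gateway=vpn-out routing-mark=vpn distance=1 check-gateway=ping comment="killswitch: tunnel"
# Fallback inside the same table. When the route above is inactive, the lookup
# hits this one instead of falling through to the main table and the WAN.
# type=unreachable answers with ICMP so clients fail fast (eworm's variant);
# type=blackhole silently discards (sebastia's variant).
add dst-address=0.0.0.0/0 routing-mark=vpn distance=10 type=unreachable comment="killswitch: no fallback"

/ip firewall nat
# Masquerade only behind the tunnel. With no srcnat rule on the WAN for this
# client, a packet that somehow reached the WAN would carry a private source
# address and get no reply: a second line of defence, not a substitute.
add chain=srcnat out-interface=vpn-out action=masquerade comment="vpn nat"

# Checks after applying:
#   /ip route print detail where routing-mark=vpn
#     tunnel route flagged A (active) while the VPN is up; only the
#     unreachable route active while it is down
#   /ip firewall mangle print stats
#     counters on both killswitch rules grow as 192.168.1.15 sends traffic
```

Two things the route trick does not cover: the rules above match IPv4 only, so if the WAN also carries IPv6 the forced client needs equivalent /ipv6 rules or IPv6 disabled on the LAN; and if the client resolves names through the router's own DNS cache, the router's upstream queries originate in the output chain without a routing mark and leave via the WAN, so either point the forced client at a resolver reached through the tunnel or mark the router's own DNS traffic in the output chain as well.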
 
ronal01
just joined
Posts: 13
Joined: Thu Jan 31, 2019 10:40 pm

Re: VPN Killswitch

Thu Nov 19, 2020 1:47 pm

What I did for my kill switch on the client was to enable NAT only for the address range of the tunnel, so that only what goes out through the VPN is masqueraded, plus a static route 0.0.0.0 with gateway L2TP and distance 1; when the VPN fails, the router is left without internet.
