
VPN setup with L2TP for specific IP range only

Posted: Wed Jun 13, 2018 3:46 pm
by eazy1504
Hi, I have set up my VPN with L2TP following this https://www.rapidvpn.com/setup-vpn-l2tp-mikrotik-router
and also use the killswitch found here in the forum on viewtopic.php?t=121096.
Everything works OK, the killswitch works OK, the network gets disabled when the VPN goes offline.
I use the IP range 192.168.1.2-192.168.1.255 to go through the VPN.
OK, but I have a problem: if I want to use the VPN only with the range 192.168.1.101-192.168.1.255, then
the range 192.168.1.2-192.168.1.100 goes offline, but I want this range not to use the VPN.
How to do that?
Thank you

Re: VPN setup with L2TP for specific IP range only

Posted: Wed Jun 13, 2018 11:09 pm
by sindy
Limit the "killswitch" (a totally inappropriate name) rule to the LAN subnet which should only be allowed to access the internet via VPN by adding src-address=the.subnet.to.be.blocked/mask_len to it. So addresses from other LAN subnets will not match the killswitch rule, and will have internet access through WAN.

Re: VPN setup with L2TP for specific IP range only

Posted: Thu Jun 14, 2018 4:45 am
by eazy1504
Limit the "killswitch" (a totally inappropriate name) rule to the LAN subnet which should only be allowed to access the internet via VPN by adding src-address=the.subnet.to.be.blocked/mask_len to it. So addresses from other LAN subnets will not match the killswitch rule, and will have internet access through WAN.


Hi, can you be more specific? I don't quite understand what I need to do. I did all this config by following the VPN guide with pictures; can you do a step-by-step guide of what I need to change?
I already tried different ways, but when I got it working, then the kill switch did not work anymore, and when the VPN went offline it switched to my WAN and then there is no point in the VPN at all. (I don't have that much knowledge to make it work like I need.)

Below are the firewall rules I have right now.

This first firewall rule in the picture blocks all traffic when the VPN goes off
[Image]
and has the following settings
[Image]
[Image]

Re: VPN setup with L2TP for specific IP range only

Posted: Thu Jun 14, 2018 5:53 pm
by sindy
can you be more specific? I don't quite understand what I need to do
I cannot as you are not :-)

I can only modify your killswitch rule if you state to which source and/or destination addresses that rule should be narrowed.

If it is a single source subnet, just add that subnet as the value of the src-address item of the rule. If it is a list of addresses and/or subnets, create a named list of these addresses and subnets, like (example)
/ip firewall address-list
add list=vpn-only address=1.2.3.4
add list=vpn-only address=192.168.1.0/24
and refer to that address list in the killswitch rule itself, by setting its name as the value of the src-address-list item of the rule.

Re: VPN setup with L2TP for specific IP range only

Posted: Thu Jun 14, 2018 7:42 pm
by eazy1504
can you be more specific? I don't quite understand what I need to do
I cannot as you are not :-)

I can only modify your killswitch rule if you state to which source and/or destination addresses that rule should be narrowed.

If it is a single source subnet, just add that subnet as the value of the src-address item of the rule. If it is a list of addresses and/or subnets, create a named list of these addresses and subnets, like (example)
/ip firewall address-list
add list=vpn-only address=1.2.3.4
add list=vpn-only address=192.168.1.0/24
and refer to that address list in the killswitch rule itself, by setting its name as the value of the src-address-list item of the rule.

Thank you for answering, sorry, I will try to explain better.
Now I have all of this IP range 192.168.1.3-192.168.1.255 use the VPN (go through the VPN).
I have DHCP Server Range 192.168.1.3-192.255.255.254,
but what I want is the IP range 192.168.1.3-192.168.1.100 to not use the VPN (go through WAN)
and the IP range after that, 192.168.1.101-192.168.1.255, to use the VPN (go through VPN),
but I also need the killswitch function: when the VPN goes offline then WAN goes offline too.

Re: VPN setup with L2TP for specific IP range only  [SOLVED]

Posted: Thu Jun 14, 2018 11:58 pm
by sindy
I will try to explain better.
...
what I want is the IP range 192.168.1.3-192.168.1.100 to not use the VPN (go through WAN)
and the IP range after that, 192.168.1.101-192.168.1.255, to use the VPN (go through VPN)
Sorry, I haven't understood your OP properly. For this, you don't need any killswitch rule (and your mentioning it has sent me off-track, as I started looking up what you mean by killswitch rule so I haven't read the rest carefully) but something commonly called policy routing, where you choose one of several different routing tables depending on some criteria - in your case, the criterion is the source address range. So in the routing table used for 192.168.1.3-192.168.1.100, the default route will use the gateway on WAN, while in the routing table used for 192.168.1.101-192.168.1.254 (255 cannot be used as a client address in a /24 subnet), the default route will use the gateway on the VPN. One of many explanations of how to do that is here.

but I also need the killswitch function: when the VPN goes offline then WAN goes offline too
If you mean that when the VPN goes down, the clients with addresses in the 192.168.1.101-192.168.1.254 range must not be able to use WAN instead, either the killswitch rule will take care of it if completed with src-address=192.168.1.101-192.168.1.254, or a type=blackhole default route in the routing table for that source address range can be used instead of that rule. The default route via VPN would have distance=1, the blackhole default route would have distance=2. So as long as the VPN is up, the route with distance=1 is used; when the VPN goes down, that route becomes unavailable, so the blackhole route is used instead, rather than the default route in the default routing table which would otherwise kick in.
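The policy-routing and blackhole-route approach described above, written out as a RouterOS v6 configuration. This is an added example, not configuration posted in the thread; it assumes the LAN is 192.168.1.0/24, the L2TP client interface is named l2tp-out1 and the WAN interface is ether1.

```routeros
# Added example (not from the thread): RouterOS v6 policy routing so that
# 192.168.1.101-192.168.1.254 reaches the internet only via the L2TP tunnel,
# while 192.168.1.3-192.168.1.100 keeps using the main table's WAN route.
# Assumed names: LAN 192.168.1.0/24, L2TP client "l2tp-out1", WAN "ether1".

# 1. Mark routing for the VPN-only range. Traffic that stays inside the LAN
#    (dst in 192.168.1.0/24) must not be marked, otherwise it would be sent
#    to the via-vpn table and blackholed whenever the tunnel is down.
/ip firewall mangle
add chain=prerouting src-address=192.168.1.101-192.168.1.254 \
    dst-address=!192.168.1.0/24 action=mark-routing \
    new-routing-mark=via-vpn passthrough=no \
    comment="VPN-only clients use the via-vpn routing table"

# 2. Routes in the via-vpn table. distance=1 via the tunnel wins while the
#    interface is up; when l2tp-out1 goes down that route becomes inactive
#    and the distance=2 blackhole takes over, so marked traffic never falls
#    back to the main table's WAN default route (the "killswitch").
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=via-vpn distance=1 \
    comment="VPN-only clients: default via L2TP"
add dst-address=0.0.0.0/0 type=blackhole routing-mark=via-vpn distance=2 \
    comment="VPN-only clients: drop when tunnel is down"

# 3. Source NAT for both exits; clients in the main table leave via WAN.
/ip firewall nat
add chain=srcnat out-interface=l2tp-out1 action=masquerade \
    comment="masquerade traffic leaving through the VPN"
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="masquerade traffic leaving through the WAN"

# 4. Verification: with the tunnel up, the gateway route is active and the
#    blackhole route is shown as inactive; with the tunnel down, the gateway
#    route is inactive and the blackhole route becomes the active default.
# /ip route print where routing-mark=via-vpn
```

Clients in 192.168.1.3-192.168.1.100 are never marked, so they use the main routing table and the WAN default route regardless of the tunnel state.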

Re: VPN setup with L2TP for specific IP range only

Posted: Fri Jun 15, 2018 11:45 am
by eazy1504
Thank you sindy, finally got it working like I need :D

Re: VPN setup with L2TP for specific IP range only

Posted: Thu Nov 19, 2020 1:58 pm
by ronal01
What I did for my kill switch on the client was to activate the NAT only for the range of addresses of the tuner, only to masquerade everything that goes out through the VPN, and a static route 0.0.0.0 gateway L2TP distance 1; when the VPN fails, the router stays without internet.