shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Policy based routing and vpn

Wed Dec 11, 2019 7:15 am

I want to route specific traffic through a VPN, preferably SSTP (MS-SSTP configuration from VPN Gate). I was successfully able to connect to the VPN server, but my traffic is not routing through the VPN. I followed this: https://wiki.mikrotik.com/wiki/Policy_Base_Routing . Any help will be highly appreciated.
 
skylark
Member Candidate
Posts: 144
Joined: Wed Feb 10, 2016 3:55 pm

Re: Policy based routing and vpn

Wed Dec 11, 2019 8:28 am

Without a configuration export, we can only guess why it is not working. Post the exported configuration and tell us from which source IP address the communication does not work.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: Policy based routing and vpn

Wed Dec 11, 2019 1:51 pm

Code:

# dec/11/2019 15:53:51 by RouterOS 6.45.7
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = xxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=xxxxx user=xxxxx
/interface l2tp-client
add allow=chap,mschap2 connect-to=101.99.74.214 disabled=no ipsec-secret=123 \
name=l2tp-out password=321 use-ipsec=yes user=456
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=xxx wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no frequency=5765 installation=outdoor mode=\
ap-bridge ssid=xxx wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
xxxxxxx wpa2-pre-shared-key=xxxxxxx
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=loose
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.x/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.xx.xx client-id=xx:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=defconf
add address=192.168.xx.xx client-id=\
xx:x:xx:xx:xx:x:x:x:x:xx:xx:xx:xx:xx:xx:xx:xx:xx:x mac-address=\
xx:xx:xx:xx:xx:xx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=xx protocol=tcp
add action=accept chain=input in-interface-list=LAN port=xx protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Block iMac1" disabled=yes \
src-mac-address=xx:xx:xx:xx:xx:xx time=\
15h30m-19h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Block iMac 2" disabled=yes \
src-mac-address=xx:xx:xx:xx:xx:xx time=\
15h30m-19h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Block iPhone" disabled=yes \
src-mac-address=xx:xx:xx:xx:xx:xx time=\
15h30m-19h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Block HTC" disabled=yes \
src-mac-address=xx:xx:xx:xx:xx:xx time=\
15h30m-19h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Block TV 1" disabled=yes \
src-mac-address=xx:xx:xx:xx:xx:xx time=\
15h30m-19h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Block TV 2" disabled=yes \
src-mac-address=xx:xx:xx:xx:xx:xx time=\
15h30m-19h,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
bridge out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
add action=drop chain=forward dst-port=xx in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=xx in-interface-list=WAN protocol=udp
/ip firewall mangle
add action=add-dst-to-address-list address-list=YouTube address-list-timeout=\
none-dynamic chain=prerouting comment=YouTube content=youtube.com
add action=add-dst-to-address-list address-list=YouTube address-list-timeout=\
10m chain=prerouting comment=YouTube-googlevideo.com content=\
googlevideo.com
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=\
none-dynamic chain=prerouting comment=Netflix content=netflix.com
add action=mark-routing chain=prerouting content=reddit.com new-routing-mark=\
vpn passthrough=yes src-address=192.168.88.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex Media Server" dst-address=\
0.0.0.0 dst-port=xxxx in-interface-list=WAN protocol=tcp to-addresses=\
192.168.88.xxx to-ports=xxxx
add action=dst-nat chain=dstnat comment="Resilio Sync (UDP)" dst-address=\
0.0.0.0 dst-port=xxxx in-interface-list=WAN protocol=udp to-ports=xxxx
add action=masquerade chain=srcnat out-interface=l2tp-out src-address=\
192.168.88.0/24
/ip route
add distance=1 gateway=l2tp-out routing-mark=vpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxx
set www-ssl address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Asia
/system logging
add topics=wireless,debug
/system ntp client
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: Policy based routing and vpn

Thu Dec 19, 2019 7:13 am

Anyone willing to help, please?
 
skylark
Member Candidate
Posts: 144
Joined: Wed Feb 10, 2016 3:55 pm

Re: Policy based routing and vpn

Thu Dec 19, 2019 9:34 am

As I see, you are trying to match packets with the content parameter:
  • content - Match packets that contain specified text
So, are you sure that every packet when you browse contains the string reddit.com? I don't think so.

I would suggest you configure it differently, for example, using the tls-host matcher or firewall address lists.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: Policy based routing and vpn

Wed Dec 25, 2019 9:00 am

Can you please elaborate it a bit more?
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Policy based routing and vpn

Wed Dec 25, 2019 1:55 pm

These days we use encrypted connections (HTTPS), and you are allowed to see where the traffic is heading by the SNI, which translates to using tls-host matching instead of the content field.
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=\
none-dynamic chain=prerouting comment=Netflix content=netflix.com
becomes
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=\
none-dynamic chain=prerouting comment=Netflix tls-host=netflix.com
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: Policy based routing and vpn

Thu Dec 26, 2019 9:38 am

Like this?
Mangle rule:
chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=reddit 
      address-list-timeout=none-dynamic log=no log-prefix="" tls-host=reddit.com 
NAT rule:
chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address-list=reddit out-interface=l2tp 
      log=no log-prefix="" 
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Policy based routing and vpn

Thu Dec 26, 2019 1:48 pm

It is impossible to change the routing of TCP packets based on their content (like tls-host or an L7 filter)!
This is because TCP first sets up the connection (SYN, SYN-ACK, ACK), and only then are the first data packets sent, which you then trap to change the output interface.
But this will not affect the first packets! The connection will die because you have suddenly changed the endpoint IP address.

Now, with the address list you may have a little more luck, as the first connection attempt will add it to the address list and then the connection will die, but the second attempt to the same address will be immediately routed correctly.
I don't know how well that will work out; it depends on how many addresses there are for the service and how often they change.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: Policy based routing and vpn

Wed Jan 01, 2020 10:03 am

So, there is no working solution for that?
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Policy based routing and vpn

Wed Jan 01, 2020 11:12 am

The "solution" based on adding the destination to an address list "sort of works" in that it will catch the 2nd and subsequent connections and route those correctly, but the first one is always going to be stuck. There is no way to solve that.

Of course, when you know the exact domain names of the destinations you want to route via VPN (not *.reddit.com but e.g. www.reddit.com), you can add them to your address list beforehand.
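Putting the thread's advice together, here is a complete rule set as an added example (assembled for this page, not configuration posted by any of the participants): the list is seeded with exact hostnames as pe1chl suggests, grown from the TLS SNI as skylark and msatter suggest, and new connections to listed addresses are connection-marked at the SYN so the whole flow takes one path. It assumes the interface name l2tp-out and the 192.168.88.0/24 LAN from the export above; the list name vpn_sites, routing mark vpn and connection mark vpn_conn are names chosen here.

```routeros
# Assumed names: address list "vpn_sites", routing mark "vpn",
# connection mark "vpn_conn"; l2tp-out and 192.168.88.0/24 are from the export.

# 1. Seed the list with the exact hostnames to be tunnelled. RouterOS resolves
#    a hostname entry via its DNS and keeps the resulting addresses refreshed,
#    so even the very first connection to these names is routed correctly.
/ip firewall address-list
add list=vpn_sites address=www.reddit.com comment="seeded: known hostname"
add list=vpn_sites address=old.reddit.com comment="seeded: known hostname"

# 2. Learn further destinations from the TLS SNI (tls-host, not content=).
#    The connection that teaches the router an address is not re-routed
#    mid-stream (it keeps its original path); only later connections to that
#    address are tunnelled. A timeout lets addresses expire when they change.
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=443 tls-host=reddit.com \
    src-address=192.168.88.0/24 action=add-dst-to-address-list \
    address-list=vpn_sites address-list-timeout=1d comment="learn via SNI"

# 3. Mark a LAN connection once, at its first packet (SYN), if the destination
#    is listed; then give every LAN-originated packet of a marked connection
#    the routing mark. Matching in-interface=bridge keeps replies arriving from
#    the tunnel out of the "vpn" table, which only holds a default route.
add chain=prerouting in-interface=bridge src-address=192.168.88.0/24 \
    dst-address-list=vpn_sites connection-state=new \
    action=mark-connection new-connection-mark=vpn_conn passthrough=yes \
    comment="mark VPN-bound connections"
add chain=prerouting in-interface=bridge connection-mark=vpn_conn \
    action=mark-routing new-routing-mark=vpn passthrough=no \
    comment="route marked connections via the tunnel"

# 4. Routing table "vpn" points at the tunnel, and traffic leaving it is
#    source-NATed so replies come back through the tunnel.
/ip route
add distance=1 gateway=l2tp-out routing-mark=vpn
/ip firewall nat
add chain=srcnat out-interface=l2tp-out src-address=192.168.88.0/24 \
    action=masquerade comment="NAT for tunnelled LAN traffic"
```

The exported defconf fasttrack rule lets established packets bypass mangle, so they would lose the routing mark; add connection-mark=no-mark to that fasttrack rule so marked connections keep being routed through the tunnel.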
