samwarez
just joined
Topic Author
Posts: 10
Joined: Sun Oct 20, 2013 5:34 am

Roadwarrior client router

Tue Mar 17, 2020 12:50 am

at least I hope that's what these are called

I am trying to set up a Tik to act as a sort of VPN gateway for local clients. It would be plugged into an existing local network (like at a hotel), and any devices that plug into the Tik (or connect via wifi) will be routed through a VPN connection to the remote corporate network (also a MikroTik, sitting on a public IP), with no client configuration needed on the devices.
(attached diagram: vpn setup.png)
The VPN server is already set up for L2TP/IPsec; however, I can also enable any protocol that will work (EoIP?) as long as the L2TP connections continue to work.
I am guessing I just need to set up the VPN client in the Tik and then route all traffic through that VPN interface; I have found guides on how to do that. But as the Tik will sit behind an uncontrolled NAT firewall, how do I best set this up so that the tunnel gets through and I don't cause any issues like routing loops?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Roadwarrior client router

Thu Mar 19, 2020 3:27 am

You don't need to care about that uncontrolled router, all you need from it is access to internet and your VPN server. Just add VPN client interface, tell it to add default route and you're almost done. Use firewall filter (chain=forward) to block access from LAN interface to WAN, to make sure that connected devices won't go to internet directly. Last needed thing may be srcnat on VPN client interface, it depends on your server, if it knows about LAN subnet behind client or not.
 
frank333
Member
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: Roadwarrior client router

Sun Mar 22, 2020 1:13 pm

I'm trying to do the same thing by only enabling the VPN on one Ethernet port.

I added this rule:
/ip firewall filter
add action=accept chain=input dst-address=0.0.0.0 in-interface=l2tp-out1 src-address=192.168.42.0/24

but I can only access the Tik from the external network.
 
macsrwe
Forum Guru
Posts: 1007
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Roadwarrior client router

Sun Mar 22, 2020 2:19 pm

I suspect your problem is that 0.0.0.0 is not the same as 0.0.0.0/0.
 
frank333
Member
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: Roadwarrior client router

Sun Mar 22, 2020 2:37 pm

OK macsrwe,
I modified it but it doesn't work; moreover, the l2tp-out1 interface disappeared (in WebFig) even though the VPN is up.
 
macsrwe
Forum Guru
Posts: 1007
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA

Re: Roadwarrior client router

Mon Mar 23, 2020 12:42 am

I'm not surprised it disappeared -- 0.0.0.0/0 is the default ("everywhere").

Your rule is in the input chain. That means that traffic to the router itself (not your network, just the router) will be accepted from those addresses. If you're trying to get your router to serve this traffic to some other network, it's the wrong rule. Perhaps you meant the forward chain.
 
frank333
Member
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: Roadwarrior client router

Mon Mar 23, 2020 2:01 am

macsrwe,
I'd like to reroute all traffic on the ether3 port to the IPsec VPN.
 
samwarez
just joined
Topic Author
Posts: 10
Joined: Sun Oct 20, 2013 5:34 am

Re: Roadwarrior client router

Thu Apr 02, 2020 10:49 pm

You don't need to care about that uncontrolled router, all you need from it is access to internet and your VPN server. Just add VPN client interface, tell it to add default route and you're almost done. Use firewall filter (chain=forward) to block access from LAN interface to WAN, to make sure that connected devices won't go to internet directly. Last needed thing may be srcnat on VPN client interface, it depends on your server, if it knows about LAN subnet behind client or not.
Thank you, I am giving this another shot now (the past week has been absolute chaos). Ideally I would like to avoid NAT and just let client devices get addresses from the corporate DHCP; do I just leave off the srcnat in that case?

I am sure to have more questions shortly as I am not so great with RouterOS yet and still learning.
 
samwarez
just joined
Topic Author
Posts: 10
Joined: Sun Oct 20, 2013 5:34 am

Re: Roadwarrior client router

Thu Apr 02, 2020 11:14 pm

I'll need to set a route for the VPN server's IP to bypass the default route, right? Would I just route that to the WAN port (in this case ether1)?
 
samwarez
just joined
Topic Author
Posts: 10
Joined: Sun Oct 20, 2013 5:34 am

Re: Roadwarrior client router

Thu Apr 02, 2020 11:26 pm

I tried routing the VPN IP to ether1 but it did not work. I was unable to ping the address from the Tik and the L2TP tunnel would not connect. However, if I specified the local LAN's gateway address then it works. The problem is that for this setup I may not know the gateway address (and don't want to have to set it manually even if I did). Why can't I just push it out that port and let whatever gateway is on the other side handle it?

Also, is it possible to grab a DHCP address from the far end (corporate network) so I don't have to deal with NAT?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Roadwarrior client router

Fri Apr 03, 2020 12:13 am

Can you please post your configuration with hide-sensitive so that we understand what exactly you are doing?
 
samwarez
just joined
Topic Author
Posts: 10
Joined: Sun Oct 20, 2013 5:34 am

Re: Roadwarrior client router

Fri Apr 03, 2020 12:41 am

It's mostly default values right now while I get this figured out.
[admin@MikroTik] > /export hide-sensitive 
# apr/02/2020 15:26:22 by RouterOS 6.46.4
# software id = GP79-QRBX
#
# model = 2011UAS-2HnD
# serial number = 419E020A742D
/interface bridge
add admin-mac=D4:CA:6D:D8:22:FE auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-D82307 wireless-protocol=802.11
/interface l2tp-client
add connect-to=#VPN_SERVER_IP# disabled=no name=l2tp-out1 use-ipsec=yes user=#USERNAME#
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=reject chain=forward disabled=yes dst-address=!#VPN_SERVER_IP# out-interface=ether1 reject-with=icmp-admin-prohibited
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=l2tp-out1
add distance=1 dst-address=#VPN_SERVER_IP#/32 gateway=10.0.0.1
/system clock
set time-zone-name=America/Denver
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Roadwarrior client router

Fri Apr 03, 2020 1:17 pm

Why do you have this masquerade rule?
Just leave it as:
add action=masquerade chain=srcnat out-interface-list=WAN
Now, if the tunnel does not come up you must check the logs of the server... Make sure the credentials and IPsec secret are correct as well...

If you want to route all traffic through the VPN either do it as @Sob suggested or you can even use Policy Routing Rules...
 
samwarez
just joined
Topic Author
Posts: 10
Joined: Sun Oct 20, 2013 5:34 am

Re: Roadwarrior client router

Fri Apr 03, 2020 6:48 pm

The masquerade is just part of the default config I have not stripped out yet, but it is disabled.

The setup for the L2TP works; it's just that it can't reach the outside unless I route to the local gateway IP as opposed to just the interface.

I am still trying to figure out the firewall rule for routing all traffic to the VPN and blocking it from going to the WAN.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Roadwarrior client router

Fri Apr 03, 2020 7:55 pm

Please, since we are talking about networking, provide more details...
You can't reach the internet from your PC? From the VPN client itself?
Do you reach the LAN on the VPN server's side?

All you actually need inside your routing table is this rule:
1.
add distance=1 dst-address=Remote LAN gateway=Remote VPN Server IP
That rule will let you reach the remote LAN..

In case you need to route all your traffic to the remote VPN server, internet included, then Default Route must be enabled in your VPN...
add distance=1 gateway=l2tp-out1

After that you must masquerade your out interface, which is the L2TP..
add action=masquerade chain=srcnat out-interface=L2TP Interface

=====

Now, if you don't want to route all traffic through the VPN, do not use the default gateway in your VPN client settings; the masquerade rule must have your WAN interface as out interface, no other masquerade rule is needed, a default route for your actual network and only rule (1) for the VPN...
 
samwarez
just joined
Topic Author
Posts: 10
Joined: Sun Oct 20, 2013 5:34 am

Re: Roadwarrior client router

Fri Apr 03, 2020 10:10 pm

I do want to route all internet through the VPN.
add distance=1 dst-address=Remote LAN gateway=Remote VPN Server IP
This does not work: when I try to ping the VPN server from the router all I get is "no route to host", and the L2TP client will not connect.

If I change it to this:
add distance=1 dst-address=Remote VPN Server IP gateway=Local LAN Gateway
Then the l2tp client connects, I can ping devices on the remote side, everything works, except passing DHCP requests but that's a separate hurdle. The only problem is that it requires knowledge of the LAN (the Uncontrolled Gateway in my diagram).
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Roadwarrior client router

Sat Apr 04, 2020 12:51 pm

Then the l2tp client connects
The VPN does not need any route rule to get established...
You answered it on your own.. Of course, if you want to reach a public IP you must have a default route, isn't that obvious?
The fact that it connects after that route is normal of course, since you do not have any other default route apparently!

So if you only add this
add distance=1 dst-address=Remote LAN gateway=Remote VPN Server IP
YES it will never connect... Maybe you should study a little more about routing, how it works, and also about VPN tunnels...

Also, DHCP is a Layer 2 protocol... you will need either BCP or EoIP as well...
 
frank333
Member
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: Roadwarrior client router

Sun Apr 05, 2020 2:36 am

Zacharias,
To turn the LAN traffic onto the VPN using a Tik in bridge mode, are the rules the same as the ones you explained above?
Here is my configuration:
viewtopic.php?f=13&t=158995&p=781073#p781073
 
samwarez
just joined
Topic Author
Posts: 10
Joined: Sun Oct 20, 2013 5:34 am

Re: Roadwarrior client router

Mon Apr 06, 2020 7:57 pm

Thank you for the information regarding DHCP; that explains a lot.

However, I think there is some confusion regarding my question. I am familiar with routing; my issue is getting the Tik to use the interface (or the IP learned via DHCP through that interface) as the gateway. One of the objectives of this project is to have this router form a VPN tunnel WITHOUT any prior knowledge of the local LAN. I know it's possible from a networking standpoint as I have seen other devices that do it. The question is how to do this with a MikroTik.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Roadwarrior client router

Mon Apr 06, 2020 8:31 pm

One of the objectives of this project is to have this router form a VPN tunnel WITHOUT any prior knowledge of the local LAN
Of course it is possible... You just use the default route and that's it...
 
samwarez
just joined
Topic Author
Posts: 10
Joined: Sun Oct 20, 2013 5:34 am

Re: Roadwarrior client router

Mon Apr 06, 2020 10:44 pm

One of the objectives of this project is to have this router form a VPN tunnel WITHOUT any prior knowledge of the local LAN
Of course it is possible... You just use the default route and that's it...
And what I am trying to say is that the default route alone does not work.
[admin@MikroTik] > /ip route print    
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          l2tp-out1                 1
 1  DS  0.0.0.0/0                          10.0.0.1                  1
 2 ADC  10.0.0.0/8         10.0.50.216     ether1                    0
 3 ADC  192.168.10.2/32    192.168.10.33   l2tp-out1                 0
 4 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 5 X S  #VPNSERVER#/32                   10.0.0.1                  1
[admin@MikroTik] > ping 192.168.10.90 
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.10.33                              84  64 0ms   host unreachable
    1 192.168.10.33                              84  64 0ms   host unreachable
    2 192.168.10.33                              84  64 0ms   host unreachable
    3 192.168.10.33                              84  64 0ms   host unreachable
    4 192.168.10.33                              84  64 0ms   host unreachable
    sent=5 received=0 packet-loss=100%
As you can see the only active static route is the default route pushing all traffic to l2tp-out1, and pings to a host on the corporate network are failing.
[admin@MikroTik] > /ip route enable 5 
[admin@MikroTik] > /ip route print    
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  0.0.0.0/0                          l2tp-out1                 1
 1 ADS  0.0.0.0/0                          10.0.0.1                  1
 2 ADC  10.0.0.0/8         10.0.50.216     ether1                    0
 3 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 4 A S  #VPNSERVER#/32                   10.0.0.1                  1
[admin@MikroTik] > ping 192.168.10.90
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.10.90                              56 127 42ms
    1 192.168.10.90                              56 127 39ms
    2 192.168.10.90                              56 127 40ms
    3 192.168.10.90                              56 127 49ms
    sent=4 received=4 packet-loss=0% min-rtt=39ms avg-rtt=42ms max-rtt=49ms
It's only when I enable the static route for the VPN server to bypass the default route that pings to the remote host succeed. Which makes sense, as you can't run a VPN through itself.
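Pulling the thread's pieces together (Sob's forward-chain block and optional srcnat, Zacharias's tunnel default route and masquerade, and samwarez's need for the /32 bypass route without knowing the local gateway in advance), here is a RouterOS 6.x configuration as an added example; it is not code from any poster. It assumes ether1 is the WAN port toward the uncontrolled network, the defconf LAN/WAN interface lists exist, and the #VPN_SERVER_IP#, #USERNAME#, #PASSWORD# and #IPSEC_SECRET# placeholders are filled in; the DHCP-client script and the "vpn-bypass"/"vpn-gw" comments are my own.

```routeros
# Added example (RouterOS 6.x); not from the thread. Assumptions: ether1 = WAN
# toward the uncontrolled network, "bridge" = client LAN, interface lists LAN/WAN
# exist as in the defconf export, #...# values are placeholders to replace.

# 1. WAN DHCP client. Its default route gets a worse distance than the tunnel's,
#    so once l2tp-out1 is up the tunnel default wins deterministically (the
#    thread's export had both at distance 1). The script runs on every lease
#    event and (re)creates a /32 route to the VPN server via whatever gateway
#    the local network handed out, so no prior knowledge of the LAN is needed.
#    A plain gateway=ether1 route does not work for a non-local destination:
#    RouterOS would ARP for the server's own address on ether1 and get no reply.
/ip dhcp-client
add interface=ether1 disabled=no add-default-route=yes default-route-distance=10 \
    script=":if (\$bound=1) do={ /ip route remove [find comment=\"vpn-bypass\"]; /ip route add dst-address=#VPN_SERVER_IP#/32 gateway=\$\"gateway-address\" distance=1 comment=\"vpn-bypass\" } else={ /ip route remove [find comment=\"vpn-bypass\"] }"

# 2. The tunnel, adding its own default route (distance 1 beats the DHCP route).
/interface l2tp-client
add name=l2tp-out1 connect-to=#VPN_SERVER_IP# user=#USERNAME# password=#PASSWORD# \
    use-ipsec=yes ipsec-secret=#IPSEC_SECRET# add-default-route=yes default-route-distance=1 disabled=no

# 3. Fail closed. If the tunnel drops, the DHCP default route becomes active and
#    clients would silently leak onto the local network; this rule prevents it.
#    place-before=0 puts it ahead of the defconf fasttrack/established accepts
#    so even already-open flows cannot be re-routed out ether1 (omit place-before
#    on an empty forward chain). The router's own L2TP/IPsec packets to the
#    server are output-chain traffic and are not affected.
/ip firewall filter
add chain=forward action=drop in-interface-list=LAN out-interface-list=WAN \
    comment="vpn-gw: LAN may only exit via the tunnel" place-before=0

# 4. Only if the server side has no route back to 192.168.88.0/24 (the point Sob
#    and Zacharias made): hide the LAN behind the tunnel address.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=l2tp-out1 comment="vpn-gw: srcnat to tunnel"
```

After the lease binds, "/ip route print" should show the "vpn-bypass" /32 via the learned gateway alongside the active l2tp-out1 default route, which is exactly the state the working route table in the post above shows, but without a hand-typed gateway.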