dcalanchini
just joined
Topic Author
Posts: 14
Joined: Thu Oct 17, 2019 10:12 pm
Location: Sacramento, Ca

VPN routeing question

Wed Nov 25, 2020 3:03 am

Hi all - Looking for some help with a routing issue.
Mikrotik RB1100AHx4 RouterOS Version 6.45.7

Client PCs have a default PPTP Windows VPN adapter with "Use GW on remote network" checked, and I have everything working fine. The PPTP profile assigns the remote DNS and WINS server so that the client PC can resolve server names and such on the remote network.

My issue is: How can I route only traffic destined for the remote network over the VPN and all other traffic over the normal client PC GW (right now ALL traffic goes over the VPN regardless), and still be able to resolve the internal remote network using the internal DNS servers?

Scenario: (how I want it to work)
User goes to Speedtest.net: internal DNS server resolves the query, but traffic goes over the client router GW, not the VPN.
User goes to DC01 in File Explorer: all traffic goes over the VPN.

I can see that to make this work, all DNS queries will have to go over the VPN for resolution... then if a name resolves to a 10.1.10.x address, the traffic will have to go over the VPN; if it does not resolve to a 10.1.10.x address, the traffic will need to be routed over the client GW (not the VPN).

Any ideas how to make a MikroTik work this way?

Thanks in advance.
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN routeing question

Wed Nov 25, 2020 7:00 am

It's client-side config. The first obvious step is to uncheck "Use GW on remote network", because that's what's sending all traffic to the server. Next steps depend on the exact subnets you use, how many are on the server side, what addresses, what address the client gets, etc.

The simple case is if you have only 10.x.x.x subnet(s) on the server side (doesn't matter how many) and the client also gets an address from the 10.x.x.x range. If you uncheck the gateway option and do not check the other one to disable the class-based route, the client will add a route to 10.0.0.0/8 and everything will work.

If that's a problem for any reason, you'll have to add routes manually on the client side. For example, if the client gets an address from a different range like 192.168.x.x, or the server side has another subnet like that, or because you need to connect to another VPN at the same time and it also uses something in 10.x.x.x, so it can't all be routed to the first VPN. If you have Windows 10, then there's a PowerShell command I don't remember (but I'm sure you'll find it) that can be used to add route(s) for a selected VPN connection.

dcalanchini

Re: VPN routeing question

Thu Nov 26, 2020 12:15 am

Hey Sob, thanks for responding.

For this one, only 10.1.10.0/24 subnet is on the server side.

If I turn off the "use remote GW" box, it won't use the remote DNS server to resolve.
The client gets an IP from this pool: add name=vpn ranges=192.168.89.2-192.168.89.255 (remote and local)

Here is the profile:
/ppp profile
add dns-server=10.1.10.12 local-address=vpn name=PPTP remote-address=vpn \
wins-server=10.1.10.12


I am hoping to do this without having to adjust settings on the 50 remote client machines... if possible.

Sob

Re: VPN routeing question

Thu Nov 26, 2020 4:11 am

The problem is that the client only adds a route to 192.168.89.0/24. The client can get other routes from the server using DHCP, but RouterOS doesn't support that. So that's kind of bad news for you; you'll have to change all clients and give them an additional route to 10.1.10.0/24. But you already have to change clients to disable the VPN as gateway, so it's only one extra step. Good news is that it can be done using a simple command, see:

https://docs.microsoft.com/en-us/powers ... w=win10-ps
dcalanchini

Re: VPN routeing question

Wed Dec 02, 2020 2:27 am

Assuming I have enough IP space headroom... would it be easier to assign them IPs from within the 10.1.10.0/24 subnet?

I was playing with adding a route... but what would the GW be, since the GW is dynamic on the client side? Should I give everyone the same local address so I can add the route to all the PCs with the same cmd?

route add 10.1.10.0 MASK 255.255.255.0 <what would the GW be?> Metric 50
Sob

Re: VPN routeing question

Wed Dec 02, 2020 2:42 am

If you used the same subnet as on the server side, you'd additionally need proxy ARP. I think it's better to keep separate subnets.

But you can use anything else from 10.x.x.x, and Windows will add a route to the whole 10.0.0.0/8. It's OK if you're sure that clients don't need any other 10.x.x.x elsewhere. Otherwise not so much.

Or use the route; local-address in the ppp profile can be an IP address and the same for all clients. But you need that only when you have older Windows. If you have Windows 10, it's better to use the PowerShell command, because it adds the route only to the specified VPN connection.
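The client-side procedure Sob describes across the replies above (turn off "Use default gateway on remote network", then attach a route for the server LAN to the VPN connection so it is installed whenever that connection dials, with a route.exe fallback for older Windows that needs a fixed server-side local-address), as an added example that is not part of the thread. The connection name "Office", the fixed local-address 192.168.89.1 for the fallback, and the metric 50 are assumptions; the 10.1.10.0/24 subnet and the 10.1.10.12 DNS server come from the poster's profile. Run it in an elevated PowerShell on the Windows 10 client where the PPTP connection already exists.

```powershell
# Added example, not from the thread. Split-tunnel an existing Windows PPTP
# connection so that only the server-side LAN goes through the tunnel.
# Assumed: the connection is named "Office"; the server LAN is 10.1.10.0/24
# and its DNS server is 10.1.10.12 (both taken from the thread).

$Name   = "Office"          # assumed name of the existing PPTP connection
$Prefix = "10.1.10.0/24"    # server-side LAN from the ppp profile in the thread
$Dns    = "10.1.10.12"      # dns-server= from the ppp profile in the thread

# 1. Same effect as unchecking "Use default gateway on remote network".
#    With it checked, Windows installs a default route over the PPP link and
#    every packet, including speedtest.net, goes over the VPN.
Set-VpnConnection -Name $Name -SplitTunneling $true

# 2. Attach the LAN route to the connection itself. Windows installs it via
#    the PPP interface each time this VPN comes up, so no next-hop address is
#    needed even though local-address/remote-address are handed out from a
#    pool. Remove a stale copy first so the script can be re-run safely.
$routes = Get-VpnConnection -Name $Name | Select-Object -ExpandProperty Routes
if ($routes.DestinationPrefix -contains $Prefix) {
    Remove-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $Prefix
}
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $Prefix -RouteMetric 50

# 3. Show what the connection will do when dialed.
Get-VpnConnection -Name $Name |
    Select-Object Name, SplitTunneling,
        @{ n = 'Routes'; e = { ($_.Routes | ForEach-Object { $_.DestinationPrefix }) -join ', ' } }

# 4. After dialing (rasdial $Name <user> <password>), confirm that only
#    10.1.10.0/24 is reached via the PPP interface while 0.0.0.0/0 still
#    points at the local router, and that the remote DNS server is bound to
#    the PPP interface so internal names such as DC01 still resolve.
Get-NetRoute -DestinationPrefix $Prefix, "0.0.0.0/0" |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
Resolve-DnsName -Name "dc01" -Server $Dns -ErrorAction SilentlyContinue

# Fallback for Windows versions without the VpnClient module: a persistent
# route.exe entry. This only works if the server's ppp profile is changed to
# a fixed local-address (e.g. local-address=192.168.89.1, an assumed value)
# so the next hop is identical on every client, as Sob notes above.
# route -p add 10.1.10.0 mask 255.255.255.0 192.168.89.1 metric 50
```

The per-connection route is the safer of the two options: it is scoped to this VPN, disappears when the connection drops, and is unaffected by which pool address the client received, whereas the route.exe fallback is a machine-wide persistent route that stays in the table even when the tunnel is down.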