mikronewb20
just joined
Topic Author
Posts: 11
Joined: Fri Nov 13, 2020 11:03 am

LT2P VPN

Sat Feb 06, 2021 11:48 am

Hi,

I don't really know all that much about these MikroTik routers; I've done some research though and have an RB850G.

My problem is that I had someone help me set up an L2TP VPN, but I only need it to access 3 machines (3 IP addresses), so only that traffic should run over the VPN. But when I connect from my home to the place where the MikroTik is, it seems to run all traffic through it. This means that rather than having my 100mb connection, I have a 30mb connection (which is at the MikroTik end) when connected to the VPN, as it seems to put all traffic through it.

Is there a way to only put the 3 IP addresses down it, so that only that traffic runs down it and I can use my own internet connection for everything else, rather than being slowed down to a third of my connection speed when connected to the VPN?
 
bourneagainsh
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: LT2P VPN

Sat Feb 06, 2021 1:47 pm

I have asked a similar question:
https://forum.mikrotik.com/viewtopic.php?f=13&t=165260

Apparently it's an IPv4 - Firewall - Mangle rule that will do the job :)
Searching now for how to achieve this :)
 
tdw
Forum Guru
Forum Guru
Posts: 1855
Joined: Sat May 05, 2018 11:55 am

Re: LT2P VPN

Sat Feb 06, 2021 9:46 pm

It depends on how the decision to route traffic via the VPN is going to be made. If there are a small number of destination addresses, e.g. a few company subnets, you can use static routes to direct traffic to those addresses via the VPN.

However if there are a small number of local source addresses, e.g. a couple of PCs, which must send traffic to any address via the VPN you do need mangle rules to mark connections from those source addresses, mark routes from the connection marks, and have additional marked routing table entries. It is similar to multi-WAN setups, but with WAN + VPN destinations rather than WAN1 + WAN2.
 
mikeeg02
Member Candidate
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: LT2P VPN

Sun Feb 07, 2021 3:08 pm

In the computer you're using to access the VPN, you can disable use of the VPN for default route in the VPN settings.
 
bourneagainsh
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: LT2P VPN

Sun Feb 07, 2021 9:17 pm

mikeeg02 wrote:
In the computer you're using to access the VPN, you can disable use of the VPN for default route in the VPN settings.

I am trying it on a PC with Debian and an Android mobile phone connected to an AP in bridge mode.
 
bourneagainsh
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: LT2P VPN

Sun Feb 07, 2021 9:28 pm

tdw wrote:
It depends on how the decision to route traffic via the VPN is going to be made. If there are a small number of destination addresses, e.g. a few company subnets, you can use static routes to direct traffic to those addresses via the VPN.

However if there are a small number of local source addresses, e.g. a couple of PCs, which must send traffic to any address via the VPN you do need mangle rules to mark connections from those source addresses, mark routes from the connection marks, and have additional marked routing table entries. It is similar to multi-WAN setups, but with WAN + VPN destinations rather than WAN1 + WAN2.

# L2TP/IPsec client tunnel to the remote site (export format, continuation joined onto one line)
/interface l2tp-client
add add-default-route=yes allow-fast-path=yes comment="l2tp-out-vpn-hkg" connect-to=xxxxxxx.xxxxxxx.net disabled=no ipsec-secret=vpn name=l2tp-out-HK password=vpn profile=l2tp-out-HK use-ipsec=yes user=vpn

# one route-marking rule per local source host
/ip firewall mangle
add action=mark-routing chain=prerouting comment="l2tp-out-vpn-hkg" log=yes new-routing-mark=l2tp-out-vpn passthrough=yes src-address=192.168.1.52
add action=mark-routing chain=prerouting comment="l2tp-out-vpn-hkg" log=yes new-routing-mark=l2tp-out-vpn passthrough=yes src-address=192.168.1.10
add action=mark-routing chain=prerouting comment="l2tp-out-vpn-hkg" log=yes new-routing-mark=l2tp-out-vpn passthrough=yes src-address=192.168.1.5

# masquerade those hosts behind the tunnel address; out-interface must be the l2tp-client name (l2tp-out-HK)
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=l2tp-out-HK src-address=192.168.1.52
add action=masquerade chain=srcnat log=yes out-interface=l2tp-out-HK src-address=192.168.1.10
add action=masquerade chain=srcnat log=yes out-interface=l2tp-out-HK src-address=192.168.1.5

# default route in the marked table, used only by route-marked traffic
/ip route
add distance=1 gateway=l2tp-out-HK routing-mark=l2tp-out-vpn

But it still does not work .....
 
mikeeg02
Member Candidate
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: LT2P VPN

Mon Feb 08, 2021 1:45 am

mikeeg02 wrote:
In the computer you're using to access the VPN, you can disable use of the VPN for default route in the VPN settings.

bourneagainsh wrote:
I am trying it on a PC with Debian and an Android mobile phone connected to an AP in bridge mode.

If the computer is initiating the VPN connection, then I believe you will need to figure out how to remove the VPN from becoming the default route in that OS. Unless you were to make your AP become the VPN client, at which point you can set the route rules.
 
bourneagainsh
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: LT2P VPN

Mon Feb 08, 2021 11:09 am

mikeeg02 wrote:
In the computer you're using to access the VPN, you can disable use of the VPN for default route in the VPN settings.

bourneagainsh wrote:
I am trying it on a PC with Debian and an Android mobile phone connected to an AP in bridge mode.

mikeeg02 wrote:
If the computer is initiating the VPN connection, then I believe you will need to figure out how to remove the VPN from becoming the default route in that OS. Unless you were to make your AP become the VPN client, at which point you can set the route rules.

Sorry, the PC/Android mobile are slaves; it's the MikroTik router that has the L2TP tunnel created, and I want "all" the traffic from those 2 devices (PC/Android connected to the MikroTik) to be routed via the L2TP.

So when you say static routes, can you give me an example please?
Is
/ip route add distance=1 gateway=l2tp-out-HK routing-mark=l2tp-out-vpn
not sufficient?
 
tdw
Forum Guru
Forum Guru
Posts: 1855
Joined: Sat May 05, 2018 11:55 am

Re: LT2P VPN

Mon Feb 08, 2021 2:08 pm

You should have add-default-route=no under /interface l2tp-client - this is likely what is causing all your local devices to use the VPN connection.

It would be better to use a single mangle rule with an address list rather than having three mangle rules with individual addresses, as it reduces the CPU processing. Often marking new connections with a connection mark, and then adding route marks if the connection mark is present, is yet more efficient.

Also you can either use the same address list in the NAT rule, or not specify addresses at all, as only the marked traffic will be leaving via the out-interface.
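The two approaches tdw describes (static routes for a few destination addresses, and connection-mark plus route-mark for a few local source hosts), written out as one added RouterOS configuration; this is an example, not a config from any poster. It reuses the tunnel name l2tp-out-HK and the three source hosts from the thread, and assumes the local LAN is 192.168.1.0/24, a placeholder remote subnet of 10.99.0.0/24 for the destination-based case, and RouterOS v7 (the /routing table line is not needed on v6).

```routeros
# 1. Stop the tunnel from replacing the router's default route (tdw's first point).
/interface l2tp-client
set [ find name=l2tp-out-HK ] add-default-route=no

# 2a. Destination-based: only traffic for the remote subnet goes down the tunnel.
#     10.99.0.0/24 is a placeholder for the 3 remote machines' network.
/ip route
add dst-address=10.99.0.0/24 gateway=l2tp-out-HK distance=1 comment="remote site via VPN"

# 2b. Source-based: everything from listed local hosts goes down the tunnel.
/ip firewall address-list
add list=via-vpn address=192.168.1.5  comment="PC"
add list=via-vpn address=192.168.1.10 comment="Android"
add list=via-vpn address=192.168.1.52

# RouterOS v7 needs the routing table to exist before it can be referenced.
/routing table
add name=l2tp-out-vpn fib

# Mark only the first packet of each connection, then route-mark by connection mark
# (cheaper than matching addresses on every packet). LAN-to-LAN traffic is excluded.
/ip firewall mangle
add chain=prerouting connection-state=new src-address-list=via-vpn \
    dst-address=!192.168.1.0/24 action=mark-connection \
    new-connection-mark=vpn-conn passthrough=yes comment="new conns from VPN hosts"
add chain=prerouting connection-mark=vpn-conn action=mark-routing \
    new-routing-mark=l2tp-out-vpn passthrough=no comment="route VPN hosts via tunnel"

# Only route-marked traffic reaches this out-interface, so no src-address is needed.
/ip firewall nat
add chain=srcnat out-interface=l2tp-out-HK action=masquerade

# Default route that exists only in the marked table; everything else stays on the WAN.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out-HK routing-table=l2tp-out-vpn distance=1
```

Verify with /ip firewall connection print where connection-mark=vpn-conn and /ip route print where routing-table=l2tp-out-vpn; unmarked hosts should still show their public WAN address from the outside.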
