noorhamed
just joined
Topic Author
Posts: 5
Joined: Sat Mar 27, 2021 2:45 pm

Forward all traffic on local device to vpn connection

Wed Sep 08, 2021 10:21 pm

Hi Everyone!
Please tell me how I can route all traffic from a local device through the VPN connection.
for example my device IP: 192.168.1.95
I want all the packets sent and received by this device to be done through VPN
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Forward all traffic on local device to vpn connection

Thu Sep 09, 2021 1:55 pm

Good Morning,

What kind of VPN are you using?
Can you post your config?
 
noorhamed
just joined
Topic Author
Posts: 5
Joined: Sat Mar 27, 2021 2:45 pm

Re: Forward all traffic on local device to vpn connection

Thu Sep 09, 2021 4:53 pm

ConnyMercier wrote:
    What kind of VPN are you using?
    Can you post your config?

I'm using an L2TP client and I want to route all traffic of 192.168.1.95 through the VPN.
There is no config yet. I want to know what I should do. I don't know if I should use mangle and mark, or if a simple route will work.
thanks a bunch
 
noorhamed
just joined
Topic Author
Posts: 5
Joined: Sat Mar 27, 2021 2:45 pm

Re: Forward all traffic on local device to vpn connection

Fri Sep 10, 2021 9:38 pm

Hello, anybody there?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Forward all traffic on local device to vpn connection

Fri Sep 10, 2021 9:47 pm

/ip firewall nat
add chain=srcnat out-interface=l2tp-out1 action=masquerade

/ip route
add gateway=l2tp-out1 routing-mark=via-l2tp

/ip route rule
add src-address=192.168.1.95 action=lookup-only-in-table table=via-l2tp


Depending on your current configuration, you may need to place the firewall rule and the routing rule in the proper position among the other rules in the respective tables and chains.

You could use /ip firewall mangle rules as well, but it would be a bit slower and a bit more complex. So it only makes sense to use mangle rules to assign routing-marks when you need to be able to take into account finer details, like protocol and port, or when you need address lists, or when you need to distribute the traffic among several paths.
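The route-rule approach from the post above, written out as a complete, fail-closed configuration. This is an added example, not sindy's posted config or MikroTik documentation; it uses RouterOS v6 syntax as the thread does, and assumes the L2TP client interface is named l2tp-out1, the pinned host is 192.168.1.95, and 10.0.0.1 is a placeholder for a DNS resolver reachable through the tunnel:

```routeros
# Added example, not part of the thread. RouterOS v6 syntax as used above.
# Assumed names: L2TP client interface "l2tp-out1", pinned host 192.168.1.95.
# 10.0.0.1 is a placeholder for a DNS resolver that is reachable through the tunnel.

# 0. The tunnel must not install a default route for the whole router, otherwise every
#    LAN host, not just .95, is moved onto the VPN.
/interface l2tp-client
set [find name=l2tp-out1] add-default-route=no

# 1. Source NAT for everything leaving through the tunnel; the VPN server sees the tunnel address.
/ip firewall nat
add chain=srcnat out-interface=l2tp-out1 action=masquerade comment="srcnat via VPN"

# 2. A routing table whose only default route is the tunnel. A static route whose gateway is a
#    PPP interface becomes inactive as soon as that interface goes down, so the table empties.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=via-l2tp comment="default via VPN"

# 3. Pin the host to that table. lookup-only-in-table is the kill switch: if the table has no
#    active route (tunnel down) the packet is dropped instead of falling back to table main
#    and leaving in the clear via the WAN.
/ip route rule
add src-address=192.168.1.95 action=lookup-only-in-table table=via-l2tp

# 4. DNS leak caveat: rule 3 matches only packets forwarded *from* .95. If .95 uses the router
#    as its DNS server, the router's own resolver queries still leave via table main. Redirecting
#    the host's DNS to a resolver behind the tunnel makes the query itself subject to rule 3.
/ip firewall nat
add chain=dstnat src-address=192.168.1.95 protocol=udp dst-port=53 action=dst-nat to-addresses=10.0.0.1 comment="DNS of .95 via VPN"
add chain=dstnat src-address=192.168.1.95 protocol=tcp dst-port=53 action=dst-nat to-addresses=10.0.0.1 comment="DNS of .95 via VPN"

# 5. Checks: the rule is listed, the table has an active route, the srcnat counters grow, and
#    the sniffer shows .95's pings inside the tunnel while the host pings 9.9.9.9.
/ip route rule print
/ip route print where routing-mark=via-l2tp
/ip firewall nat print stats where comment="srcnat via VPN"
/tool sniffer quick interface=l2tp-out1 ip-protocol=icmp
```

The order of the route rule relative to any other rules in /ip route rule matters, as the post says: rules are evaluated top down and the first match wins. On RouterOS v7 the same idea is expressed with /routing table add name=via-l2tp fib, routing-table= on the route and /routing rule instead of /ip route rule.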
 
noorhamed
just joined
Topic Author
Posts: 5
Joined: Sat Mar 27, 2021 2:45 pm

Re: Forward all traffic on local device to vpn connection

Fri Sep 10, 2021 10:01 pm

sindy wrote:
    /ip firewall nat
    add chain=srcnat out-interface=l2tp-out1 action=masquerade

    /ip route
    add gateway=l2tp-out1 routing-mark=via-l2tp

    /ip route rule
    add src-address=192.168.1.95 action=lookup-only-in-table table=via-l2tp

    Depending on your current configuration, you may need to place the firewall rule and the routing rule in the proper position among the other rules in the respective tables and chains.

    You could use /ip firewall mangle rules as well, but it would be a bit slower and a bit more complex. So it only makes sense to use mangle rules to assign routing-marks when you need to be able to take into account finer details, like protocol and port, or when you need address lists, or when you need to distribute the traffic among several paths.

First of all, thank you for your help
I did what you said, but it didn't work. Look at the picture below

[Image]
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Forward all traffic on local device to vpn connection

Fri Sep 10, 2021 10:18 pm

Looking at the masquerade rule counters, I'd say the setup works, but the VPN provider checks TTL of packets and drops them if the TTL is too low, which indicates that the L2TP client is a router, not a computer.

Open a commandline window using the [Terminal] button, make it as wide as your screen allows, and run /tool sniffer quick interface=VPN ip-protocol=icmp in it while pinging something like 9.9.9.9 from the 192.168.1.95; if it shows the ping requests to be sent from 172.31.x.x to 9.9.9.9 but no responses to come back, it is likely to be the case, and you'll need a mangle rule to adjust the TTL. To use mangle rules, you have to prevent the traffic that needs to be modified by them from getting fasttracked. Or maybe the responses do come but with TTL reduced to 1 so the router drops them rather than forwarding them - this can also be overcome with a mangle rule.
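Diagnosing and correcting the TTL problem described in the post above, as an added example (not sindy's config or MikroTik documentation). It assumes RouterOS v6, tunnel interface l2tp-out1, host 192.168.1.95, and a default-style firewall that contains a fasttrack-connection rule in the forward chain:

```routeros
# Added example, not part of the thread. RouterOS v6 syntax.
# Assumptions: tunnel interface l2tp-out1, pinned host 192.168.1.95, a forward-chain
# fasttrack-connection rule exists (default firewall).

# --- Diagnosis: run in a wide terminal while 192.168.1.95 pings 9.9.9.9 ---
/tool sniffer quick interface=l2tp-out1 ip-protocol=icmp
# Requests leave, no replies arrive -> the VPN provider discards packets whose TTL shows
#                                      that a router hop has already been taken.
# Replies arrive with TTL=1          -> this router would decrement to 0 and drop them itself.

# --- Fix 1: outgoing packets get a fresh host-like TTL after the forwarding decrement ---
/ip firewall mangle
add chain=postrouting out-interface=l2tp-out1 action=change-ttl new-ttl=set:64 passthrough=yes comment="TTL fixup out"

# --- Fix 2: replies that arrive with TTL=1 get one extra hop before forwarding ---
add chain=prerouting in-interface=l2tp-out1 ttl=equal:1 action=change-ttl new-ttl=increment:1 passthrough=yes comment="TTL fixup in"

# --- Fasttrack: fasttracked connections bypass mangle, so the two rules above never see them.
# An accept for the host's established/related traffic placed *above* the fasttrack rule keeps
# those connections out of fasttrack while every other LAN host keeps the speed benefit.
# connection-state is kept so that this does not open the host to unsolicited inbound traffic.
/ip firewall filter
add chain=forward src-address=192.168.1.95 connection-state=established,related action=accept comment="no fasttrack for VPN host" place-before=[find action=fasttrack-connection]
add chain=forward dst-address=192.168.1.95 connection-state=established,related action=accept comment="no fasttrack for VPN host (return)" place-before=[find action=fasttrack-connection]

# --- Verify: counters on the mangle rules must increase while the host generates traffic ---
/ip firewall mangle print stats where comment~"TTL fixup"
```

Both directions need the accept rule because a single packet of a connection hitting fasttrack-connection fasttracks the whole connection, replies included.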
 
vbn2020
just joined
Posts: 4
Joined: Sun May 29, 2022 10:11 pm

Re: Forward all traffic on local device to vpn connection

Sun May 29, 2022 10:22 pm

sindy wrote:
    /ip firewall nat
    add chain=srcnat out-interface=l2tp-out1 action=masquerade

    /ip route
    add gateway=l2tp-out1 routing-mark=via-l2tp

    /ip route rule
    add src-address=192.168.1.95 action=lookup-only-in-table table=via-l2tp
Sindy, thanks a lot for these commands! It was the only solution that worked for me among others.

Would you assist with another problem please? What is the simplest way to exclude a domain from being routed through VPN here?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Forward all traffic on local device to vpn connection

Mon May 30, 2022 12:26 am

vbn2020 wrote:
    What is the simplest way to exclude a domain from being routed through VPN here?
If you mean something like *.domain.com, I'm afraid there is not even a reliable way, let alone a simple one. It is quite common that multiple services using different domains use the same IP addresses. So e.g. it is not possible to treat YouTube differently from Google search.

You can add a domain name in the address column of an address list; the router then resolves the domain name to one or more IP addresses and adds them as dynamic items to the address list. But incomplete domain names cannot be treated this way, plus there's the danger mentioned above if you use complicated methods of searching the DNS cache for IP addresses to treat specifically.

Looking for the domain part of a URL in the payload of the TCP requests cannot be used to choose a route, because the TCP connection needs to be established before this payload becomes available.
 
vbn2020
just joined
Posts: 4
Joined: Sun May 29, 2022 10:11 pm

Re: Forward all traffic on local device to vpn connection

Mon May 30, 2022 9:24 am

Thanks sindy! Domain.com would be enough, even without subdomains. It is not important if that website shares an IP with other sites, e.g. like with Cloudflare. I just want to understand whether that is possible with the help of address lists or routes.

Another option would be to forward traffic to non-VPN interface based on direct IP match instead of domain.

Is there a command in the terminal for that? It would be very helpful.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Forward all traffic on local device to vpn connection

Mon May 30, 2022 10:01 am

/ip firewall address-list add list=bypass-vpn address=domain.com - that's the simple part. The complicated part is that you cannot use just /ip route rule items any more to define which traffic to send via the L2TP tunnel, because these rules cannot match on address lists. So you have to use /ip firewall mangle rules instead to assign the routing-mark (routing table name), and only use the /ip route rule items to prevent the traffic that should use the L2TP tunnel from falling back to routing table main when the L2TP tunnel is down.

/ip firewall mangle
add chain=prerouting src-address=192.168.1.95 dst-address-list=!bypass-vpn action=mark-routing new-routing-mark=via-l2tp

/ip route rule
add routing-mark=via-l2tp action=lookup-only-in-table table=via-l2tp
remove [find where src-address~"192.168.1.95"]


And you have to make sure that the traffic that should go via the L2TP will not be fasttracked, as fasttracking bypasses mangle. So either disable the fasttracking rule completely, or engage connection marks.
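The mangle-based variant from the post above, completed with the connection-mark approach it mentions, so that the default fasttrack rule can stay enabled for every other host. This is an added example, not sindy's posted config or MikroTik documentation; it assumes RouterOS v6, tunnel interface l2tp-out1, host 192.168.1.95, the route table via-l2tp already created as in the earlier post, and a default-style firewall with one fasttrack-connection rule:

```routeros
# Added example, not part of the thread. RouterOS v6 syntax.
# Assumptions: tunnel l2tp-out1, host 192.168.1.95, "/ip route add gateway=l2tp-out1
# routing-mark=via-l2tp" and the srcnat masquerade on l2tp-out1 already exist (earlier post),
# and the firewall has one forward-chain fasttrack-connection rule.

# Domains to keep off the VPN. The router resolves the exact name and adds dynamic entries;
# *.domain.com is not expanded, and an address shared with other sites bypasses for them too.
/ip firewall address-list
add list=bypass-vpn address=domain.com comment="resolved by the router"

/ip firewall mangle
# 1. Tag the connection on its first packet: traffic from the host that is not on the bypass list.
add chain=prerouting connection-state=new src-address=192.168.1.95 dst-address-list=!bypass-vpn action=mark-connection new-connection-mark=via-l2tp passthrough=yes comment="tag VPN connections"
# 2. Every packet of a tagged connection gets the routing mark (cheap: a connection lookup only).
add chain=prerouting connection-mark=via-l2tp action=mark-routing new-routing-mark=via-l2tp passthrough=no comment="route tagged connections via VPN"

# 3. Keep tagged connections out of fasttrack (fasttracked packets skip mangle entirely);
#    untagged connections are still fasttracked.
/ip firewall filter
set [find action=fasttrack-connection] connection-mark=no-mark

# 4. Fail closed: a routing-marked packet may only use the via-l2tp table. With the tunnel
#    down the table has no active route and the packet is dropped rather than sent via main.
/ip route rule
add routing-mark=via-l2tp action=lookup-only-in-table table=via-l2tp
# The earlier src-address based rule would also pin the bypass traffic, so it has to go:
remove [find where src-address~"192.168.1.95"]

# 5. Verify: dynamic entries appear in the list, and both mangle counters grow while the
#    host browses; traffic to the listed addresses must not increment the mangle counters.
/ip firewall address-list print where list=bypass-vpn
/ip firewall mangle print stats where comment~"VPN"
```

The bypass list is populated by the router's own resolver. If 192.168.1.95 uses a different DNS server than the router, it may receive other addresses for domain.com than the ones on the list and the bypass will not match; pointing the host at the router for DNS avoids that mismatch.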
 
vbn2020
just joined
Posts: 4
Joined: Sun May 29, 2022 10:11 pm

Re: Forward all traffic on local device to vpn connection

Mon May 30, 2022 9:44 pm

Thanks sindy, it didn't work at the first attempt, but I will try again.
 
soulassassino
just joined
Posts: 21
Joined: Thu Aug 04, 2022 3:34 pm

Re: Forward all traffic on local device to vpn connection

Tue Nov 07, 2023 11:13 pm

Looks easy, but not working for me. Internet is gone at device. :(
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Forward all traffic on local device to vpn connection

Tue Nov 07, 2023 11:15 pm

Second time, dude. Why don't you start your own thread if you are having issues ( viewtopic.php?p=1034426#p1034426 )? Slow learner???

Every scenario may seem the same but they all have some variances and differences so a solution for one particular situation is not necessarily what is needed in another.
Start a new thread with a complete explanation of your network (diagram), a full config export, and the requirements of the traffic flow.
 
soulassassino
just joined
Posts: 21
Joined: Thu Aug 04, 2022 3:34 pm

Re: Forward all traffic on local device to vpn connection

Wed Nov 08, 2023 12:12 pm

Okay, I will do it homie.
