ramirez
Member Candidate
Topic Author
Posts: 144
Joined: Sun May 12, 2013 9:48 pm

Internet traffic and VPN

Fri Sep 17, 2021 1:20 pm

Greetings to all!

Can someone please help with the following?

On the client side, where a single device is connected on the WiFi, I am looking to route all internet traffic through the server's side.

That device is 192.168.100.2.

The MT is connected via ethernet on the ISP’s modem and a DHCP client is running to receive a LAN address (this is important).

In a similar scenario elsewhere, I have successfully routed internet traffic (from the server) to any device I wish by using the IP/Firewall/Mangle tab, through the L2TP/IPsec link. But that setup does not include a DHCP client and a DHCP server running on the client side (it is just one subnet).

The L2TP/IPsec link is active and stable but, obviously, the configuration is wrong somewhere.

Many thanks in advance.

# sep/17/2021 by RouterOS 6.48.4
# software id = 
#
# model = RBmAPL-2nD
# serial number =
/interface l2tp-client
add connect-to=SERVER.ddns.net disabled=no max-mru=1400 max-mtu=1400 name=l2tp-out2 user=T
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile1 supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] country= disabled=no distance=indoors frequency=auto installation=indoor max-station-count=1 mode=ap-bridge security-profile=\
    profile1 ssid="T" wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface wireless nstreme
set wlan1 enable-nstreme=yes
/ip ipsec peer
add address=SERVER.ddns.net exchange-mode=ike2 name=T
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 prf-algorithm=sha1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc pfs-group=modp2048
add enc-algorithms=aes-128-cbc name=LNproposal pfs-group=modp2048
/ip pool
add name=dhcp_pool0 ranges=192.168.100.2
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=wlan1 lease-time=1d name=dhcp1
/ip address
add address=192.168.100.1/24 interface=wlan1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=10.0.0.0/8 list="Local Subnet"
add address=172.16.0.0/12 list="Local Subnet"
add address=192.168.0.0/16 list="Local Subnet"
/ip firewall filter
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid disabled=yes
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=output connection-state=established,related,untracked
add action=drop chain=output connection-state=invalid
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=Traffic_for_vpn passthrough=yes src-address=192.168.100.2
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.100.2 src-address=X.X.X.X/24
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wlan1
/ip ipsec identity
add peer=T
/ip ipsec policy
add dst-address=X.X.X.X/32 peer=T proposal=LNproposal src-address=192.168.20.4/32
/ip route
add distance=1 gateway=192.168.91.1 routing-mark=Traffic_for_vpn
add distance=1 dst-address=X.X.X.X/24 gateway=192.168.91.1
/ip service
set telnet disabled=yes
/system clock
set time-zone-name=
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
[admin@MikroTik] > 
 
ramirez
Member Candidate
Topic Author
Posts: 144
Joined: Sun May 12, 2013 9:48 pm

Re: Internet traffic and VPN

Fri Sep 17, 2021 5:33 pm

UPDATE:

In case anyone has the same issue in the future:

The problem was choosing "mark connection" instead of "mark routing" in the mangle tab. In my haste I had entered the wrong value...
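The fix described in the update, written out as an added example (not the thread author's own export): a mark-routing rule for 192.168.100.2 plus a default route that only the marked table uses. It assumes the names from the export above (interface l2tp-out2, the "Local Subnet" address list) and that 192.168.91.1 is the server's tunnel-side address, as the original routing-mark route already used.

```routeros
# Added example, not the thread author's export. Assumes l2tp-out2 is the
# L2TP client interface, 192.168.100.2 is the LAN device, "Local Subnet" is
# the address list from the export, and 192.168.91.1 is the server's
# tunnel-side address (the gateway the original routing-mark route used).
/ip firewall mangle
# Keep traffic to the router itself and to local RFC 1918 networks on the
# main table; only the remaining (internet-bound) packets get the mark.
add chain=prerouting action=accept src-address=192.168.100.2 \
    dst-address-list="Local Subnet" comment="keep LAN traffic on main table"
# mark-routing, not mark-connection: only a routing mark selects a route
# table. passthrough=no because no later mangle rule needs this packet.
add chain=prerouting action=mark-routing src-address=192.168.100.2 \
    new-routing-mark=Traffic_for_vpn passthrough=no \
    comment="send 192.168.100.2 internet traffic via the tunnel"
/ip route
# Default route for the marked table only; the main table keeps the
# DHCP-learned default route on ether1 for everything else.
add dst-address=0.0.0.0/0 gateway=192.168.91.1 routing-mark=Traffic_for_vpn \
    distance=1 comment="default via L2TP for marked traffic"
/ip firewall nat
# Source-NAT onto the tunnel so replies return through it; needed unless the
# server side already has a route back to 192.168.100.0/24.
add chain=srcnat action=masquerade out-interface=l2tp-out2
```

Separate from the routing issue: the exported input chain has no final drop rule, so services not listed (Winbox, SSH, and the DNS resolver enabled by allow-remote-requests=yes) remain reachable from the ether1 side. A trailing drop in chain=input for traffic not arriving from wlan1 closes that gap.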
