giotecno
just joined
Topic Author
Posts: 7
Joined: Sun Sep 04, 2022 5:29 pm

devices on VPN access to local subnet

Sun Sep 04, 2022 5:39 pm

Guys, first post, so be gentle. I managed to set up my network with ISP Modem > MikroTik Router > HP Procurve Switch > Eero Wifi AP in Bridge Mode. Took me a while, but I'm getting the hang of this slowly. I still have the problem below with VPN and local subnet access.

I have 4 VLANs: 192.168.10.xx, 192.168.20.xx, 192.168.30.xx, and 192.168.88.xx for the MikroTik Router.

The .10 VLAN is used for my usual LAN devices, .20 is used for the wireless, and .30 is used to tunnel VPN traffic through to Mullvad VPN. Ports on the switch correspond to these VLANs.

My problem is I have an Apple TV in the .30 subnet which is going to Mullvad VPN. This works great, as I am able to use my IPTV services, which is the reason I set this up, because my ISP blocks them.

However I have a Synology NAS on the .10 subnet which has my movie library. Since Apple TV is going through the VPN I am unable to playback the videos located on the local LAN in the .10 subnet.

Not sure what would be the best way to keep the VPN in place but also have the Apple TV get LAN access to the 192.168.10 subnet to stream the local movies.

Any ideas?

My config below:


# sep/04/2022 15:25:22 by RouterOS 7.5
#
# model = RB750Gr3
/interface bridge
add name=local
/interface wireguard
add listen-port=6561 mtu=1420 name=mullvad-upstream
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether2 name="Internal (VLAN 10)" vlan-id=10
add interface=ether2 name="Wifi (VLAN 20)" vlan-id=20
add interface=ether2 name=mullvad vlan-id=30
/interface list
add name=listBridge
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.10.4-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.4-192.168.20.254
add name=dhcp_pool3 ranges=192.168.30.4-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local name=dhcp1
add address-pool=dhcp_pool1 interface="Internal (VLAN 10)" name=dhcp2
add address-pool=dhcp_pool2 interface="Wifi (VLAN 20)" name=dhcp3
add address-pool=dhcp_pool3 interface=mullvad name=dhcp4
/port
set 0 name=serial0
/routing table
add fib name=mullvad
add fib name=mullvad
/interface bridge port
add bridge=local interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=local list=listBridge
add interface=ether2 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key="BmV3wi7rcHuU9Kv9K3v7XEdcUwkb5ufWVoRBu9k0XQ0="
add allowed-address=192.168.100.3/32 interface=wireguard1 public-key="BgFGVTDedLMCRJDyyoSkMmWOjyy7OdDNVH9ok7XMUSw="
add allowed-address=192.168.100.4/32 interface=wireguard1 public-key="IzwGDI5XRMbq6VGYCq2Nlk0ARS1XSC10Z3WjBD3JgXI="
add allowed-address=0.0.0.0/0,::/0 endpoint-address=185.195.232.66 endpoint-port=51820 interface=mullvad-upstream public-key=\
    "VZwE8hrpNzg6SMwn9LtEqonXzSWd5dkFk62PrNWFW3Y="
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=192.168.10.1/24 interface="Internal (VLAN 10)" network=192.168.10.0
add address=192.168.20.1/24 interface="Wifi (VLAN 20)" network=192.168.20.0
add address=192.168.30.1/24 interface=mullvad network=192.168.30.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=10.66.197.130 interface=mullvad-upstream network=10.124.1.16
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.10.252 client-id=1:0:11:32:15:fe:bd mac-address=00:11:32:15:FE:BD server=dhcp2
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.88.1,8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.88.1,8.8.8.8 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.88.1,8.8.8.8 gateway=192.168.30.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.100.0/24
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
add action=accept chain=forward connection-mark=under_nordvpn
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1
add action=accept chain=input protocol=udp
add action=accept chain=forward protocol=udp
add action=accept chain=input protocol=igmp
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=mullvad new-routing-mark=mullvad
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether1 protocol=tcp to-addresses=192.168.10.252 to-ports=25
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat in-interface=ether1 port=3389 protocol=tcp to-addresses=192.168.88.254
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=mullvad-upstream
/ip route
add dst-address=0.0.0.0/0 gateway=10.124.1.16 routing-table=mullvad
/ipv6 route
add dst-address=::/0 gateway=fc00:bbbb:bbbb:bb01::1%mullvad routing-table=mullvad
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.10.0/24,192.168.20.0/24,192.168.30.0/24
/ipv6 address
add address=fc00:bbbb:bbbb:bb01::3:c581 interface=*B
/ipv6 firewall filter
# no interface
add action=drop chain=input in-interface=*B
# no interface
add action=drop chain=forward connection-state=new in-interface=*B
/ipv6 firewall mangle
# in/out-interface matcher not possible when interface (ether2) is slave - use master instead (local)
add action=mark-routing chain=prerouting in-interface=ether2 new-routing-mark=mullvad passthrough=no
/ipv6 firewall nat
# no interface
add action=masquerade chain=srcnat out-interface=*B
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=ether1 upstream=yes
add interface=ether2
/routing rule
add action=lookup-only-in-table routing-mark=mullvad table=mullvad
add action=lookup-only-in-table routing-mark=mullvad table=mullvad
/system clock
set time-zone-name=Europe/London
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
 
giotecno
just joined
Topic Author
Posts: 7
Joined: Sun Sep 04, 2022 5:29 pm

Re: devices on VPN access to local subnet

Tue Sep 06, 2022 12:51 am

I ended up using a raspberry pi with Plex pass to stream from outside. Probably not the best method but still waiting for someone to assist with the mikrotik config... ;)
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: devices on VPN access to local subnet

Wed Sep 07, 2022 2:47 pm

Place a routing rule dst-address=192.168.0.0/16 action=lookup table=main before (above) the existing routing rules. And you may remove one of the two identical existing rules.
 
giotecno
just joined
Topic Author
Posts: 7
Joined: Sun Sep 04, 2022 5:29 pm

Re: devices on VPN access to local subnet

Fri Sep 09, 2022 1:08 pm

Hi sindy

Is this under Routing/Rules or do I place this in IP/Firewall/Filter Rules?

or do you know what command I can enter into the terminal Instead?

Which identical rules are you referring to?

Apologies for the noob questions.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: devices on VPN access to local subnet

Fri Sep 09, 2022 1:18 pm

Under Routing/Rules.

Current state as per your config export:
/routing rule
add action=lookup-only-in-table routing-mark=mullvad table=mullvad
add action=lookup-only-in-table routing-mark=mullvad table=mullvad


Target state:
/routing rule
add action=lookup dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table routing-mark=mullvad table=mullvad
 
giotecno
just joined
Topic Author
Posts: 7
Joined: Sun Sep 04, 2022 5:29 pm

Re: devices on VPN access to local subnet

Fri Sep 09, 2022 7:12 pm

Hi sindy

I added the routing rule, but from the Apple TV on the .30 subnet (VLAN subnet) I still can't see the .10 (internal) subnet. I tried VLC and it doesn't seem to see the local NAS, nor does any other app. Any ideas? I did place the rule above the other one and deleted the repeated rule.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: devices on VPN access to local subnet

Fri Sep 09, 2022 8:57 pm

Sorry, I have missed that you run RouterOS 7.5, where the routing mark assigned by mangle rules cannot be overridden by routing rules.

So remove the routing rule I have suggested, and instead add dst-address=!192.168.0.0/16 to the action=mark-routing mangle rule.
 
giotecno
just joined
Topic Author
Posts: 7
Joined: Sun Sep 04, 2022 5:29 pm

Re: devices on VPN access to local subnet

Fri Sep 09, 2022 9:48 pm

Hi sindy

What would the terminal command be to do that? Is there a chain?

Thx
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: devices on VPN access to local subnet  [SOLVED]

Fri Sep 09, 2022 10:43 pm

Taking advantage of the fact that you've currently got just a single mangle rule, the command is
/ip firewall mangle set [find] dst-address=!192.168.0.0/16
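As an added example (not part of the thread, and not sindy's or giotecno's configuration), here is the same fix written out in two forms: the one-liner sindy gave, selected by the rule's properties instead of a bare [find], and an address-list variant that is my own extension. The list name local-subnets, the comments, and the verification commands are assumptions; the prefixes come from the config export above.

```routeros
# Added example, not from the original thread. The address-list name
# "local-subnets" and the comments are assumptions.

# Before (as exported): every packet arriving from VLAN 30 gets the
# mullvad routing mark, so a flow to the NAS on 192.168.10.x is also
# pushed into the tunnel, where the far end has no route back to it.
#
#   /ip firewall mangle
#   add action=mark-routing chain=prerouting in-interface=mullvad \
#       new-routing-mark=mullvad

# Variant 1 (sindy's fix): exclude all of 192.168.0.0/16 from the mark.
# Select the rule by its properties; a bare "set [find] ..." rewrites
# every mangle rule and is only safe while there is exactly one.
/ip firewall mangle
set [ find chain=prerouting action=mark-routing new-routing-mark=mullvad ] \
    dst-address=!192.168.0.0/16

# Variant 2 (extension, pick one of the two): list the prefixes you
# actually own and exclude that list, so the exception is explicit and
# does not silently bypass the tunnel for every 192.168.x.x destination.
/ip firewall address-list
add list=local-subnets address=192.168.10.0/24 comment="Internal (VLAN 10)"
add list=local-subnets address=192.168.20.0/24 comment="Wifi (VLAN 20)"
add list=local-subnets address=192.168.30.0/24 comment="mullvad (VLAN 30)"
add list=local-subnets address=192.168.88.0/24 comment="local bridge"
add list=local-subnets address=192.168.100.0/24 comment="wireguard1 peers"
/ip firewall mangle
set [ find chain=prerouting action=mark-routing new-routing-mark=mullvad ] \
    dst-address-list=!local-subnets

# The export carried the same routing rule twice; keep exactly one.
/routing rule
remove [ find routing-mark=mullvad table=mullvad ]
add action=lookup-only-in-table routing-mark=mullvad table=mullvad

# Verify: the mangle counters should now rise only for non-local
# destinations, and a flow from the Apple TV to the NAS should appear
# in the connection table while video plays.
/ip firewall mangle print stats
/ip firewall connection print where src-address~"^192.168.30." dst-address~"^192.168.10."
```

Two caveats a practitioner would check before calling this done. First, the exported filter has no rule dropping inter-VLAN traffic in the forward chain, which is why routing alone fixed it; if VLAN isolation is added later, an explicit accept from 192.168.30.0/24 to the NAS address is needed as well. Second, service discovery (Bonjour/mDNS, SMB browsing) is link-local and does not cross from VLAN 30 to VLAN 10, so the NAS has to be entered by address in the client rather than found by browsing.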
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: devices on VPN access to local subnet

Sat Sep 10, 2022 4:28 am

One thing strange I found in your config.

/interface vlan
add interface=ether2 name="Internal (VLAN 10)" vlan-id=10
add interface=ether2 name="Wifi (VLAN 20)" vlan-id=20
add interface=ether2 name=mullvad vlan-id=30

/interface bridge port
add bridge=local interface=ether2


the correct one should be:

/interface vlan
add interface=local name="Internal (VLAN 10)" vlan-id=10
add interface=local name="Wifi (VLAN 20)" vlan-id=20
add interface=local name=mullvad vlan-id=30

/interface bridge port
add bridge=local interface=ether2
 
giotecno
just joined
Topic Author
Posts: 7
Joined: Sun Sep 04, 2022 5:29 pm

Re: devices on VPN access to local subnet

Sat Sep 10, 2022 11:36 am

Sindy, you're the best, thank you. This did the trick. I can now access the internet through the VPN tunnel and the device can see local resources internally, which is just what I wanted. This forum's amazing.
 
giotecno
just joined
Topic Author
Posts: 7
Joined: Sun Sep 04, 2022 5:29 pm

Re: devices on VPN access to local subnet

Sat Sep 10, 2022 11:37 am

Nichky, do you suggest I change all the interfaces from local to ether2? It all seems to work at the moment.

Thx
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: devices on VPN access to local subnet

Sat Sep 10, 2022 12:39 pm

Not exactly. Since ether2 is a member port of a bridge, the /interface vlan entries that are currently attached directly to ether2 should be attached to the bridge (local) instead. As it is now, it works, but it is not correct and may cause some unexpected surprises. But it is totally unrelated to the policy routing issues you had.
