h2desk (Topic Author)

traffic from MK system to VPN

Wed May 31, 2023 8:59 pm

First of all. Thanks for your time in reading.

I'm running some tests and evaluating my rules.

I have an IPsec connection, it's working.

I would like to make the RouterOS system refer to the DNS that is on the other side of the VPN. But its internal traffic does not reach the VPN. It must not be going out with my local network address.

I believe that it is with a mangle rule that I would be able to change the src-nat in the output chain. Unfortunately I am not able to.

Any suggestions or explanations on how to proceed?
 
own3r1138 (Long time Member)

Re: traffic from MK system to VPN

Wed May 31, 2023 11:26 pm

I use WG for this tunnel. However, the principle is the same.
/ip firewall mangle add action=mark-connection chain=prerouting comment="DNS VIA VPN" dst-port=53 log=yes new-connection-mark=dns-via-vpn passthrough=no protocol=tcp src-address="192.168.88.5-VPN-CLIENT"
/ip firewall mangle add action=mark-connection chain=prerouting dst-port=53 log=yes new-connection-mark=dns-via-vpn passthrough=no protocol=udp src-address="192.168.88.5-VPN-CLIENT"
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=dns-via-vpn new-routing-mark=via-vpn passthrough=no
/ip firewall nat add action=dst-nat chain=dstnat connection-mark=dns-via-vpn log=yes to-addresses="172.18.3.1-DNS-SERVER-OVER-VPN"
 
h2desk (Topic Author)

Re: traffic from MK system to VPN

Thu Jun 01, 2023 12:39 am

Thanks for the suggestion. They were helpful.
As I understand it, you direct the clients that go through RouterOS. Right?
What about when it is the Mikrotik itself that needs to do this query? Would it work?

Imagine that Mikrotik would need to query the DNS names of my network, for any type of validation. Then in the RouterOS DNS server settings, the VPN DNS server address would be placed.

I'm more in favor of DNS names than using IP addresses.

I'm sure Mikrotik doesn't do this query because I'm not specifying the source IP of my LAN, which is allowed in the VPN policy. This is in IPsec.

As it is a system resource, I have to do something in the firewall to get it to exit correctly. At least that is what I imagine.
 
own3r1138 (Long time Member)

Re: traffic from MK system to VPN

Thu Jun 01, 2023 12:52 am

Thanks for the suggestion. They were helpful.
Right? YES
Would it work? NO

Imagine that Mikrotik would need to query the DNS names of my network, for any type of validation. Then in the RouterOS DNS server settings, the VPN DNS server address would be placed.
Rephrase, please.
Export your config minus sensitive data.

IPsec Tunnel, DNS query from the router itself via IPsec, and clients marked with connection mark.
/ip firewall mangle add action=mark-connection chain=prerouting comment="IKE-30" new-connection-mark=via-30-ike passthrough=no src-address=192.168.88.5
/ip firewall mangle add action=mark-connection chain=output dst-address=172.18.2.0/24 new-connection-mark=via-30-ike passthrough=no src-address-list="SELF" comment="SELF=WAN Interface IP"
 
h2desk (Topic Author)

Re: traffic from MK system to VPN

Sat Jun 03, 2023 12:21 am

I apologize for the delay. I needed to sort out some personal stuff.

Unfortunately I'm not in my home lab at the moment to send the settings. I'll do it as soon as possible. I really appreciate your time.

I will try to be better in the explanations. I was wrong not to talk about my environment. A study environment.

My setup is as follows:

RT A
WAN: 192.168.1.0/24
LAN: 192.168.100.0/24

RT B
WAN: 192.168.2.0/24
LAN: 192.168.200.0/24

Mikrotik A talks to another Mikrotik B, via ipsec site to site.

I don't have a lot of rules. I use Mikrotik's default; I just added a srcnat rule so that the LAN network addresses allowed in the IPsec policies are not masqueraded, and a forward rule to allow communication between them.

I started doing tests like ping, ssh... from Mikrotik itself.
Working, but always specifying the src-address.
So I decided to test name resolution, but with a private DNS on the other side of the VPN.
I set in Mikrotik B the IP of a DNS server that would be behind Mikrotik A.
That's when I realized that the traffic generated by the router itself cannot query it, because it does not reach the destination. It would need to leave with the LAN address.

I'm not facing a problem. I'm just simulating things, and I wondered what to do if you need to make the Mikrotik query a DNS on the other side of the VPN.

I understood your last messages; it seems that this was MK's road-warrior setup. I didn't do it that way, but I'll try it because it seems that it can work even though mine is S2S.

Thank you very much for your willingness and help.
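An added example (not posted in this thread) of the srcnat approach for the site-to-site setup described above: router-originated traffic on Mikrotik B is rewritten to the LAN address so that it matches the IPsec policy selector, instead of specifying src-address on every ping or ssh. The WAN address 192.168.2.1, LAN address 192.168.200.1, the DNS server 192.168.100.10 behind Mikrotik A and the interface list WAN are assumptions; only the two LAN subnets come from the thread.

```routeros
# Added example, not from the thread. Assumed values: on Mikrotik B the WAN
# address is 192.168.2.1 and the LAN address 192.168.200.1; the IPsec policy is
# 192.168.200.0/24 <-> 192.168.100.0/24 (the LANs from the thread); the DNS
# server behind Mikrotik A is 192.168.100.10 (assumed). Mirror it on Mikrotik A.

/ip firewall nat
# Rule 1 (the thread's existing rule): LAN-to-LAN traffic must not be
# masqueraded, otherwise its source no longer matches the policy selector.
add chain=srcnat action=accept src-address=192.168.200.0/24 \
    dst-address=192.168.100.0/24 comment="IPsec: no NAT between LANs"
# Rule 2: traffic the router generates itself (DNS, ping, ssh) leaves with the
# WAN address, which the selector 192.168.200.0/24 never matches, so it is sent
# unencrypted towards the default gateway. src-nat runs before IPsec policy
# matching in the RouterOS packet flow, so rewriting the source to the LAN IP
# puts these packets into the tunnel without a src-address on every command.
add chain=srcnat action=src-nat src-address=192.168.2.1 \
    dst-address=192.168.100.0/24 to-addresses=192.168.200.1 \
    comment="router-originated traffic to remote LAN via IPsec"
# Rule 3: the default masquerade stays last; order matters in the srcnat chain.
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="defconf: masquerade"

# Point the router's own resolver at the DNS server behind Mikrotik A.
/ip dns set servers=192.168.100.10

# Checks: rule 2 counters should increase, an SA must exist for the policy,
# and the router should now reach the remote DNS without src-address.
/ip firewall nat print stats
/ip ipsec installed-sa print
/ping 192.168.100.10 count=3
:put [:resolve host.lab.example]
```

If the policy on Mikrotik A selects 192.168.100.0/24 only, the same two srcnat rules with the subnets swapped are needed there for its own traffic towards 192.168.200.0/24.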
