I have a setup where a Mikrotik RB951 forwards traffic in a vrf between two links, one link is the ethernet link towards the customer ether2, the other link is an openvpn tunnel ovpn1 on the ethernet link ether1 going to a not-by-me-controlled router with Internet access. I want to isolate traffic flowing from the openvpn tunnel to the customer as strict as possible from traffic coming untunneled from the not-by-me-controlled router as I really don't know what's happening there.
For troubleshooting reasons, it would be nice to have traceroute working as expected.
At the moment, the traceroute from the customers smartphone or laptop (from the right side of the scheme above to the left) looks like this:
Code: Select all
Traceroute 10.179.1.2 1: 10.179.1.25 avg:37.926ms last:35.883ms loss:0% sent:3 2: ?? avg:0.000ms last:0.000ms loss:100% sent:3 3: 10.179.1.2 avg:69.130ms last:69.321ms loss:0% sent:3
Hop 1 10.179.1.25 is the Ubuntu-OpenVPN-Server
Hop 3 10.179.1.2 is the customer-device
So I miss the Mikrotik router responding as Hop 2.
I sniffed with /tools sniffing quick and found out that the ICMP time exceeded packet created by the Mikrotik router has a source address of ether1 (192.168.1.235) instead of ovpn1 (10.179.1.18) which causes the unexpected behaviour.
Is there a configuration which does what I expect or is this a missing feature in Mikrotik or is it even a bug in Mikrotik?
I'm working with 6.38.7 (bugfix) as there is an openvpn bug in 6.39.3 (in topology net30, the network mask of ifconfig-push is configured as IP address of the opposite tunnel end instead of taking it as a network mask, see also viewtopic.php?f=21&t=126694#p624297)
My configuration on the Mikrotik right now:
Code: Select all
/interface ovpn-client add connect-to=<domain-of-ubuntu-openvpn-server> name=ovpn1 (...more options) /ip address add address=10.179.1.1/29 interface=ether2 add address=192.168.1.235/24 interface=ether1 /ip firewall mangle add action=mark-routing chain=output connection-mark=CONN-CUST1 new-routing-mark=VPN-CUST1 passthrough=no add action=mark-connection chain=prerouting connection-mark=!CONN-CUST1 new-connection-mark=CONN-CUST1 passthrough=no routing-mark=VPN-CUST1 /ip route add dst-address=10.179.1.0/24 gateway=ovpn1 pref-src=10.179.1.18 routing-mark=VPN-CUST1 add dst-address=0.0.0.0/0 gateway=192.168.1.1 /ip route vrf add interfaces=ether2,ovpn1 routing-mark=VPN-CUST1
I'm not sure but if I have a look at https://wiki.mikrotik.com/wiki/Manual:Packet_Flow it seems that I'm using what's described as Routing adjustment "this is a workaround that allows to set-up policy routing in mangle chain output" and that it is a missing feature or a bug that only the routing is policed means changed, but not the source address of the packet?
Many thanks in advance for every help possible!