jaxed8
Frequent Visitor
Topic Author
Posts: 74
Joined: Tue Jul 27, 2021 8:25 pm

Route site or ip out of the VPN

Mon Oct 11, 2021 7:23 pm

Hello everyone
I want to route some websites, or at least their IPs, out of my VPN. With my current configuration I believe all of the traffic would go through the VPN, and I want to keep it this way except for a few websites.
This is my configuration:
config export.txt
 
ingdaka
Member
Posts: 405
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: Route site or ip out of the VPN

Mon Oct 11, 2021 7:26 pm

Add a new rule in mangle with action accept, set the destination IP, and put those rules above the others!
These are mine:
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=public-ip-of-website
add action=mark-routing chain=prerouting new-routing-mark=to-vpn passthrough=yes src-address=192.168.1.0/24
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE | MTCWE | RIPE NCC Certified Professional
 
jaxed8
Frequent Visitor
Topic Author
Posts: 74
Joined: Tue Jul 27, 2021 8:25 pm

Re: Route site or ip out of the VPN

Mon Oct 11, 2021 8:19 pm

Thanks, but it didn't work; it just made that IP inaccessible.
 
sindy
Forum Guru
Posts: 7898
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route site or ip out of the VPN  [SOLVED]

Mon Oct 11, 2021 9:43 pm

It's because Ilir probably hasn't noticed that you've got no srcnat rule except the one for out-interface=L2TP_XXXX.

So you can e.g. copy that rule and change out-interface=L2TP_XXXX to out-interface=ether10 in the copy. Or instead you can just remove the matching on out-interface, as the rule only acts on packets sent from 192.168.1.0/24 anyway.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
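Why the exempted address became unreachable, and why either NAT change fixes it, as an added example that is not part of the original posts: a small first-match model of the mangle and srcnat rules quoted in this thread. It assumes the main routing table leaves via ether10 and the to-vpn table via L2TP_XXXX; 203.0.113.10 is a constructed stand-in for public-ip-of-website.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
CLIENT = ip_address("192.168.1.50")   # constructed LAN host
SITE = ip_address("203.0.113.10")     # constructed stand-in for public-ip-of-website
OTHER = ip_address("198.51.100.7")    # constructed: any other internet host

# Mangle prerouting rules from the thread, in order: (action, src match, dst match)
MANGLE = [
    ("accept", LAN, LAN),
    ("accept", None, ip_network("203.0.113.10/32")),
    ("mark-routing", LAN, None),      # new-routing-mark=to-vpn
]

# srcnat rule sets as (src match, out-interface match); None = no interface match
NAT_ORIGINAL = [(LAN, "L2TP_XXXX")]
NAT_FIX_COPY = [(LAN, "L2TP_XXXX"), (LAN, "ether10")]
NAT_FIX_ANY = [(LAN, None)]

def routing_mark(src, dst):
    """Walk the chain; 'accept' ends processing before the mark rule is reached."""
    for action, s, d in MANGLE:
        if (s is None or src in s) and (d is None or dst in d):
            return "to-vpn" if action == "mark-routing" else None
    return None

def out_interface(mark):
    # Assumption: to-vpn table routes via the L2TP client, main table via ether10.
    return "L2TP_XXXX" if mark == "to-vpn" else "ether10"

def source_on_wire(src, dst, nat_rules):
    """Return (egress interface, source address the next hop sees)."""
    iface = out_interface(routing_mark(src, dst))
    for rule_src, rule_iface in nat_rules:
        if src in rule_src and rule_iface in (None, iface):
            return iface, f"public address of {iface}"
    # No srcnat rule matched: the packet leaves with its private source,
    # so replies can never be routed back and the site looks unreachable.
    return iface, str(src)

if __name__ == "__main__":
    for name, rules in [("original", NAT_ORIGINAL), ("copy rule", NAT_FIX_COPY),
                        ("no out-interface", NAT_FIX_ANY)]:
        print(name, source_on_wire(CLIENT, SITE, rules),
              source_on_wire(CLIENT, OTHER, rules))
```
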
 
jaxed8
Frequent Visitor
Topic Author
Posts: 74
Joined: Tue Jul 27, 2021 8:25 pm

Re: Route site or ip out of the VPN

Tue Oct 12, 2021 2:54 pm

Thanks man, it worked.
So with this, only that website is gonna access my actual IP, not any other website? I mean, it's not leaking my IP this way?
 
jaxed8
Frequent Visitor
Topic Author
Posts: 74
Joined: Tue Jul 27, 2021 8:25 pm

Re: Route site or ip out of the VPN

Wed Oct 13, 2021 6:41 pm

up up
 
sindy
Forum Guru
Posts: 7898
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route site or ip out of the VPN

Wed Oct 13, 2021 8:01 pm

That's a complex topic.

First, you can choose whether to establish a connection via VPN or directly depending on the destination IP address, but multiple sites apparently unrelated to each other may run on the same IP address, and vice versa, the same site may be hosted at multiple IP addresses. You don't expect a high profile site like www.google.com to be served from a single server to all the clients in the world, do you? And vice versa, e.g. www.google.com and www.youtube.com are often served from the same IP to the same client.

Second, your IP address may leak via DNS unless you make sure that DNS queries are also sent via VPN. And e.g. Windows 10 used to send the DNS queries through all interfaces through which any route existed, ignoring the actual routing table.
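The first point above (one IP serving several sites, one site served from several IPs) can be checked against a bypass list before relying on it. The following is an added example, not part of the original posts; the hostnames, addresses and the function name audit_bypass are constructed for illustration, and the DNS answers are embedded rather than looked up.

```python
from ipaddress import ip_address, ip_network

def audit_bypass(bypass_entries, intended_sites, resolved):
    """Compare a destination-IP bypass list with observed DNS answers.

    bypass_entries: addresses or CIDR strings used in dst-address exceptions
    intended_sites: hostnames that are meant to go outside the VPN
    resolved:       hostname -> list of A records seen from this network
    Returns (collateral, uncovered):
      collateral: unintended hostname -> IPs that also match an exception
                  (these sites will see the real public IP as well)
      uncovered:  intended hostname -> IPs that match no exception
                  (connections to these still follow the VPN route)
    """
    nets = [ip_network(entry, strict=False) for entry in bypass_entries]

    def bypassed(ip):
        return any(ip_address(ip) in net for net in nets)

    collateral, uncovered = {}, {}
    for host, ips in resolved.items():
        hit = sorted(ip for ip in ips if bypassed(ip))
        miss = sorted(ip for ip in ips if not bypassed(ip))
        if host in intended_sites and miss:
            uncovered[host] = miss
        elif host not in intended_sites and hit:
            collateral[host] = hit
    return collateral, uncovered

# Constructed sample data (documentation address ranges, .example names).
RESOLVED = {
    "shop.example": ["203.0.113.10", "203.0.113.11"],  # served from two IPs
    "video.example": ["203.0.113.10"],                 # shares an IP with shop
    "news.example": ["198.51.100.7"],
}
BYPASS = ["203.0.113.10"]
INTENDED = {"shop.example"}

COLLATERAL, UNCOVERED = audit_bypass(BYPASS, INTENDED, RESOLVED)

if __name__ == "__main__":
    print("also bypassing the VPN:", COLLATERAL)
    print("still going via the VPN:", UNCOVERED)
```
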
 
jaxed8
Frequent Visitor
Topic Author
Posts: 74
Joined: Tue Jul 27, 2021 8:25 pm

Re: Route site or ip out of the VPN

Fri Oct 15, 2021 9:39 pm

Thanks man, but how to route the DNS via VPN?
My DNS settings:
Screenshot 2021-10-15 220811.jpg