Hamo61
just joined
Topic Author
Posts: 9
Joined: Tue Apr 19, 2022 11:56 am

Block internet when VPN is lost

Wed Apr 20, 2022 2:29 pm

Hi,
I have a question. I want to know how to block the router from going to the internet if there is no VPN connection or the connection is lost.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block internet when VPN is lost

Wed Apr 20, 2022 2:32 pm

What kind of VPN? And blocking the router is not a requirement, it's a dumb piece of equipment with no needs.
Do you mean you send all the LAN users out to the internet via some third-party VPN?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet when VPN is lost

Wed Apr 20, 2022 2:38 pm

Simply do not set routes or NAT that point to the public interface.
Last edited by rextended on Wed Apr 20, 2022 2:42 pm, edited 2 times in total.
 
Hamo61
just joined
Topic Author
Posts: 9
Joined: Tue Apr 19, 2022 11:56 am

Re: Block internet when VPN is lost

Wed Apr 20, 2022 2:39 pm

I have two routers in two different locations. One is the VPN server in location A and the other one is the VPN client in location B. I use L2TP/IPSec.

If the VPN client can't build the connection or it loses it, I want to block the connected devices from using the local internet. So the traffic should only work if a VPN connection is available.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block internet when VPN is lost

Wed Apr 20, 2022 2:42 pm

If you do not understand my post, for example:
ether1 WAN Public IP 6.6.6.2/30 (assuming the other side is 6.6.6.1/30)
[if the WAN IP is obtained by DHCP, pptp, pppoe, etc. select "do not add default route"]
bri-local (ether2+3+4, etc.) LAN Private IP 192.168.88.1/24
VPN (no matter what type, is just an example) Private IP 172.16.88.2/30 (other side 172.16.88.1/30)
Static routes:
ip.of.other.vpn.side -> 6.6.6.1
0.0.0.0/0 -> 172.16.88.1
NAT
Only from 192.168.88.0/24 to VPN

If the internet/VPN does not work, the internal LAN does not go out.
 
Hamo61
just joined
Topic Author
Posts: 9
Joined: Tue Apr 19, 2022 11:56 am

Re: Block internet when VPN is lost

Wed Apr 20, 2022 5:40 pm

> If you do not understand my post, for example:
> ether1 WAN Public IP 6.6.6.2/30 (assuming the other side is 6.6.6.1/30)
> [if the WAN IP is obtained by DHCP, pptp, pppoe, etc. select "do not add default route"]
> bri-local (ether2+3+4, etc.) LAN Private IP 192.168.88.1/24
> VPN (no matter what type, is just an example) Private IP 172.16.88.2/30 (other side 172.16.88.1/30)
> Static routes:
> ip.of.other.vpn.side -> 6.6.6.1
> 0.0.0.0/0 -> 172.16.88.1
> NAT
> Only from 192.168.88.0/24 to VPN
>
> If the internet/VPN does not work, the internal LAN does not go out.

Thanks for the answer. Could you explain to me how to set it up? I'm totally new at this and I don't have much experience :(
I also have wlan. Not only lan
 
qorka
just joined
Posts: 1
Joined: Thu Jun 02, 2022 12:43 pm

Re: Block internet when VPN is lost

Thu Jun 02, 2022 12:46 pm

I have the same question (if I understand it correctly). Let me rephrase it.

I configure a VPN connection on my MikroTik router (as a client).
For security reasons, in case the VPN server goes down, I would like to suppress all the traffic to avoid an IP leak.
Basically, I am looking for an option (VPN or none): no VPN -> no internet traffic
 
kevinds
Long time Member
Posts: 638
Joined: Wed Jan 14, 2015 8:41 am

Re: Block internet when VPN is lost

Tue Jun 07, 2022 2:06 am

> Basically, I am looking for an option (VPN or none): no VPN -> no internet traffic

Have the 0.0.0.0/0 route use the VPN as the gateway. Set a static route for the VPN's IP to use the 'normal' gateway.
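
The routing setup that rextended and kevinds describe, written out as RouterOS commands. This is an added example, not part of any post in the thread: it reuses the addresses from rextended's example, while 203.0.113.10 (standing in for the VPN server's public IP), the interface name l2tp-out1, and the final filter rule are assumptions.

```routeros
# Added example. Addresses come from rextended's post; 203.0.113.10 and
# l2tp-out1 are placeholders for the VPN server's public IP and the
# L2TP client interface on this router.

# 1. WAN must not install a default route through the ISP.
#    Static WAN address: simply do not add one.
#    DHCP WAN: stop the client from adding it.
/ip dhcp-client set [find interface=ether1] add-default-route=no

# 2. The only destination reachable through the ISP gateway is the VPN server,
#    so the tunnel itself can still be established.
/ip route add dst-address=203.0.113.10/32 gateway=6.6.6.1 comment="VPN server via WAN"

# 3. Everything else goes to the far end of the tunnel. While the tunnel is
#    down, 172.16.88.1 is unreachable, this route is inactive, and LAN/WLAN
#    clients have no path to the internet (fail closed).
/ip route add dst-address=0.0.0.0/0 gateway=172.16.88.1 comment="default via VPN"

# 4. NAT only toward the tunnel. Review existing srcnat rules and remove any
#    masquerade rule that matches traffic leaving through ether1.
/ip firewall nat print
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    out-interface=l2tp-out1 action=masquerade comment="LAN to VPN only"

# 5. Assumed extra safeguard, not from the thread: drop anything forwarded
#    out of the WAN port, in case a default route via ether1 reappears
#    (for example after a DHCP client is re-created with default settings).
#    The router's own L2TP/IPsec packets use the output chain and are not affected.
/ip firewall filter add chain=forward out-interface=ether1 action=drop \
    comment="no forwarded traffic out of WAN"

# Check: with the tunnel disabled, the 0.0.0.0/0 route must show as inactive
# and no other default route may be listed.
/ip route print where dst-address=0.0.0.0/0
```

The filter rule in step 5 has to sit above any accept rule that would match new connections from the LAN. WLAN clients are covered as well, because the rule matches on the outgoing interface rather than on the source.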
