pinomat
just joined
Topic Author
Posts: 6
Joined: Wed Apr 27, 2022 11:09 pm

Routing specific port to VPN connection

Sat Sep 03, 2022 11:20 pm

Hello,

I am trying to solve the following problem: route specific traffic through my VPN (a Debian server with a VPN client): IP 192.168.60.100, all ports except 16754, 443, 80. The rest of the traffic should stay internal, using the main table, or go out via my ISP connection. The main router is a CHR installed on a Proxmox host with ip. Only ports tcp 16754, 443, 80 are forwarded from the Internet (ISP) to the NAS. All outgoing connections from the Synology (proxy, https, ftp, ...) should be forwarded to the Internet via the VPN.
I use a Debian server with a VPN client (192.168.50.80) which takes care of masquerading and some specific rules that previously worked with a pfSense server, which I replaced (or want to definitively replace) with a MikroTik CCR.
I tried to solve it in a lot of ways:
- routing table + routing rule + mangle routing mark
- routing table + routing rule + mangle routing mark + mangle connection mark
- routing table + routing rule + masquerading...
I know that a lot of people have already had the same sort of problem, and I have already looked at dozens of posts which did not solve my problem. I want to forward my traffic through my VPN.
- I used the advanced firewall recommendation
/routing table
add disabled=no fib name=rtab-VPN

/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack connections" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept established/related/untracked sessions" connection-state=established,related,untracked
add action=accept chain=forward dst-address=192.168.60.100
add action=accept chain=forward src-address=192.168.60.100
add action=drop chain=forward comment="Drop invalid sessions" connection-state=invalid
..... a lot of personal rules here
add action=drop chain=forward comment="Drop all from WAN not NATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all other packets from LAN to LAN" in-interface-list=ALL_LAN out-interface-list=ALL_LAN

add action=accept chain=input comment="Accept established/related sessions" connection-state=established,related
add action=drop chain=input comment="Drop invalid sessions" connection-state=invalid
add action=accept chain=input comment="Accept ICMP from HOME_LAN" in-interface-list=HOME_LAN protocol=icmp
add action=accept chain=input comment="Accept tcp DNS from ALL_LAN" dst-port=53 in-interface-list=ALL_LAN protocol=tcp
add action=accept chain=input comment="Accept udp DNS from ALL_LAN" dst-port=53 in-interface-list=ALL_LAN protocol=udp
add action=accept chain=input comment="Accept SSH/HTTPS/Winbox from ADMIN_LAN" dst-port=22,443,8291 in-interface-list=ADMIN_LAN protocol=tcp
add action=accept chain=input comment="Accept HTTP (unsecure) from ADMIN_LAN" dst-port=80 in-interface-list=ADMIN_LAN protocol=tcp
add action=drop chain=input comment="Drop all other packets to the router"

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/16 dst-port=443 new-routing-mark=rtab-VPN passthrough=no protocol=tcp src-address=192.168.60.100

/ip firewall nat
add action=masquerade chain=srcnat comment="Accept masquerade from LAN" out-interface=br-wan

/ip firewall raw
add action=accept chain=prerouting comment="Accept DHCP from ALL_LAN" dst-address=255.255.255.255 dst-port=67 in-interface-list=ALL_LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="Drop bad source packets" src-address-list=def_bad_ipv4
add action=drop chain=prerouting comment="Drop bad destination packets" dst-address-list=def_bad_ipv4
add action=drop chain=prerouting comment="Drop bad source packets" src-address-list=def_bad_src_ipv4
add action=drop chain=prerouting comment="Drop bad destination packets" dst-address-list=def_bad_dst_ipv4
add action=drop chain=prerouting comment="Drop bad source packets from WAN" in-interface-list=WAN src-address-list=def_not_global_ipv4
add action=drop chain=prerouting comment="Drop bad udp packets" port=0 protocol=udp
add action=accept chain=prerouting comment="Accept all the rest from ALL_LAN network" in-interface-list=ALL_LAN
add action=accept chain=prerouting comment="Accept all the rest from WAN OrangeIGMP network" in-interface-list=WAN
add action=drop chain=prerouting comment="Drop all other packets to the router" disabled=yes

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.50.80 routing-table=rtab-VPN suppress-hw-offload=no

/ipv6 firewall raw
add action=drop chain=prerouting

/routing rule
add action=lookup-only-in-table disabled=no routing-mark=rtab-VPN table=rtab-VPN
The schema is in the attached image (purevpn_vm.jpg).
Thank you
 
pinomat
just joined
Topic Author
Posts: 6
Joined: Wed Apr 27, 2022 11:09 pm

Re: Routing specific port to VPN connection  [SOLVED]

Mon Sep 05, 2022 12:53 pm

Finally, I found the problem (packets from the VPN were not forwarded by the router). Now it works like a charm.
So here is my solution.

  1. Create a routing table (fib) "rtVPN"
  2. Create a route to the VPN server, 0.0.0.0/0 via gateway 192.168.50.80, in the "rtVPN" routing table
  3. Mark packets in the mangle prerouting chain from 192.168.60.100 to not 192.168.0.0/16 (exclude local traffic) and not from source tcp ports 16754, 443, 80 with new-packet-mark "pkVPN"
  4. Mark routing in the mangle prerouting chain for all packets marked "pkVPN" in step 3 with new-routing-mark "rtVPN"
  5. Mark packets in the mangle prerouting chain from all established,related connections with in-interface Network (VPN interface) / destination 192.168.60.100 / source not 192.168.50.80 (to avoid tagging DNS traffic)
  6. You can safely disable passthrough (sparing some CPU, as the packet will not pass through all following mangle rules)
  7. Create a routing rule lookup-only-in-table "rtVPN" for packets with routing-mark "rtVPN"
  8. Accept in the filter forward chain packets marked "pkVPN" from in-interface Network (VPN interface)

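The eight steps above written out as a complete RouterOS v7 configuration fragment. This is an added example, not the poster's exported configuration: the names rtVPN and pkVPN, the NAS address 192.168.60.100, the Debian VPN host 192.168.50.80 and the 16754,443,80 exclusions come from the post; the interface name br-vpn for the CHR's leg on the 192.168.50.0/24 network, and the comment text used to position the accept rule, are assumptions.

```routeros
# Added example (not the poster's exported config): RouterOS v7 commands for the
# eight steps of the solution. Interface "br-vpn" (CHR side of 192.168.50.0/24)
# is an assumption; adjust to the interface that faces the Debian VPN host.

# Step 1: a routing table with its own FIB
/routing table
add name=rtVPN fib comment="policy table for NAS traffic via VPN"

# Step 2: default route of that table via the Debian VPN host
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.50.80 routing-table=rtVPN \
    comment="rtVPN default -> Debian VPN client"

/ip firewall mangle
# Step 3: mark NAS packets leaving the LAN, except replies of the three TCP
# services the ISP forwards to the NAS (their source port is 16754/443/80 on
# the NAS side, and they must go back the way they came, via the ISP).
add chain=prerouting src-address=192.168.60.100 dst-address=!192.168.0.0/16 \
    protocol=tcp src-port=!16754,443,80 \
    action=mark-packet new-packet-mark=pkVPN passthrough=yes \
    comment="NAS TCP (not forwarded services) -> pkVPN"
add chain=prerouting src-address=192.168.60.100 dst-address=!192.168.0.0/16 \
    protocol=!tcp \
    action=mark-packet new-packet-mark=pkVPN passthrough=yes \
    comment="NAS non-TCP -> pkVPN"
# Step 4 (+6): route everything marked pkVPN through rtVPN; this is the last
# mangle rule these packets need, so passthrough is off.
add chain=prerouting packet-mark=pkVPN \
    action=mark-routing new-routing-mark=rtVPN passthrough=no \
    comment="pkVPN -> rtVPN"
# Step 5 (+6): tag the answers coming back from the VPN host so the forward
# filter can recognise them. The VPN host's own address is excluded so that
# DNS replies it answers itself are not tagged.
add chain=prerouting in-interface=br-vpn connection-state=established,related \
    dst-address=192.168.60.100 src-address=!192.168.50.80 \
    action=mark-packet new-packet-mark=pkVPN passthrough=no \
    comment="VPN return traffic to NAS -> pkVPN"

# Step 7: only consult rtVPN for packets carrying that routing mark
/routing rule
add routing-mark=rtVPN action=lookup-only-in-table table=rtVPN

# Step 8: let the tagged return traffic through. It has to sit above any rule
# that drops LAN-to-LAN forwarding (the first post's "Drop all other packets
# from LAN to LAN"), hence place-before on that rule's comment; change the
# comment text if your drop rule is named differently.
/ip firewall filter
add chain=forward in-interface=br-vpn packet-mark=pkVPN action=accept \
    comment="Accept VPN return traffic to NAS" \
    place-before=[find comment="Drop all other packets from LAN to LAN"]
```

Two caveats that are not in the post. First, the accept rule in step 8 only matches packets that already carry pkVPN, and step 5 only sets that mark on established,related packets, so nothing new can be initiated from the VPN network towards the NAS through this rule. Second, fasttracked connections bypass mangle: if a fasttrack-connection rule like the one in the first post is kept, its later packets would lose the routing mark and fall back to the main table, i.e. leave via the ISP instead of the VPN. Exclude these connections from it, for example by adding packet-mark=!pkVPN to the fasttrack rule.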