pchott
newbie
Topic Author
Posts: 44
Joined: Tue Apr 29, 2014 11:15 am
Location: Holzkirchen, Germany

redirecting Bridge Internet traffic to local gateway and not over VPN

Fri Sep 09, 2022 12:03 pm

Status: clients have a static IP and gateway configuration at the remote location; the main network is accessed over VPN, and that is where the main gateway is.

Problem: At the remote location we want to filter the internet traffic that should go through the local gateway and send it directly to the internet. The main problem here is how to pull that traffic out of the "bridge". Somehow I cannot manage to properly configure the "use-ip-firewall" option.

## Client config
* IP: 10.22.11.2/16
* GW: 10.22.1.1
* DNS: 10.22.1.1

## Main location

IP: 10.22.1.1/16

## REMOTE location (where the problem is)

Config export:
# jan/02/1970 03:01:43 by RouterOS 7.5
# software id = 2SDY-BY0I
#
# model = RB5009UG+S+
# serial number = EC190FA98E0E
/interface bridge
add fast-forward=no name=LOCAL protocol-mode=none
/interface eoip
add local-address=192.168.99.9 mac-address=02:C9:94:90:D4:E7 name=eoip-tunnel1  remote-address=192.168.99.1 tunnel-id=534
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key="AL2VEB22IIEuF9K+GtaEKJhjF87lXZEL9C3Dj/Q4sEQ="
/interface bridge port
add bridge=LOCAL hw=no interface=ether8
add bridge=LOCAL hw=no interface=ether7
add bridge=LOCAL hw=no interface=ether6
add bridge=LOCAL hw=no interface=ether5
add bridge=LOCAL interface=eoip-tunnel1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set accept-redirects=yes accept-source-route=yes allow-fast-path=no route-cache=no secure-redirects=no tcp-syncookies=yes
/interface wireguard peers
add allowed-address=192.168.99.0/24 endpoint-address=123,234.234.234 endpoint-port=9876 interface=wireguard1 public-key="gdZXfmvAYK6TELJUr/A/MeNnnRvXGOyeB7a82xc+5BU="
/ip address
add address=10.22.11.1/16 interface=LOCAL network=10.22.0.0
add address=192.168.99.9/24 interface=wireguard1 network=192.168.99.0
/ip dhcp-client
add interface=ether1
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=10.22.1.1 new-connection-mark=conn_gw passthrough=yes
add action=mark-packet chain=prerouting connection-mark=conn_gw new-packet-mark=pack_gw passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
My first goal, to get some traffic hitting the connection and packet marking, failed: counters are all 0 :(

Does anyone have an idea how to properly redirect "internet traffic" to the local gateway? Thanks for any tips & tricks :?: :idea:
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: redirecting Bridge Internet traffic to local gateway and not over VPN

Fri Sep 09, 2022 12:57 pm

Are we talking about an entire subnet, 2-10 users, 50 users, etc.?
 
pchott
newbie
Topic Author
Posts: 44
Joined: Tue Apr 29, 2014 11:15 am
Location: Holzkirchen, Germany

Re: redirecting Bridge Internet traffic to local gateway and not over VPN

Mon Sep 12, 2022 9:21 am

Hi anav,

We are talking about 10 users, sadly not the same ones all the time. The main problem is that these are industrial devices where I cannot simply change the gateway IP every time they are at the remote location, and DHCP is not supported on some devices :((

... i am kind of stuck
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: redirecting Bridge Internet traffic to local gateway and not over VPN

Mon Sep 12, 2022 10:12 am

> Somehow I cannot manage to properly configure the "use-ip-firewall" option.

That's because use-ip-firewall has a different purpose. You need something else: bridge nat rules.

Assuming you want traffic towards private addresses to use the remote gateway and traffic towards public ones to get routed by the Mikrotik, the rules would look something like this:
/interface bridge nat
add chain=dstnat in-interface=etherX mac-protocol=ip dst-address=10.0.0.0/8 action=accept
add chain=dstnat in-interface=etherX mac-protocol=ip dst-address=172.16.0.0/12 action=accept
add chain=dstnat in-interface=etherX mac-protocol=ip dst-address=192.168.0.0/16 action=accept
add chain=dstnat in-interface=etherX mac-protocol=ip action=redirect


etherX is the bridge port to which the device is connected. If the Mikrotik itself is not the actual gateway to the Internet, use action=dst-nat to-dst-mac-address=mac:of:the:actual:gw.
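An added worked example, not part of sindy's reply or the original poster's config, that carries the bridge nat approach through to a complete remote-site policy. It assumes the bridge ports ether5-ether8 from the posted export are the client-facing ports, that ether1 is the local WAN (the DHCP client and masquerade rule from the export), and that in-interface-list is accepted as a matcher in /interface bridge nat on this RouterOS 7 build; the interface list name and the placeholder MAC in the commented dst-nat line are the example's own.

```routeros
# Added example: local internet breakout for bridged clients whose static
# gateway (10.22.1.1) lives at the main site behind the EoIP/WireGuard tunnel.
# Assumptions: client devices hang off ether5-ether8, ether1 is the local WAN,
# and in-interface-list is supported in bridge nat (RouterOS 7).

# Group the client-facing ports so devices may move between them.
/interface list
add name=CLIENT_PORTS
/interface list member
add interface=ether5 list=CLIENT_PORTS
add interface=ether6 list=CLIENT_PORTS
add interface=ether7 list=CLIENT_PORTS
add interface=ether8 list=CLIENT_PORTS

# Bridge NAT, dstnat chain: evaluated before the frame is bridged toward the
# EoIP tunnel. Private destinations (the main site is inside 10.0.0.0/8) are
# accepted and keep flowing to 10.22.1.1 over the VPN. Everything else gets
# its destination MAC rewritten to the bridge's own MAC, so the frame is
# handed to the local IP stack and routed out ether1 instead.
/interface bridge nat
add chain=dstnat in-interface-list=CLIENT_PORTS mac-protocol=ip dst-address=10.0.0.0/8 action=accept comment="private: stay on VPN"
add chain=dstnat in-interface-list=CLIENT_PORTS mac-protocol=ip dst-address=172.16.0.0/12 action=accept comment="private: stay on VPN"
add chain=dstnat in-interface-list=CLIENT_PORTS mac-protocol=ip dst-address=192.168.0.0/16 action=accept comment="private: stay on VPN"
add chain=dstnat in-interface-list=CLIENT_PORTS mac-protocol=ip action=redirect comment="public: route via local WAN"
# If some other box on the LAN is the real internet gateway, use a MAC
# rewrite toward it instead of redirect (the MAC below is a placeholder):
# add chain=dstnat in-interface-list=CLIENT_PORTS mac-protocol=ip action=dst-nat to-dst-mac-address=AA:BB:CC:DD:EE:FF comment="public: hand to local gw"

# Once redirected, the packets are routed, not bridged, so the ordinary IP
# firewall and the existing srcnat masquerade on ether1 apply. These filter
# rules keep the breakout from acting as an open forwarder from the WAN side.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=LOCAL out-interface=ether1 action=accept comment="client breakout"
add chain=forward in-interface=ether1 connection-state=new action=drop comment="no unsolicited inbound"
```

Two things to check after applying it: the bridge nat counters should now increment for the redirect rule while the accept rules catch traffic to 10.22.x.x, and the clients' replies come back correctly because the router has a connected route for 10.22.0.0/16 on LOCAL and delivers them straight to the client port. The rules match mac-protocol=ip only, so ARP to 10.22.1.1 still crosses the tunnel (the clients must keep resolving their configured gateway), and IPv6, if ever enabled on those devices, is not covered by this breakout.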
