horizn
Frequent Visitor (Topic Author)

Routing specific IP only via the VPN (routing-mark doesn't work)

Sat Mar 12, 2022 7:02 pm

Hi,
I have my MT configured as a Wireguard client, which works fine. Now I'd like to route a specific device (FireTV Stick) in my home network through this VPN connection. I found this how-to:
https://superuser.com/a/999549
but the problem is that routing-mark is broken or no longer supported in ROS 7.1.3:
[admin@MikroTik] > /ip route add dst-address=0.0.0.0/0 distance=1 gateway=192.168.102.1 routing-mark=vpn
expected end of command (line 1 column 70)
Other tutorials on the internet are based on the same routing-mark method; any idea how I can do this now?
 
Sob
Forum Guru

Sat Mar 12, 2022 7:45 pm

You need to define a routing table first (in /routing/table), and the route's parameter is now named routing-table. And instead of using a mangle rule, you can use a routing rule:
/routing rule
add src-address=x.x.x.x/32 action=lookup-only-in-table table=vpn
 
horizn
Frequent Visitor (Topic Author)

Sat Mar 12, 2022 8:34 pm

> You need to define a routing table first (in /routing/table), and the route's parameter is now named routing-table. And instead of using a mangle rule, you can use a routing rule:
> /routing rule
> add src-address=x.x.x.x/32 action=lookup-only-in-table table=vpn
ok, so that doesn't work:
> /routing/table/add name=pve-vpn
> /ip route add dst-address=0.0.0.0/0 distance=1 gateway=192.168.102.1 routing-table=pve-vpn
> /ip firewall nat add chain=srcnat out-interface=wireguard-client-pve action=masquerade
> /routing/rule/add src-address=192.168.1.105/32 action=lookup-only-in-table table=pve-vpn
input does not match any value of table

> /routing/table/print 
Flags: D - dynamic; X - disabled, I - invalid; U - used 
 0 D   name="main" fib 

 1     name="pve-vpn" 
EDIT:
Adding the route table with FIB enabled made it available in the last command; however, the IP (192.168.1.105) lost access to the internet, so it doesn't work this way.
 
Sob
Forum Guru

Sat Mar 12, 2022 9:18 pm

There's nothing clearly wrong here. You added a new routing table with a default gateway and told the router that 192.168.1.105 should use it. So if 192.168.102.1 is reachable (you have some address/mask on the WG interface where the subnet contains 192.168.102.1), if it's not blocked by the local or remote firewall, the tunnel works, etc... it should work.
 
horizn
Frequent Visitor (Topic Author)

Sat Mar 12, 2022 10:16 pm

> There's nothing clearly wrong here. You added a new routing table with a default gateway and told the router that 192.168.1.105 should use it. So if 192.168.102.1 is reachable (you have some address/mask on the WG interface where the subnet contains 192.168.102.1), if it's not blocked by the local or remote firewall, the tunnel works, etc... it should work.
VPN is up and running, from MT:
[admin@MikroTik] > ping 192.168.102.1
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.102.1                              56  64 85ms198us
    1 192.168.102.1                              56  64 37ms710us
    2 192.168.102.1                              56  64 37ms67us
    3 192.168.102.1                              56  64 37ms442us
    sent=4 received=4 packet-loss=0% min-rtt=37ms67us avg-rtt=49ms354us max-rtt=85ms198us
From my desktop (not 192.168.1.105):
❯ mtr 192.168.102.1 --report
Start: 2022-03-12T20:07:45+0000
HOST: k-desktop                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    10    0.4   0.4   0.3   0.5   0.0
  2.|-- 192.168.102.1              0.0%    10   37.3  37.0  36.7  37.3   0.2
or to my mobile connected to the same VPN:
❯ mtr 192.168.102.3 --report
Start: 2022-03-12T20:15:29+0000
HOST: k-desktop                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    10    0.3   0.4   0.3   0.5   0.1
  2.|-- 192.168.102.1              0.0%    10   37.4  37.3  37.0  37.8   0.3
  3.|-- 192.168.102.3              0.0%    10  107.5 113.5  76.1 165.6  30.5
 
Sob
Forum Guru

Sat Mar 12, 2022 10:22 pm

And ping from 192.168.1.105 to 192.168.102.1? Or anything else from 192.168.1.105: do you see it on the wireguard-client-pve interface using Tools->Torch?
 
horizn
Frequent Visitor (Topic Author)

Sat Mar 12, 2022 10:33 pm

> And ping from 192.168.1.105 to 192.168.102.1? Or anything else from 192.168.1.105: do you see it on the wireguard-client-pve interface using Tools->Torch?
I can't ping anything except 192.168.1.x hosts from .105:
❯ ping 192.168.102.1   
PING 192.168.102.1 (192.168.102.1) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=3 Destination Net Unreachable

❯ ping 1.1.1.1      
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Net Unreachable
From 192.168.1.1 icmp_seq=2 Destination Net Unreachable
So it looks like routing is missing somewhere.

Also there is nothing in Torch for this interface.
 
anav
Forum Guru

Sat Mar 12, 2022 10:41 pm

removed
Last edited by anav on Sun Mar 13, 2022 4:25 am, edited 1 time in total.
 
horizn
Frequent Visitor (Topic Author)

Sat Mar 12, 2022 11:00 pm

> Did you use a systematic approach?
> viewtopic.php?p=906311#p906311
>
> Please post entire config
> /export file=anynameyouwish
Config attached. I am pretty sure I've done everything that is mentioned in the above link for my particular needs.
 
Sob
Forum Guru

Sat Mar 12, 2022 11:32 pm

I see the route, but not in the pve-vpn table.
 
horizn
Frequent Visitor (Topic Author)

Sun Mar 13, 2022 12:06 am

> I see the route, but not in the pve-vpn table.
ok, so I am lost now. How can I display it and then add it? What am I looking at here:
[admin@MikroTik] > ip/route/print where routing-table 
Flags: D - DYNAMIC; A - ACTIVE; c, s, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS        GATEWAY               DISTANCE
  DAv 0.0.0.0/0          pppoe-out1                   0
  DAc 38.242.191.252/32  pppoe-out1                   0
  DAc 192.168.1.0/24     bridge1                      0
  DAc 192.168.102.0/24   wireguard-client-pve         0
0  As 0.0.0.0/0          192.168.102.1                1

[admin@MikroTik] > routing/route/print 
Flags: A - ACTIVE; c, s, v, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
    DST-ADDRESS           GATEWAY               AFI   DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW        
Av  0.0.0.0/0             pppoe-out1            ip4          0     30            10  pppoe-out1          
Ac  38.242.191.252/32     pppoe-out1            ip4          0     10                pppoe-out1          
Ac  192.168.1.0/24        bridge1               ip4          0     10                bridge1             
Ac  192.168.102.0/24      wireguard-client-pve  ip4          0     10                wireguard-client-pve
As  0.0.0.0/0             192.168.102.1         ip4          1     30            10  wireguard-client-pve
Ac  fe80::%ether1/64      ether1                ip6          0     10                ether1              
Ac  fe80::%bridge1/64     bridge1               ip6          0     10                bridge1             
A H ether1                                      link         0                                           
A H ether2-master                               link         0                                           
A H ether3                                      link         0                                           
A H pppoe-out1                                  link         0                                           
A H bridge1                                     link         0                                           
A H wireguard-client-pve                        link         0                    
Is there an equivalent of the Linux "ip r s" command in MikroTik?
 
Sob
Forum Guru

Sun Mar 13, 2022 12:13 am

"/ip/route/print detail" shows more info, including the routing table. But since in /routing/route/print it points to wireguard-client-pve, it looks like you have the right one. But then you posted an older config (the routing rule is missing there too).
 
anav
Forum Guru

Sun Mar 13, 2022 12:26 am

removed
Last edited by anav on Sun Mar 13, 2022 4:25 am, edited 4 times in total.
 
horizn
Frequent Visitor (Topic Author)

Sun Mar 13, 2022 12:29 am

> "/ip/route/print detail" shows more info, including the routing table. But since in /routing/route/print it points to wireguard-client-pve, it looks like you have the right one. But then you posted an older config (the routing rule is missing there too).
I removed that rule:
/routing/rule/add src-address=192.168.1.105/32 action=lookup-only-in-table table=pve-vpn
because if it is in place then that IP can't access anything except the 192.168.102.0/24 (VPN) and 192.168.1.0/24 (local) networks.
 
horizn
Frequent Visitor (Topic Author)

Sun Mar 13, 2022 12:32 am

> Well it's not clear to me what is at the other end of the wireguard tunnel: another MT device, a third party VPN?
> It is not clear to me what other uses of the wireguard tunnel are currently in place... are there any other local users on that tunnel? Is it for inbound traffic reaching your subnets or internet?
> A clear picture is very helpful to ensure the config covers everything......
It is Wireguard installed on Debian. There are two clients configured on it: my MT router at home and my mobile phone for test purposes. With my mobile connected to it I can access anything I want, routed via the VPN. From MT (client) I can ping the Wireguard server IP (192.168.102.1); I don't know though how I can run traceroute from MT using something other than the default gw, for example 192.168.102.1.
EDIT:
[admin@MikroTik] > tool/traceroute interface=wireguard-client-pve 1.1.1.1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV, STATUS
#  ADDRESS        LOSS  SENT  LAST   AVG  BEST  WORST  STD-DEV  STATUS                             
1  192.168.102.2  0%       3  0.4ms  0.4  0.3   0.5    0.1      host unreachable from 192.168.102.2
2                 0%       0  0ms               

[admin@MikroTik] > tool/traceroute interface=wireguard-client-pve 192.168.102.1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS        LOSS  SENT  LAST    AVG   BEST  WORST  STD-DEV
1  192.168.102.1  0%       6  36.4ms  44.7  36.4  84.2   17.7 
102.1 is the remote server, 102.2 is the MT client IP.
Last edited by horizn on Sun Mar 13, 2022 12:37 am, edited 1 time in total.
 
anav
Forum Guru

Sun Mar 13, 2022 12:37 am

removed
Last edited by anav on Sun Mar 13, 2022 4:26 am, edited 1 time in total.
 
horizn
Frequent Visitor (Topic Author)

Sun Mar 13, 2022 12:48 am

> Okay your explanation is not clear but I will try to make sense of it.
>
> A. You have a wireguard Server Debian OS WHERE? On WHAT?
Not sure if I understand, but it is installed on a bare-metal Dell server in Poland at my dad's company, if that makes sense.

> B. You have two wireguard clients that connect to the Debian Device, a MT device at home, and a smart phone (mobile)
correct

> The smart phone connects to the debian only for internet and anything else?
internet only, I don't need to access the remote LAN network.

> The smart phone connects to the debian and then enters another tunnel and connects to the MT for internet? or anything else?
No, it just connects to Wireguard on Debian and then accesses the internet routed through it. This is for test purposes, to verify that the VPN itself works as expected.

> the MT (user(s) connects to the debian for internet ?
No, MT just has a tunnel to Debian; the purpose is to configure a single client/IP in the MT local network to go through that tunnel. The rest of the clients should access the Internet as normal via the MT pppoe.

> The MT (user(s) connects to the debian for accessing a subnet or server?
Internet only, routed via Debian for a single IP behind the MT. I don't need to access the remote (Debian) LAN.
 
horizn
Frequent Visitor (Topic Author)

Sun Mar 13, 2022 12:55 am

[image attachment]
 
anav
Forum Guru

Sun Mar 13, 2022 1:09 am

......................
Last edited by anav on Sun Mar 13, 2022 4:26 am, edited 2 times in total.
 
anav
Forum Guru

Sun Mar 13, 2022 1:11 am

.....................
Last edited by anav on Sun Mar 13, 2022 4:26 am, edited 1 time in total.
 
horizn
Frequent Visitor (Topic Author)

Sun Mar 13, 2022 1:43 am

> Easy peasy. Looks like most is done!
>
> (1) remove IP address for wg interface
> (2) add necessary route for regular traffic (done already)
> (3) add 'forcing' route for single IP out wg interface
>
> dst-address=0.0.0.0/0 gwy=WANIP gateway table=main {this should already exist as you have checked off add IP route - YES at the pppoe client setup!}
> dst-address=0.0.0.0/0 gwy=wireguard-client-pve table=pve-vpn
It doesn't make any sense:
[admin@MikroTik] > ip/address/print 
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK         INTERFACE           
;;; defconf
0   192.168.1.1/24     192.168.1.0     ether2-master       
1 D x.x.x.x/32  38.242.191.252  pppoe-out1          
2   192.168.102.2/24   192.168.102.0   wireguard-client-pve
[admin@MikroTik] > ip/address/remove numbers=2
Now the tunnel between Debian and MT is down.

What is the full command of this?
> dst-address=0.0.0.0/0 gwy=WANIP gateway table=main {this should already exist as you have checked off add IP route - YES at the pppoe client setup!}
> dst-address=0.0.0.0/0 gwy=wireguard-client-pve table=pve-vpn
 
Sob
Forum Guru

Sun Mar 13, 2022 1:50 am

> It doesn't make any sense:
It sometimes happens with @anav's advice. :lol: It is mostly fine, but he has this personal "quest against addresses" and that one doesn't always work very well.

Btw, I found the problem: you have allowed-address=192.168.102.0/24 for the peer, so that's the only subnet you'll be able to access. If you want access to anything on the internet, you need allowed-address=0.0.0.0/0.
 
horizn
Frequent Visitor (Topic Author)

Sun Mar 13, 2022 2:08 am

> > It doesn't make any sense:
> It sometimes happens with @anav's advice. :lol: It is mostly fine, but he has this personal "quest against addresses" and that one doesn't always work very well.
>
> Btw, I found the problem: you have allowed-address=192.168.102.0/24 for the peer, so that's the only subnet you'll be able to access. If you want access to anything on the internet, you need allowed-address=0.0.0.0/0.
I've changed it to:
add allowed-address=0.0.0.0/0 endpoint-address=46.x.x.x \
    endpoint-port=8443 interface=wireguard-client-pve public-key=\
    "XXXX"
then added rule again:
/routing/rule/add src-address=192.168.1.105/32 action=lookup-only-in-table table=pve-vpn
...and cut this IP from the internet again.
 
Sob
Forum Guru

Sun Mar 13, 2022 2:13 am

Since allowed-address explains why this didn't work, try it again.
 
horizn
Frequent Visitor (Topic Author)

Sun Mar 13, 2022 2:19 am

> Since allowed-address explains why this didn't work, try it again.
It didn't make any difference. I can't ping the Debian Wireguard IP (192.168.102.1); I can only ping the local MT Wireguard IP (102.2) and local network IPs from the 192.168.1.0 network. So it is unlikely this was the problem.
 
Sob
Forum Guru

Sun Mar 13, 2022 2:26 am

It should. You have a route, you have srcnat, the firewall doesn't block it. It's possible that access to the internet wouldn't work because of something on the server side. But at least ping to 192.168.102.1 must work, if it works from the router itself.
 
horizn
Frequent Visitor (Topic Author)

Sun Mar 13, 2022 2:35 am

> It should. You have a route, you have srcnat, the firewall doesn't block it. It's possible that access to the internet wouldn't work because of something on the server side. But at least ping to 192.168.102.1 must work, if it works from the router itself.
I agree that it should, but it doesn't.
I can access both the Debian and MT Wireguard IPs from any device in my local network:
❯ mtr 192.168.102.1 --report
Start: 2022-03-13T00:32:52+0000
HOST: k-desktop                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    10    0.5   0.5   0.4   0.5   0.0
  2.|-- 192.168.102.1              0.0%    10   37.1  37.0  36.7  37.1   0.1
it doesn't matter if:
add allowed-address=192.168.102.0/24 endpoint-address=46.x.x.x \
    endpoint-port=8443 interface=wireguard-client-pve public-key=\
    "XXXX"
is set to 192.168.102.0/24 or 0.0.0.0/0

Then I can't access the Debian WG IP address or the internet when I issue:
/routing/rule/add src-address=192.168.1.39/32 action=lookup-only-in-table table=pve-vpn
1.39 is my desktop PC, but it can be any other IP in my local network (192.168.1.0).
 
Sob
Forum Guru

Sun Mar 13, 2022 2:48 am

Is it the same "From 192.168.1.1 icmp_seq=3 Destination Net Unreachable" as before, or something else? And the route: in the export it was:
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.102.1
but it was either some export error or an old config, and it definitely has routing-table=pve-vpn now, correct?
 
horizn
Frequent Visitor (Topic Author)

Re: Routing specific IP only via the VPN (routing-mark doesn't work)  [SOLVED]

Sun Mar 13, 2022 3:06 am

> Is it the same "From 192.168.1.1 icmp_seq=3 Destination Net Unreachable" as before, or something else? And the route: in the export it was:
> /ip route
> add distance=1 dst-address=0.0.0.0/0 gateway=192.168.102.1
> but it was either some export error or an old config, and it definitely has routing-table=pve-vpn now, correct?
ok, got it working now.
ip/route/add dst-address=0.0.0.0/0 routing-table=pve-vpn gateway=wireguard-client-pve
/routing/rule/add src-address=192.168.1.39/32 action=lookup-only-in-table table=pve-vpn
Without the second command traffic goes via the normal route; after the second command it goes via the VPN for this IP only.
There is something I don't understand. In the UI in IP/Routes the DST address for WG is still 192.168.102.0/24; not sure if this is a bug or I am looking in the wrong place.
However, thanks for your help guys!
 
Sob
Forum Guru

Sun Mar 13, 2022 3:11 am

There's a dynamic route to 192.168.102.0/24, which is created by the address 192.168.102.2/24 that you have on wireguard-client-pve. That's correct.
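The two mechanisms this thread turns on are (a) the v7 routing rule that sends one source address into a separate routing table, with the difference between action=lookup and action=lookup-only-in-table that Sob described in the first reply, and (b) the WireGuard peer allowed-address list that Sob identified later, which decides whether a packet routed to the tunnel interface is ever sent to the peer. The following Python model is an added example written for this thread; it is not RouterOS code or code from any of the participants. It models the rule/table lookup as the RouterOS documentation describes it (lookup falls through when the table has no matching route, lookup-only-in-table does not), models WireGuard's cryptokey routing as a destination check against allowed-address, and uses a constructed router state that mirrors the /ip/route/print output and the final commands in the solved post. Names such as build() and egress() are the example's own.

```python
# Added example (not from the thread or from MikroTik): a small model of RouterOS v7
# policy routing plus the WireGuard allowed-address check, to show why the FireTV
# address ends up dropped in one configuration and tunnelled in another.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dst: Net
    gateway: str  # egress interface, as in the solved post (gateway=wireguard-client-pve)


@dataclass(frozen=True)
class Rule:
    src: Net
    action: str  # "lookup" or "lookup-only-in-table"
    table: str


@dataclass
class Router:
    tables: Dict[str, List[Route]]  # routing table name -> routes
    rules: List[Rule]               # evaluated in order
    wg_allowed: List[Net]           # allowed-address list of the WireGuard peer
    wg_iface: str = "wireguard-client-pve"


def longest_match(routes: List[Route], dst: IPv4) -> Optional[Route]:
    """Plain longest-prefix match within one routing table."""
    best = None
    for r in routes:
        if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def select_route(router: Router, src: IPv4, dst: IPv4) -> Tuple[Optional[Route], str]:
    """The first rule matching the source decides which table is consulted.
    action=lookup falls through (next rule, then main) when that table has no
    matching route; action=lookup-only-in-table stops there, so the packet has
    no route at all."""
    for rule in router.rules:
        if src not in rule.src:
            continue
        hit = longest_match(router.tables.get(rule.table, []), dst)
        if hit is not None:
            return hit, rule.table
        if rule.action == "lookup-only-in-table":
            return None, rule.table
    return longest_match(router.tables["main"], dst), "main"


def egress(router: Router, src: str, dst: str) -> str:
    """Return the interface a packet leaves on, or a 'dropped: ...' reason."""
    s, d = IPv4(src), IPv4(dst)
    route, table = select_route(router, s, d)
    if route is None:
        return f"dropped: no route for {dst} in table {table}"
    # WireGuard cryptokey routing: a packet handed to the tunnel interface is sent
    # to the peer only if its destination lies inside that peer's allowed-address.
    if route.gateway == router.wg_iface and not any(d in n for n in router.wg_allowed):
        return f"dropped: {dst} outside peer allowed-address on {router.wg_iface}"
    return route.gateway


# Constructed router state mirroring the thread: the main table from the
# /ip/route/print output, a pve-vpn table with a default route out of the tunnel,
# and one rule for the FireTV address 192.168.1.105.
MAIN = [
    Route(Net("0.0.0.0/0"), "pppoe-out1"),
    Route(Net("192.168.1.0/24"), "bridge1"),
    Route(Net("192.168.102.0/24"), "wireguard-client-pve"),
]
PVE_VPN = [Route(Net("0.0.0.0/0"), "wireguard-client-pve")]


def build(allowed: str, vpn_table: List[Route] = PVE_VPN,
          action: str = "lookup-only-in-table") -> Router:
    """Hypothetical helper: assemble a Router for one allowed-address setting."""
    rule = Rule(Net("192.168.1.105/32"), action, "pve-vpn")
    return Router({"main": MAIN, "pve-vpn": vpn_table}, [rule], [Net(allowed)])


if __name__ == "__main__":
    for allowed in ("192.168.102.0/24", "0.0.0.0/0"):
        r = build(allowed)
        print(f"allowed-address={allowed}:")
        for dst in ("192.168.102.1", "1.1.1.1"):
            print(f"  192.168.1.105 -> {dst}: {egress(r, '192.168.1.105', dst)}")
        print(f"  192.168.1.39  -> 1.1.1.1: {egress(r, '192.168.1.39', '1.1.1.1')}")
    # The early 'lost access to the internet' symptom: a table with no usable route.
    print("empty pve-vpn, lookup-only-in-table:",
          egress(build("0.0.0.0/0", vpn_table=[]), "192.168.1.105", "1.1.1.1"))
    print("empty pve-vpn, lookup:",
          egress(build("0.0.0.0/0", [], "lookup"), "192.168.1.105", "1.1.1.1"))
```

With allowed-address=192.168.102.0/24 the model routes 1.1.1.1 to the tunnel but the peer check drops it, and only 192.168.102.1 gets through; with 0.0.0.0/0 both pass, while 192.168.1.39 still leaves via pppoe-out1 because no rule matches it. The last two lines show why lookup-only-in-table cuts a host off entirely when its table has no matching route, whereas action=lookup would fall back to main.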
 
anav
Forum Guru

Sun Mar 13, 2022 4:08 am

....................
Last edited by anav on Sun Mar 13, 2022 4:27 am, edited 1 time in total.
 
anav
Forum Guru

Sun Mar 13, 2022 4:13 am

...........................
 
BrianRS
newbie

Thu Jan 26, 2023 12:50 pm

Hey everyone,

So I'm having the same difficulty trying to route all traffic for one LAN client from one site via the WG tunnel to the other site.
Both sites have MikroTik routers and I can ping across the sites both ways, so that bit I'm happy with.
But trying to force ALL TRAFFIC for just one LAN client from one site to the other via the WG tunnel is not happening; I suspect my routing rule is incorrect?
****@MikroTik] > /ip/route/print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; + - ecmp 
 0  Xs   dst-address=0.0.0.0/0 routing-table=to_WAN02 pref-src="" gateway=eth5 - WAN2 (4G) check-gateway=ping distance=2 scope=255 target-scope=10 suppress-hw-offload=no 

 1  Xs   dst-address=0.0.0.0/0 routing-table=to_WAN01 pref-src="" gateway=PPPoE - ZEN check-gateway=ping distance=1 scope=255 target-scope=10 suppress-hw-offload=no 

   D d   dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=10.241.127.182 immediate-gw=10.241.127.182%eth5 - WAN2 (4G) distance=2 scope=30 target-scope=10 vrf-interface=eth5 - WAN2 (4G) suppress-hw-offload=no 

   DAv   dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=PPPoE - ZEN immediate-gw=PPPoE - ZEN distance=1 scope=30 target-scope=10 vrf-interface=PPPoE - ZEN suppress-hw-offload=no 

   DAc   dst-address=10.241.127.180/30 routing-table=main gateway=eth5 - WAN2 (4G) immediate-gw=eth5 - WAN2 (4G) distance=0 scope=10 suppress-hw-offload=no local-address=10.241.127.181%eth5 - WAN2 (4G) 

   DAc   dst-address=51.148.77.133/32 routing-table=main gateway=PPPoE - ZEN immediate-gw=PPPoE - ZEN distance=0 scope=10 suppress-hw-offload=no local-address="my public IP"%PPPoE - ZEN 

   DAc   dst-address=172.16.10.0/23 routing-table=main gateway=BRIDGE immediate-gw=BRIDGE distance=0 scope=10 suppress-hw-offload=no local-address=172.16.11.1%BRIDGE 

 2  As   dst-address=192.168.11.0/24 routing-table=main pref-src="" gateway=WG-MikroTik-GB immediate-gw=WG-MikroTik-GB distance=1 scope=30 target-scope=10 suppress-hw-offload=no 

   DAc   dst-address=192.168.88.0/24 routing-table=main gateway=WG-MikroTik-GB immediate-gw=WG-MikroTik-GB distance=0 scope=10 suppress-hw-offload=no local-address=192.168.88.2%WG-MikroTik-GB 

 3  As   dst-address=0.0.0.0/0 routing-table=WG pref-src="" gateway=192.168.88.1 immediate-gw=192.168.88.1%WG-MikroTik-GB check-gateway=ping distance=1 scope=30 target-scope=10 suppress-hw-offload=no 
Any ideas?

Many thanks,
B
 
anav
Forum Guru

Thu Jan 26, 2023 2:53 pm

Yes, you could start a new thread but since that one is old, and has bad memories I am loathe to help....... J/K

Yes post your config and all will be fixed.

/export file=anynameyouwish ( minus router serial# and any public WANIP information, keys etc. )
 
BrianRS
newbie

Thu Jan 26, 2023 4:14 pm

Opened viewtopic.php?p=980280 as requested, with all the required info.
Thanks @anav
 
marcinx
just joined

Thu Jan 26, 2023 8:11 pm

I have added a post about my problem, but for some unknown reason it is not publicly available.

Hi

I am trying to configure a Mikrotik router as follows:
- I have the Internet connected to the ether1 port, where I get an IP address using a DHCP client.
- On the router, I configure the VPN client (ovpn) - interface (ovpn-out1).
- I add the interface (ovpn-out1) to the masquerade:
ip firewall nat add chain=srcnat out-interface=ovpn-out1 action=masquerade
At this point I am able to select the ether1 or ovpn1 link (outgoing IP address) for all devices on the network without any problem by manipulating the "Default Route Distance" value in the DHCP client for the ether1 interface.
Choosing the ovpn-out1 interface:
ip dhcp-client set wlan1 default-route-distance=10
Choosing the ether1 interface:
ip dhcp-client set wlan1 default-route-distance=1
Currently, I need to make a modification so that the choice of link depends on whether the computer connects to the ether2 or ether3 interface.
I tried to do it as follows:
I remove the ether3 interface from the bridge and create a new bridge2, to which I add the ether3 interface.
Next:
routing table add name=mark_WAN1 fib
routing table add name=mark_VPN fib
ip firewall mangle add chain=prerouting in-interface=bridge action=mark-routing new-routing-mark=mark_WAN1 passthrough=no
ip firewall mangle add chain=prerouting in-interface=bridge2 action=mark-routing new-routing-mark=mark_VPN passthrough=no
ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=mark_WAN1
At this point, access to the router using the IP address fails; by MAC address I can still get in.
ip route add dst-address=0.0.0.0/0 gateway=10.8.0.1 routing-table=mark_VPN
After these steps, when I connect the computer to ether2, I exit via the ether1 interface, while when I connect the computer to ether3, I exit via the ovpn-out1 interface.
So everything works fine; the only problem is that I do not have access to the router using the IP address, I have access only via MAC.
