
 
PhoenixHawk
just joined
Topic Author
Posts: 16
Joined: Mon Jun 26, 2017 7:35 pm

Route traffic from one port via VPN

Sun Jul 02, 2017 9:05 pm

Hello,

This is my current config of my hAP lite.
As you see the config is pretty basic. I have another router in my network (192.168.178.1) that does DHCP and provides internet connectivity.
The ether1 is the uplink to this router.
All devices connected to ether2, ether3 and the wlan should be in the network as if they were just connected via a normal switch.

This works, but the config might not be optimal for that. If I can do better, please advise.

The device on ether4 should also be available in the network, and should also be able to access all other devices on the network as normal; however, when the device connected at ether4 wants to access the internet (i.e. makes DNS requests to, or sends traffic via, the default gateway 192.168.178.1), this traffic should be re-routed and sent via the VPN instead. The default gateway of the VPN is dynamically assigned (it's the l2tp-client interface named my-vpn) and currently has the IP 10.9.9.1.

As you can probably tell I tried that with the firewall mangle rule, but that did not work.
What do I need to remove / change / add to make this work?

Cheers,

Sebastian
# jul/02/2017 19:49:03 by RouterOS 6.39.2
/interface bridge
add admin-mac=AA:BB:CC:AA:BB:CC auto-mac=no comment=defconf fast-forward=no \
    name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=germany disabled=no \
    frequency=auto mode=ap-bridge ssid=test wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
/interface l2tp-client
add connect-to=some.vpn.com disabled=no name=my-vpn password=\
    test user=test
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=test wpa2-pre-shared-key=test
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
add bridge=bridge interface=ether4
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    bridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall mangle
add action=route chain=prerouting dst-address=192.168.178.1 log=yes \
    log-prefix=test passthrough=yes route-dst=10.9.9.1
/system clock
set time-zone-name=Europe/Berlin
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route traffic from one port via VPN

Mon Jul 03, 2017 2:34 am

IP firewall mangle does not see bridged packets. But you can use bridge filter to redirect selected packets to router and then you can process them:
/interface bridge nat
add action=redirect chain=dstnat dst-address=!192.168.178.0/24 in-interface=ether4 mac-protocol=ip
Gateway on L2TP does not need IP address, it can be interface. But I'm not sure if action=route can take route-dst=<interface> and I'm too lazy to test it. If it doesn't work, you can always create default route in new routing table and mark routing instead (action=mark-routing new-routing-mark=<your table>).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
PhoenixHawk
just joined
Topic Author
Posts: 16
Joined: Mon Jun 26, 2017 7:35 pm

Re: Route traffic from one port via VPN

Mon Jul 03, 2017 10:12 am

Hello Sob,

Thanks for your answer, but I'm afraid I'm still missing a piece of the puzzle.
I have your bridge entry in place, but that only seems to be the first step. You said 'and then you can process them'. This is probably the step I'm struggling with the most.

How do I process them now, after I have this bridge / NAT entry in place? How can I tell the packets caught by this filter to actually go through my VPN interface instead?
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route traffic from one port via VPN

Tue Jul 04, 2017 3:38 am

Your problem was packets not going to IP firewall and that rule fixed it. Now you can work with them:
/ip route
add dst-address=0.0.0.0/0 gateway=<l2tp interface> routing-mark=vpn
/ip firewall mangle
add chain=prerouting <see below for another option> dst-address=!192.168.178.0/24 \
    action=mark-routing new-routing-mark=vpn
/ip firewall nat
add chain=srcnat out-interface=<l2tp interface> action=masquerade
The only problem is how to correctly identify source packets for the mangle rule. The simplest way would be if the device connected to ether4 had a static address; then you can use src-address=192.168.178.x. The second option is to use in-interface=bridge1, but anything coming to the router from any interface which is part of the bridge will have bridge1 as source interface. But nothing matching dst-address=!192.168.178.0/24 should actually come to the router, so it should be fine. Or there's a third option, to first mark the packet before redirecting it:
/interface bridge nat
add chain=dstnat dst-address=!192.168.178.0/24 in-interface=ether4 mac-protocol=ip \
    action=mark-packet new-packet-mark=to-vpn
And then you can use packet-mark=to-vpn in mangle rule.
 
PhoenixHawk
just joined
Topic Author
Posts: 16
Joined: Mon Jun 26, 2017 7:35 pm

Re: Route traffic from one port via VPN

Tue Jul 04, 2017 9:46 am

Ah, thank you a lot. I suppose I now understand what happens here.

For the marking and the actual routing to work, I had to change something, though.
I now have the bridge NAT rule that redirects all from ether4 to !192.168.178.0/24 (everything not in my local network).
However to actually mark the packet, I had to add a bridge FILTER rule and not a NAT rule. It is basically the same rule, just in the filter tab, that marks all outbound packets from ether4 with the route-to-vpn mark. Not sure why that matters, though.

Thanks again for your help. I really appreciate that. I think I also learned a bit more about routing in general, if my comments in the config are correct :)

Cheers,

Sebastian

So this is my config, which is now working:
# jul/04/2017 08:39:38 by RouterOS 6.39.2
#
/interface bridge
add admin-mac=AA:BB:CC:DD:EE:FF auto-mac=no fast-forward=no name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=germany disabled=no \
    frequency=auto mode=ap-bridge ssid=myWifi wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=mywifikey wpa2-pre-shared-key=mywifikey
/interface l2tp-client
add allow=chap,mschap2 allow-fast-path=yes comment="outgoing VPN connection" \
    connect-to=my.vpn-server.com disabled=no ipsec-secret=secret name=myvpn \
    password=password profile=default user=username
/interface bridge filter
add action=mark-packet chain=input comment=\
    "mark packets that are outbound to go through vpn" dst-address=\
    !192.168.178.0/24 in-interface=ether4 mac-protocol=ip new-packet-mark=\
    route-to-vpn
/interface bridge nat
add action=redirect chain=dstnat comment=\
    "make sure packets go through IP firewall" dst-address=!192.168.178.0/24 \
    in-interface=ether4 mac-protocol=ip
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
add bridge=bridge interface=ether4
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "marked packets should go to actual routing" new-routing-mark=vpn \
    packet-mark=route-to-vpn passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade all traffic that goes t\
    hrough VPN, so that responses are returned correctly" out-interface=myvpn
/ip route
add comment="tell routing that everything is addressable behind the vpn\?" \
    distance=1 gateway=myvpn routing-mark=vpn
/system clock
set time-zone-name=Europe/Berlin
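The working config above only does what it should if four names agree with each other: the packet mark set by the bridge filter, the packet mark matched by the mangle rule, the routing mark shared by the mangle rule and the route, and the gateway interface named by the route and the masquerade rule. A typo in any one of them fails silently, and the ether4 device simply keeps using the normal default gateway instead of the VPN. The following script is an added example, not code from this thread or from MikroTik: it parses the relevant sections of the export (trailing-backslash line continuations, `/section` headers, `key=value` tokens) and walks that chain. The sample export embedded in it is constructed from the config posted above, with the route comment replaced by Sob's suggested wording.

```python
"""Consistency check for the bridge-mark -> mangle -> route -> srcnat chain
in a RouterOS export. Added example; assumes the RouterOS 6.x export format
shown in the thread and the rule names used there."""
import shlex

# Constructed sample: the policy-relevant sections of the working export.
SAMPLE_EXPORT = r"""
# jul/04/2017 08:39:38 by RouterOS 6.39.2
/interface bridge filter
add action=mark-packet chain=input comment=\
    "mark packets that are outbound to go through vpn" dst-address=\
    !192.168.178.0/24 in-interface=ether4 mac-protocol=ip new-packet-mark=\
    route-to-vpn
/interface bridge nat
add action=redirect chain=dstnat comment=\
    "make sure packets go through IP firewall" dst-address=!192.168.178.0/24 \
    in-interface=ether4 mac-protocol=ip
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "marked packets should go to actual routing" new-routing-mark=vpn \
    packet-mark=route-to-vpn passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade all traffic that goes t\
    hrough VPN, so that responses are returned correctly" out-interface=myvpn
/ip route
add comment="alternative default route via vpn" distance=1 gateway=myvpn \
    routing-mark=vpn
"""


def join_continuations(text):
    """Yield logical lines. A trailing backslash glues the next physical line
    on with its indentation removed, which is how the export splits lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_export(text):
    """Return one dict per add/set command: its section, the command word,
    every key=value pair, and any positional tokens (e.g. '[ find ... ]')
    under 'args'. Comment lines and blank lines are skipped."""
    rules, section = [], None
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # handles the quoted comment values
        rule = {"section": section, "cmd": tokens[0], "args": []}
        for tok in tokens[1:]:
            if "=" in tok:
                key, _, value = tok.partition("=")
                rule[key] = value
            else:
                rule["args"].append(tok)
        rules.append(rule)
    return rules


def find(rules, section, **match):
    """Rules in a section whose properties equal every given key=value."""
    return [r for r in rules if r["section"] == section
            and all(r.get(k) == v for k, v in match.items())]


def check_vpn_policy(rules):
    """Follow the marks from the bridge rule to the masquerade rule and return
    a list of problems; an empty list means the chain is consistent."""
    problems = []
    marks = (find(rules, "/interface bridge filter", action="mark-packet")
             + find(rules, "/interface bridge nat", action="mark-packet"))
    if not marks:
        return ["no bridge rule with action=mark-packet"]
    mark = marks[0]
    pmark = mark.get("new-packet-mark")
    # The redirect must select exactly the frames the marking rule selects,
    # otherwise marked frames stay in the bridge and never reach mangle.
    if not find(rules, "/interface bridge nat", action="redirect",
                **{"in-interface": mark.get("in-interface"),
                   "dst-address": mark.get("dst-address")}):
        problems.append("no bridge nat redirect matching the mark-packet rule "
                        "(same in-interface and dst-address)")
    mangle = find(rules, "/ip firewall mangle", action="mark-routing",
                  **{"packet-mark": pmark})
    if not mangle:
        problems.append(f"no mangle mark-routing rule for packet-mark={pmark}")
        return problems
    rmark = mangle[0].get("new-routing-mark")
    routes = find(rules, "/ip route", **{"routing-mark": rmark})
    if not routes:
        problems.append(f"no /ip route with routing-mark={rmark}")
        return problems
    gw = routes[0].get("gateway")
    if not find(rules, "/ip firewall nat", action="masquerade",
                **{"out-interface": gw}):
        problems.append(f"no srcnat masquerade with out-interface={gw}")
    return problems


if __name__ == "__main__":
    print(check_vpn_policy(parse_export(SAMPLE_EXPORT)) or "chain is consistent")
```

Feed it the output of `/export` instead of the embedded sample to check a live box; the parser tolerates the `set [ find ... ]` lines and the other sections it does not inspect. Note that it checks name consistency only, not rule order: as Sob points out in the next reply, a packet-marking rule in the same chain as the redirect has to come before it.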
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route traffic from one port via VPN

Tue Jul 04, 2017 5:50 pm

I don't play with bridge filters very often, so I can make a mistake, but I did test this part and it worked. When you had both in dstnat, you did put packet marking rule before redirect one, not the other way around, right?

Regarding comments and your understanding, I'd use (not that it says anything completely different):
"make sure packets go through IP firewall" -> "take packets from bridge and redirect them to router"
"marked packets should go to actual routing" -> "mark routing for marked packets that should be redirected to vpn"
"tell routing that everything is addressable behind the vpn\?" -> "alternative default route via vpn"