eazy1504
just joined
Topic Author
Posts: 5
Joined: Sat May 26, 2018 3:42 pm

VPN setup with L2TP for specific IP range only

Wed Jun 13, 2018 3:46 pm

Hi, I have set up my VPN with L2TP following this https://www.rapidvpn.com/setup-vpn-l2tp-mikrotik-router
and also use the killswitch found here in the forum at viewtopic.php?t=121096.
Everything works OK, the killswitch works OK, the network gets disabled when the VPN goes offline.
I use the IP range 192.168.1.2-192.168.1.255 to go through the VPN.
OK, but I have a problem: if I want to use the VPN only with the range 192.168.1.101-192.168.1.255, then
the range 192.168.1.2-192.168.1.100 goes offline, but I want this range not to use the VPN.
How to do that?
Thank you
 
sindy
Forum Guru
Posts: 2454
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN setup with L2TP for specific IP range only

Wed Jun 13, 2018 11:09 pm

Limit the "killswitch" (a totally inappropriate name) rule to the LAN subnet which should only be allowed to access the internet via VPN by adding src-address=the.subnet.to.be.blocked/mask_len to it. So addresses from other LAN subnets will not match the killswitch rule, and will have internet access through WAN.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
eazy1504
just joined
Topic Author
Posts: 5
Joined: Sat May 26, 2018 3:42 pm

Re: VPN setup with L2TP for specific IP range only

Thu Jun 14, 2018 4:45 am

Limit the "killswitch" (a totally inappropriate name) rule to the LAN subnet which should only be allowed to access the internet via VPN by adding src-address=the.subnet.to.be.blocked/mask_len to it. So addresses from other LAN subnets will not match the killswitch rule, and will have internet access through WAN.


Hi, can you be more specific? I don't quite understand what I need to do. I did all this config by following the VPN guide with pictures; can you do a step-by-step guide of what I need to change?
I already tried different ways, but when I got it working, then the kill switch did not work anymore, and when the VPN went offline it switched to my WAN, and then there is no point to the VPN at all. (I don't have that much knowledge to make it work like I need.)

Below are the firewall rules I have right now.

This first firewall rule in the picture blocks all traffic when the VPN goes off
Image
and has following settings
Image
Image
 
sindy
Forum Guru
Posts: 2454
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN setup with L2TP for specific IP range only

Thu Jun 14, 2018 5:53 pm

can you be more specific,i dont quite understand what i need to to
I cannot as you are not :-)

I can only modify your killswitch rule if you state to which source and/or destination addresses that rule should be narrowed.

If it is a single source subnet, just add that subnet as the value of the src-address item of the rule. If it is a list of addresses and/or subnets, create a named list of these addresses and subnets, like (example)
/ip firewall address-list
add list=vpn-only address=1.2.3.4
add list=vpn-only address=192.168.1.0/24
and refer to that address list in the killswitch rule itself, by setting its name as the value of the src-address-list item of the rule.
 
eazy1504
just joined
Topic Author
Posts: 5
Joined: Sat May 26, 2018 3:42 pm

Re: VPN setup with L2TP for specific IP range only

Thu Jun 14, 2018 7:42 pm

can you be more specific,i dont quite understand what i need to to
I cannot as you are not :-)

I can only modify your killswitch rule if you state to which source and/or destination addresses that rule should be narrowed.

If it is a single source subnet, just add that subnet as the value of the src-address item of the rule. If it is a list of addresses and/or subnets, create a named list of these addresses and subnets, like (example)
/ip firewall address-list
add list=vpn-only address=1.2.3.4
add list=vpn-only address=192.168.1.0/24
and refer to that address list in the killswitch rule itself, by setting its name as the value of the src-address-list item of the rule.

Thank you for answering, sorry, I will try to explain better.
Now I have all of this IP range 192.168.1.3-192.168.1.255 use the VPN (go through the VPN).
I have the DHCP server range 192.168.1.3-192.255.255.254,
but what I want is the IP range 192.168.1.3-192.168.1.100 not to use the VPN (go through WAN)
and the IP range after that, 192.168.1.101-192.168.1.255, to use the VPN (go through the VPN),
but I also need the killswitch function: when the VPN goes offline, then WAN goes offline too.
 
sindy
Forum Guru
Posts: 2454
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN setup with L2TP for specific IP range only  [SOLVED]

Thu Jun 14, 2018 11:58 pm

i try to explain better.
...
what i want is IP-s range 192.168.1.3-192.168.1.100 not use VPN (go through WAN)
and IP range after that 192.168.1.101-192.168.1.255 use VPN (go through VPN)
Sorry, I haven't understood your OP properly. For this, you don't need any killswitch rule (and your mentioning it has sent me off-track, as I started looking up what you mean by killswitch rule, so I haven't read the rest carefully) but something commonly called policy routing, where you choose one of several different routing tables depending on some criteria; in your case, the criterion is the source address range. So in the routing table used for 192.168.1.3-192.168.1.100, the default route will use the gateway on WAN, while in the routing table used for 192.168.1.101-192.168.1.254 (255 cannot be used as a client address in a /24 subnet), the default route will use the gateway on the VPN. One of many explanations of how to do that is here.

but also need killswitch function when VPN goes offline then WAN goes offline too
If you have in mind that if VPN goes down, the clients with addresses in the 192.168.1.101-192.168.1.254 range will not be able to use WAN instead, either the killswitch rule will take care of it if completed with src-address=192.168.1.101-192.168.1.254, or a type=blackhole default route in the routing table for that source address range can be used instead of that rule. The default route via VPN would have distance=1, the blackhole default route would have distance=2. So as long as the VPN is up, the route with distance=1 is used; when the VPN goes down, that route becomes unavailable, so the blackhole route is used instead, rather than the default route in the default routing table which would otherwise kick in.
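The policy-routing setup sindy describes above (routing mark per source range, VPN default route with distance=1, blackhole default route with distance=2), combined with the address-list narrowing from the earlier reply, written out as a RouterOS v6 CLI example. This is an added example, not config from the thread or from the linked guide; the interface names ether1 (WAN), l2tp-out1 (the L2TP client) and the 192.168.1.0/24 LAN are assumptions.

```routeros
# Added example; assumed names: ether1 = WAN, l2tp-out1 = L2TP client interface
# created by the setup guide, LAN = 192.168.1.0/24 behind the router.

# 1. Hosts that may only reach the internet through the tunnel
#    (the named address list sindy suggested instead of a bare src-address).
/ip firewall address-list
add list=vpn-only address=192.168.1.101-192.168.1.254 comment="VPN-only clients"

# 2. Policy routing: traffic from those hosts that is not for the LAN itself
#    gets a routing mark, so it is looked up in the "via-vpn" table.
#    passthrough=no ends mangle processing once the mark is set.
/ip firewall mangle
add chain=prerouting src-address-list=vpn-only dst-address=!192.168.1.0/24 \
    action=mark-routing new-routing-mark=via-vpn passthrough=no

# 3. Table "via-vpn": default route via the tunnel (distance 1) and a blackhole
#    default (distance 2). While l2tp-out1 is up the distance-1 route wins; when
#    the tunnel drops that route becomes inactive and the blackhole absorbs the
#    traffic instead of letting the lookup fall through to the main table's
#    WAN default route. Hosts 192.168.1.3-100 carry no mark and keep using WAN.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=via-vpn distance=1 \
    comment="vpn-only: default via L2TP"
add dst-address=0.0.0.0/0 type=blackhole routing-mark=via-vpn distance=2 \
    comment="vpn-only: drop when L2TP is down"

# 4. Source NAT for packets leaving through the tunnel
#    (the guide's existing masquerade on ether1 still serves the WAN-only hosts).
/ip firewall nat
add chain=srcnat out-interface=l2tp-out1 action=masquerade

# 5. Optional belt-and-braces version of the "killswitch" rule, narrowed with
#    src-address-list so the WAN-only hosts never match it.
/ip firewall filter
add chain=forward src-address-list=vpn-only out-interface=ether1 action=drop \
    comment="vpn-only hosts must never leave via WAN directly"
```

Only forwarded traffic is marked in prerouting: anything the router itself originates on behalf of these hosts, such as DNS queries when it acts as their resolver, still follows the main table.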
 
eazy1504
just joined
Topic Author
Posts: 5
Joined: Sat May 26, 2018 3:42 pm

Re: VPN setup with L2TP for specific IP range only

Fri Jun 15, 2018 11:45 am

Thank you sindy, finally got it working like I need :D
