masoudpayment24
just joined
Topic Author
Posts: 3
Joined: Fri May 10, 2019 12:27 am
Location: Iran

Route Specific Local IP Address (that from VPN connection)

Fri May 10, 2019 7:28 am

Hello
I had a laptop that was already in the UAE and connected to a private network with a PPTP VPN connection.
But now it's in the UK, and I want to first connect the laptop to a Mikrotik router in UAE and then connect to that private network with a VPN connection.
I have a Mikrotik router in the UAE.
First, I placed the router in the PPTP Client mode and connected to VPN, and then put the Mikrotik into the PPTP SERVER mode so that my laptop in the UK would connect to Mikrotik with a PPTP Client VPN connection and get the UAE's IP address.
How can I use Mangle now to send this local IP traffic (my laptop in the UK with a UAE IP address) to the private network?
Is using Mangle the right one?
Is my scenario correct?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route Specific Local IP Address (that from VPN connection)

Fri May 10, 2019 10:41 am

There are two ways to achieve what you want:
  • to use a rule in /ip firewall mangle to assign a routing-mark (which is in fact a name of a routing table)
  • to use rules in /ip route rule for the same purpose.
Using a mangle rule, you can assign the routing mark based on in-interface or src-address or src-address-list and even some other properties of the packets; ip route rules match only on source and destination addresses or subnets but don't interfere with fasttracking which may be a significant advantage if the Mikrotik's CPU is weak.

The common part is
/ip route add dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=via-pptp-client

The individual part is
/ip route rule
add action=lookup-only-in-table table=via-pptp-client src-address=the.ip.assigned.to.the.pc

or
/ip firewall mangle
add action=mark-routing new-routing-mark=via-pptp-client chain=prerouting src-address=the.ip.assigned.to.the.pc
/ip route add dst-address=0.0.0.0/0 type=blackhole routing-mark=via-pptp-client distance=2


The additional route is necessary to prevent packets from the PC from using the default routing table (called main) if pptp-out1 is down. With /ip route rule, it is not necessary because action=lookup-only-in-table prevents packets from being routed using the table main (i.e. the one consisting of routes without any routing-mark).

If you need the address of the laptop assigned by the VPN to be accessible as a server to other hosts in the UAE's network as clients, the solution will be a bit more complex.

And one remark regarding terminology: a "local address" is one of the device's own ones. The address of your laptop assigned by Mikrotik acting as PPTP server is "an address from a connected subnet" from the perspective of the Mikrotik, not a "local" one. It seems unimportant until the moment you start using a match address-type=local in firewall rules and it does something other than what you expected.
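
The fallback behaviour described in the post above, as an added example that is not part of the original post and not MikroTik's code: a simplified Python model of route selection showing when marked traffic leaks out through table main and when it is dropped. The interface name ether1-wan and all function names are assumptions made for the illustration.

```python
"""Simplified model of RouterOS v6 policy routing (constructed for illustration)."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    table: str                # routing-mark of the route; "main" when it has none
    gateway: Optional[str]    # egress interface; None for a blackhole route
    distance: int = 1
    blackhole: bool = False

def best(routes, table, up):
    """Lowest-distance active route in one table, or None."""
    usable = [r for r in routes
              if r.table == table and (r.blackhole or r.gateway in up)]
    return min(usable, key=lambda r: r.distance) if usable else None

def forward(routes, up, mark=None, only_in_table=False):
    """Return the egress interface for a packet, or "drop".

    mark          -- table selected by the mangle rule or the route rule
    only_in_table -- True models action=lookup-only-in-table
    """
    route = best(routes, mark, up) if mark else None
    if route is None and not (mark and only_in_table):
        route = best(routes, "main", up)      # fall back to table main
    return "drop" if route is None or route.blackhole else route.gateway

# Constructed sample data; "ether1-wan" is an assumed WAN interface name.
MAIN = Route("main", "ether1-wan")
VPN = Route("via-pptp-client", "pptp-out1")
BLACKHOLE = Route("via-pptp-client", None, distance=2, blackhole=True)
T = "via-pptp-client"

def scenarios():
    up, down = {"ether1-wan", "pptp-out1"}, {"ether1-wan"}
    return {
        "mangle, tunnel up": forward([MAIN, VPN, BLACKHOLE], up, T),
        "mangle, tunnel down, no blackhole": forward([MAIN, VPN], down, T),
        "mangle, tunnel down, blackhole": forward([MAIN, VPN, BLACKHOLE], down, T),
        "route rule, tunnel down": forward([MAIN, VPN], down, T, only_in_table=True),
    }

if __name__ == "__main__":
    for name, egress in scenarios().items():
        print(f"{name:36} -> {egress}")
```

The second scenario is the leak case: with only the mangle rule and no blackhole route, the laptop's traffic leaves through the WAN route of table main while pptp-out1 is down.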
 
masoudpayment24
just joined
Topic Author
Posts: 3
Joined: Fri May 10, 2019 12:27 am
Location: Iran

Re: Route Specific Local IP Address (that from VPN connection)

Sun May 12, 2019 11:18 am

Hi
Please briefly describe one of the methods with command.
tnx
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route Specific Local IP Address (that from VPN connection)

Sun May 12, 2019 11:37 am

Please briefly describe one of the methods with command.
That's what I already did.

The common part (i.e. the one you have to use regardless of which method you choose) is to create a specific routing table consisting of a single (default) route, and the command was given there:
/ip route add dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=via-pptp-client

What to do next depends on the method chosen, that's why I've given it in the form

list-of-commands-for-method-1
or
list-of-commands-for-method-2

What other commands do you ask for?
 
masoudpayment24
just joined
Topic Author
Posts: 3
Joined: Fri May 10, 2019 12:27 am
Location: Iran

Re: Route Specific Local IP Address (that from VPN connection)

Sun May 12, 2019 3:13 pm

No need for NAT?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route Specific Local IP Address (that from VPN connection)

Sun May 12, 2019 3:25 pm

In general you do need NAT so that packets sent via the "outer" VPN would be sent from the address assigned by that VPN, but it is not clear whether you need a separate rule for it and if you do, where exactly to put it. It depends on your overall firewall configuration which you haven't posted, so I cannot give you the proper command.
 
korylus
just joined
Posts: 1
Joined: Tue Dec 07, 2021 11:31 am

Re: Route Specific Local IP Address (that from VPN connection)

Tue Dec 07, 2021 11:34 am

Hi all,
one question :
- how to make it work in RouterOS v7.

Ivan
