2oby
just joined
Topic Author
Posts: 14
Joined: Fri Sep 24, 2021 1:03 pm

Help! (wanted)

Tue Oct 19, 2021 3:05 pm

Hi,
I am not a network engineer, but I am a relatively savvy tech user.
I have a simple (for you guys) configuration I need to set up and would greatly appreciate some help.

Setup:
I have a MikroTik CCR1009 and a CISCO SG200-50
I have NetInstalled the MikroTik with 6.47.10 and set up some basic firewall rules.
I purchased 2 SFP modules and connected the devices with fiber
The two devices will eventually be in separate locations linked by the fiber (approx 100m apart) but are currently in the same rack.
I am connecting the MikroTik to the internet using the Eth1 port as WAN

This all works nicely. I enabled DHCP and I can connect and manage the device. I also have access to the internet from both the Cisco Switch and MikroTik router.

I have also set up an IPSec VPN mostly using this guide although the provider is not NordVPN:
https://support.nordvpn.com/Connectivit ... ordVPN.htm
I have since deleted the VPN config as I hacked it to pieces and wanted to start again fresh, which brings me to my question:

I would like to create 2 VLANs on the devices and assign the VLANs to different physical ports on both the Cisco and MikroTik.
I would like to send all traffic from VLAN_PRIVATE through the VPN and have the other traffic VLAN_PUBLIC (and also untagged traffic?) go to the internet directly.
If the VPN is down I want to make sure that VLAN_PRIVATE traffic does not go out to the local internet.

I am the sort of degenerate developer who cuts and pastes code and muddles through...
...but am well aware that when dealing with security and privacy it is rather crucial to know what one is doing!
Hence I am asking for advice and tips to get this right...

I have looked around and am lost here between beginner and advanced. Beginner guides don't go this far. Advanced guides assume too much knowledge.
e.g. I know I need to set a mangle rule to route the traffic to a black hole... but I don't know how one would go about doing this!

I think the steps are:
1 - create VLANs
2 - setup trunk through SFP with rules for VLANs
3 - Setup VPN (I have successfully done this once)
4 - Configure NAT rules or Mangle rules (not sure which) to route traffic through the VPN or directly to the internet
5 - Test to ensure traffic goes through the VPN

If anybody knows some guides that can walk me through this, that would be great!
Or, additionally, if someone has the patience to consult in enough detail that I can follow instructions, I would be more than happy to reimburse for time and coffee spent!

Many thanks in advance for any help.
2oby
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Help! (wanted)

Tue Oct 19, 2021 4:19 pm

Good Morning 2oby,

If you don't have a lot of experience setting up VLANs and VPNs ...
I would recommend segregating the configuration process.

-> Setup WAN-Interfaces (no VPN)
Step 1: Setup Firewall & secure Router
Step 2: Setup DNS
Step 3: Setup NAT/Masquerade
Step 4: Setup DHCP-Client and Gateway
Step 5: Check if Router has Internet =)
----------------------------------------------------------

-> Configure Basic Network and VLANs (No VLAN-Filtering, No VPN)
Step 6: Create ONE Bridge on the Mikrotik-Device
Step 7: Assign all needed Interfaces to the Bridge
Step 8: Create VLAN on Bridge-Interface (for example Private= vlan101 & Public= vlan102)
Step 9: Assign IP-Address on VLAN-Interfaces
Step 10: Create DHCP-Server for Private and Public
Step 11: Check if the Clients have Internet.
- Assign your Computer the Private-VLAN Tag and check if you get an IP and have access to the Internet.
- Assign your Computer the Public-VLAN Tag and check if you get an IP and have access to the Internet.

--------------------------------------------------------

-> Create and Configure VPN
Step 12: Create an AddressList with IP-Range of Private-Network
For example:
/ip firewall address-list
add address=192.168.178.0/24 list=VPN
Step 13: Create IPSEC-VPN
Create and Configure VPN like the Guide says, but make sure to select your Address-List
For example:
/ip ipsec mode-config
add name=VPN responder=no src-address-list=VPN
Step 14: Check if the Clients of VLAN-Private have Internet via the VPN.
- Assign your Computer the Private-VLAN Tag and check if you have access to the Internet.
----------------------------------------------------------
-> Configure Firewall
Step 15: Configure Firewall to limit access between Network (Private & Public)
----------------------------------------------------------
-> Configure VLAN-Filtering
Look at the Mikrotik-Wiki and the Forums VLAN guide (viewtopic.php?t=143620)
----------------------------------------------------------
 
2oby
just joined
Topic Author
Posts: 14
Joined: Fri Sep 24, 2021 1:03 pm

Re: Help! (wanted)

Tue Oct 19, 2021 5:18 pm

Hi Conny,
Many thanks for your reply.
This is very useful. I think a key piece of information I was missing was:

Step 9: Assign IP-Address on VLAN-Interfaces
Step 10: Create DHCP-Server for Private and Public
Step 12: Create an AddressList with IP-Range of Private-Network


These steps assign traffic to the VPN, right? I had expected to be able to say something like:
"everything tagged 'VLAN_101' send to VPN"
...but instead I understand I need to assign an address range to each VLAN and then route from these source addresses through the VPN? Am I correct here?

Thanks again!
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Help! (wanted)

Tue Oct 19, 2021 6:01 pm

I'm glad I could help =)

Step 9 and Step 10 provide the necessary L3-infrastructure.
They provide an IP-Address and a Gateway for each Client on both Networks (Public and Private).
So when a Client on the Network wants to communicate with a device outside the VLAN it will go to the Gateway.
The Gateway (aka your MikroTik router) in return decides "how" or "if" the Traffic should be routed.

The "IF" is usually determined via the Firewall
The "HOW" is a bit more complicated.
Step 12 is one way to do it for IPSEC-VPN
Another way is to mangle the Connections you want to route via the VPN.
 
2oby
just joined
Topic Author
Posts: 14
Joined: Fri Sep 24, 2021 1:03 pm

Re: Help! (wanted)

Tue Oct 19, 2021 6:04 pm

'Another way is to mangle the Connections you want to route via the VPN'.
OK, I think I'm getting it slowly... do you happen to have a link to mangling? I hear about it a lot but don't really get the concept.
I tend to think like a [bad] programmer, so I am looking for IF / THEN statements but the paradigm here is different...
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Help! (wanted)

Tue Oct 19, 2021 6:31 pm

You will find the Mangle rules under "/ip firewall mangle".
In the case of IPsec-VPN you can use mangle to easily identify and "Tag" specific traffic.

Some basic Examples to help:

------------------------------------------------------------------------------------------------------------------------------
Example 0: Send Traffic from vlan101 through VPN
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface="vlan101 (Privat)" new-connection-mark=VPN
------------------------------------------------------------------------------------------------------------------------------
Example 1: Only send Traffic from 192.168.178.55 through VPN
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=VPN src-address=192.168.178.55
------------------------------------------------------------------------------------------------------------------------------
Example 2: Only send TCP 3389 (aka RDP) from any Client through VPN
/ip firewall mangle
add action=mark-connection chain=prerouting dst-port=3389 new-connection-mark=VPN protocol=tcp
------------------------------------------------------------------------------------------------------------------------------
Example 3: Send any Traffic from any Client with destination 8.8.8.8 through VPN
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=8.8.8.8 new-connection-mark=VPN
------------------------------------------------------------------------------------------------------------------------------
Example 4: Send Traffic from any Client with an IP of 192.168.178.0/24 through VPN
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=VPN src-address=192.168.178.0/24
 
2oby
just joined
Topic Author
Posts: 14
Joined: Fri Sep 24, 2021 1:03 pm

Re: Help! (wanted)

Tue Oct 19, 2021 7:08 pm

Sorry to be dumb, but I seem to be missing some crucial concept here.
I understand the following to be 'marking the connection' that comes in from 'vlan101' with the 'mark' 'VPN'

>> "/ip firewall mangle add action=mark-connection chain=prerouting in-interface="vlan101 (Privat)" new-connection-mark=VPN"

From your examples (and from the docs) I don't see how this 'mark' actually sends the traffic to the VPN though. I see the connection being labeled with a 'tag' that contains the string "VPN" and assume there must be something else that does the routing?
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Help! (wanted)

Tue Oct 19, 2021 7:58 pm

We are reaching the edge of my knowledge ...
IPsec has its own Packet Flow (https://wiki.mikrotik.com/wiki/Manual:P ... w#Overview)
But I can't really explain it.

Maybe someone else in the Forum can provide an "Easy" explanation.
 
2oby
just joined
Topic Author
Posts: 14
Joined: Fri Sep 24, 2021 1:03 pm

Re: Help! (wanted)

Tue Oct 19, 2021 8:32 pm

No problem. Many thanks for the help so far. I am getting closer. :)

Cheers!
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help! (wanted)

Tue Oct 19, 2021 8:37 pm

No need to mangle anything.

Just add another route

0.0.0.0/0 gateway=192.168.55.1 route-mark=USEVPN (assuming 192.168.55.1 is the vlan gateway of that subnet).
Then create a route rule
Interface=VPN interface (or source address 192.168.55.0/24)
action: look up only in table
table: USEVPN

Just to be clear the private VPN will not be able to use the regular internet and will not be able to talk to other VLANs on the router.
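An added configuration example (written for this page, not posted by anyone in the thread) for the "if the VPN is down, VLAN_PRIVATE must not leak to the internet" requirement from the opening post, covering both routing approaches discussed above: the IPsec address-list method (Step 12) and anav's routing-mark method. It assumes RouterOS v6 syntax (the router runs 6.47.10), vlan101 = VLAN_PRIVATE with 192.168.178.0/24, ether1 = WAN, the address-list name VPN and the routing mark USEVPN from the thread.

```routeros
# Added example, not from this thread. RouterOS v6 syntax (router runs 6.47.10).
# Assumptions: vlan101 = VLAN_PRIVATE with 192.168.178.0/24, ether1 = WAN,
# address-list "VPN" is the list the IPsec mode-config references (Step 12),
# routing mark USEVPN as in anav's post.

/ip firewall address-list
add address=192.168.178.0/24 list=VPN comment="VLAN_PRIVATE subnet"

# Policy-based IPsec (mode-config / address-list approach):
# a packet from the private subnet that is about to leave ether1 without
# being matched by any IPsec policy (e.g. the tunnel is down and no policy
# covers it) is dropped instead of going out in the clear.
# Place this rule ABOVE any general accept rule in the forward chain.
/ip firewall filter
add chain=forward src-address-list=VPN out-interface=ether1 ipsec-policy=out,none action=drop comment="VPN kill switch"

# Masquerade only packets that will NOT be encrypted by an IPsec policy;
# srcnat runs before IPsec encryption, so an unconditional masquerade would
# rewrite the source address before the policy can match it.
/ip firewall nat
add chain=srcnat out-interface=ether1 ipsec-policy=out,none action=masquerade

# Interface-based tunnel selected via a routing table (anav's route-mark
# approach): a low-priority blackhole route in the USEVPN table becomes
# active when the tunnel's default route disappears, so marked traffic is
# discarded rather than falling back to the main table.
/ip route
add dst-address=0.0.0.0/0 type=blackhole routing-mark=USEVPN distance=250
```

To verify the kill switch, disable the IPsec peer (or the tunnel interface) and confirm from a VLAN_PRIVATE client that internet traffic fails rather than succeeding via the WAN address; the drop rule's packet counter in /ip firewall filter should increase.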
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Help! (wanted)

Tue Oct 19, 2021 8:39 pm

Thanks @anav
 
2oby
just joined
Topic Author
Posts: 14
Joined: Fri Sep 24, 2021 1:03 pm

Re: Help! (wanted)

Wed Oct 20, 2021 12:14 am

Many thanks for the additional information.
Just to help me understand, is the config you added the equivalent of step 12? or is this in addition?

and... if you haven't had enough of the dumb questions already, how would I have achieved this with the mangling method? I do get that mangling 'tags' packets or connections, but I am missing the bit where something uses those tags to send packets one way or another...
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help! (wanted)

Wed Oct 20, 2021 12:17 am

If you're asking me, the routing is separate from the IPSEC VPN settings so has nothing to do with step 12.
Yes, no mangling required.
By the way I am gainfully employed so am not available to fulfil your advert for employment. :-)
Last edited by anav on Thu Oct 21, 2021 4:13 pm, edited 1 time in total.
