jaxed8
Member Candidate
Topic Author
Posts: 195
Joined: Tue Jul 27, 2021 8:25 pm

VPN just for one of the LAN devices when the whole router is using IPSec

Tue Nov 23, 2021 4:58 pm

Hello everyone,
Is it possible to route the traffic of one device (192.168.11.94) through a VPN (a PPTP client; I know it's not safe, it's just an example) while the whole router is connected via IKEv2/IPsec?
 
jaxed8
Member Candidate
Topic Author

Tue Nov 23, 2021 8:33 pm

I added:

/interface pptp-client
add allow=mschap2 connect-to=XXXXXX name=PPTP_YD password=XXXXXX \
user=XXXXX

/ip firewall mangle
add action=mark-routing chain=prerouting comment=PPTP_YD disabled=no \
new-routing-mark=PPTP_YD passthrough=yes src-address=\
192.168.11.94

/ip firewall nat
add action=masquerade chain=srcnat comment=PPTP_YD disabled=no \
out-interface=PPTP_YD src-address=192.168.11.94

/ip route
add disabled=no distance=1 gateway=PPTP_YD routing-mark=\
PPTP_YD

But it's still not working. What did I miss?
 
jaxed8
Member Candidate
Topic Author

Thu Nov 25, 2021 12:21 am

Is it possible?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Thu Nov 25, 2021 4:25 am

Probably yes, but it can possibly conflict with the other VPN, if it's the "route everything elsewhere" kind. If I remember correctly, it adds some dynamic rules, so maybe it's necessary to work around that in some way.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Thu Nov 25, 2021 10:33 am

> Is it possible?
Definitely yes, but without seeing the IPsec part, it is impossible to tell you what exactly overrides your policy routing setup. Most likely the IP address assigned to the PPTP tunnel matches an IPsec policy, but it is not the only possibility. See my automatic signature below for further steps.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Thu Nov 25, 2021 10:45 am

 
jaxed8
Member Candidate
Topic Author

Sat Nov 27, 2021 3:29 am

Thanks for the replies. I'm sorry I couldn't answer sooner; happy holidays and Thanksgiving, everybody.
> Probably yes, but it can possibly conflict with the other VPN, if it's the "route everything elsewhere" kind. If I remember correctly, it adds some dynamic rules, so maybe it's necessary to work around that in some way.
It is the "route everything elsewhere (inside the VPN)" kind. Yeah, it will add a dynamic rule, but I have a scheduler that can move the rules around, so that dynamic rule is not a problem.
> Definitely yes, but without seeing the IPsec part, it is impossible to tell you what exactly overrides your policy routing setup. Most likely the IP address assigned to the PPTP tunnel matches an IPsec policy, but it is not the only possibility. See my automatic signature below for further steps.
PPTP and IPsec servers are totally different, and the assigned IPs are very different too.
IPsec=192.168.43.1 (192.168.43.0/24)
PPTP=172.19.19.227 (172.19.19.1)
My configurations:
(attachment: gl.rsc)
 
jaxed8
Member Candidate
Topic Author

Sat Nov 27, 2021 2:36 pm

> It's doable: viewtopic.php?t=169273
Thanks man, but I'm looking for a PPTP or L2TP solution.
 
sindy
Forum Guru

Sat Nov 27, 2021 4:04 pm

> My configurations:
Wow, what an amount of creativity wasted (I have in mind the script moving your static masquerade rule before the one dynamically created by IPsec).

You've missed some points unfortunately:
  1. only the initial packet of each connection is handled by the /ip firewall nat rules, and the resulting handling is stored in the context of that connection in the connection tracking module, so that subsequent packets belonging to that connection can be handled accordingly (e.g. in case of src-nat, subsequent downstream packets are src-nated and upstream packets are un-src-nated symmetrically).
  2. if no route at all is available in the routing table indicated by the routing-mark value, that packet is normally routed using routing table main; to prevent that, you need to use an /ip route rule.
  3. you can configure the /ip ipsec mode-config row not only to let the dynamically created action=src-nat rule match on a src-address-list but also to let it match on a connection-mark value, including the reserved one of no-mark.
However, it is not clear to me what exactly goes wrong in your case; I can only tell what may go wrong.

If 192.168.11.94 attempts to create a connection while the PPTP_YD interface is down, the default route via PPTP_YD marked with routing-mark PPTP_YD is not active, hence the initial packet of the connection is routed via the default route in main, so it doesn't match the out-interface=PPTP_YD condition in the action=masquerade rule, so it gets caught either by the dynamic action=src-nat rule generated by IPsec or by the action=masquerade out-interface=ether10 rule, or maybe skips both of them, which may make the PPTP server drop it later when the PPTP tunnel goes up and the subsequent retransmission of that packet reaches the PPTP server.

Another thing that may theoretically go wrong is that if RouterOS eventually selects the LAN IP (192.168.11.111) as the source one for the PPTP transport packets (no idea why it should do that, but we're looking for something unexpected here, aren't we), the transport packets might match the dynamic src-nat rule added by IPsec and be sent down the IPsec tunnel.

So I would recommend you to add the connection-mark=no-mark setting to the /ip ipsec mode-config row, which will allow you to assign any other connection-mark value to any traffic you want to avoid the dynamic rule added by IPsec using mangle rules. I.e. you'll replace the action=masquerade dst-address-list=excluded-addresses rule in nat/srcnat by an action=mark-connection new-connection-mark=avoid-ipsec dst-address-list=excluded-addresses rule in nat/prerouting and/or nat/output and retire the scheduled script.

To make sure that traffic that should leave via the PPTP tunnel doesn't leak (and possibly get src-nated to a wrong address as a consequence) using another routing table if the PPTP_YD interface is down, add a routing rule:

/ip route rule
add routing-mark=PPTP_YD action=lookup-only-in-table table=PPTP_YD


Once you perform these changes, check existing connections; you may have to remove some of them to be able to test whether it helped (see point 1 in the list above).
 
pierrot
just joined
Posts: 2
Joined: Thu Nov 25, 2021 11:51 pm

Mon Nov 29, 2021 12:13 am

Hello,
please, I need some help: I cannot ping my SXT connected to ether2 of my MikroTik on site while I am connected via L2TP VPN to the MikroTik.
IP of the SXT: 10.1.10.1
Below is the config:
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Uplink
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-ToSwitch
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-Uplink name=pppoe-out1 \
password=test user=test
/interface l2tp-server
add name=l2tp-in1 user=vpn
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
add name=dhcp_pool0 ranges=192.168.5.2-192.168.5.254
add name=ppptp-pool ranges=192.168.50.1-192.168.50.10
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=ppptp-pool \
name=pptp-profile remote-address=ppptp-pool use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=ether2-swtich
/interface l2tp-server server
set enabled=yes ipsec-secret=secret use-ipsec=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=pptp-profile
/ip address
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=10.1.10.10/24 interface=ether2-ToSwitch network=10.1.10.0
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
192.168.50.0/24
/ppp secret
add name=testvpn password=vpn profile=pptp-profile service=l2tp
 
sindy
Forum Guru

Mon Nov 29, 2021 3:24 pm

> I cannot ping my SXT connected to ether2 of my MikroTik on site while I am connected via L2TP VPN to the MikroTik.
My wild guess is that no routing is set at the SXT, hence it does not know that the route to 192.168.50.x (the L2TP clients) goes via 10.1.10.10.

To get to the SXT via VPN, add another masquerade rule to the beginning of the chain on the router whose configuration you've shown:
/ip firewall nat print
/ip firewall nat add action=masquerade src-address=192.168.50.1-192.168.50.10 out-interface=ether2 place-before=0


Then, fix the issue at the SXT, and then you can remove that src-nat rule again (and log in to the SXT again if necessary).

Also there is no firewall in your configuration and all the management services of the router are enabled, so unless there is an external firewall, your router may be hosting some malware by now.

Last, please do not piggyback on a loosely related topic; open your own.
 
jaxed8
Member Candidate
Topic Author

Sun Dec 05, 2021 6:40 am

> Wow, what an amount of creativity wasted (I have in mind the script moving your static masquerade rule before the one dynamically created by IPsec).
:)
Thanks for the nice explanation, and sorry for the late reply.
I added connection-mark=no-mark to IP IPsec Mode-config and also added a rule to IP route rule like you said, and made another scheduler for chain=srcnat PPTP_YD to keep it at #=1, so it kind of looks like this now (I also changed PPTP_YD to PPTP_YD_GAMING50 everywhere):
(attachment: Screenshot 2021-12-05 074705.jpg)
But I didn't change the action=masquerade dst-address-list=excluded-addresses because I didn't understand this part completely:
> you'll replace the action=masquerade dst-address-list=excluded-addresses rule in nat/srcnat by an action=mark-connection new-connection-mark=avoid-ipsec dst-address-list=excluded-addresses rule in nat/prerouting and/or nat/output and retire the scheduled script.
But everything is working very well.
But I have some questions:
1. How is traffic being routed now? I'm asking this because when the IPsec is down, PPTP is not connecting (if connected, it gets terminated). When "IPSec is killing ike2 SA" happens, before it gets a "new ike2 SA (I)", for about 120 seconds PPTP is just trying to connect. If you remember, I had an "IPsec-SA expired before finishing rekey" problem before; you told me on another topic to set /ip ipsec proposal to pfs-group=none and that fixed the "IPsec-SA expired before finishing rekey" problem, but there is still "IPSec is killing ike2 SA", and I have a feeling this is a server configuration problem (Linux Ubuntu StrongSwan).
(attachment: Screenshot 2021-12-05 080620.jpg)
2. Is it normal to have "IPSec is killing ike2 SA"? It's not very frequent, though; it's like once in three days or every other day.
 
sindy
Forum Guru

Sun Dec 05, 2021 3:00 pm

> Thanks for the nice explanation
> ...
> I made another scheduler for chain=srcnat PPTP_YD to keep it at #=1
> ...
> I didn't change the action=masquerade dst-address-list=excluded-addresses because I didn't understand this part completely.
This means the explanation may have been nice, but actually it wasn't clear enough. So, again.

The very purpose of adding connection-mark=no-mark to the mode-config row is that instead of rule order in the srcnat chain, the presence or absence of a connection-mark would decide which packet will be handled by which rule - so there would be no need to move the rules around, using a scheduled script or otherwise.

My way, there will be just three rules in chain srcnat:
first, the dynamically added one:
action=srcnat src-address-list="Allow Local DNS" connection-mark=no-mark to-addresses=the.ip.from.responder

second and third, in any mutual order, the static one for traffic leaving via PPTP and the static one for the traffic leaving via the regular WAN (ether10 in your case):
add action=masquerade chain=srcnat comment=PPTP_YD out-interface=PPTP_YD src-address=192.168.11.94
add action=masquerade chain=srcnat out-interface-list=WAN


Their mutual order is irrelevant because no packet can match both out-interface=PPTP_YD and out-interface-list=WAN (unless you'd make PPTP-YD a member of interface list WAN; if you did, the single rule matching on out-interface-list=WAN would be enough, but please don't do that as it might break something else in the firewall). The dynamic rule must be first, though.

To make the dynamically created rule ignore a packet, you have to assign some connection-mark (no matter what particular value it will have) to that packet.

Since you want packets matching on dst-address-list=excluded-addresses to be ignored by the dynamic srcnat rule, you must add a
dst-address-list=excluded-addresses action=mark-connection new-connection-mark=avoid-ipsec
rule to /ip firewall mangle; to make it "safe", i.e. to make sure it would only assign a new connection-mark value if none has been assigned to that connection yet, it should also match on connection-mark=no-mark or connection-state=new.

And my mistake was that I've written nat/prerouting and nat/output whereas the correct places are mangle/prerouting and mangle/output.

A rule in mangle/prerouting handles traffic forwarded from LAN; a rule in mangle/output handles packets sent by the Mikrotik itself, such as the PPTP transport ones.
> when the IPsec is down, PPTP is not connecting (if connected, it gets terminated). When "IPSec is killing ike2 SA" happens, before it gets a "new ike2 SA (I)", for about 120 seconds PPTP is just trying to connect. If you remember, I had an "IPsec-SA expired before finishing rekey" problem before; you told me on another topic to set /ip ipsec proposal to pfs-group=none and that fixed the "IPsec-SA expired before finishing rekey" problem, but there is still "IPSec is killing ike2 SA", and I have a feeling this is a server configuration problem (Linux Ubuntu StrongSwan).
If there is no rule in mangle/output (my way) or in nat/srcnat (your previous way) that would exempt the PPTP transport packets sent by the Mikrotik itself from being src-nated to match the dynamically generated IPsec policy, it means that the PPTP transport packets to the remote PPTP server are sent via the IPsec policy. So when the Security Association (SA) linked to that policy is down, but the policy itself still exists, the PPTP transport packets get nowhere, as the policy diverts them but cannot actually deliver them.

> 2. Is it normal to have "IPSec is killing ike2 SA"? It's not very frequent, though; it's like once in three days or every other day.
It indeed looks like some incompatibility between the initiator and the responder, or maybe it indicates a huge data loss causing the rekey procedure to fail, or maybe it's the refresh of the "control SA" (the one the peers use to negotiate and control establishment of the SAs carrying the payload) that fails. To say more, I would have to see the logs from both peers, including about 5 minutes before the "killing ike2 SA" messages appear in the log.
 
jaxed8
Member Candidate
Topic Author

Mon Dec 06, 2021 12:56 am

> This means the explanation may have been nice, but actually it wasn't clear enough. So, again.
Thank you very much. I changed it all and all those excluded-addresses are working great, but if the dynamically added one is at the top (#=0) then the PPTP one is not working; in order to make that work I have to move it on top of that. Am I missing something?
New configuration:
(attachment: bhebiuft5.rsc)
> If there is no rule in mangle/output (my way) or in nat/srcnat (your previous way) that would exempt the PPTP transport packets sent by the Mikrotik itself from being src-nated to match the dynamically generated IPsec policy, it means that the PPTP transport packets to the remote PPTP server are sent via the IPsec policy. So when the Security Association (SA) linked to that policy is down, but the policy itself still exists, the PPTP transport packets get nowhere, as the policy diverts them but cannot actually deliver them.
Thanks man, this one got fixed totally.
> It indeed looks like some incompatibility between the initiator and the responder, or maybe it indicates a huge data loss causing the rekey procedure to fail, or maybe it's the refresh of the "control SA" (the one the peers use to negotiate and control establishment of the SAs carrying the payload) that fails. To say more, I would have to see the logs from both peers, including about 5 minutes before the "killing ike2 SA" messages appear in the log.
I will try to clean and set up everything on the server side again to see if it's going to fix it.
 
sindy
Forum Guru

Mon Dec 06, 2021 11:48 am

> if the dynamically added one is at the top (#=0) then the PPTP one is not working; in order to make that work I have to move it on top of that. Am I missing something?
You only add a routing-mark, not a connection-mark, in mangle/prerouting for src-address=192.168.11.94.

The whole idea of a connection-mark is that although you assign it while handling a single packet, you really mark the whole connection, i.e. connection tracking remembers the value of that mark and assigns it automatically to every subsequent packet it identifies as belonging to the same connection (and even to packets of associated connections), unless/until it eventually gets overwritten. So the normal procedure is that you assign a connection-mark only to the initial packet of each connection (which matches a connection-state=new condition), which is typically handled by a more complex set of rules than mid-connection packets. And to prevent evaluating the more complex rules or match conditions within a rule, you "note down" the required handling using a connection-mark, and then assign routing-mark values and/or packet-mark values based on connection-mark alone.

So my whole mangle/prerouting would typically look as follows:

/ip firewall mangle
add chain=prerouting connection-state=new action=jump jump-target=mark-connections-prerouting
add chain=prerouting connection-mark=PPTP_YD_GAMING50 action=mark-routing new-routing-mark=PPTP_YD_GAMING50 passthrough=no

add chain=mark-connections-prerouting dst-address-list=excluded-addresses action=mark-connection new-connection-mark=avoid-ipsec passthrough=yes comment="for excluded-addresses bypassing the IPsec IKEV2 OVH20"
add chain=mark-connections-prerouting src-address=192.168.11.94 connection-mark=no-mark action=mark-connection new-connection-mark=PPTP_YD_GAMING50 passthrough=yes comment=PPTP_YD_GAMING50


In mangle/output, you may save a few CPU cycles per packet by adding connection-state=new to your existing rule, to avoid re-assigning the same connection-mark to every single PPTP transport packet.

> I will try to clean and set up everything on the server side again to see if it's going to fix it.
Since it doesn't happen regularly, I doubt it is a plain configuration issue; rather a timing issue in one of the protocol stacks, or packet loss. But an audit of the configuration is never harmful :)
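To make the interaction of the connection-mark rules, the routing-mark, the lookup-only-in-table route rule and the dynamic IPsec srcnat rule (connection-mark=no-mark) visible, here is an added Python model of that packet path; it is a teaching model written for this thread, not RouterOS code and not from any poster. The LAN prefix 192.168.11.0/24 (standing in for the IPsec src-address-list), the excluded address 203.0.113.10 and the interface names are assumptions; it also shows why a NAT decision taken while the PPTP interface was down sticks to the connection (point 1 of the earlier post).

```python
"""Teaching model of the RouterOS packet path discussed in this thread (constructed).

Stages: mangle/prerouting (jump into the connection-marking chain only for
connection-state=new), routing decision driven by routing-mark (with or without
the lookup-only-in-table rule), then nat/srcnat whose first rule is the dynamic
IPsec src-nat matching connection-mark=no-mark.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

NO_MARK = "no-mark"
PPTP_MARK = "PPTP_YD_GAMING50"        # connection-mark and routing-mark from the thread
PPTP_IFACE = "PPTP_YD_GAMING50"       # the PPTP client interface
WAN_IFACE = "ether10"                 # regular WAN, default route of table main
LAN = ip_network("192.168.11.0/24")   # assumed: stands in for the IPsec src-address-list
GAMING_PC = "192.168.11.94"
EXCLUDED = {"203.0.113.10"}           # constructed member of dst-address-list=excluded-addresses


@dataclass
class Router:
    pptp_up: bool = True
    ipsec_policy_present: bool = True   # mode-config has installed its dynamic srcnat rule
    lookup_only_in_table: bool = True   # the /ip route rule recommended in the thread exists
    conntrack: dict = field(default_factory=dict)   # (src, dst) -> {"mark", "nat"}

    def _mark_connections_prerouting(self, src, dst, conn):
        # rule 1: dst-address-list=excluded-addresses -> avoid-ipsec (passthrough=yes)
        if dst in EXCLUDED:
            conn["mark"] = "avoid-ipsec"
        # rule 2: the gaming PC, only while still unmarked (connection-mark=no-mark)
        if src == GAMING_PC and conn["mark"] == NO_MARK:
            conn["mark"] = PPTP_MARK

    def _mangle_prerouting(self, src, dst):
        key = (src, dst)
        is_new = key not in self.conntrack
        conn = self.conntrack.setdefault(key, {"mark": NO_MARK, "nat": None})
        if is_new:                       # action=jump ... connection-state=new
            self._mark_connections_prerouting(src, dst, conn)
        # action=mark-routing connection-mark=PPTP_MARK hits every packet of the
        # connection, because conntrack re-applies the connection-mark before mangle
        routing_mark = PPTP_MARK if conn["mark"] == PPTP_MARK else "main"
        return conn, routing_mark

    def _route(self, routing_mark):
        if routing_mark == PPTP_MARK:
            if self.pptp_up:
                return PPTP_IFACE        # default route in table PPTP_MARK
            if self.lookup_only_in_table:
                return None              # table empty, fallback to main forbidden: no route
        return WAN_IFACE                 # default route in table main

    def _srcnat(self, src, conn, out_iface):
        # the NAT decision is taken for the first packet only and cached in conntrack
        if conn["nat"] is None:
            if (self.ipsec_policy_present and ip_address(src) in LAN
                    and conn["mark"] == NO_MARK):
                conn["nat"] = "src-nat to IPsec address"       # dynamic rule, always first
            elif out_iface == PPTP_IFACE and src == GAMING_PC:
                conn["nat"] = "masquerade via " + PPTP_IFACE  # static PPTP rule
            elif out_iface == WAN_IFACE:
                conn["nat"] = "masquerade via " + WAN_IFACE   # static out-interface-list=WAN rule
            else:
                conn["nat"] = "none"
        return conn["nat"]

    def send(self, src, dst):
        """Handle one packet src -> dst; returns (out_interface, nat_action) or ("drop", None)."""
        conn, routing_mark = self._mangle_prerouting(src, dst)
        out_iface = self._route(routing_mark)
        if out_iface is None:
            return ("drop", None)
        return (out_iface, self._srcnat(src, conn, out_iface))


def stale_nat_after_pptp_outage():
    """Without the lookup-only-in-table rule, a connection opened while PPTP is down is
    NATed for ether10 and keeps that NAT after PPTP comes back, until it is removed."""
    r = Router(pptp_up=False, lookup_only_in_table=False)
    first = r.send(GAMING_PC, "9.9.9.9")
    r.pptp_up = True
    second = r.send(GAMING_PC, "9.9.9.9")
    r.conntrack.clear()                  # models /ip firewall connection remove
    third = r.send(GAMING_PC, "9.9.9.9")
    return first, second, third


if __name__ == "__main__":
    r = Router()
    for src, dst in [(GAMING_PC, "9.9.9.9"), ("192.168.11.50", "9.9.9.9"),
                     ("192.168.11.50", "203.0.113.10")]:
        print(src, "->", dst, r.send(src, dst))
    print(stale_nat_after_pptp_outage())
```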
 
jaxed8
Member Candidate
Topic Author

Mon Dec 06, 2021 2:42 pm

> /ip firewall mangle
> add chain=prerouting connection-state=new action=jump jump-target=mark-connections-prerouting
> add chain=prerouting connection-mark=PPTP_YD_GAMING50 action=mark-routing new-routing-mark=PPTP_YD_GAMING50 passthrough=no
>
> add chain=mark-connections-prerouting dst-address-list=excluded-addresses action=mark-connection new-connection-mark=avoid-ipsec passthrough=yes comment="for excluded-addresses bypassing the IPsec IKEV2 OVH20"
> add chain=mark-connections-prerouting src-address=192.168.11.94 connection-mark=no-mark action=mark-connection new-connection-mark=PPTP_YD_GAMING50 passthrough=yes comment=PPTP_YD_GAMING50
Thanks man.
After adding these rules, 192.168.11.94 doesn't have internet access anymore.
My mangle:
add action=jump chain=prerouting connection-state=new jump-target=mark-connections-prerouting
add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 new-routing-mark=\
PPTP_YD_GAMING50 passthrough=no
add action=mark-connection chain=mark-connections-prerouting comment=\
"for excluded-addresses bypassing the IPsec IKEV2 OVH20" dst-address-list=excluded-addresses \
new-connection-mark=avoid-ipsec passthrough=yes
add action=mark-connection chain=mark-connections-prerouting comment=PPTP_YD_GAMING50 connection-mark=\
no-mark new-connection-mark=PPTP_YD_GAMING50 passthrough=yes src-address=192.168.11.94
 
sindy
Forum Guru

Mon Dec 06, 2021 3:59 pm

In your rules, the jump-target in the first rule is mark-connections-prerouting, whereas the last two rules are in chain mark-connections. Unify that one way or the other. Currently, both functionalities that depend on connection-mark should not work as no connection marks are assigned due to this difference.
 
jaxed8
Member Candidate
Topic Author

Mon Dec 06, 2021 5:15 pm

> In your rules, the jump-target in the first rule is mark-connections-prerouting, whereas the last two rules are in chain mark-connections. Unify that one way or the other. Currently, both functionalities that depend on connection-mark should not work as no connection marks are assigned due to this difference.
I'm sorry, I think I don't understand what I should do.
It's like only the very first packet gets routed (if I close the cmd (or just simply open another one) and ping again, again only the first one will receive a reply):
(attachment: Screenshot 2021-12-06 184142.jpg)
 
sindy
Forum Guru

Mon Dec 06, 2021 6:30 pm

Sorry, I've got lost when reading the rules you've posted, they are indeed a 1:1 copy of what I've suggested to set, so the problem with different chain names in different rules doesn't exist (I should have chosen some better name of the chain that wouldn't conflict with the rule action name).

Is the action=fasttrack-connection rule in filter disabled? And are you sure that the first ping goes via the PPTP tunnel (use /tool sniffer quick interface=PPTP_YD_GAMING50 to check that when pinging from the PC)? Because I've currently got no idea what may cause the first ping request and response pass fine but the next ones to fail.

The idea is that the first packet of the ping sequence matches on connection-state=new, so it goes to the mark-connections-prerouting chain and there it gets the connection-mark PPTP_YD_GAMING50; after that, the processing of the packet continues with the first rule after the action=jump one, and this rule should assign it the routing-mark PPTP_YD_GAMING50 since the connection-mark assigned in the other chain is PPTP_YD_GAMING50. The next ping request belonging to the same sequence skips the action=jump rule (as it doesn't match connection-state=new), but it nevertheless matches the action=mark-routing one because it gets the connection-mark in connection tracking (before getting to mangle/prerouting).
 
jaxed8
Member Candidate
Topic Author

Mon Dec 06, 2021 7:03 pm

No problem man, thanks for keeping up.
It's not pinging anymore now -.-' I don't know why.
(attachment: Screenshot 2021-12-06 203348.jpg)
 
jaxed8
Member Candidate
Topic Author

Mon Dec 06, 2021 7:12 pm

> Is the action=fasttrack-connection rule in filter disabled?
Yeah, it's disabled.
I added src-address=192.168.11.94 to this rule:
add chain=prerouting connection-mark=PPTP_YD_GAMING50 action=mark-routing new-routing-mark=PPTP_YD_GAMING50 passthrough=no
so it is now:
add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 new-routing-mark=\
PPTP_YD_GAMING50 passthrough=no src-address=192.168.11.94
and it's working.
Is it correct or wrong?
 
sindy
Forum Guru

Mon Dec 06, 2021 9:21 pm

By adding the src-address=192.168.11.94 to the action=mark-routing rule you have narrowed, not extended, its effect to that source address. Since no other packets than those matching src-address=192.168.11.94 should ever get the connection-mark PPTP_YD_GAMING50, this narrowing of the match of the rule to only src-address=192.168.11.94 must be compensating some error in assigning that connection-mark value to some other traffic, and the only traffic to come to my mind that could affect what passes via the PPTP tunnel if connection-marked incorrectly to PPTP_YD_GAMING50 are the transport packets of the PPTP tunnel.

So what does /ip firewall mangle print chain=output say?
 
jaxed8
Member Candidate
Topic Author

Mon Dec 06, 2021 11:21 pm

> So what does /ip firewall mangle print chain=output say?
Nothing:
(attachment: Screenshot 2021-12-07 004825.jpg)
 
sindy
Forum Guru

Tue Dec 07, 2021 11:54 am

That means that PPTP transport packets go via IPsec again. As you were replacing your previous mangle rules by those I've suggested for prerouting, you've probably removed the single one in output as well, so put it back:

/ip firewall mangle
add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=avoid-ipsec passthrough=yes


But it still doesn't explain why adding src-address=192.168.11.94 to the action=mark-routing rule makes the PPTP payload get where it should. Or maybe it was a coincidence and you've changed something else at the same time (enabled the IPSec)?

So once you add the mangle/output rule above and establish both the PPTP and the IPsec, I'd like to see the output of
/ip firewall connection print detail where dst-address~"ip.of.the.pptp.server"

Then, while pinging 9.9.9.9 from 192.168.11.95, run another command:
/ip firewall connection print detail where src-address~"192.168.11.94" dst-address~"9.9.9.9"

Feel free to obfuscate the actual IP addresses, I'm only interested in the rest of the information.
 
jaxed8
Member Candidate
Topic Author

Tue Dec 07, 2021 3:32 pm

> /ip firewall mangle
> add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=avoid-ipsec passthrough=yes
I'm sorry, I forgot this chain=output one.
But it never had a packet, even when I was visiting sites which are listed in the "excluded-addresses" list:
(attachment: Screenshot 2021-12-07 164652.jpg)
Results with this mangle:
add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=\
    avoid-ipsec passthrough=yes
add action=jump chain=prerouting connection-state=new jump-target=mark-connections-prerouting
add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 new-routing-mark=\
    PPTP_YD_GAMING50 passthrough=no src-address=192.168.11.94
add action=mark-connection chain=mark-connections-prerouting comment=\
    "for excluded-addresses bypassing the IPsec IKEV2 OVH20" dst-address-list=excluded-addresses \
    new-connection-mark=avoid-ipsec passthrough=yes
add action=mark-connection chain=mark-connections-prerouting comment=PPTP_YD_GAMING50 connection-mark=\
    no-mark new-connection-mark=PPTP_YD_GAMING50 passthrough=yes src-address=192.168.11.94
Results:
> So once you add the mangle/output rule above and establish both the PPTP and the IPsec, I'd like to see the output of
> /ip firewall connection print detail where dst-address~"ip.of.the.pptp.server"
(attachment: Screenshot 2021-12-07 164343.jpg)
> Then, while pinging 9.9.9.9 from 192.168.11.95, run another command:
> /ip firewall connection print detail where src-address~"192.168.11.94" dst-address~"9.9.9.9"
(attachment: Screenshot 2021-12-07 164209.jpg)
(attachment: Screenshot 2021-12-07 164135.jpg)
Results with this mangle:
add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=\
    avoid-ipsec passthrough=yes
add action=jump chain=prerouting connection-state=new jump-target=mark-connections-prerouting
add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 new-routing-mark=\
    PPTP_YD_GAMING50 passthrough=no
add action=mark-connection chain=mark-connections-prerouting comment=\
    "for excluded-addresses bypassing the IPsec IKEV2 OVH20" dst-address-list=excluded-addresses \
    new-connection-mark=avoid-ipsec passthrough=yes
add action=mark-connection chain=mark-connections-prerouting comment=PPTP_YD_GAMING50 connection-mark=\
    no-mark new-connection-mark=PPTP_YD_GAMING50 passthrough=yes src-address=192.168.11.94
Results:
So once you add the mangle/output rule above and establish both the PPTP and the IPsec, I'd like to see the output of
/ip firewall connection print detail where dst-address~"ip.of.the.pptp.server"
Screenshot 2021-12-07 165847.jpg
Then, while pinging 9.9.9.9 from 192.168.11.95, run another command:
/ip firewall connection print detail where src-address~"192.168.11.94" dst-address~"9.9.9.9"
Screenshot 2021-12-07 165657.jpg
Screenshot 2021-12-07 165142.jpg
The difference is that in the first one the action=mark-routing rule has src-address=192.168.11.94, but in the second one it doesn't.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN just for one of the LAN devices when the whole router is using IPSec

Tue Dec 07, 2021 5:43 pm

/ip firewall mangle
add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=avoid-ipsec passthrough=yes
I'm sorry I forgot this chain=output one.
but it never had a packet even when I was visiting sites which are listed in the "excluded-addresses" list:
Rules in chain output are only used for traffic originating on the Mikrotik itself; when you "visit sites", I assume you visit them from a PC, and traffic from PC to internet takes chains forward and prerouting (other ones as well, but not output).

As you wrote
If there is no rule in mangle/output (my way) or in nat/srcnat (your previous way) that would exempt the PPTP transport packets sent by the Mikrotik itself from being src-nated to match the dynamically generated IPsec policy, it means that the PPTP transport packets to the remote PPTP server are sent via the IPsec policy.
Thanks man this one got fixed totally.
I supposed that the address of the PPTP server is on the excluded-addresses list. But it either isn't or the mangle/output rule is wrong. Or maybe you actually want the PPTP transport packets to be sent to the server via the IPsec VPN? What's the intention?

Regarding the need to add src-address=192.168.11.94 to the action=mark-routing rule in order to make it work, it smells like a bug to me. What happens if you replace the address to get src-address=128.0.0.0/1 in the rule and try to ping again?
 
jaxed8
Member Candidate
Member Candidate
Topic Author
Posts: 195
Joined: Tue Jul 27, 2021 8:25 pm

Re: VPN just for one of the LAN devices when the whole router is using IPSec

Tue Dec 07, 2021 7:00 pm

Rules in chain output are only used for traffic originating on the Mikrotik itself; when you "visit sites", I assume you visit them from a PC, and traffic from PC to internet takes chains forward and prerouting (other ones as well, but not output).
Got it thanks.
As you wrote

Thanks man this one got fixed totally.
I supposed that the address of the PPTP server is on the excluded-addresses list. But it either isn't or the mangle/output rule is wrong. Or maybe you actually want the PPTP transport packets to be sent to the server via the IPsec VPN? What's the intention?
Yeah, exactly, the IP of the PPTP server is not on that list, so I added another chain=output rule:
add action=mark-connection chain=output connection-state=new disabled=yes dst-address="ip.of.the.pptp.server" \
new-connection-mark=avoid-ipsec passthrough=yes

Is it better to send PPTP transport packets via the IPsec VPN (in this way the ISP just sees IPsec, not the PPTP, right?) or not, in terms of security and performance?
Regarding the need to add src-address=192.168.11.94 to the action=mark-routing rule in order to make it work, it smells like a bug to me. What happens if you replace the address to get src-address=128.0.0.0/1 in the rule and try to ping again?
It worked and I can ping but can not open websites or they are very slow.
add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 new-routing-mark=\
PPTP_YD_GAMING50 passthrough=no src-address=128.0.0.0/1
Screenshot 2021-12-07 203032.jpg
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN just for one of the LAN devices when the whole router is using IPSec  [SOLVED]

Wed Dec 08, 2021 12:03 am

Is it better to send PPTP transport packets via the IPsec VPN (in this way the ISP just sees IPsec, not the PPTP, right?) or not, in terms of security and performance?
PPTP is definitely not secure by nowadays' measures, so not only to hide the fact that it is PPTP from the ISP but also to cipher the payload by a contemporary encryption algorithm you need an external encryption (like IPsec). Plus PPTP has also other limitations, so better to use L2TP/IPsec or bare IPsec, depending on the server capabilities.

If you use the same IPsec tunnel you use to hide your traffic from the ISP also to encrypt the PPTP, the bare PPTP becomes exposed all the way from the internet-facing interface of the IPsec VPN provider further to the PPTP server, which may or may not bother you depending on what kind of data you send via the PPTP.

It worked and I can ping but can not open websites or they are very slow.
I started writing an explanation why I suspect it is a bug and how to check that, and during that writing I've realized what the actual issue is. So remove the src-address=128.0.0.0/1 from the action=mark-routing rule and instead add in-interface-list=LAN to it. What was happening was that packets that arrived from the PPTP tunnel were getting the routing-mark too, and since there is only a default route in the routing table PPTP_YD_GAMING50, they got routed out the tunnel again rather than to the LAN host. The 9.9.9.9 doesn't fit into 128.0.0.0/1, so the src-address=128.0.0.0/1 prevented the responses from there from being misrouted, but the in-interface-list=LAN is one of several proper solutions.

Regarding slow opening of websites, I'd rather assume that to be caused by an MTU issue (any tunnel, including the PPTP one, reduces the MTU of the payload packets) combined with failure of path MTU discovery, which may happen outside the Mikrotik. So check one of the many topics here on the forum dealing with this (search for posts suggesting action=change-mss rules in chain forward of mangle in relationship to MTU).
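The rule set as it ends up after this post, written out as an added example rather than either poster's own export; it assumes the PPTP client interface is named PPTP_YD, that an interface list LAN exists, keeps the "ip.of.the.pptp.server" placeholder, and leaves out the nat/srcnat rule elsewhere in the config that actually consumes the avoid-ipsec connection mark.

```routeros
# Added example, not the thread's own config. Assumed names: PPTP_YD (pptp
# client interface), LAN (interface list), ip.of.the.pptp.server (placeholder).

/ip firewall mangle
# Transport packets the router itself sends to the PPTP server only traverse
# chain=output; marking them here keeps them out of the IPsec policy match.
add action=mark-connection chain=output connection-state=new \
    dst-address=ip.of.the.pptp.server new-connection-mark=avoid-ipsec \
    passthrough=yes comment="PPTP transport bypasses IPsec"

# Mark each NEW connection from the gaming host once; replies inherit the
# connection mark through connection tracking.
add action=jump chain=prerouting connection-state=new \
    jump-target=mark-connections-prerouting
add action=mark-connection chain=mark-connections-prerouting \
    connection-mark=no-mark src-address=192.168.11.94 \
    new-connection-mark=PPTP_YD_GAMING50 passthrough=yes

# Routing mark only for packets entering from the LAN. Without the
# in-interface-list match, replies arriving through PPTP_YD carry the same
# connection mark, get the routing mark too, and the only route in table
# PPTP_YD_GAMING50 (the default) would send them back out the tunnel.
add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 \
    in-interface-list=LAN new-routing-mark=PPTP_YD_GAMING50 passthrough=no

# Clamp TCP MSS on SYNs crossing the tunnel (both directions) so failed path
# MTU discovery beyond the router does not leave web pages hanging.
add action=change-mss chain=forward protocol=tcp tcp-flags=syn \
    out-interface=PPTP_YD new-mss=clamp-to-pmtu passthrough=yes
add action=change-mss chain=forward protocol=tcp tcp-flags=syn \
    in-interface=PPTP_YD new-mss=clamp-to-pmtu passthrough=yes

/ip firewall nat
# Source NAT the gaming host to the tunnel address on the way out.
add action=masquerade chain=srcnat out-interface=PPTP_YD \
    src-address=192.168.11.94

/ip route
# Default route in the PPTP_YD_GAMING50 table; nothing else is needed there.
add distance=1 gateway=PPTP_YD routing-mark=PPTP_YD_GAMING50
```

After applying it, the two /ip firewall connection print commands quoted above should show the PPTP transport connection with connection-mark avoid-ipsec and the 9.9.9.9 ping with connection-mark PPTP_YD_GAMING50.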
 
jaxed8
Member Candidate
Member Candidate
Topic Author
Posts: 195
Joined: Tue Jul 27, 2021 8:25 pm

Re: VPN just for one of the LAN devices when the whole router is using IPSec

Wed Dec 08, 2021 10:21 am

I started writing an explanation why I suspect it is a bug and how to check that, and during that writing I've realized what the actual issue is. So remove the src-address=128.0.0.0/1 from the action=mark-routing rule and instead add in-interface-list=LAN to it.
Thanks a lot man, all working just fine now, and in fact I changed PPTP to L2TP/IPsec. I really appreciate all your effort and guidance.

Do you have a bitcoin or any other cryptocurrency wallet that you can send me the deposit address of?
