I am trying to solve the following problem: route specific traffic through my VPN (debian server with a VPN client): IP 192.168.60.100 + all ports except 16754,443,80. The rest of the traffic should be internal using the main table or using my ISP connection. The main router is a CHR installed on a proxmox with ip. Only ports tcp 16754, 443, 80 are forwarded from Internet ISP to NAS. All outgoing connections from Synology (Proxy, https, ftp, ...) should be forwarded to Internet VPN.
I use a debian server with a VPN client (192.168.50.80) which takes care of masquerading and some specific rules that worked previously with a pfsense server which I replaced (or want to definitely replace by a mikrotik CCR).
I tried to solve it in a lot of ways
- routing table + routing rule + mangle routing mark
- routing table + routing rule + mangle routing mark + mangle connection mark
- routing table + routing rule + masquerading...
I know that a lot of people already had the same sort of problems and I have already looked at dozens of posts which did not solve my problem. I want to forward my traffic through my VPN
- I used the advanced firewall recommendation
/routing table
add disabled=no fib name=rtab-VPN
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack connections" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept established/related/untracked sessions" connection-state=established,related,untracked
add action=accept chain=forward dst-address=192.168.60.100
add action=accept chain=forward src-address=192.168.60.100
add action=drop chain=forward comment="Drop invalid sessions" connection-state=invalid
..... a lot of personal rules here
add action=drop chain=forward comment="Drop all from WAN not NATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all other packets from LAN to LAN" in-interface-list=ALL_LAN out-interface-list=ALL_LAN
add action=accept chain=input comment="Accept established/related sessions" connection-state=established,related
add action=drop chain=input comment="Drop invalid sessions" connection-state=invalid
add action=accept chain=input comment="Accept ICMP from HOME_LAN" in-interface-list=HOME_LAN protocol=icmp
add action=accept chain=input comment="Accept tcp DNS from ALL_LAN" dst-port=53 in-interface-list=ALL_LAN protocol=tcp
add action=accept chain=input comment="Accept udp DNS from ALL_LAN" dst-port=53 in-interface-list=ALL_LAN protocol=udp
add action=accept chain=input comment="Accept SSH/HTTPS/Winbox from ADMIN_LAN" dst-port=22,443,8291 in-interface-list=ADMIN_LAN protocol=tcp
add action=accept chain=input comment="Accept HTTP (unsecure) from ADMIN_LAN" dst-port=80 in-interface-list=ADMIN_LAN protocol=tcp
add action=drop chain=input comment="Drop all other packets to the router"
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/16 dst-port=443 new-routing-mark=rtab-VPN passthrough=no protocol=tcp src-address=192.168.60.100
/ip firewall nat
add action=masquerade chain=srcnat comment="Accept masquerade from LAN" out-interface=br-wan
/ip firewall raw
add action=accept chain=prerouting comment="Accept DHCP from ALL_LAN" dst-address=255.255.255.255 dst-port=67 in-interface-list=ALL_LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="Drop bad source packets" src-address-list=def_bad_ipv4
add action=drop chain=prerouting comment="Drop bad destination packets" dst-address-list=def_bad_ipv4
add action=drop chain=prerouting comment="Drop bad source packets" src-address-list=def_bad_src_ipv4
add action=drop chain=prerouting comment="Drop bad destination packets" dst-address-list=def_bad_dst_ipv4
add action=drop chain=prerouting comment="Drop bad source packets from WAN" in-interface-list=WAN src-address-list=def_not_global_ipv4
add action=drop chain=prerouting comment="Drop bad udp packets" port=0 protocol=udp
add action=accept chain=prerouting comment="Accept all the rest from ALL_LAN network" in-interface-list=ALL_LAN
add action=accept chain=prerouting comment="Accept all the rest from WAN OrangeIGMP network" in-interface-list=WAN
add action=drop chain=prerouting comment="Drop all other packets to the router" disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.50.80 routing-table=rtab-VPN suppress-hw-offload=no
/ipv6 firewall raw
add action=drop chain=prerouting
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=rtab-VPN table=rtab-VPN
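As an added example (not the poster's configuration or a reply from the thread), one way to express the stated policy in RouterOS 7 syntax: mark the NAS connections that should leave via the VPN, derive the routing mark from the connection mark on every packet, and keep those connections out of fasttrack, because fasttracked packets skip the mangle table and would lose the per-packet routing mark. It assumes the host 192.168.60.100, the table rtab-VPN and the port exceptions from the post; the connection-mark name vpn-conn is invented for this example.

```routeros
# Added example, not the poster's own rules. Assumes host 192.168.60.100,
# routing table rtab-VPN (gateway 192.168.50.80) and the port exceptions
# from the post; "vpn-conn" is a connection-mark name chosen here.
/ip firewall mangle
# New TCP connections from the NAS to the Internet, except the three
# ports that must stay on the ISP path
add chain=prerouting connection-state=new src-address=192.168.60.100 \
    dst-address=!192.168.0.0/16 protocol=tcp dst-port=!16754,443,80 \
    action=mark-connection new-connection-mark=vpn-conn passthrough=yes
# Everything that is not TCP (UDP, ICMP, ...) from the NAS to the Internet
add chain=prerouting connection-state=new src-address=192.168.60.100 \
    dst-address=!192.168.0.0/16 protocol=!tcp \
    action=mark-connection new-connection-mark=vpn-conn passthrough=yes
# Every packet of a marked connection is routed with table rtab-VPN
add chain=prerouting connection-mark=vpn-conn \
    action=mark-routing new-routing-mark=rtab-VPN passthrough=no

/ip firewall filter
# Must sit before the fasttrack rule: fasttracked packets bypass mangle,
# so marked connections are accepted here instead of being fasttracked
add chain=forward connection-mark=vpn-conn \
    connection-state=established,related action=accept place-before=0
```

After adding the rules, /ip firewall connection print where connection-mark=vpn-conn shows whether the NAS connections are actually being marked, and /ip route check can be used to confirm which table a given destination resolves through.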