dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Route over IPSEC tunnel by port or dst fqdn

Sat Dec 03, 2022 1:22 pm

Hi,

I have a VPN tunnel setup from the router to a commercial VPN provider. It's easy for me to forward all the packets from a LAN address, e.g., 192.168.0.44 through the tunnel using a src address list in mode-config. I can't figure out a way to send only some of the traffic over the VPN. I have one site (with a FQDN) that works over one port, either of which I could use to filter the traffic, but probably the port would be easiest.

What's the best way to do that?

I have played around with the connection mark and mangle, but I couldn't get it to work - most likely because I am not smart enough to know what I'm doing there.

D.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route over IPSEC tunnel by port or dst fqdn

Sat Dec 03, 2022 7:05 pm

I don't use it often, but mode-config has either matching using address list or connection mark. If you choose the latter, you can mark whatever you want to send via tunnel. Something like:
/ip firewall mangle
add in-interface=<LAN> connection-state=new src-address=192.168.0.44 action=mark-connection new-connection-mark=<mark>
add in-interface=<LAN> connection-state=new dst-address-list=<list> action=mark-connection new-connection-mark=<mark>
add in-interface=<LAN> connection-state=new protocol=tcp dst-port=25 action=mark-connection new-connection-mark=<mark>
...
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Route over IPSEC tunnel by port or dst fqdn

Sun Dec 04, 2022 2:33 pm

Thank you for this.

I take from this that I need only some of those three rules, depending on what I want to achieve. If I wanted port-based filtering of traffic from one LAN IP address, how would I set that up? Should I mark the connections with the matching port number and then let Mode-Config match both connection mark and IP address? I've tried a few variants of mode-config settings, chain (forward or prerouting) and marking connections, but couldn't make it work. I'm effectively guessing.

Thanks again in advance for any help.

D.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route over IPSEC tunnel by port or dst fqdn

Mon Dec 05, 2022 12:53 am

Do you have both connection mark and src address list set in mode config? I never tried that, so I'm not sure if it works as OR or AND. Try only connection mark. Then you need the right conditions. For some ports from a specific address, e.g.:
/ip firewall mangle
add chain=prerouting src-address=192.168.0.44 protocol=tcp dst-port=25,53,465 connection-state=new action=mark-connection new-connection-mark=<mark>
add chain=prerouting src-address=192.168.0.44 protocol=udp dst-port=53 connection-state=new action=mark-connection new-connection-mark=<mark>
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Route over IPSEC tunnel by port or dst fqdn

Sat Dec 10, 2022 8:52 pm

Yep, that did it. Many many thanks for helping me get it going.

On a related note, I pushed my knowledge even further and tried to set up two different VPNs - both from the same VPN provider, but to 2 different countries. This broke them both. Is it possible, using this method, to have multiple VPNs and to use mangle to send the traffic down different routes?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route over IPSEC tunnel by port or dst fqdn

Sat Dec 10, 2022 10:36 pm

It depends on what local addresses (for your end of the tunnel) you get from them. If they are different ones, it should work (most likely). But if it happens to be the same address, it wouldn't work.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Route over IPSEC tunnel by port or dst fqdn

Mon Dec 12, 2022 2:05 pm

Hi,

The end of tunnel address is different (different country). The tunnels are established, but the setup doesn't work as I want it to. The difference in the config seems to be that only one VPN route (is that the right term?) has a dynamic NAT entry created, but the other does not. Otherwise, all looks the same in both set-ups, barring the appropriate choices of mode config, mangling, etc.

My process was to repeat the instructions given here https://support.nordvpn.com/Connectivit ... ordVPN.htm for two different tunnels - NordVPN (as in the example) and USVPN. I then mark the connections - one with ipsec and the other with my own mark - US in Mangle. Mode-config is used to select the traffic.

This does seem to create two working tunnels, but the traffic doesn't flow as expected.

One issue doing this is that the special mark ipsec can be used to bypass fasttrack. Perhaps you can add two fasttrack filter rules to deal with that, but I haven't got that far - I just disabled fasttrack to test.

Any idea what the problem is?

D.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Route over IPSEC tunnel by port or dst fqdn

Fri Dec 16, 2022 11:02 am

I think it's the dynamic NAT entry that is the problem. Of the two tunnels created it seems that traffic gets sent over the first one that creates a NAT entry.

Any suggestions? I would guess multiple VPN tunnels must be a common scenario.

D
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route over IPSEC tunnel by port or dst fqdn

Sun Dec 18, 2022 3:13 am

If you look at generated IPSec policies, are there two different local addresses?
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Route over IPSEC tunnel by port or dst fqdn

Tue Dec 20, 2022 1:03 am

It looks like there is, yes: 10.6.0.1 and 10.6.0.6. There are also two dynamic NAT entries that use those addresses.

As far as I can tell the bit that isn't working is mangling the packets matching a destination address. It doesn't seem to send anything over the tunnel. Not sure how to troubleshoot...

Do you have any suggestions?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route over IPSEC tunnel by port or dst fqdn

Tue Dec 20, 2022 11:49 pm

If you also have two distinct marks (you do, right?), then srcnat conditions should match, source should get changed to one address or another, and then the right IPSec policy should apply. Right now I don't know what could be the problem. If you export and post your config, maybe someone will see some problem in there.
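Added example (not posted by anyone in this thread, nor taken from the NordVPN guide) pulling together the design Sob describes in his Dec 5 and Dec 20 replies: one connection mark per tunnel, mode-config matching on the mark only, and a fasttrack rule that leaves marked connections alone. It assumes two IPsec peers/identities already exist and reference the mode-configs named here, that the LAN interface is "bridge", and that the marks "vpn-uk"/"vpn-us", the address list "via-us" and the host example.org are placeholders.

```routeros
# Added example, not the thread's own config. Assumes peers/identities for
# the two tunnels already exist and point at the mode-configs below.

# One mode-config per tunnel; each matches only its own mark (no
# src-address-list), so the dynamic srcnat and policy are selected by mark.
/ip ipsec mode-config
add name=mc-uk responder=no connection-mark=vpn-uk
add name=mc-us responder=no connection-mark=vpn-us

# Constructed destination list; RouterOS resolves an FQDN entry itself.
/ip firewall address-list
add list=via-us address=example.org comment="hosts to send via US tunnel"

# Mark only the first packet of a new, still-unmarked connection.
# Port-based selection from one LAN host goes to the UK tunnel ...
/ip firewall mangle
add chain=prerouting in-interface=bridge connection-state=new \
    connection-mark=no-mark src-address=192.168.0.44 protocol=tcp \
    dst-port=25,53,465 action=mark-connection new-connection-mark=vpn-uk \
    passthrough=no
add chain=prerouting in-interface=bridge connection-state=new \
    connection-mark=no-mark src-address=192.168.0.44 protocol=udp \
    dst-port=53 action=mark-connection new-connection-mark=vpn-uk \
    passthrough=no
# ... and destination-based selection for any LAN host goes to the US one.
add chain=prerouting in-interface=bridge connection-state=new \
    connection-mark=no-mark dst-address-list=via-us \
    action=mark-connection new-connection-mark=vpn-us passthrough=no

# Fasttrack only unmarked connections, so marked ones still hit the IPsec
# policies. This replaces the default fasttrack rule; note that any other
# custom connection mark you use would also lose fasttrack with this matcher.
/ip firewall filter
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=no-mark \
    comment="fasttrack everything except tunnel traffic"
add chain=forward action=accept connection-state=established,related
```

Once both tunnels are up, `/ip ipsec policy print` should list one dynamic policy per local address (the two 10.6.0.x addresses above) and `/ip firewall nat print` one dynamic srcnat entry per mark, which is the pair of checks Sob is asking for. If a connection shows no mark in `/ip firewall connection print`, the mangle rule never matched it and the tunnel is not the problem.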
