VPN
Kameleon3107, 2018-10-18 22:28:01

Mikrotik: routing that bypasses the VPN. What am I doing wrong?

Good day, I need help with a configuration. There is a Mikrotik, the Internet from the provider comes in on the first port, and a connection to an L2TP VPN server is up. I need to implement a scheme in which access to the addresses in address-list "woVPN" (external IPs of web resources) goes through the provider directly, and the rest of the traffic goes into the VPN. In addition, a division has already been made by address-list "inVPN" of which local clients go into the VPN and which do not. Accordingly, the routing mark "throughtVPN" directs traffic from the local machines into the VPN. I can't figure out why "woVPN" doesn't work. Thank you in advance for your help.

routes (screenshot of the routing table, not reproduced here)
interfaces
# oct/18/2018 22:06:39 by RouterOS 6.43.2
/interface bridge
add fast-forward=no name=br-LAN
/interface ethernet
set [ find default-name=ether1 ] mac-address=4C:FE:F9:CB:9D:61 name=eth1_WAN speed=100Mbps
set [ find default-name=ether2 ] comment=Komp name=eth2 speed=100Mbps
set [ find default-name=ether3 ] comment=NAS name=eth3 speed=100Mbps
set [ find default-name=ether4 ] comment=TV name=eth4 speed=100Mbps
set [ find default-name=ether5 ] name=eth5 speed=100Mbps
/interface l2tp-client
add allow-fast-path=yes connect-to=someIP disabled=no ipsec-secret= name=l2tp-out1 password= use-ipsec=yes \
/interface pptp-client
add connect-to= name=pptp-work-lit password= user=\
/interface list
add name=wan
add name=lan_vpn
/interface bridge port
add bridge=br-LAN interface=eth3
add bridge=br-LAN interface=eth4
add bridge=br-LAN interface=eth5
add bridge=br-LAN interface=wlan_2ghz
add bridge=br-LAN interface=wlan_5ghz
add bridge=br-LAN interface=eth2
/interface list member
add interface=eth1_WAN list=wan
add interface=br-LAN list=lan_vpn
add interface=l2tp-out1 list=lan_vpn
address list
# oct/18/2018 22:06:39 by RouterOS 6.43.2
/ip firewall address-list
add address=100.0.0.111 list=inVPN
add address=100.0.0.110 list=inVPN
add address=217.16.21.102 list=woVPN
add address=185.89.12.132 list=woVPN
add address=100.0.0.106 list=inVPN
add address=192.168.8.0/24 list=work-resources
add address=100.0.0.101 comment=komp list=inVPN
firewall rules
# oct/18/2018 22:06:26 by RouterOS 6.43.2
/ip firewall filter
add action=drop chain=input comment="drop outside DNS req" dst-port=53 in-interface=eth1_WAN protocol=udp
add action=drop chain=input comment="drop outside NTP" dst-port=123 in-interface=eth1_WAN protocol=udp
add action=accept chain=input comment="accept local NTP" in-interface=br-LAN protocol=udp src-port=123
add action=accept chain=forward comment=ping in-interface=!eth1_WAN protocol=icmp
add action=accept chain=input in-interface=!eth1_WAN protocol=icmp
add action=drop chain=input comment="invalid state" connection-state=invalid
add action=drop chain=forward connection-state=invalid
mangle
# oct/18/2018 22:06:09 by RouterOS 6.43.2
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=throughtVPN passthrough=no src-address-list=inVPN
add action=mark-routing chain=prerouting dst-address-list=woVPN new-routing-mark=woVPN passthrough=no src-address=100.0.0.0/24
add action=mark-routing chain=prerouting comment=work connection-mark=work-lit new-routing-mark=work-resources passthrough=no
add action=mark-connection chain=prerouting comment="work test" dst-address=192.168.8.251 new-connection-mark=work-lit passthrough=no
NAT
# oct/18/2018 22:06:17 by RouterOS 6.43.2
/ip firewall nat
add action=masquerade chain=srcnat comment=woVPN out-interface=eth1_WAN
add action=masquerade chain=srcnat comment=inVPN out-interface=l2tp-out1 routing-mark=throughtVPN
add action=masquerade chain=srcnat comment=mainISP out-interface=eth1_WAN
# pptp-work-lit not ready
add action=masquerade chain=srcnat comment=work-lit out-interface=pptp-work-lit


1 answer(s)
Viktor Belsky, 2018-10-19
@Kameleon3107

In the mangle either do
or do this one first:

add action=mark-routing chain=prerouting dst-address-list=woVPN new-routing-mark=woVPN passthrough=no src-address=100.0.0.0/24
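As an added illustration (not from the question or the answer), a small Python model of how a mangle chain is evaluated: rules are tried top to bottom and a match with passthrough=no ends the chain, so in the posted order the inVPN rule swallows every packet from an inVPN host before the woVPN rule is reached. It uses the two routing-mark rules and the address lists from the question; the sample packet addresses and the "!woVPN" variant are constructed for the demonstration.

```python
# Model of RouterOS mangle evaluation: rules are tried top to bottom and a
# matching rule with passthrough=no stops the chain, so a later rule never
# sees that packet. Address lists and rules are the ones from the question.
from ipaddress import ip_address, ip_network

ADDRESS_LISTS = {
    "inVPN": {"100.0.0.111", "100.0.0.110", "100.0.0.106", "100.0.0.101"},
    "woVPN": {"217.16.21.102", "185.89.12.132"},
}

def in_list(addr, spec):
    """Match addr against an address-list name; a leading '!' negates."""
    negate = spec.startswith("!")
    return (addr in ADDRESS_LISTS[spec.lstrip("!")]) != negate

def matches(rule, src, dst):
    """Check the matchers a rule carries (only the ones used on this page)."""
    if "src-address-list" in rule and not in_list(src, rule["src-address-list"]):
        return False
    if "dst-address-list" in rule and not in_list(dst, rule["dst-address-list"]):
        return False
    if "src-address" in rule and ip_address(src) not in ip_network(rule["src-address"]):
        return False
    return True

def routing_mark(rules, src, dst):
    """Routing mark a packet leaves the chain with, or None if nothing matched."""
    mark = None
    for rule in rules:
        if matches(rule, src, dst):
            mark = rule["new-routing-mark"]
            if not rule.get("passthrough", True):
                break  # passthrough=no: stop, the remaining rules are skipped
    return mark

# Order as posted: every inVPN host is caught by rule 1, so rule 2 is dead.
ORIGINAL = [
    {"src-address-list": "inVPN", "new-routing-mark": "throughtVPN", "passthrough": False},
    {"src-address": "100.0.0.0/24", "dst-address-list": "woVPN",
     "new-routing-mark": "woVPN", "passthrough": False},
]
# Fix A (the answer above): put the woVPN rule first.
REORDERED = [ORIGINAL[1], ORIGINAL[0]]
# Fix B (constructed): keep the order but exclude woVPN destinations from rule 1.
EXCLUDED = [{**ORIGINAL[0], "dst-address-list": "!woVPN"}, ORIGINAL[1]]

if __name__ == "__main__":
    # constructed sample: inVPN host 100.0.0.111 talking to woVPN host 217.16.21.102
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED), ("excluded", EXCLUDED)):
        print(f"{name}: {routing_mark(rules, '100.0.0.111', '217.16.21.102')}")
```

The mark only takes effect if a route with routing-mark=woVPN via the provider's gateway exists; the routes screenshot is not reproduced on this page, so that is worth checking as well.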
