This here is maybe a tutorial and furthermore a question!
I would like to transfer traffic only for some addresses over my VPN tunnel.
Unfortunately my DL and UL rate is very slow, so I am not sure if I set up everything correctly, but basically it works!!!
Would be fine if anyone would look at my config and make some improvements...
I am mangling traffic from a destination address list with a routing mark: vpn
Second is to mark all traffic routing-marked with vpn with connection mark: no-FastTrack
NAT: all ppp are masqueraded
Finally, in the route table there is a 0.0.0.0/0 to gateway: vpn with ping check and routing mark vpn.
So my traffic will find a gateway over my VPN tunnel and gets back.
Code:
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid log-prefix="DROP --- INPUT invalid:::"
add action=jump chain=input comment="check Chain - DENY" jump-target=DENY log-prefix="Chain - DENY:::"
add action=jump chain=input comment="check Chain - ACCEPT" jump-target=ALLOW log-prefix="Chain - ALLOW:::"
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!lan log-prefix="DROP --- INPUT not LAN:::"
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-mark=!no-FastTrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid log-prefix="DROP --- FORWARD invalid:::"
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=wan log-prefix="DROP --- Forward not DSTNATed:::"
add action=drop chain=forward comment="drop all from Bridge-Guest to Bridge-LAN" in-interface=bridge-guest log=yes log-prefix="DROP --- FORWARD GuestLAN:::" out-interface=bridge-lan
add action=accept chain=ALLOW comment="Access over VPN ( 192.168.15.2)" log=yes log-prefix="VPN :::" src-address=192.168.15.2
add action=accept chain=ALLOW comment="Access to RouterOS WebFig" connection-state="" disabled=yes dst-port=80 log=yes protocol=tcp
add action=accept chain=ALLOW comment="Access via OpenVPN" connection-state="" dst-port=443 log=yes log-prefix="Access via OpenVPN:::" protocol=tcp
add action=accept chain=ALLOW comment="Access via PPTP" connection-state="" dst-port=1723 protocol=tcp
add action=accept chain=ALLOW comment="Access via PPTP" connection-state="" protocol=gre
add action=accept chain=ALLOW comment="DNS Request for Bridge-Guest" dst-port=53 in-interface=bridge-guest protocol=udp
add action=accept chain=ALLOW comment="Access via L2TP/IPSec" connection-state="" dst-port=500 protocol=udp
add action=accept chain=ALLOW comment="Access via L2TP/IPSec" connection-state="" dst-port=4500 protocol=udp
add action=accept chain=ALLOW comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=ALLOW comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ALLOW comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=ALLOW comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=ALLOW comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=ALLOW comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=ALLOW comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=drop chain=DENY comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=DENY comment="deny RPC portmapper" dst-port=111 protocol=udp
add action=drop chain=DENY comment="deny RPC portmapper" dst-port=135 protocol=udp
add action=drop chain=DENY comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=DENY comment="deny NFS" dst-port=2049 protocol=udp
/ip firewall mangle
add action=mark-routing chain=prerouting comment="VPN Address List" dst-address-list=VPN log-prefix=VPN-Mark::: new-routing-mark=vpn passthrough=yes
add action=mark-routing chain=prerouting comment=Desktop new-routing-mark=vpn passthrough=yes src-address=192.168.14.254
add action=mark-connection chain=prerouting comment="all outgoing VPN Traffic" new-connection-mark=no-FastTrack passthrough=no routing-mark=vpn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=wan to-addresses=192.168.14.1
add action=masquerade chain=srcnat comment="masquerade all ppp (VPN)" out-interface=all-ppp to-addresses=192.168.14.1
/ip firewall service-port
set ftp disabled=yes
EDIT:
Solution for anybody who is interested.
After doing the same long research on different forums, wikis, ....
my RB2011UiAS-RM is simply too slow. The CPU can not handle IPsec encryption as fast as I thought.
MikroTik support confirms that; my result of around 20 MBit/sec is a good result.
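The address list and policy route that the post describes in prose but does not show, written out as an added example rather than the poster's own export. It assumes RouterOS v6 syntax, a tunnel interface named vpn, and placeholder destination addresses; it also adds a blackhole route so that marked traffic is dropped rather than falling back to the main table (and leaking out the WAN) while the tunnel is down.

```routeros
# Added example, not the poster's config. Assumptions: RouterOS v6 syntax,
# a PPP/VPN interface named "vpn", placeholder destination addresses.

# 1. Destinations that should leave through the tunnel (placeholder entries).
#    The mangle rule with dst-address-list=VPN matches against this list.
/ip firewall address-list
add list=VPN address=203.0.113.0/24 comment="placeholder: remote office"
add list=VPN address=198.51.100.10 comment="placeholder: single host"

# 2. Policy route: only packets carrying routing-mark=vpn consult this table.
#    check-gateway=ping deactivates the route while the tunnel does not answer.
/ip route
add dst-address=0.0.0.0/0 gateway=vpn routing-mark=vpn check-gateway=ping \
    distance=1 comment="default via VPN for marked traffic"

#    Caveat: if no route in the "vpn" table is active, RouterOS v6 falls back
#    to the main table, so marked traffic would leave via the WAN in clear.
#    A higher-distance blackhole keeps the table non-empty and drops it instead.
add dst-address=0.0.0.0/0 type=blackhole routing-mark=vpn distance=2 \
    comment="kill switch: no fallback to main table when VPN is down"

# 3. Checks: the mangle counters must grow for the marked flows, the VPN route
#    must show flag A (active) while the tunnel is up, and VPN connections must
#    carry the no-FastTrack mark (otherwise fasttracked packets skip mangle and
#    lose the routing mark after the first packets of the connection).
/ip firewall mangle print stats where new-routing-mark=vpn
/ip route print where routing-mark=vpn
/ip firewall connection print where connection-mark=no-FastTrack
```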