Hi all. Im looking for ideas and methods to use a VPN tunnel (IPIP/IPsec) as a default gateway, but of course not killing off the default gateway the tunnel is using. There wont be any NAT performed until the traffic reaches the other end of the VPN tunnel.

Thanks!

Never done it, but policy routing or a VRF should do it. Simply putting the LAN interface and the tunnel interface in the same VRF and leaving the WAN interface in the main routing table would probably do it. Then just add a second default gateway in the LAN/tunnel VRF dst of 0.0.0.0 gateway of remote vpn ip.

Never done it, but policy routing or a VRF should do it. Simply putting the LAN interface and the tunnel interface in the same VRF and leaving the WAN interface in the main routing table would probably do it. Then just add a second default gateway in the LAN/tunnel VRF dst of 0.0.0.0 gateway of remote vpn ip.

Ive never done this either (had to google VRF), but Im not using MPLS on this network, will mikrotiks VRF work without MPLS?

Yes.

Yes.

I googled around about this VRF and there isnt a lot of info, any simple examples ? seems I still have to mark traffic with routing marks still so Im not sure how VRF is advantageous to using the main routing table with marks.?


I have a wan interface, and an IPIP tunnel over it to another mikrotik, and I want LAN traffic to go out the IPIP tunnel by default (not natted).

/ip route vrf add interfaces=ether1,ipip1 routing-mark=vpn-lan

Then all the routing that happens on the ether1 and ipip1 interface will happen in its own routing table called vpn-lan.

I think it should work. I use VRFs, but not for default gateway, just for private VPNs. MPLS is just for distributing the private routing tables across broad networks.

/ip route vrf add interfaces=ether1,ipip1 routing-mark=vpn-lan

Then all the routing that happens on the ether1 and ipip1 interface will happen in its own routing table called vpn-lan.

I think it should work. I use VRFs, but not for default gateway, just for private VPNs. MPLS is just for distributing the private routing tables across broad networks.

So I would add a default route 0.0.0.0/0 via tunnel IP and select vpn-lan as the routing mark?

Yep.

hmmm... why not just use policy routing? actually, VRFs in RouterOS are PBR-based...