Hello everyone
Is it possible to route the traffic of one device (192.168.11.94) with VPN (PPTP client(I know it's not safe just for example)) while the whole router is connected to the IKEV2/IPSec?
Re: VPN just for one of the LAN devices when the whole router is using IPSec
I added:
/interface pptp-client
add allow=mschap2 connect-to=XXXXXX name=PPTP_YD password=XXXXXX \
user=XXXXX
/ip firewall mangle
add action=mark-routing chain=prerouting comment=PPTP_YD disabled=no \
new-routing-mark=PPTP_YD passthrough=yes src-address=\
192.168.11.94
/ip firewall nat
add action=masquerade chain=srcnat comment=PPTP_YD disabled=no \
out-interface=PPTP_YD src-address=192.168.11.94
/ip route
add disabled=no distance=1 gateway=PPTP_YD routing-mark=\
PPTP_YD
But still not working, what I missed?
/interface pptp-client
add allow=mschap2 connect-to=XXXXXX name=PPTP_YD password=XXXXXX \
user=XXXXX
/ip firewall mangle
add action=mark-routing chain=prerouting comment=PPTP_YD disabled=no \
new-routing-mark=PPTP_YD passthrough=yes src-address=\
192.168.11.94
/ip firewall nat
add action=masquerade chain=srcnat comment=PPTP_YD disabled=no \
out-interface=PPTP_YD src-address=192.168.11.94
/ip route
add disabled=no distance=1 gateway=PPTP_YD routing-mark=\
PPTP_YD
But still not working, what I missed?
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Probably yes, but it can possibly conflict with the other vpn, if it's the "route everything elsewhere" kind. If I remember correctly, it adds some dynamic rules, so maybe it's necessary to work around that in some way.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Definitely yes, but without seeing the IPsec part, it is impossible to tell you what exactly overrides your policy routing setup. Most likely the IP address assigned to the PPTP tunnel matches to an IPsec policy, but it is not the only possibility. See my automatic signature below for further steps.Is it possible?
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Thanks for the replies I'm sorry couldn't answer sooner, Happy holiday and thanks giving everybody.
IPsec=192.168.43.1 (192.168.43.0/24)
PPTP=172.19.19.227 (172.19.19.1)
My configurations:
It is the "route everything elsewhere (inside the VPN)" kind. yeah it will add a dynamic rule but I got a scheduler which can move the rules around so that dynamic rule is not a problem.Probably yes, but it can possibly conflict with the other vpn, if it's the "route everything elsewhere" kind. If I remember correctly, it adds some dynamic rules, so maybe it's necessary to work around that in some way.
PPTP and IPsec servers are totally different and assigned IPs are very different too.Definitely yes, but without seeing the IPsec part, it is impossible to tell you what exactly overrides your policy routing setup. Most likely the IP address assigned to the PPTP tunnel matches to an IPsec policy, but it is not the only possibility. See my automatic signature below for further steps.
IPsec=192.168.43.1 (192.168.43.0/24)
PPTP=172.19.19.227 (172.19.19.1)
My configurations:
You do not have the required permissions to view the files attached to this post.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Thanks man I'm looking for a PPTP or L2TP solution.It's doable: viewtopic.php?t=169273
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Wow, what an amount of creativity wasted (I have in mind the script moving your static masquerade rule before the one dynamically created by IPsec).My configurations:
You've missed some points unfortunately:
- only the initial packet of each connection is handled by the /ip firewall nat rules, and the resulting handling is stored in the context of that connection in the connection tracking module, so that subsequent packets belonging to that connection could be handled accordingly (e.g. in case of src-nat, subsequent downstream packets are src-nated and upstream packets are un-src-nated symmetrically).
- if no route at all is available in the routing table indicated by the routing-mark value, that packet is normally routed using routing table main; to prevent that, you need to use an /ip route rule
- you can configure the /ip ipsec mode-config row not only to let the dynamically created action=src-nat rule match on a src-address-list but also to let it match on a connection-mark value, including the reserved one of no-mark.
If the 192.168.11.94 attempts to create a connection while the PPTP_YD interface is down, the default route via PPTP_YD marked with routing-mark PPTP_YD is not active, hence the initial packet of the connection is routed via the default route in main, so it doesn't match the out-interface=PPTP_YD condition in the action=masquerade rule, so gets caught either by the dynamic action=src-nat rule generated by IPsec or by the action=masquerade out-interface=ether10 rule, or maybe skip both of them which may make the PPTP server drop it later when the PPTP tunnel goes up and the subsequent retransmission of that packet reaches the PPTP server.
Another thing that may theoretically go wrong is that if RouterOS eventually selects the LAN IP (192.168.11.111) as a source one for the PPTP transport packets (no idea why it should do that, but we're looking for something unexpected here, don't we), the transport packets might match the dynamic src-nat rule added by IPsec and be sent down the IPsec tunnel.
So I would recommend you to add the connection-mark=no-mark setting to the /ip ipsec mode-config row, which will allow you to assign any other connection-mark value to any traffic you want to avoid the dynamic rule added by IPsec using mangle rules. I.e. you'll replace the action=masquerade dst-address-list=excluded-addresses rule in nat/srcnat by an action=mark-connection new-connection-mark=avoid-ipsec dst-address-list=excluded-addresses rule in nat/prerouting and/or nat/output and retire the scheduled script.
To make sure that traffic that should leave via the PPTP tunnel doesn't leak (and possibly get src-nated to a wrong address as a consequence) using another routing table if the PPTP_YD interface is down, add a routing rule:
/ip route rule
add routing-mark=PPTP_YD action=lookup-only-in-table table=PPTP_YD
Once you perform these changes, check existing connections, you may have to remove some of them to be able to test whether it helped (see point 1 in the list above).
Re: VPN just for one of the LAN devices when the whole router is using IPSec
hello,
please need some help , i cannot ping my sxt connected to ether2 of my mikrotik on site while i am connected l2tpvpn to the mikrotik.
ip of sxt 10.1.10.1
below is the config
please need some help , i cannot ping my sxt connected to ether2 of my mikrotik on site while i am connected l2tpvpn to the mikrotik.
ip of sxt 10.1.10.1
below is the config
Code: Select all
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Uplink
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-ToSwitch
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-Uplink name=pppoe-out1 \
password=test user=test
/interface l2tp-server
add name=l2tp-in1 user=vpn
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
add name=dhcp_pool0 ranges=192.168.5.2-192.168.5.254
add name=ppptp-pool ranges=192.168.50.1-192.168.50.10
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=ppptp-pool \
name=pptp-profile remote-address=ppptp-pool use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=ether2-swtich
/interface l2tp-server server
set enabled=yes ipsec-secret=secret use-ipsec=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=pptp-profile
/ip address
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=10.1.10.10/24 interface=ether2-ToSwitch network=10.1.10.0
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
192.168.50.0/24
/ppp secret
add name=testvpn password=vpn profile=pptp-profile service=l2tpRe: VPN just for one of the LAN devices when the whole router is using IPSec
My wild guess is that no routing is set at the SXT, hence it does not know that the route to 192.168.50.x (the L2TP clients) goes via 10.1.10.10.i cannot ping my sxt connected to ether2 of my mikrotik on site while i am connected l2tpvpn to the mikrotik.
To get to the SXT via VPN, add another masquerade rule to the beginning of the chain on the router whose configuration you've shown:
/ip firewall nat print
/ip firewall nat add action=masquerade src-address=192.168.50.1-192.168.50.10 out-interface=ether2 place-before=0
Then, fix the issue at the SXT, and then you can remove that src-nat rule again (and log in to the SXT again if necessary).
Also there is no firewall in your configuration and all the management services of the router are enabled, so unless there is an external firewall, your router may be hosting some malware by now.
Last, please do not piggyback to a loosely related topics, open your own one.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Wow, what an amount of creativity wasted (I have in mind the script moving your static masquerade rule before the one dynamically created by IPsec).
Thanks for the nice explanation and sorry for the late reply.
I added connection-mark=no-mark to IP IPsec Mode-config and also add a rule to IP route rule like you said and made another scheduler for chain=srcnat PPTP_YD to keep it at #=1, so it's kind of looks like this now (also I change the PPTP_YD to PPTP_YD_GAMING50 everywhere): But I didn't change the action=masquerade dst-address-list=excluded-addresses cause I didn't understand this part completely.
but everything is working very goodyou'll replace the action=masquerade dst-address-list=excluded-addresses rule in nat/srcnat by an action=mark-connection new-connection-mark=avoid-ipsec dst-address-list=excluded-addresses rule in nat/prerouting and/or nat/output and retire the scheduled script.
but I got some questions:
1. how is traffic is routing now? I'm asking this because when the IPSec is down PPTP is not connecting (if connected it will got terminating) when the "IPSec is killing ike2 SA" before it's get a "new ike2 SA (I)" for about 120 seconds PPTP is just trying to connect and if you remember I had a "IPsec-SA expired before finishing rekey" problem before you told me on another topic to set /ip ipsec proposal to pfs-group=none and it's fixed that "IPsec-SA expired before finishing rekey" problem but still there is "IPSec is killing ike2 SA" and I got a feeling this is a server configuration problem (Linux Ubuntu StrongSwan). 2. Is this normal to having "IPSec is killing ike2 SA"? It's not very frequent though it's like at three days once or every other day.
You do not have the required permissions to view the files attached to this post.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
This means the explanation may have been nice but actually it wasn't clear enough. So again.Thanks for the nice explanation
...
I made another scheduler for chain=srcnat PPTP_YD to keep it at #=1
...
I didn't change the action=masquerade dst-address-list=excluded-addresses cause I didn't understand this part completely.
The very purpose of adding connection-mark=no-mark to the mode-config row is that instead of rule order in the srcnat chain, the presence or absence of a connection-mark would decide which packet will be handled by which rule - so there would be no need to move the rules around, using a scheduled script or otherwise.
My way, there will be just three rules in chain srcnat:
first, the dynamically added one:
action=srcnat src-address-list="Allow Local DNS" connection-mark=no-mark to-addresses=the.ip.from.responder
second and third, in any mutual order, the static one for traffic leaving via PPTP and the static one for the traffic leaving via the regular WAN (ether10 in your case):
add action=masquerade chain=srcnat comment=PPTP_YD out-interface=PPTP_YD src-address=192.168.11.94
add action=masquerade chain=srcnat out-interface-list=WAN
Their mutual order is irrelevant because no packet can match both out-interface=PPTP_YD and out-interface-list=WAN (unless you'd make PPTP-YD a member of interface list WAN; if you did, the single rule matching on out-interface-list=WAN would be enough, but please don't do that as it might break something else in the firewall). The dynamic rule must be first, though.
To make the dynamically created rule ignore a packet, you have to assign some connection-mark (no matter what particular value it will have) to that packet.
Since you want packets matching on dst-address-list=excluded-addresses to be ignored by the dynamic srcnat rule, you must add a
dst-address-list=excluded-addresses action=mark-connection new-connection-mark=avoid-ipsec
rule to /ip firewall mangle; to make it "safe", i.e. to make sure it would only assign a new connection-mark value if none has been assigned to that connection yet, it should also match on connection-mark=no-mark or connection-state=new.
And my mistake was that I've written nat/prerouting and nat/output whereas the correct places are mangle/prerouting and mangle/output.
A rule in mangle/prerouting handles traffic forwarded from LAN; a rule in mangle/output handles packets sent by the Mikrotik itself, such as the PPTP transport ones.
If there is no rule in mangle/output (my way) or in nat/srcnat (your previous way) that would exempt the PPTP transport packets sent by the Mikrotik itself from being src-nated to match the dynamically generated IPsec policy, it means that the PPTP transport packets to the remote PPTP server are sent via the IPsec policy. So when the Security Association (SA) linked to that policy is down, but the policy itself still exists, the PPTP transport packets get nowhere, as the policy diverts them but cannot actually deliver them.when the IPSec is down PPTP is not connecting (if connected it will got terminating) when the "IPSec is killing ike2 SA" before it's get a "new ike2 SA (I)" for about 120 seconds PPTP is just trying to connect and if you remember I had a "IPsec-SA expired before finishing rekey" problem before you told me on another topic to set /ip ipsec proposal to pfs-group=none and it's fixed that "IPsec-SA expired before finishing rekey" problem but still there is "IPSec is killing ike2 SA" and I got a feeling this is a server configuration problem (Linux Ubuntu StrongSwan).
It indeed looks like some incompatibility between the initiator and the responder, or maybe it indicates a huge data loss causing the rekey procedure to fail, ot maybe it's the refresh of the "control SA" (the one the peers use to negotiate and control establishment of the SAs carrying the payload) that fails. To say more, I would have to see the logs from both peers, including about 5 minutes before the "killing ike2 SA" messages appear in the log.2. Is this normal to having "IPSec is killing ike2 SA"? It's not very frequent though it's like at three days once or every other day.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Thank you very much, I change it all and all those excluded-addresses is working great but if the dynamically added one is at top (#=0) then the PPTP one is not working in order to make that work I have to move it on top of that. Am I missing something?This means the explanation may have been nice but actually it wasn't clear enough. So again.
new configuration:
Thanks man this one got fixed totally.If there is no rule in mangle/output (my way) or in nat/srcnat (your previous way) that would exempt the PPTP transport packets sent by the Mikrotik itself from being src-nated to match the dynamically generated IPsec policy, it means that the PPTP transport packets to the remote PPTP server are sent via the IPsec policy. So when the Security Association (SA) linked to that policy is down, but the policy itself still exists, the PPTP transport packets get nowhere, as the policy diverts them but cannot actually deliver them.
I will try to clean and setup everything on the server side again to see if it's going to fix it.It indeed looks like some incompatibility between the initiator and the responder, or maybe it indicates a huge data loss causing the rekey procedure to fail, ot maybe it's the refresh of the "control SA" (the one the peers use to negotiate and control establishment of the SAs carrying the payload) that fails. To say more, I would have to see the logs from both peers, including about 5 minutes before the "killing ike2 SA" messages appear in the log.
You do not have the required permissions to view the files attached to this post.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
You only add a routing-mark, not connection-mark, in mangle/prerouting for src-address=192.168.11.94.if the dynamically added one is at top (#=0) then the PPTP one is not working in order to make that work I have to move it on top of that. Am I missing something?
The whole idea of a connection-mark is that although you assign it while handling a single packet, you really mark the whole connection, i.e. connection tracking remembers the value of that mark and assigns it automatically to every subsequent packet it identifies as belonging of the same connection (and even to packets of associated connections), unless/until it eventually gets overwritten. So the normal procedure is that you assign a connection-mark only to the initial packet of each connection (which matches a connection-state=new condition), which is typically handled by a more complex set of rules than mid-connection packets. And to prevent evaluating the more complex rules or match conditions within a rule, you "note down" the required handling using a connection-mark, and then assign routing-mark values and/or packet-mark values based on connection-mark alone.
So my whole mangle/prerouting would typically look as follows:
/ip firewall mangle
add chain=prerouting connection-state=new action=jump jump-target=mark-connections-prerouting
add chain=prerouting connection-mark=PPTP_YD_GAMING50 action=mark-routing new-routing-mark=PPTP_YD_GAMING50 passthrough=no
add chain=mark-connections-prerouting dst-address-list=excluded-addresses action=mark-connection new-connection-mark=avoid-ipsec passthrough=yes comment="for excluded-addresses bypassing the IPsec IKEV2 OVH20"
add chain=mark-connections-prerouting src-address=192.168.11.94 connection-mark=no-mark action=mark-connection new-connection-mark=PPTP_YD_GAMING50 passthrough=yes comment=PPTP_YD_GAMING50
In mangle/output, you may save a few CPU cycles per packet by adding connection-state=new to your existing rule, to avoid re-assigning the same connection-mark to every single PPTP transport packet.
Since it doesn't happen regularly, I doubt it is a plain configuration issue, rather a timing issue in one of the the protocol stack or packet loss. But audit of configuration is never harmfulI will try to clean and setup everything on the server side again to see if it's going to fix it.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Thanks man./ip firewall mangle
add chain=prerouting connection-state=new action=jump jump-target=mark-connections-prerouting
add chain=prerouting connection-mark=PPTP_YD_GAMING50 action=mark-routing new-routing-mark=PPTP_YD_GAMING50 passthrough=no
add chain=mark-connections-prerouting dst-address-list=excluded-addresses action=mark-connection new-connection-mark=avoid-ipsec passthrough=yes comment="for excluded-addresses bypassing the IPsec IKEV2 OVH20"
add chain=mark-connections-prerouting src-address=192.168.11.94 connection-mark=no-mark action=mark-connection new-connection-mark=PPTP_YD_GAMING50 passthrough=yes comment=PPTP_YD_GAMING50
After adding these rules 192.168.11.94 doesn't have internet access anymore.
my mangle:
add action=jump chain=prerouting connection-state=new jump-target=mark-connections-prerouting
add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 new-routing-mark=\
PPTP_YD_GAMING50 passthrough=no
add action=mark-connection chain=mark-connections-prerouting comment=\
"for excluded-addresses bypassing the IPsec IKEV2 OVH20" dst-address-list=excluded-addresses \
new-connection-mark=avoid-ipsec passthrough=yes
add action=mark-connection chain=mark-connections-prerouting comment=PPTP_YD_GAMING50 connection-mark=\
no-mark new-connection-mark=PPTP_YD_GAMING50 passthrough=yes src-address=192.168.11.94
Re: VPN just for one of the LAN devices when the whole router is using IPSec
In your rules, the jump-target in the first rule is mark-connections-prerouting, whereas the last two rules are in chain mark-connections. Unify that one way or the other. Currently, both functionalities that depend on connection-mark should not work as no connection marks are assigned due to this difference.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
I'm sorry I think I don't understand what should I do.In your rules, the jump-target in the first rule is mark-connections-prerouting, whereas the last two rules are in chain mark-connections. Unify that one way or the other. Currently, both functionalities that depend on connection-mark should not work as no connection marks are assigned due to this difference.
It's like the very first packet only get routed (if I close the cmd (or just simply open another one) and ping again, again the first one will receive):
You do not have the required permissions to view the files attached to this post.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Sorry, I've got lost when reading the rules you've posted, they are indeed a 1:1 copy of what I've suggested to set, so the problem with different chain names in different rules doesn't exist (I should have chosen some better name of the chain that wouldn't conflict with the rule action name).
Is the action=fasttrack-connection rule in filter disabled? And are you sure that the first ping goes via the PPTP tunnel (use /tool sniffer quick interface=PPTP_YD_GAMING50 to check that when pinging from the PC)? Because I've currently got no idea what may cause the first ping request and response pass fine but the next ones to fail.
The idea is that the first packet of the ping sequence matches on connection-state=new so it goes to the mark-connections-prerouting chain and there it gets the connection-mark PPTP_YD_GAMING50; after that, the processing of the packet continues by the first rule after the action=jump one, and this rule should assign it the routing-mark PPTP_YD_GAMING50 since the connection-mark assigned by in the other chain is PPTP_YD_GAMING50. The next ping request belonging to the same sequence skips the action=jump rule (as it doesn't match connection-state=new), but it nevertheless matches the action=mark-routing one because it gets the connection-mark in connection tracking (before getting to mangle/prerouting).
Is the action=fasttrack-connection rule in filter disabled? And are you sure that the first ping goes via the PPTP tunnel (use /tool sniffer quick interface=PPTP_YD_GAMING50 to check that when pinging from the PC)? Because I've currently got no idea what may cause the first ping request and response pass fine but the next ones to fail.
The idea is that the first packet of the ping sequence matches on connection-state=new so it goes to the mark-connections-prerouting chain and there it gets the connection-mark PPTP_YD_GAMING50; after that, the processing of the packet continues by the first rule after the action=jump one, and this rule should assign it the routing-mark PPTP_YD_GAMING50 since the connection-mark assigned by in the other chain is PPTP_YD_GAMING50. The next ping request belonging to the same sequence skips the action=jump rule (as it doesn't match connection-state=new), but it nevertheless matches the action=mark-routing one because it gets the connection-mark in connection tracking (before getting to mangle/prerouting).
Re: VPN just for one of the LAN devices when the whole router is using IPSec
NP problem man, thanks for keeping up.
It's not pinging anymore now -.-' I don't know why
It's not pinging anymore now -.-' I don't know why
You do not have the required permissions to view the files attached to this post.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Yeah it's disabled.Is the action=fasttrack-connection rule in filter disabled?
I added src-address=192.168.11.94 to the this rule add chain=prerouting connection-mark=PPTP_YD_GAMING50 action=mark-routing new-routing-mark=PPTP_YD_GAMING50 passthrough=no so it's now is add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 new-routing-mark=\
PPTP_YD_GAMING50 passthrough=no src-address=192.168.11.94 and it's working.
Is it correct or wrong?
Re: VPN just for one of the LAN devices when the whole router is using IPSec
By adding the src-address=192.168.11.94 to the action=mark-routing rule you have narrowed, not extended, its effect to that source address. Since no other packets than those matching src-address=192.168.11.94 should ever get the connection-mark PPTP_YD_GAMING50, this narrowing of the match of the rule to only src-address=192.168.11.94 must be compensating some error in assigning that connection-mark value to some other traffic, and the only traffic to come to my mind that could affect what passes via the PPTP tunnel if connection-marked incorrectly to PPTP_YD_GAMING50 are the transport packets of the PPTP tunnel.
So what does /ip firewall mangle print chain=output say?
So what does /ip firewall mangle print chain=output say?
Re: VPN just for one of the LAN devices when the whole router is using IPSec
nothingSo what does /ip firewall mangle print chain=output say?
You do not have the required permissions to view the files attached to this post.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
That means that PPTP transport packets go via IPsec again - as you were replacing your previous the mangle rules by those I've suggested for prerouting, you've probably removed the single one in output as well, so put it back:
/ip firewall mangle
add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=avoid-ipsec passthrough=yes
But it still doesn't explain why adding src-address=192.168.11.94 to the action=mark-routing rule makes the PPTP payload get where it should. Or maybe it was a coincidence and you've changed something else at the same time (enabled the IPSec)?
So once you add the mangle/output rule above and establish both the PPTP and the IPsec, I'd like to see the output of
/ip firewall connection print detail where dst-address~"ip.of.the.pptp.server"
Then, while pinging 9.9.9.9 from 192.168.11.95, run another command:
/ip firewall connection print detail where src-address~"192.168.11.94" dst-address~"9.9.9.9"
Feel free to obfuscate the actual IP addresses, I'm only interested in the rest of the information.
/ip firewall mangle
add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=avoid-ipsec passthrough=yes
But it still doesn't explain why adding src-address=192.168.11.94 to the action=mark-routing rule makes the PPTP payload get where it should. Or maybe it was a coincidence and you've changed something else at the same time (enabled the IPSec)?
So once you add the mangle/output rule above and establish both the PPTP and the IPsec, I'd like to see the output of
/ip firewall connection print detail where dst-address~"ip.of.the.pptp.server"
Then, while pinging 9.9.9.9 from 192.168.11.95, run another command:
/ip firewall connection print detail where src-address~"192.168.11.94" dst-address~"9.9.9.9"
Feel free to obfuscate the actual IP addresses, I'm only interested in the rest of the information.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
I'm sorry I forgot this chain=output one./ip firewall mangle
add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=avoid-ipsec passthrough=yes
but it's never had a packet even I was visiting sites which are listed in "excluded-addresses" list: Results with this mangle :
Code: Select all
add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=\
avoid-ipsec passthrough=yes
add action=jump chain=prerouting connection-state=new jump-target=mark-connections-prerouting
add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 new-routing-mark=\
PPTP_YD_GAMING50 passthrough=no src-address=192.168.11.94
add action=mark-connection chain=mark-connections-prerouting comment=\
"for excluded-addresses bypassing the IPsec IKEV2 OVH20" dst-address-list=excluded-addresses \
new-connection-mark=avoid-ipsec passthrough=yes
add action=mark-connection chain=mark-connections-prerouting comment=PPTP_YD_GAMING50 connection-mark=\
no-mark new-connection-mark=PPTP_YD_GAMING50 passthrough=yes src-address=192.168.11.94
So once you add the mangle/output rule above and establish both the PPTP and the IPsec, I'd like to see the output of
/ip firewall connection print detail where dst-address~"ip.of.the.pptp.server"
Results with this mangle :Then, while pinging 9.9.9.9 from 192.168.11.95, run another command:
/ip firewall connection print detail where src-address~"192.168.11.94" dst-address~"9.9.9.9"
Code: Select all
add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=\
avoid-ipsec passthrough=yes
add action=jump chain=prerouting connection-state=new jump-target=mark-connections-prerouting
add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 new-routing-mark=\
PPTP_YD_GAMING50 passthrough=no
add action=mark-connection chain=mark-connections-prerouting comment=\
"for excluded-addresses bypassing the IPsec IKEV2 OVH20" dst-address-list=excluded-addresses \
new-connection-mark=avoid-ipsec passthrough=yes
add action=mark-connection chain=mark-connections-prerouting comment=PPTP_YD_GAMING50 connection-mark=\
no-mark new-connection-mark=PPTP_YD_GAMING50 passthrough=yes src-address=192.168.11.94
So once you add the mangle/output rule above and establish both the PPTP and the IPsec, I'd like to see the output of
/ip firewall connection print detail where dst-address~"ip.of.the.pptp.server"
Difference is that in the first one action=mark-routing rule have src-address=192.168.11.94 but in second one don't.Then, while pinging 9.9.9.9 from 192.168.11.95, run another command:
/ip firewall connection print detail where src-address~"192.168.11.94" dst-address~"9.9.9.9"
You do not have the required permissions to view the files attached to this post.
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Rules in chain output are only used for traffic originating on the Mikrotik itself; when you "visit sites", I assume you visit them from a PC, and traffic from PC to internet takes chains forward and prerouting (other ones as well, but not output).I'm sorry I forgot this chain=output one./ip firewall mangle
add action=mark-connection chain=output dst-address-list=excluded-addresses new-connection-mark=avoid-ipsec passthrough=yes
but it's never had a packet even I was visiting sites which are listed in "excluded-addresses" list:
As you wrote
I supposed that the address of the PPTP server is on the excluded-addresses list. But it either isn't or the mangle/output rule is wrong. Or maybe you actually want the PPTP transport packets to be sent to the server via the IPsec VPN? What's the intention?Thanks man this one got fixed totally.If there is no rule in mangle/output (my way) or in nat/srcnat (your previous way) that would exempt the PPTP transport packets sent by the Mikrotik itself from being src-nated to match the dynamically generated IPsec policy, it means that the PPTP transport packets to the remote PPTP server are sent via the IPsec policy.
Regarding the need to add src-address=192.168.11.94 to the action=mark-routing rule in order to make it work, it smells like a bug to me. What happens if you replace the address to get src-address=128.0.0.0/1 in the rule and try to ping again?
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Got it thanks.Rules in chain output are only used for traffic originating on the Mikrotik itself; when you "visit sites", I assume you visit them from a PC, and traffic from PC to internet takes chains forward and prerouting (other ones as well, but not output).
Yeah exactly the IP of the PPTP server is not on that list so I added another chain output: add action=mark-connection chain=output connection-state=new disabled=yes dst-address="ip.of.the.pptp.server" \As you wroteI supposed that the address of the PPTP server is on the excluded-addresses list. But it either isn't or the mangle/output rule is wrong. Or maybe you actually want the PPTP transport packets to be sent to the server via the IPsec VPN? What's the intention?
Thanks man this one got fixed totally.
new-connection-mark=avoid-ipsec passthrough=yes
Is it better to send PPTP transport packets via the IPsec VPN (in this way ISP is just see IPsec not the PPTP, right?) or not? in terms of security and performance?
It worked and I can ping but can not open websites or they are very slow.Regarding the need to add src-address=192.168.11.94 to the action=mark-routing rule in order to make it work, it smells like a bug to me. What happens if you replace the address to get src-address=128.0.0.0/1 in the rule and try to ping again?
add action=mark-routing chain=prerouting connection-mark=PPTP_YD_GAMING50 new-routing-mark=\
PPTP_YD_GAMING50 passthrough=no src-address=128.0.0.0/1
You do not have the required permissions to view the files attached to this post.
Re: VPN just for one of the LAN devices when the whole router is using IPSec [SOLVED]
PPTP is definitely not secure by nowaday's measures, so not only to hide the fact that it is PPTP from the ISP but also to cipher the payload by a contemporary encryption algorithm you need an external encryption (like IPsec). Plus PPTP has also other limitations, so better to use L2TP/IPsec or bare IPsec, depending on the server capabilities.Is it better to send PPTP transport packets via the IPsec VPN (in this way ISP is just see IPsec not the PPTP, right?) or not? in terms of security and performance?
If you use the same IPsec tunnel you use to hide your traffic from the ISP also to encrypt the PPTP, the bare PPTP becomes exposed all the way from the internet-facing interface of the IPsec VPN provider further to the PPTP server, which may or may not bother you depending on what kind of data you send via the PPTP.
I started writing an explanation why I suspect it is a bug and how to check that, and during that writing I've realized what is the actual issue. So remove the src-address=128.0.0.0/1 from the action=mark-routing rule and instead place in-interface-list=LAN to it. What was happening was that packets that arrived from the PPTP tunnel were getting the routing-mark too, and since there is only a defaut route in the routing table PPTP_YD_GAMING50, they got routed out the tunnel again rather than to the LAN host. The 9.9.9.9 doesn't fit into 128.0.0.0/1, so the src-address=128.0.0.0/1 prevented the responses from there from being misrouted, but the in-interface-list=LAN is one of several proper solutions.It worked and I can ping but can not open websites or they are very slow.
Regarding slow opening of websites, I'd rather assume that to be caused by an MTU issue (any tunnel, including the PPTP one, reduces the MTU of the payload packets) combined with failure of path MTU discovery, which may happen outside the Mikrotik. So check one of the many topics here on the forum dealing with this (search for posts suggesting action=change-mss rules in chain forward of mangle in relationship to MTU).
Re: VPN just for one of the LAN devices when the whole router is using IPSec
Thanks a lot man, all working just fine now and in fact I change PPTP to L2TP/IPsec. I really appreciate all your effort and guidance.I started writing an explanation why I suspect it is a bug and how to check that, and during that writing I've realized what is the actual issue. So remove the src-address=128.0.0.0/1 from the action=mark-routing rule and instead place in-interface-list=LAN to it.
Do you got bitcoin or any other cryptocurrency wallet that you can send me the deposit address of it?