ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Route Internet through double VPN

Tue Nov 05, 2019 12:45 pm

Greetings everyone!

I have successfully created a VPN tunnel between MT router in location A (VPN I.P. 192.168.5.1) with LAN 192.168.11.0/24 and MT router in location B (VPN I.P. 192.168.5.2) with LAN 192.168.10.0/24.

I can also route internet to a PC in location B (client side) from location A. Thus, PC (e.g. 192.168.10.44) receives a public I.P. from ISP in Location A.

So far so good!

In location A there is a PC(A), e.g. 192.168.11.13, that is connected to a VPN service provider. Appropriate routes and settings have been introduced on that PC and I am able to give that PC as gateway to local devices in range 192.168.11.0/24 and thus those devices appear to the outside world not with my ISP's public address but with the VPN S.P.'s I.P. address.

I wish to be able to route all internet traffic from PC(B) 192.168.10.44 in location B, through 192.168.11.13 in location A, in order to receive a public I.P. from that VPN service provider on PC(B).

Can anyone please advise? If I go to IP/DHCP SERVER/NETWORKS and add address 192.168.10.44 with gateway 192.168.11.13 (as I have done for devices in location A) it doesn't work...

Thank you in advance
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Route Internet through double VPN

Mon Nov 18, 2019 11:26 am

Bump.
 
sindy
Forum Guru
Posts: 11274
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route Internet through double VPN

Mon Nov 18, 2019 6:10 pm

What you ask for doesn't seem like rocket science, but the description (PC on site B is getting an IP address from the ISP of site A) sounds a bit confusing as you don't mention an L2 tunnel from site A to site B at the same time. So I assume you actually have in mind that all traffic from Site B is sent via the VPN to Site A (i.e. Tik B's default route for traffic coming from its LAN clients is via 192.168.5.1), so from outside (the internet), the traffic coming from Site B is seen as if coming from the public IP of site A.

If the above is true, the mistake you make is that you don't realize that the gateway IP must be in the same subnet as the IP assigned to the interface itself. So on PC B, whose address is in the 192.168.10.0/24 range, you cannot assign a gateway from 192.168.11.0/24 because the latter is a different subnet, so you have to keep its configuration the same as it was, with Tik B's IP address from 192.168.10.0/24 as the gateway. But what you can do is "policy routing" on Tik A, saying "route all traffic coming from PC B's IP address via 192.168.11.13". For that, a single /ip route rule and a single additional routing table which contains a single route is sufficient:

/ip route add dst-address=0.0.0.0/0 gateway=192.168.11.13 routing-mark=for-pc-b
/ip route rule add src-address=192.168.10.44 action=lookup-only-in-table table=for-pc-b

Depending on what the routing configuration on PC A looks like, you may need to use a src-nat rule at Tik A, making PC A see the traffic from PC B as coming from 192.168.11.0/24, so that it would not need a route to 192.168.10.0/24 for the responses:
/ip firewall nat add chain=srcnat action=src-nat src-address=192.168.10.44 to-addresses=192.168.11.x (where 192.168.11.x is the own address of Tik A in 192.168.11.0/24).
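Putting sindy's pieces together as one Tik A configuration, added here as an example (not sindy's or MikroTik's own config), in the RouterOS v6 syntax used above: the fail-closed routing table for PC B, a rule that keeps PC B's traffic for site A's own LAN on the main table, the src-nat towards PC A, and the commands to check the result. It assumes Tik A's LAN address is 192.168.11.1, its LAN interface is called bridge-lan, and the existing site-to-site tunnel already gives Tik A a route to 192.168.10.0/24 via 192.168.5.2.

```routeros
# --- Tik A (site A, LAN 192.168.11.0/24, VPN 192.168.5.1), RouterOS v6 ---
# Assumed: Tik A's own LAN address is 192.168.11.1 and its LAN interface is
# bridge-lan (the thread leaves both unspecified).

# 1. Dedicated table for PC B holding only a default route through PC A.
#    check-gateway=ping deactivates the route while PC A does not answer,
#    so the table goes empty instead of keeping a dead gateway active.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.11.13 routing-mark=for-pc-b \
    check-gateway=ping comment="PC B internet exit via PC A (VPN client)"

# 2. Route rules are evaluated top-down. Keep PC B's traffic for site A's own
#    LAN on the main table (connected route); otherwise it would be handed to
#    PC A's MAC and depend on PC A forwarding it back onto the same segment.
/ip route rule add src-address=192.168.10.44/32 dst-address=192.168.11.0/24 \
    action=lookup table=main comment="PC B -> site A LAN stays on main table"

# 3. Everything else from PC B: lookup-only-in-table means fail closed.
#    With action=lookup, an empty for-pc-b table (PC A down) would fall back
#    to the main table and PC B would leave via ISP A, exposing ISP A's public
#    address instead of the VPN provider's.
/ip route rule add src-address=192.168.10.44/32 action=lookup-only-in-table \
    table=for-pc-b comment="PC B internet only via PC A"

# 4. Present PC B to PC A as Tik A's LAN address so PC A needs no route back
#    to 192.168.10.0/24. Limiting to out-interface leaves PC B's site-to-site
#    traffic (which never leaves via bridge-lan to PC A) untouched.
/ip firewall nat add chain=srcnat src-address=192.168.10.44 \
    out-interface=bridge-lan action=src-nat to-addresses=192.168.11.1 \
    comment="PC B -> PC A src-nat"

# --- Checks on Tik A ---
# The route must show flag A (active) while PC A answers pings; when it shows
# as inactive, PC B should lose internet rather than leak via ISP A.
/ip route print where routing-mark=for-pc-b
# Rules in the intended order (LAN exception first, lookup-only second):
/ip route rule print
# Live connections from PC B; reply-dst-address should be 192.168.11.1 for
# internet flows (NATted towards PC A) and 192.168.10.44 for site A LAN flows.
/ip firewall connection print where src-address~"^192.168.10.44"
```

From PC B the final check is simply to look up its apparent public address and confirm it belongs to the VPN provider, then repeat with PC A disconnected to confirm the connection fails instead of falling back to ISP A.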