MikroTik

Community discussions
https://forum.mikrotik.com/

DNS and Internet access when connected through OVPN

https://forum.mikrotik.com/viewtopic.php?t=92966

Page 1 of 1

DNS and Internet access when connected through OVPN

Posted: Mon Jan 12, 2015 9:56 am
by gcraenen
Hello,

I have a working VPN setup for "road warriors" with open VPN. They can access and connect to the LAN via the mikrotik router (routeros 6.24). When connected they have 2 issues:

1. There is no internet access when connected through VPN, so I guess I'm forgetting a firewall rule somewhere to enable that. Or do I have to masquerade the OVPN DHCP ranges to the internal network?
2. The static DNS entries from the mikrotik router are not used, so you have to type in the actual IP address. It seems that (internal) DNS is not working through the open VPN connection.

Does anyone have some tips or pointers to resolve these two issues?

Re: DNS and Internet access when connected through OVPN

Posted: Wed Jan 14, 2015 5:46 pm
by gcraenen
bump

Re: DNS and Internet access when connected through OVPN

Posted: Thu Jan 15, 2015 2:18 am
by mrphreak
Might want to post your current config (sanitised of course) otherwise people will just be guessing.

Re: DNS and Internet access when connected through OVPN

Posted: Fri Jan 16, 2015 4:31 pm
by gcraenen
You're right, but it is a long listing. So I cut a lot out that I think isn't relevant:
Code: Select all
/ip firewall layer7-protocol
add name=DENIED regexp="^.+(porn).*\$"
add name=speedtest-servers regexp="^.*(get|GET).+speedtest.*\$"
add name=torrent-wwws regexp="^.*(get|GET).+(torrent|extratorrent|kickasstorre\
    nts|nyaatorrents|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova\
    |flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy\
    |gpirate|commonbits).*\$"
add name=torrent-dns regexp="^.+(torrent|extratorrent|kickasstorrents|nyaatorr\
    ents|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|ve\
    rtor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|com\
    monbits).*\$"
add name=netflix regexp="^.*(get|GET).+(netflix).*\$"
add name=mp4 regexp="^.*(get|GET).+\\.mp4.*\$"
add name=swf regexp="^.*(get|GET).+\\.swf.*\$"
add name=flv regexp="^.*(get|GET).+\\.flv.*\$"
add name=video regexp=\
    "^.*(get|GET).+(\\.flv|\\.mp4|youtube|netflix|\\.swf).*\$"
add name=youtube regexp="^.*(get|GET).+(youtube).*\$"


/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.254
add name=dhcp_guest_wlan ranges=192.168.90.2-192.168.90.254
add name=OVPN9 ranges=10.0.0.33-10.0.0.34
add name=OVPN8 next-pool=OVPN9 ranges=10.0.0.29-10.0.0.30
add name=OVPN7 next-pool=OVPN8 ranges=10.0.0.25-10.0.0.26
add name=OVPN6 next-pool=OVPN7 ranges=10.0.0.21-10.0.0.22
add name=OVPN5 next-pool=OVPN6 ranges=10.0.0.17-10.0.0.18
add name=OVPN4 next-pool=OVPN5 ranges=10.0.0.13-10.0.0.14
add name=OVPN3 next-pool=OVPN4 ranges=10.0.0.9-10.0.0.10
add name=OVPN2 next-pool=OVPN3 ranges=10.0.0.5-10.0.0.6
add name=OVPN1 next-pool=OVPN2 ranges=10.0.0.1-10.0.0.2

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
add address-pool=dhcp_guest_wlan disabled=no interface=@@@ lease-time=1d \
    name=dhcpguests
    
/ppp profile
add dns-server=192.168.88.1 local-address=OVPN1 name=OVPN remote-address=\
    OVPN1

/queue tree
add max-limit=60M name=in parent=global
add max-limit=10M name=out parent=global
/queue type
add kind=pfifo name=streaming-video-in pfifo-limit=500
add kind=pcq name=games-in-pcq pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-rate=100k pcq-src-address6-mask=64 \
    pcq-total-limit=750000
/queue tree
add limit-at=10M max-limit=60M name=http-in packet-mark=http-in parent=in \
    priority=4 queue=default
add limit-at=15M max-limit=60M name=streaming-video-in packet-mark=\
    streaming-video-in parent=in priority=3 queue=streaming-video-in
add limit-at=1M max-limit=60M name=gaming-in packet-mark=games-in parent=in \
    priority=2 queue=games-in-pcq
add max-limit=60M name=download-in packet-mark=in parent=in queue=default
add max-limit=10M name=upload-out packet-mark=out parent=out queue=default
add limit-at=500k max-limit=10M name=gaming-out packet-mark=games-out parent=\
    out priority=2 queue=default
add limit-at=5M max-limit=10M name=http-out packet-mark=http-out parent=out \
    priority=4 queue=default
add limit-at=4M max-limit=10M name=streaming-video-out packet-mark=\
    streaming-video-out parent=out priority=3 queue=default
add limit-at=500k max-limit=60M name=voip-in packet-mark=voip-in parent=in \
    priority=1 queue=default
add limit-at=500k max-limit=60M name=vpn-in packet-mark=vpn-in parent=in \
    priority=2 queue=default
add limit-at=500k max-limit=10M name=voip-out packet-mark=voip-out parent=out \
    priority=1 queue=default
add limit-at=500k max-limit=10M name=vpn-out packet-mark=vpn-out parent=out \
    priority=2 queue=default
add limit-at=500k max-limit=60M name=admin-in packet-mark=admin-in parent=in \
    priority=1 queue=default
add limit-at=500k max-limit=10M name=admin-out packet-mark=admin-out parent=\
    out priority=1 queue=default
    
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1

/interface bridge settings
set use-ip-firewall=yes

/interface ovpn-server server
set auth=sha1 certificate="Mikrotik cert" cipher=aes256 default-profile=OVPN \
    enabled=yes require-client-certificate=yes
    
/ip address
add address=192.168.88.1/24 comment=LAN interface=ether2 network=192.168.88.0
add address=192.168.90.1/24 comment="IP Guest wlan" interface=@@@ network=\
    192.168.90.0
add address=217.100.AAA.BBB/29 comment="Fixed networkaddress" \
    interface=ether1-gateway network=217.100.AAA.BBB
    
/ip dns
set allow-remote-requests=yes servers=\
    192.168.88.1,212.54.35.25,212.54.40.25,8.8.8.8

/ip dns static
add address=192.168.88.1 name=router
etc. etc.
add address=127.0.0.1 name=ad-emea.doubleclick.net
add address=127.0.0.1 name=ads2.msads.net
add address=127.0.0.1 name=msntest.serving-sys.com
add address=127.0.0.1 name=sO.2mdn.net
add address=127.0.0.1 name=aka-cdn-ns.adtech.de
add address=127.0.0.1 name=secure.flashtalking.com
add address=127.0.0.1 name=cdn.atdmt.com
add address=127.0.0.1 name=cdn.adnxs.com
add address=127.0.0.1 name=secure.img-cdn.mediaplex.com

/ip firewall address-list
add address=192.168.88.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=192.168.88.0/24 list=internal-nets
add address=217.100.AAA.BBB/29 list=external-nets
add address=61.174.50.225 comment=OpenBL list=blacklist
add address=121.199.17.183 comment=OpenBL list=blacklist
add address=103.41.124.51 comment=OpenBL list=blacklist
etc. etc.

/ip firewall filter
add chain=input comment="default configuration" disabled=yes protocol=icmp
add chain=input comment="Allow already established connections" \
    connection-state=established
add chain=input comment="Allow already related connections" connection-state=\
    related
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add chain=input comment="allow ovpn" dst-port=1194 log=yes log-prefix=ovpn \
    protocol=tcp
add action=add-src-to-address-list address-list=DoS address-list-timeout=1d \
    chain=input comment="Detect Dos attack" connection-limit=10,32 protocol=\
    tcp
add action=tarpit chain=input comment="Supress Dos attack" connection-limit=\
    3,32 protocol=tcp src-address-list=DoS
add action=drop chain=input comment="Drop blacklist entries" in-interface=\
    ether1-gateway log=yes src-address-list=blacklist
add action=add-src-to-address-list address-list=Login_tries_wan \
    address-list-timeout=1d chain=input comment="WAN login tries" dst-port=\
    20-23,53,8291 in-interface=ether1-gateway log=yes protocol=tcp
add action=drop chain=input comment="Drop WAN login tries" log=yes \
    src-address-list=Login_tries_wan
add action=add-src-to-address-list address-list=Login_tries_lan \
    address-list-timeout=1d chain=input comment="LAN login tries" dst-port=\
    20-23,8291 in-interface=!ether1-gateway log=yes protocol=tcp \
    src-address-list=!Admin
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=drop chain=input comment="Block home network --> guest wlan" \
    dst-address=192.168.90.0/24 src-address=192.168.88.0/24
add action=drop chain=input comment="Block guest wlan --> home network" \
    dst-address=192.168.88.0/24 src-address=192.168.90.0/24
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 log=yes protocol=\
    tcp src-address-list=!Admin tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" log=yes \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" log=yes \
    protocol=tcp psd=21,3s,3,1 src-address-list=!Admin
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="FIN/PSH/URG scan" log=yes \
    protocol=tcp src-address-list=!Admin tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="NMAP FIN Stealth scan" log=\
    yes protocol=tcp src-address-list=!Admin tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="NMAP Null scan" log=yes \
    protocol=tcp src-address-list=!Admin tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="ALL/ALL scan" log=yes \
    protocol=tcp src-address-list=!Admin tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="SYN/FIN scan" log=yes \
    protocol=tcp src-address-list=!Admin tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="SYN/RST scan" log=yes \
    protocol=tcp src-address-list=!Admin tcp-flags=syn,rst
add action=drop chain=input comment="Drop to port scan list" log=yes \
    src-address-list=Port_Scanner
add chain=input comment="Allow broadcast traffic" dst-address-type=broadcast
add chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Block access to layer7 DENIED list" \
    layer7-protocol=DENIED log=yes log-prefix="Block denied" \
    src-address-list=!Admin
add action=jump chain=input comment="Jump to chain icmp" jump-target=ICMP \
    protocol=icmp
add action=drop chain=input comment="Drop everything else" log=yes \
    log-prefix=Dropped
add chain=forward comment="Allow new connections from LAN" connection-state=\
    new src-address-list=internal-nets
add chain=forward comment="Allow established connections from LAN" \
    connection-state=established
add chain=forward comment="Allow related connections from LAN" \
    connection-state=related
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons log=yes log-prefix="Drop bogons"
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587,465 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=\
    25,587,465 log=yes log-prefix="Drop spammer" protocol=tcp \
    src-address-list=spammers
add action=jump chain=forward comment="Jump to icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 \
    limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=\
    icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 \
    protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 \
    protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 \
    protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 \
    protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 \
    protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp

/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "internal-traffic packet mark" dst-address-list=internal-nets \
    new-packet-mark=internal-traffic passthrough=no src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" \
    in-interface=ether1-gateway new-packet-mark=admin-in passthrough=no \
    protocol=udp src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" \
    dst-port=161 in-interface=ether1-gateway new-packet-mark=admin-in \
    passthrough=no protocol=udp
add action=mark-connection chain=prerouting comment=\
    "Remote Protocols admin connection mark" new-connection-mark=admin port=\
    20,21,22,23,2282,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "icmp connection mark as admin" new-connection-mark=admin protocol=icmp \
    src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" \
    connection-mark=admin in-interface=ether1-gateway new-packet-mark=\
    admin-in passthrough=no
add action=mark-packet chain=prerouting comment="admin-out packet mark" \
    connection-mark=admin new-packet-mark=admin-out passthrough=no
add action=mark-connection chain=prerouting comment=\
    "streaming video connection mark" dst-port=80 layer7-protocol=video \
    new-connection-mark=streaming-video protocol=tcp src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment=\
    "streaming video in packet mark" connection-mark=streaming-video \
    in-interface=ether1-gateway new-packet-mark=streaming-video-in \
    passthrough=no
add action=mark-packet chain=prerouting comment=\
    "streaming video out packet mark" connection-mark=streaming-video \
    new-packet-mark=streaming-video-out passthrough=no
add action=mark-connection chain=prerouting comment=\
    "http traffic connection mark" dst-port=80,443 new-connection-mark=http \
    protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "http traffic connection mark" connection-bytes=5000000-4294967295 \
    dst-port=80,443 new-connection-mark=http-download protocol=tcp \
    src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="http in packet mark" \
    connection-mark=http in-interface=ether1-gateway new-packet-mark=http-in \
    passthrough=no
add action=mark-packet chain=prerouting comment="http out packet mark" \
    connection-mark=http new-packet-mark=http-out passthrough=no
add action=mark-connection chain=prerouting comment=\
    "wow connection mark as gaming" dst-port=\
    1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games protocol=tcp \
    src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "eve online connection mark as gaming" dst-address=87.237.38.200 \
    new-connection-mark=games src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "starcraft 2 connection mark as gaming" dst-port=1119 \
    new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "heros of newerth connection mark as gaming" dst-port=11031,11235-11335 \
    new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "steam connection mark as gaming" dst-port=27014-27050 \
    new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "xbox live connection mark as gaming" dst-port=3074 new-connection-mark=\
    games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "ps3 online connection mark as gaming" dst-port=5223 new-connection-mark=\
    games protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "wii online connection mark as gaming" dst-port=28910,29900,29901,29920 \
    new-connection-mark=games protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
    "games packet mark forever-saken-game" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=no src-address-list=\
    forever-saken-game
add action=mark-packet chain=prerouting comment="games packet mark wow" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
    protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment=\
    "games packet mark starcraft2" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
add action=mark-packet chain=prerouting comment="games packet mark HoN" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
    protocol=udp src-port=11031,11235-11335
add action=mark-packet chain=prerouting comment="games packet mark steam in" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
    port=4380,28960,27000-27030 protocol=udp
add action=mark-packet chain=prerouting comment="games packet mark steam out" \
    dst-port=53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 \
    new-packet-mark=games-out passthrough=no protocol=udp src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
    protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment=\
    "games packet mark ps3 online" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=no protocol=udp src-port=\
    3478,3479,3658
add action=mark-packet chain=prerouting comment="games packet mark in" \
    connection-mark=games dst-address-list=external-nets new-packet-mark=\
    games-in passthrough=no
add action=mark-packet chain=prerouting comment="games packet mark out" \
    connection-mark=games new-packet-mark=games-out passthrough=no
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark teamspeak" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out \
    passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark teamspeak" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark ventrilo" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
    passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark ventrilo" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
    passthrough=no protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" \
    dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no \
    port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" \
    new-packet-mark=voip-out passthrough=no port=5060 protocol=tcp \
    src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" \
    dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no \
    port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=no \
    port=5004,5060 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" \
    dst-address-list=internal-nets new-packet-mark=voip-in packet-size=\
    100-400 passthrough=no port=16348-32768 protocol=udp
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" \
    new-packet-mark=voip-in packet-size=100-400 passthrough=no port=\
    16348-32768 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" \
    in-interface=ether1-gateway new-packet-mark=vpn-in passthrough=no \
    protocol=gre
add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" \
    new-packet-mark=vpn-out passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" \
    in-interface=ether1-gateway new-packet-mark=vpn-in passthrough=no \
    protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" \
    new-packet-mark=vpn-out passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment=\
    "vpn-in packet mark VPN UDP ports" in-interface=ether1-gateway \
    new-packet-mark=vpn-in passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment=\
    "vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=\
    no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark OVPN" \
    in-interface=ether1-gateway new-packet-mark=vpn-in passthrough=no \
    protocol=tcp src-port=1194
add action=mark-packet chain=prerouting comment="vpn-out packet mark OVPN" \
    new-packet-mark=vpn-out passthrough=no protocol=tcp src-port=1194
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" \
    in-interface=ether1-gateway new-packet-mark=vpn-in passthrough=no \
    protocol=tcp src-port=1723
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" \
    new-packet-mark=vpn-out passthrough=no protocol=tcp src-port=1723
add action=mark-packet chain=prerouting comment="all in" in-interface=\
    ether1-gateway new-packet-mark=in passthrough=no
add action=mark-packet chain=prerouting comment="all out" new-packet-mark=out \
    passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment=\
    "Masquerade/NAT guest wlan <--> wan" log=yes out-interface=ether1-gateway \
    src-address=192.168.90.0/24

/ip route
add distance=1 gateway=217.100.AAA.BBB
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/