christal
just joined
Topic Author
Posts: 3
Joined: Thu Jun 18, 2015 8:58 pm

Policy Based Routing all traffic to VPN except ones on address list

Thu Jun 25, 2015 10:53 pm

Dear expert Mikrotik users!

I'm trying to implement some PBR on an RB953, without much success. What I'm trying to accomplish is the reverse of this example:

http://www.ricardoviteri.com/2012/02/26 ... ik-router/

I'm trying to mark routing and then NAT all traffic out of the PPTP client connection, except what is on an address list. The CIDRs on the address list must go out using the default gateway (DHCP client) on ether1 (192.168.1.1). When I simply ticked negate (exclamation mark) next to the dst. address list in the mangle rule, it didn't work out as I expected. Now I'm doing it by simply marking and routing all traffic to the VPN on one subnet (10.10.0.0/24, with a masquerade rule), and normal traffic to the default route (192.168.1.1) on another subnet (10.11.0.0/24, with another masquerade rule). My problem is that I'm doing it on two different interfaces: a bridge (10.10.0.1/24) consisting of an ethernet port (ether2) and two wlan interfaces. The other subnet uses only an ethernet port (ether3) with IP 10.11.0.1/24.
Can this be done somehow? Can I use only one subnet in the LAN to send everything on VPN and some predefined (by addr list) traffic on the default gateway?


Any help is much appreciated!

My current config is the following:
/interface bridge
add name=bridge-lan

/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=wlan2-ext5nac
add bridge=bridge-lan interface=wlan3-ext2bgn
add bridge=bridge-lan interface=wlan1-int5an

/ip address
add address=10.10.0.1/24 interface=bridge-lan network=10.10.0.0
add address=10.11.0.1/24 interface=ether3 network=10.11.0.0

/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1 use-peer-dns=no

/interface pptp-client
add comment="VPN kliens" connect-to=the.server.addr disabled=no \
    keepalive-timeout=disabled mrru=1600 name=pptp-VPN password=pass \
    user=user

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPN src-address=\
    10.10.0.5-10.10.0.254

/ip route
add distance=1 gateway=pptp-VPN routing-mark=VPN

/ip firewall nat
add action=masquerade chain=srcnat comment="alap VPN NAT" out-interface=\
    pptp-VPN src-address=10.10.0.0/24
add action=masquerade chain=srcnat comment="alap internet NAT" out-interface=\
    ether1 src-address=10.11.0.0/24

/ip pool
add name=dhcp_pool1 ranges=10.10.0.2-10.10.0.254
add name=dhcp_pool2 ranges=10.11.0.2-10.11.0.254

/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=bridge-lan \
    lease-time=3d name=dhcp-ether2+wlan
add address-pool=dhcp_pool2 disabled=no interface=ether3 name=dhcp-ether3

/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
add address=10.11.0.0/24 gateway=10.11.0.1

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8,8.8.4.4

/ip dns static
add address=208.67.222.222 name=OpenDNS1
add address=208.67.220.220 name=OpenDNS2
add address=8.8.8.8 name=Google1
add address=8.8.4.4 name=Google2
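As an added illustration (not part of the original post or the poster's export), here is the single-subnet variant the question describes, written as RouterOS commands: every packet sourced from 10.10.0.0/24 gets the VPN routing mark unless its destination is on an address list, in which case it is left unmarked and follows the DHCP default route on ether1. The list name `direct` and the CIDRs in it are assumptions; the interface and mark names are taken from the posted config.

```routeros
# Destinations that must bypass the tunnel. The local LAN and the upstream
# 192.168.1.0/24 are listed so router-local and gateway-bound traffic is never marked;
# 203.0.113.0/24 is a placeholder for the poster's own "go direct" CIDRs.
/ip firewall address-list
add list=direct address=10.10.0.0/24 comment="own LAN, never mark"
add list=direct address=192.168.1.0/24 comment="upstream LAN behind ether1"
add list=direct address=203.0.113.0/24 comment="placeholder: CIDR that must use the default gateway"

# One mangle rule replaces the per-subnet split: mark only LAN-sourced traffic
# whose destination is NOT on the list (the leading ! is RouterOS negation).
/ip firewall mangle
add chain=prerouting src-address=10.10.0.0/24 dst-address-list=!direct \
    action=mark-routing new-routing-mark=VPN passthrough=no \
    comment="everything not on the direct list goes to the VPN"

# Marked traffic is routed through the tunnel; unmarked traffic falls back to the
# main table, where the DHCP client on ether1 (distance 0 in the posted config) wins.
/ip route
add distance=1 gateway=pptp-VPN routing-mark=VPN

# Source NAT per exit interface, both for the same LAN subnet now.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pptp-VPN src-address=10.10.0.0/24 \
    comment="VPN NAT"
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.10.0.0/24 \
    comment="direct NAT for address-list destinations"
```

To confirm the split is working, watch the mangle rule's counters with `/ip firewall mangle print stats` while generating traffic to a listed and an unlisted destination: only the unlisted one should increment the mark-routing rule.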