
I have the following setup:

  1. Mikrotik rb2011uias-2hnd-in, RouterOS 6.36.2
  2. OpenVPN client configured with 10.0.141.0/24 subnet

I need to route an address list through the VPN. I read https://superuser.com/questions/999196/mikrotik-and-vpn-for-specific-web-sites-only and configured NAT:

[damamaty@dw-router] > /ip firewall nat print
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=eth1-wan log=no log-prefix=""

 1    ;;; OpenVPN
      chain=srcnat action=masquerade out-interface=openvpn-client log=no log-prefix=""

 2    ;;; Block (redirect) third-party dns
      chain=dstnat action=redirect to-ports=53 protocol=udp dst-address-type=!local dst-port=53 log=no log-prefix=""

 3    chain=dstnat action=redirect to-ports=53 protocol=tcp dst-address-type=!local dst-port=53

Mangle:

[damamaty@dw-router] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting

 3    ;;; OpenVPN
      chain=prerouting action=mark-routing new-routing-mark=rkn passthrough=yes dst-address-list=rkn log=no log-prefix=""

Address list:

[damamaty@dw-router] > /ip firewall address-list print
 0   rkn 178.63.151.224
 ...

And a route with a routing mark "rkn" (same as in the mangle):

[damamaty@dw-router] > /ip route print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; OpenVPN
        0.0.0.0/0                          10.0.141.1                1
 1 ADS  0.0.0.0/0                          37.194.203.1              1
 2 ADC  10.0.141.1/32      10.0.141.6      openvpn-client            0
 3 ADC  37.194.203.0/24    37.194.203.129  eth1-wan                  0
 4 ADC  192.168.1.0/24     192.168.1.1     br1-lan                   0

It isn't working: I can't open the addresses in a browser. Traceroute shows the following:

$ traceroute rutracker.org
traceroute to rutracker.org (195.82.146.214), 64 hops max, 52 byte packets
 1  router (192.168.1.1)  1.001 ms  0.721 ms  0.715 ms
 2  10.0.141.1 (10.0.141.1)  98.930 ms  99.776 ms  99.436 ms
 3  * * *
 4  108.61.99.1 (108.61.99.1)  101.532 ms  100.833 ms  98.721 ms
 5  * * *
 6  * * *
 7  * * *
 ...

If I replace the route (0.0.0.0/0 -> 10.0.141.1 [mark="rkn"]) with just a simple route (178.63.151.224 -> 10.0.141.1), it works (through the VPN), though. Why doesn't the mangle-based approach work?

Damamaty
  • Post your configuration please. `/ip route export` `/ip address export` `/ip firewall export` `/interface ovpn-client export`. You could always use static routes (as you've already tried) if that works for you. Routing marking is useful when you need to route specific ports, for example, via the tunnel instead of the whole IP. Also, static routes are more efficient than routing marking in terms of resource usage. Also make sure that fast-track is disabled since it can mess with your rules and queues. – Cha0s Sep 14 '16 at 13:53
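As an added example (not part of the original question, its comments, or any answer), here is a small Python checker for the pitfalls this thread touches on. It parses a simplified `/ip firewall export` / `/ip route export`-style listing (one `add ...` command per line, `\` line continuation, `#` comments) and flags three things: a `mark-routing` rule in a chain RouterOS does not accept for it, a `new-routing-mark` with no enabled route carrying that `routing-mark`, and an enabled `fasttrack-connection` filter rule coexisting with routing-mark rules (fasttracked packets skip mangle, so a flow can lose its mark after its first packet and fall back to the main table). The input is constructed, modelled on the rules posted above; the fasttrack filter rule is an assumption (it is part of RouterOS's default configuration, which the comment above suggests checking), and the `chain=forward` mangle rule stands in for the variant the comments report RouterOS rejects.

```python
import shlex
from dataclasses import dataclass

# RouterOS accepts mark-routing only in these mangle chains.
MARK_ROUTING_CHAINS = {"prerouting", "output"}


@dataclass
class Entry:
    section: str   # e.g. "/ip firewall mangle" or "/ip route"
    attrs: dict    # key=value pairs from one "add ..." line


def parse_export(text):
    """Parse a simplified RouterOS export: section headers start with '/',
    entries are 'add key=value ...' lines, a trailing '\\' continues a line,
    '#' lines are comments."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)          # handles comment="a b" quoting
        if tokens and tokens[0] == "add":
            attrs = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            entries.append(Entry(section, attrs))
    return entries


def enabled(entries, section):
    """Entries of one section that are not disabled=yes."""
    return [e for e in entries if e.section == section
            and e.attrs.get("disabled", "no") != "yes"]


def lint(text):
    """Return a list of findings; an empty list means no pitfall detected."""
    entries = parse_export(text)
    mangle = enabled(entries, "/ip firewall mangle")
    filters = enabled(entries, "/ip firewall filter")
    routes = enabled(entries, "/ip route")
    findings = []

    mark_rules = [e for e in mangle if e.attrs.get("action") == "mark-routing"]
    route_marks = {e.attrs.get("routing-mark") for e in routes}

    for e in mark_rules:
        chain = e.attrs.get("chain")
        if chain not in MARK_ROUTING_CHAINS:
            findings.append(f"mark-routing in chain={chain} is rejected by RouterOS "
                            f"(allowed: prerouting, output)")
        mark = e.attrs.get("new-routing-mark")
        if mark not in route_marks:
            findings.append(f"no enabled route carries routing-mark={mark}")

    # Fasttracked packets bypass the firewall, mangle included, so a flow that
    # gets fasttracked after its first packet loses its routing mark and is
    # routed from the main table (the WAN) instead of the VPN.
    fasttrack = [e for e in filters if e.attrs.get("action") == "fasttrack-connection"]
    if mark_rules and fasttrack:
        findings.append("enabled fasttrack-connection rule bypasses mangle; disable it "
                        "or keep marked traffic out of it")
    return findings


# Constructed input modelled on the question's rules. The fasttrack filter rule is
# assumed (RouterOS default configuration); the chain=forward mangle rule stands in
# for the variant the comments report RouterOS rejects.
SAMPLE_EXPORT = r"""
# constructed sample, not a real export
/ip firewall address-list
add address=178.63.151.224 list=rkn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=eth1-wan
add action=masquerade chain=srcnat comment=OpenVPN out-interface=openvpn-client
/ip firewall mangle
add action=mark-routing chain=prerouting comment=OpenVPN dst-address-list=rkn \
    new-routing-mark=rkn passthrough=yes
add action=mark-routing chain=forward dst-address-list=rkn new-routing-mark=rkn
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
/ip route
add comment=OpenVPN distance=1 dst-address=0.0.0.0/0 gateway=10.0.141.1 routing-mark=rkn
"""

# Same configuration with the forward-chain rule dropped and fasttrack disabled.
FIXED_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat comment=OpenVPN out-interface=openvpn-client
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=rkn new-routing-mark=rkn
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=10.0.141.1 routing-mark=rkn
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_EXPORT), ("fixed", FIXED_EXPORT)):
        print(f"{name}: {lint(text) or 'no findings'}")
```

Feed it the output of the exports the comment asks for (joined into one text) and it reports the pitfalls it knows about; it does not model address lists, connection marks or route rules, so an empty result only means those three checks passed.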

1 Answer


This kind of marking is ideal for routing a source address list; for your case (destination-based route marking): duplicate the mangle rule in the forward and postrouting chains and test if it works.

You could also use `/ip route rule` for this.

Arash
  • It says: "routing-mark allowed only in output and prerouting chains". I also tried to mark packet/connection, but without any effect. – Damamaty Sep 06 '16 at 09:55