Mikrotik and VPN for specific web sites only












6















Day by day the Web censorship in my country gains its strength. The obvious solution is to use VPN, but it slows down the connection and harmlessness of public VPN services can't be guaranteed.



So I thought following solution out:



The router will access most of web sites in a conventional way, but will keep a constant VPN connection which will pretend to be one additional network interface. If I access one of censored web sites, router will pass the traffic through this virtual interface.



Is this possible with RouterOS? How to do that?



My router is RB2011UiAS-2HnD-IN, RouterOS v 6.30.2.










share|improve this question















migrated from serverfault.com Nov 11 '15 at 18:34


This question came from our site for system and network administrators.



















  • Actually, this question would be suited for the Network Engineering subsite. They will tell you that what you want cannot be achieved - a connection can either be tunneled or not. It cannot be both. Use a good VPN-Service, straight from your desktop OS, and just turn it on and off as necessary.

    – vic
    Nov 11 '15 at 17:20






  • 2





    @vic Maybe RouterOS cannot do it, but that does not mean it is impossible. Linux policy routing can get you most of the way there, for instance, though it works on IP/CIDR ranges. But then you have the question of whether you can trust the DNS records you received...

    – Michael Hampton
    Nov 11 '15 at 18:29






  • 1





    RouterOS can do it fine. Simple one-line iptables rule.

    – qasdfdsaq
    Nov 12 '15 at 14:22
















6















Day by day the Web censorship in my country gains its strength. The obvious solution is to use VPN, but it slows down the connection and harmlessness of public VPN services can't be guaranteed.



So I thought following solution out:



The router will access most of web sites in a conventional way, but will keep a constant VPN connection which will pretend to be one additional network interface. If I access one of censored web sites, router will pass the traffic through this virtual interface.



Is this possible with RouterOS? How to do that?



My router is RB2011UiAS-2HnD-IN, RouterOS v 6.30.2.










share|improve this question















migrated from serverfault.com Nov 11 '15 at 18:34


This question came from our site for system and network administrators.



















  • Actually, this question would be suited for the Network Engineering subsite. They will tell you that what you want cannot be achieved - a connection can either be tunneled or not. It cannot be both. Use a good VPN-Service, straight from your desktop OS, and just turn it on and off as necessary.

    – vic
    Nov 11 '15 at 17:20






  • 2





    @vic Maybe RouterOS cannot do it, but that does not mean it is impossible. Linux policy routing can get you most of the way there, for instance, though it works on IP/CIDR ranges. But then you have the question of whether you can trust the DNS records you received...

    – Michael Hampton
    Nov 11 '15 at 18:29






  • 1





    RouterOS can do it fine. Simple one-line iptables rule.

    – qasdfdsaq
    Nov 12 '15 at 14:22














6












6








6


2






Day by day the Web censorship in my country gains its strength. The obvious solution is to use VPN, but it slows down the connection and harmlessness of public VPN services can't be guaranteed.



So I thought following solution out:



The router will access most of web sites in a conventional way, but will keep a constant VPN connection which will pretend to be one additional network interface. If I access one of censored web sites, router will pass the traffic through this virtual interface.



Is this possible with RouterOS? How to do that?



My router is RB2011UiAS-2HnD-IN, RouterOS v 6.30.2.










share|improve this question
















Day by day the Web censorship in my country gains its strength. The obvious solution is to use VPN, but it slows down the connection and harmlessness of public VPN services can't be guaranteed.



So I thought following solution out:



The router will access most of web sites in a conventional way, but will keep a constant VPN connection which will pretend to be one additional network interface. If I access one of censored web sites, router will pass the traffic through this virtual interface.



Is this possible with RouterOS? How to do that?



My router is RB2011UiAS-2HnD-IN, RouterOS v 6.30.2.







router vpn






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 23 '16 at 12:04









Burgi

3,88792543




3,88792543










asked Nov 11 '15 at 16:51









PaulPaul

3071924




3071924




migrated from serverfault.com Nov 11 '15 at 18:34


This question came from our site for system and network administrators.









migrated from serverfault.com Nov 11 '15 at 18:34


This question came from our site for system and network administrators.















  • Actually, this question would be suited for the Network Engineering subsite. They will tell you that what you want cannot be achieved - a connection can either be tunneled or not. It cannot be both. Use a good VPN-Service, straight from your desktop OS, and just turn it on and off as necessary.

    – vic
    Nov 11 '15 at 17:20






  • 2





    @vic Maybe RouterOS cannot do it, but that does not mean it is impossible. Linux policy routing can get you most of the way there, for instance, though it works on IP/CIDR ranges. But then you have the question of whether you can trust the DNS records you received...

    – Michael Hampton
    Nov 11 '15 at 18:29






  • 1





    RouterOS can do it fine. Simple one-line iptables rule.

    – qasdfdsaq
    Nov 12 '15 at 14:22



















  • Actually, this question would be suited for the Network Engineering subsite. They will tell you that what you want cannot be achieved - a connection can either be tunneled or not. It cannot be both. Use a good VPN-Service, straight from your desktop OS, and just turn it on and off as necessary.

    – vic
    Nov 11 '15 at 17:20






  • 2





    @vic Maybe RouterOS cannot do it, but that does not mean it is impossible. Linux policy routing can get you most of the way there, for instance, though it works on IP/CIDR ranges. But then you have the question of whether you can trust the DNS records you received...

    – Michael Hampton
    Nov 11 '15 at 18:29






  • 1





    RouterOS can do it fine. Simple one-line iptables rule.

    – qasdfdsaq
    Nov 12 '15 at 14:22

















Actually, this question would be suited for the Network Engineering subsite. They will tell you that what you want cannot be achieved - a connection can either be tunneled or not. It cannot be both. Use a good VPN-Service, straight from your desktop OS, and just turn it on and off as necessary.

– vic
Nov 11 '15 at 17:20





Actually, this question would be suited for the Network Engineering subsite. They will tell you that what you want cannot be achieved - a connection can either be tunneled or not. It cannot be both. Use a good VPN-Service, straight from your desktop OS, and just turn it on and off as necessary.

– vic
Nov 11 '15 at 17:20




2




2





@vic Maybe RouterOS cannot do it, but that does not mean it is impossible. Linux policy routing can get you most of the way there, for instance, though it works on IP/CIDR ranges. But then you have the question of whether you can trust the DNS records you received...

– Michael Hampton
Nov 11 '15 at 18:29





@vic Maybe RouterOS cannot do it, but that does not mean it is impossible. Linux policy routing can get you most of the way there, for instance, though it works on IP/CIDR ranges. But then you have the question of whether you can trust the DNS records you received...

– Michael Hampton
Nov 11 '15 at 18:29




1




1





RouterOS can do it fine. Simple one-line iptables rule.

– qasdfdsaq
Nov 12 '15 at 14:22





RouterOS can do it fine. Simple one-line iptables rule.

– qasdfdsaq
Nov 12 '15 at 14:22










2 Answers
2






active

oldest

votes


















8














Let's assume that you will be using a PPTP VPN just to demonstrate the commands you need to run.

Since PPTP's encryption is broken for a long time now, I suggest you use something more secure (like OpenVPN). The principle is the same regardless of which VPN/tunnel technology you use.



So first you create the VPN without adding a default gateway route.



/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=VPN_SERVER_IP
dial-on-demand=no disabled=no max-mru=1440 max-mtu=1440 mrru=dis
name=VPN_NAME password="MY_STRONG_PASSWORD" profile=default-encryption user=USERNAME


Then you create a new routing table by adding a default gateway via the VPN with a new routing mark vpn. This will allow you to route packets via the VPN.



/ip route add dst-address=0.0.0.0/0 distance=1 gateway=VPN_GATEWAY_IP routing-mark=vpn


The next route is optional in case you want to block outgoing traffic if the VPN is down:



/ip route add dst-address=0.0.0.0/0 type=unreachable distance=2 routing-mark=vpn


We also need to do some NAT for the packets that will be leaving via the VPN interface.



/ip firewall nat add chain=srcnat out-interface=VPN_NAME action=masquerade


Now we add the mangle rule that will match the destination IPs we want and do a mark-routing on them so that they will use the vpn route table we created.



/ip firewall mangle add chain=prerouting dst-address-list=VPN action=mark-routing new-routing-mark=vpn


Finally we create an Address List on the firewall with the IPs that we want to route via the VPN.



/ip firewall address-list add list=VPN address=1.1.1.1
/ip firewall address-list add list=VPN address=2.2.2.2
/ip firewall address-list add list=VPN address=3.3.3.3
/ip firewall address-list add list=VPN address=4.4.4.4


You repeat the last rule as many times as you need for as many IPs as you want to route via the VPN.



Keep in mind that the rules above do not provide any security as to who behind your router will be able to access the VPN etc. You may need to add appropriate source IPs checks on the rules to make them more secure.



Also this method will route whole IPs via the VPN. If you need to route specific ports/protocols via the VPN you simply create additional mangle rules that match whatever you need and do mark-routing on them.






share|improve this answer





















  • 1





    Thanks man, works perfectly! When adding nat I had to specify also chain=srcnat and when adding mangle I had to specify chain=prerouting

    – pagep
    Sep 21 '16 at 17:01













  • Thanks for pointing that out. I've updated my answer. :)

    – Cha0s
    Sep 21 '16 at 20:15











  • Wondering, can address list be replaced with layer 7 addresses so I will be able to say forward requests for specific domain name through vpn

    – mac
    May 21 '17 at 5:41











  • This was very handy, I needed to specify routing via a particular connection for a couple of remote IPs but had not worked with Mangle rules before.

    – fencepost
    Aug 3 '17 at 14:10











  • @mac In recent versions of RouterOS you can add domains in the address list and it will automatically resolve them to addresses in the same address-list. It follows the TTL of the dns record so it will automatically keep it self up to date if an IP address changes. L7 matching is kinda PITA and very resource hungry :(

    – Cha0s
    Aug 3 '17 at 18:40



















-2














The below is a generic linux answer. I do not know if routeros has suitable functionality in it's UI and if not whether you can bypass the UI and interact with the routing/firewall/nat features in the kernel directly.



The first thing to do is to set up your VPN software and bring up the VPN interface. You should tell your VPN software NOT to make the VPN the default gateway. How exactly this is done will depend on what VPN software you are using.



You can then add specific routes to the routing table to direct traffic to certain IP addresses down the VPN.



You also need to make sure NAT is configured correctly so that the source address of packets leaving your router matches the interface they go out from. This can be done either by using the "MASQURADE" target or by setting up seperate "SNAT" rules for each interface.



Depending on the exact nature of the blocking you may find it nessacery to send some or all of your DNS traffic down the VPN. Sending all your DNS traffic down the VPN should be easy enough (just point your DNS server settings at an IP that is routed down the VPN). If (for performance or privacy reasons) you want only some of your DNS queries to go down the VPN you would need some sort of DNS proxy to split up the requests.



A further complication is if the sites you are accessing don't have stable IPs. In this case you would need a DNS proxy that could monitor replies and add routes dynamically.






share|improve this answer



















  • 1





    RouterOS does not expose any way to allow you to do anything directly to the kernel or iptables. The only way to manage MikroTik RouterOS is via a proprietary CLI (Telnet/SSH), Winbox (desktop GUI), or API.

    – Cha0s
    Nov 12 '15 at 12:47











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f999196%2fmikrotik-and-vpn-for-specific-web-sites-only%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









8














Let's assume that you will be using a PPTP VPN just to demonstrate the commands you need to run.

Since PPTP's encryption is broken for a long time now, I suggest you use something more secure (like OpenVPN). The principle is the same regardless of which VPN/tunnel technology you use.



So first you create the VPN without adding a default gateway route.



/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=VPN_SERVER_IP
dial-on-demand=no disabled=no max-mru=1440 max-mtu=1440 mrru=dis
name=VPN_NAME password="MY_STRONG_PASSWORD" profile=default-encryption user=USERNAME


Then you create a new routing table by adding a default gateway via the VPN with a new routing mark vpn. This will allow you to route packets via the VPN.



/ip route add dst-address=0.0.0.0/0 distance=1 gateway=VPN_GATEWAY_IP routing-mark=vpn


The next route is optional in case you want to block outgoing traffic if the VPN is down:



/ip route add dst-address=0.0.0.0/0 type=unreachable distance=2 routing-mark=vpn


We also need to do some NAT for the packets that will be leaving via the VPN interface.



/ip firewall nat add chain=srcnat out-interface=VPN_NAME action=masquerade


Now we add the mangle rule that will match the destination IPs we want and do a mark-routing on them so that they will use the vpn route table we created.



/ip firewall mangle add chain=prerouting dst-address-list=VPN action=mark-routing new-routing-mark=vpn


Finally we create an Address List on the firewall with the IPs that we want to route via the VPN.



/ip firewall address-list add list=VPN address=1.1.1.1
/ip firewall address-list add list=VPN address=2.2.2.2
/ip firewall address-list add list=VPN address=3.3.3.3
/ip firewall address-list add list=VPN address=4.4.4.4


You repeat the last rule as many times as you need for as many IPs as you want to route via the VPN.



Keep in mind that the rules above do not provide any security as to who behind your router will be able to access the VPN etc. You may need to add appropriate source IPs checks on the rules to make them more secure.



Also this method will route whole IPs via the VPN. If you need to route specific ports/protocols via the VPN you simply create additional mangle rules that match whatever you need and do mark-routing on them.






share|improve this answer





















  • 1





    Thanks man, works perfectly! When adding nat I had to specify also chain=srcnat and when adding mangle I had to specify chain=prerouting

    – pagep
    Sep 21 '16 at 17:01













  • Thanks for pointing that out. I've updated my answer. :)

    – Cha0s
    Sep 21 '16 at 20:15











  • Wondering, can address list be replaced with layer 7 addresses so I will be able to say forward requests for specific domain name through vpn

    – mac
    May 21 '17 at 5:41











  • This was very handy, I needed to specify routing via a particular connection for a couple of remote IPs but had not worked with Mangle rules before.

    – fencepost
    Aug 3 '17 at 14:10











  • @mac In recent versions of RouterOS you can add domains in the address list and it will automatically resolve them to addresses in the same address-list. It follows the TTL of the dns record so it will automatically keep it self up to date if an IP address changes. L7 matching is kinda PITA and very resource hungry :(

    – Cha0s
    Aug 3 '17 at 18:40
















8














Let's assume that you will be using a PPTP VPN just to demonstrate the commands you need to run.

Since PPTP's encryption is broken for a long time now, I suggest you use something more secure (like OpenVPN). The principle is the same regardless of which VPN/tunnel technology you use.



So first you create the VPN without adding a default gateway route.



/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=VPN_SERVER_IP
dial-on-demand=no disabled=no max-mru=1440 max-mtu=1440 mrru=dis
name=VPN_NAME password="MY_STRONG_PASSWORD" profile=default-encryption user=USERNAME


Then you create a new routing table by adding a default gateway via the VPN with a new routing mark vpn. This will allow you to route packets via the VPN.



/ip route add dst-address=0.0.0.0/0 distance=1 gateway=VPN_GATEWAY_IP routing-mark=vpn


The next route is optional in case you want to block outgoing traffic if the VPN is down:



/ip route add dst-address=0.0.0.0/0 type=unreachable distance=2 routing-mark=vpn


We also need to do some NAT for the packets that will be leaving via the VPN interface.



/ip firewall nat add chain=srcnat out-interface=VPN_NAME action=masquerade


Now we add the mangle rule that will match the destination IPs we want and do a mark-routing on them so that they will use the vpn route table we created.



/ip firewall mangle add chain=prerouting dst-address-list=VPN action=mark-routing new-routing-mark=vpn


Finally we create an Address List on the firewall with the IPs that we want to route via the VPN.



/ip firewall address-list add list=VPN address=1.1.1.1
/ip firewall address-list add list=VPN address=2.2.2.2
/ip firewall address-list add list=VPN address=3.3.3.3
/ip firewall address-list add list=VPN address=4.4.4.4


You repeat the last rule as many times as you need for as many IPs as you want to route via the VPN.



Keep in mind that the rules above do not provide any security as to who behind your router will be able to access the VPN etc. You may need to add appropriate source IPs checks on the rules to make them more secure.



Also this method will route whole IPs via the VPN. If you need to route specific ports/protocols via the VPN you simply create additional mangle rules that match whatever you need and do mark-routing on them.






share|improve this answer





















  • 1





    Thanks man, works perfectly! When adding nat I had to specify also chain=srcnat and when adding mangle I had to specify chain=prerouting

    – pagep
    Sep 21 '16 at 17:01













  • Thanks for pointing that out. I've updated my answer. :)

    – Cha0s
    Sep 21 '16 at 20:15











  • Wondering, can address list be replaced with layer 7 addresses so I will be able to say forward requests for specific domain name through vpn

    – mac
    May 21 '17 at 5:41











  • This was very handy, I needed to specify routing via a particular connection for a couple of remote IPs but had not worked with Mangle rules before.

    – fencepost
    Aug 3 '17 at 14:10











  • @mac In recent versions of RouterOS you can add domains in the address list and it will automatically resolve them to addresses in the same address-list. It follows the TTL of the dns record so it will automatically keep it self up to date if an IP address changes. L7 matching is kinda PITA and very resource hungry :(

    – Cha0s
    Aug 3 '17 at 18:40














8












8








8







Let's assume that you will be using a PPTP VPN just to demonstrate the commands you need to run.

Since PPTP's encryption is broken for a long time now, I suggest you use something more secure (like OpenVPN). The principle is the same regardless of which VPN/tunnel technology you use.



So first you create the VPN without adding a default gateway route.



/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=VPN_SERVER_IP
dial-on-demand=no disabled=no max-mru=1440 max-mtu=1440 mrru=dis
name=VPN_NAME password="MY_STRONG_PASSWORD" profile=default-encryption user=USERNAME


Then you create a new routing table by adding a default gateway via the VPN with a new routing mark vpn. This will allow you to route packets via the VPN.



/ip route add dst-address=0.0.0.0/0 distance=1 gateway=VPN_GATEWAY_IP routing-mark=vpn


The next route is optional in case you want to block outgoing traffic if the VPN is down:



/ip route add dst-address=0.0.0.0/0 type=unreachable distance=2 routing-mark=vpn


We also need to do some NAT for the packets that will be leaving via the VPN interface.



/ip firewall nat add chain=srcnat out-interface=VPN_NAME action=masquerade


Now we add the mangle rule that will match the destination IPs we want and do a mark-routing on them so that they will use the vpn route table we created.



/ip firewall mangle add chain=prerouting dst-address-list=VPN action=mark-routing new-routing-mark=vpn


Finally we create an Address List on the firewall with the IPs that we want to route via the VPN.



/ip firewall address-list add list=VPN address=1.1.1.1
/ip firewall address-list add list=VPN address=2.2.2.2
/ip firewall address-list add list=VPN address=3.3.3.3
/ip firewall address-list add list=VPN address=4.4.4.4


You repeat the last rule as many times as you need for as many IPs as you want to route via the VPN.



Keep in mind that the rules above do not provide any security as to who behind your router will be able to access the VPN etc. You may need to add appropriate source IPs checks on the rules to make them more secure.



Also this method will route whole IPs via the VPN. If you need to route specific ports/protocols via the VPN you simply create additional mangle rules that match whatever you need and do mark-routing on them.






share|improve this answer















Let's assume that you will be using a PPTP VPN just to demonstrate the commands you need to run.

Since PPTP's encryption is broken for a long time now, I suggest you use something more secure (like OpenVPN). The principle is the same regardless of which VPN/tunnel technology you use.



So first you create the VPN without adding a default gateway route.



/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=VPN_SERVER_IP
dial-on-demand=no disabled=no max-mru=1440 max-mtu=1440 mrru=dis
name=VPN_NAME password="MY_STRONG_PASSWORD" profile=default-encryption user=USERNAME


Then you create a new routing table by adding a default gateway via the VPN with a new routing mark vpn. This will allow you to route packets via the VPN.



/ip route add dst-address=0.0.0.0/0 distance=1 gateway=VPN_GATEWAY_IP routing-mark=vpn


The next route is optional in case you want to block outgoing traffic if the VPN is down:



/ip route add dst-address=0.0.0.0/0 type=unreachable distance=2 routing-mark=vpn


We also need to do some NAT for the packets that will be leaving via the VPN interface.



/ip firewall nat add chain=srcnat out-interface=VPN_NAME action=masquerade


Now we add the mangle rule that will match the destination IPs we want and do a mark-routing on them so that they will use the vpn route table we created.



/ip firewall mangle add chain=prerouting dst-address-list=VPN action=mark-routing new-routing-mark=vpn


Finally we create an Address List on the firewall with the IPs that we want to route via the VPN.



/ip firewall address-list add list=VPN address=1.1.1.1
/ip firewall address-list add list=VPN address=2.2.2.2
/ip firewall address-list add list=VPN address=3.3.3.3
/ip firewall address-list add list=VPN address=4.4.4.4


You repeat the last rule as many times as you need for as many IPs as you want to route via the VPN.



Keep in mind that the rules above do not provide any security as to who behind your router will be able to access the VPN etc. You may need to add appropriate source IPs checks on the rules to make them more secure.



Also this method will route whole IPs via the VPN. If you need to route specific ports/protocols via the VPN you simply create additional mangle rules that match whatever you need and do mark-routing on them.







share|improve this answer














share|improve this answer



share|improve this answer








edited Jan 4 at 1:36

























answered Nov 12 '15 at 12:45









Cha0sCha0s

23115




23115








  • 1





    Thanks man, works perfectly! When adding nat I had to specify also chain=srcnat and when adding mangle I had to specify chain=prerouting

    – pagep
    Sep 21 '16 at 17:01













  • Thanks for pointing that out. I've updated my answer. :)

    – Cha0s
    Sep 21 '16 at 20:15











  • Wondering, can address list be replaced with layer 7 addresses so I will be able to say forward requests for specific domain name through vpn

    – mac
    May 21 '17 at 5:41











  • This was very handy, I needed to specify routing via a particular connection for a couple of remote IPs but had not worked with Mangle rules before.

    – fencepost
    Aug 3 '17 at 14:10











  • @mac In recent versions of RouterOS you can add domains in the address list and it will automatically resolve them to addresses in the same address-list. It follows the TTL of the dns record so it will automatically keep it self up to date if an IP address changes. L7 matching is kinda PITA and very resource hungry :(

    – Cha0s
    Aug 3 '17 at 18:40














  • 1





    Thanks man, works perfectly! When adding nat I had to specify also chain=srcnat and when adding mangle I had to specify chain=prerouting

    – pagep
    Sep 21 '16 at 17:01













  • Thanks for pointing that out. I've updated my answer. :)

    – Cha0s
    Sep 21 '16 at 20:15











  • Wondering, can address list be replaced with layer 7 addresses so I will be able to say forward requests for specific domain name through vpn

    – mac
    May 21 '17 at 5:41











  • This was very handy, I needed to specify routing via a particular connection for a couple of remote IPs but had not worked with Mangle rules before.

    – fencepost
    Aug 3 '17 at 14:10











  • @mac In recent versions of RouterOS you can add domains in the address list and it will automatically resolve them to addresses in the same address-list. It follows the TTL of the dns record so it will automatically keep it self up to date if an IP address changes. L7 matching is kinda PITA and very resource hungry :(

    – Cha0s
    Aug 3 '17 at 18:40








1




1





Thanks man, works perfectly! When adding nat I had to specify also chain=srcnat and when adding mangle I had to specify chain=prerouting

– pagep
Sep 21 '16 at 17:01







Thanks man, works perfectly! When adding nat I had to specify also chain=srcnat and when adding mangle I had to specify chain=prerouting

– pagep
Sep 21 '16 at 17:01















Thanks for pointing that out. I've updated my answer. :)

– Cha0s
Sep 21 '16 at 20:15





Thanks for pointing that out. I've updated my answer. :)

– Cha0s
Sep 21 '16 at 20:15













Wondering, can address list be replaced with layer 7 addresses so I will be able to say forward requests for specific domain name through vpn

– mac
May 21 '17 at 5:41





Wondering, can address list be replaced with layer 7 addresses so I will be able to say forward requests for specific domain name through vpn

– mac
May 21 '17 at 5:41













This was very handy, I needed to specify routing via a particular connection for a couple of remote IPs but had not worked with Mangle rules before.

– fencepost
Aug 3 '17 at 14:10





This was very handy, I needed to specify routing via a particular connection for a couple of remote IPs but had not worked with Mangle rules before.

– fencepost
Aug 3 '17 at 14:10













@mac In recent versions of RouterOS you can add domains in the address list and it will automatically resolve them to addresses in the same address-list. It follows the TTL of the dns record so it will automatically keep it self up to date if an IP address changes. L7 matching is kinda PITA and very resource hungry :(

– Cha0s
Aug 3 '17 at 18:40





@mac In recent versions of RouterOS you can add domains in the address list and it will automatically resolve them to addresses in the same address-list. It follows the TTL of the dns record so it will automatically keep it self up to date if an IP address changes. L7 matching is kinda PITA and very resource hungry :(

– Cha0s
Aug 3 '17 at 18:40













-2














The below is a generic linux answer. I do not know if routeros has suitable functionality in it's UI and if not whether you can bypass the UI and interact with the routing/firewall/nat features in the kernel directly.



The first thing to do is to set up your VPN software and bring up the VPN interface. You should tell your VPN software NOT to make the VPN the default gateway. How exactly this is done will depend on what VPN software you are using.



You can then add specific routes to the routing table to direct traffic to certain IP addresses down the VPN.



You also need to make sure NAT is configured correctly so that the source address of packets leaving your router matches the interface they go out from. This can be done either by using the "MASQURADE" target or by setting up seperate "SNAT" rules for each interface.



Depending on the exact nature of the blocking you may find it nessacery to send some or all of your DNS traffic down the VPN. Sending all your DNS traffic down the VPN should be easy enough (just point your DNS server settings at an IP that is routed down the VPN). If (for performance or privacy reasons) you want only some of your DNS queries to go down the VPN you would need some sort of DNS proxy to split up the requests.



A further complication is if the sites you are accessing don't have stable IPs. In this case you would need a DNS proxy that could monitor replies and add routes dynamically.






share|improve this answer



















  • 1





    RouterOS does not expose any way to allow you to do anything directly to the kernel or iptables. The only way to manage MikroTik RouterOS is via a proprietary CLI (Telnet/SSH), Winbox (desktop GUI), or API.

    – Cha0s
    Nov 12 '15 at 12:47
















-2














The below is a generic linux answer. I do not know if routeros has suitable functionality in it's UI and if not whether you can bypass the UI and interact with the routing/firewall/nat features in the kernel directly.



The first thing to do is to set up your VPN software and bring up the VPN interface. You should tell your VPN software NOT to make the VPN the default gateway. How exactly this is done will depend on what VPN software you are using.



You can then add specific routes to the routing table to direct traffic to certain IP addresses down the VPN.



You also need to make sure NAT is configured correctly so that the source address of packets leaving your router matches the interface they go out from. This can be done either by using the "MASQURADE" target or by setting up seperate "SNAT" rules for each interface.



Depending on the exact nature of the blocking you may find it nessacery to send some or all of your DNS traffic down the VPN. Sending all your DNS traffic down the VPN should be easy enough (just point your DNS server settings at an IP that is routed down the VPN). If (for performance or privacy reasons) you want only some of your DNS queries to go down the VPN you would need some sort of DNS proxy to split up the requests.



A further complication is if the sites you are accessing don't have stable IPs. In this case you would need a DNS proxy that could monitor replies and add routes dynamically.






share|improve this answer



















  • 1





    RouterOS does not expose any way to allow you to do anything directly to the kernel or iptables. The only way to manage MikroTik RouterOS is via a proprietary CLI (Telnet/SSH), Winbox (desktop GUI), or API.

    – Cha0s
    Nov 12 '15 at 12:47














-2












-2








-2







The below is a generic linux answer. I do not know if routeros has suitable functionality in it's UI and if not whether you can bypass the UI and interact with the routing/firewall/nat features in the kernel directly.



The first thing to do is to set up your VPN software and bring up the VPN interface. You should tell your VPN software NOT to make the VPN the default gateway. How exactly this is done will depend on what VPN software you are using.



You can then add specific routes to the routing table to direct traffic to certain IP addresses down the VPN.



You also need to make sure NAT is configured correctly so that the source address of packets leaving your router matches the interface they go out from. This can be done either by using the "MASQURADE" target or by setting up seperate "SNAT" rules for each interface.



Depending on the exact nature of the blocking you may find it nessacery to send some or all of your DNS traffic down the VPN. Sending all your DNS traffic down the VPN should be easy enough (just point your DNS server settings at an IP that is routed down the VPN). If (for performance or privacy reasons) you want only some of your DNS queries to go down the VPN you would need some sort of DNS proxy to split up the requests.



A further complication is if the sites you are accessing don't have stable IPs. In this case you would need a DNS proxy that could monitor replies and add routes dynamically.






share|improve this answer













The below is a generic linux answer. I do not know if routeros has suitable functionality in it's UI and if not whether you can bypass the UI and interact with the routing/firewall/nat features in the kernel directly.



The first thing to do is to set up your VPN software and bring up the VPN interface. You should tell your VPN software NOT to make the VPN the default gateway. How exactly this is done will depend on what VPN software you are using.



You can then add specific routes to the routing table to direct traffic to certain IP addresses down the VPN.



You also need to make sure NAT is configured correctly so that the source address of packets leaving your router matches the interface they go out from. This can be done either by using the "MASQURADE" target or by setting up seperate "SNAT" rules for each interface.



Depending on the exact nature of the blocking you may find it nessacery to send some or all of your DNS traffic down the VPN. Sending all your DNS traffic down the VPN should be easy enough (just point your DNS server settings at an IP that is routed down the VPN). If (for performance or privacy reasons) you want only some of your DNS queries to go down the VPN you would need some sort of DNS proxy to split up the requests.



A further complication is if the sites you are accessing don't have stable IPs. In this case you would need a DNS proxy that could monitor replies and add routes dynamically.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 11 '15 at 18:55









plugwashplugwash

4,2142917




4,2142917








  • 1





    RouterOS does not expose any way to allow you to do anything directly to the kernel or iptables. The only way to manage MikroTik RouterOS is via a proprietary CLI (Telnet/SSH), Winbox (desktop GUI), or API.

    – Cha0s
    Nov 12 '15 at 12:47














  • 1





    RouterOS does not expose any way to allow you to do anything directly to the kernel or iptables. The only way to manage MikroTik RouterOS is via a proprietary CLI (Telnet/SSH), Winbox (desktop GUI), or API.

    – Cha0s
    Nov 12 '15 at 12:47








1




1





RouterOS does not expose any way to allow you to do anything directly to the kernel or iptables. The only way to manage MikroTik RouterOS is via a proprietary CLI (Telnet/SSH), Winbox (desktop GUI), or API.

– Cha0s
Nov 12 '15 at 12:47





RouterOS does not expose any way to allow you to do anything directly to the kernel or iptables. The only way to manage MikroTik RouterOS is via a proprietary CLI (Telnet/SSH), Winbox (desktop GUI), or API.

– Cha0s
Nov 12 '15 at 12:47


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f999196%2fmikrotik-and-vpn-for-specific-web-sites-only%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Сан-Квентин

8-я гвардейская общевойсковая армия

Алькесар