How do I send each client's traffic through a separate tunnel?

Good afternoon.

On a Mikrotik I have brought up several tunnels to a remote corporate network.
The server is the same; the accounts are different.

A VPN server is also running on the Mikrotik to authenticate the remote clients. It also has to substitute the addresses. The point is that all traffic passes through the Mikrotik.

In the Mikrotik's local network there are also several clients that need access to the production server (the server hosts the dialer and the database).

Connection and routing marks:

/ip firewall mangle
add action=mark-connection chain=prerouting comment=WinOnMac_to_ISS \
    dst-address=10.0.0.0/8 new-connection-mark=Nataliya passthrough=yes \
    src-address=192.168.88.60
add action=mark-routing chain=prerouting connection-mark=Nataliya \
    dst-address=10.0.0.0/8 new-routing-mark=Nataliya passthrough=no \
    src-address=192.168.88.60

/ip route
add check-gateway=ping distance=10 dst-address=10.0.0.0/8 gateway=ISS \
    pref-src=10.99.99.14 routing-mark=Semen
add distance=10 dst-address=10.0.0.0/8 gateway=ISS_Nataliya \
    pref-src=10.99.99.11 routing-mark=Nataliya
add check-gateway=ping distance=50 dst-address=10.0.0.0/8 type=prohibit

The problem is that without the route add check-gateway=ping distance=50 dst-address=10.0.0.0/8 type=prohibit, ping to the remote server works but the services do not (the IP phone does not connect, the CRM does not load). I understand that logically this rule should not affect operation, but it does (sorry for such silly remarks). Masquerading is enabled for all the tunnels.

Please tell me whether I have gone down the wrong path entirely and the scheme needs to be implemented differently.
Thanks in advance.
June 26th 19 at 14:18
1 answer
June 26th 19 at 14:20
Solution
From what you have written it is unclear what tunnels you have and how the traffic is supposed to leave. Is the VPN server also the Mikrotik? You write "in the Mikrotik's local network": what is that LAN?
Suppose there are two tunnel gateway addresses: 1.1.1.1 and 2.2.2.2.

/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=gw1
/ip route add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=gw2

These routes send traffic carrying the corresponding routing mark to that gateway.

/ip route rule add src-address=192.168.88.60 action=lookup table=gw1
/ip route rule add src-address=192.168.88.61 action=lookup table=gw2

These rules make the router send all traffic from those addresses into the corresponding tunnels. - Shakira.Cruickshank commented on June 26th 19 at 14:23
I understand your question.

There are two tunnels; the gateway address is 10.3.5.128:
/ip route add dst-address=10.0.0.0/8 gateway=10.3.5.128 routing-mark=gw1
/ip route add dst-address=10.0.0.0/8 gateway=10.3.5.128 routing-mark=gw2

The gateway is the same in all the tunnels. The tunnels differ only in the link-local addresses they receive. That is:
[screenshot]

The local network is 192.168.88.0/24. - Margarete.Kautzer46 commented on June 26th 19 at 14:26
[screenshot]

For some reason, the clients that connect via PPTP do not need the rule add check-gateway=ping distance=50 dst-address=10.0.0.0/8 type=prohibit for their access.

The route in the screenshot is created automatically when the PPTP clients connect to the Mikrotik; through it, traffic has to be driven to the working dialer and database. - Margarete.Kautzer46 commented on June 26th 19 at 14:29
: Before we go further, please explain why you need different tunnels to the same address at the same point. I am sure we can solve the problem more effectively and simply. - Shakira.Cruickshank commented on June 26th 19 at 14:32
Yes, I apologise once again that I may not have explained the problem clearly enough.

The employees work in a call centre. All of them are remote workers (working from home). At the office there is a PPTP server, PPTP_1. My Mikrotik, with a public IP, sits in between: it is the PPTP_2 server for them and a client of the office. Each employee is issued a username and password. The address of the PPTP_1 server is the same for all of us. I and a few colleagues work in the same local network. The rest connect to me via PPTP. I bring up all the work VPN connections to the remote office at home. All employees must appear with a Kyivstar IP. That is the requirement. The point is that the traffic from each client should go through the Mikrotik into that client's own tunnel to PPTP_1.
[screenshot]
That is, pptp_2_Client_A is the tunnel for PPTP_1_Client_A, "B" goes to "B", and so on. - Margarete.Kautzer46 commented on June 26th 19 at 14:35
The scheme is now clear. However, I still don't understand the need to raise multiple tunnels from PPTP_2 to PPTP_1. If the traffic converges at the same point (PPTP_1) anyway, then whatever goal you are pursuing, more than one tunnel is unnecessary; it is inefficient redundancy. Imitating traffic engineering this way won't work: you are splitting connections that all arrive at the same point... in short, I don't really understand; maybe there is some hidden meaning you haven't told me about.

In general, I see the following scheme.

All remote clients bring up connections to PPTP_2. For them it is the gateway into your corporate LAN and possibly the Internet. Most of them need nothing more: once the connection is up, send all their traffic back through it.

Next, PPTP_2. This is the server that actually manages the whole existing infrastructure. It knows everything about all users, both local and remote. Local and remote users see each other and work as if they were on the same LAN. The only difference is the absence of L2 between the DHCP clients and the PPTP clients.

Now my view of the role of PPTP_1. As I understand it, it is needed only so that all clients reach the Internet through it, appearing to come from its external IP. Nothing could be simpler. We bring up ONE tunnel (PPTP, IP, OVPN, L2TP...) between PPTP_1 and PPTP_2.

Now imagine we have a remote user A who gets the address 192.168.88.2 on PPTP_2 (the subnet is 192.168.88.0/24). PPTP_1's address is 1.1.1.1, PPTP_2's is 2.2.2.2.

First, on PPTP_2 we create the routing table pptp1:
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=pptp1

On PPTP_2 we use routing rules:
# If the destination is in the local network
/ip route rule add src-address=192.168.88.2 dst-address=192.168.88.0/24 action=lookup table=main
# In all other cases, send the traffic via pptp1
/ip route rule add src-address=192.168.88.2 action=lookup table=pptp1

Thus, having connected to PPTP_2 as 192.168.88.2, the client will happily talk to the other clients on this router and go to the Internet through PPTP_1. The rules above are schematic and only meant to convey the idea. I hope this is clear. - Shakira.Cruickshank commented on June 26th 19 at 14:38
: Thank you. Perhaps I haven't conveyed the essence fully.
I'll try a concrete example.

An employee sits at home. He has an account issued by the enterprise (server PPTP_1), for example user1.
In the morning user1 needs to start the work VPN, launch the dialer with the CRM, and work. The server checks the IP address from which the client joined the network. He could connect from home directly to PPTP_1, bypassing my Mikrotik, but then questions would arise about which provider he came from.
Also, I can't bring up a single tunnel to the enterprise on my Mikrotik (which would be much easier and more logical), because in that case only one account would be logged in on PPTP_1, which again raises questions. Plus, if I send all employees through one tunnel to the enterprise, I won't have enough bandwidth, since PPTP_1 does not give more than 20 Mbps on a single tunnel. I should note that I have no access to the settings and parameters of PPTP_1.
About the traffic. Only work traffic goes through the tunnels. PPTP_1 does not hand out Internet. That is, only the server address 10.3.5.xxx and the FTP server 10.3.5.xxx. Therefore client_A adds a single route on his local machine (route add -p 10.3.5.0/24 192.168.0.122), where 192.168.0.122 is the address assigned by the Mikrotik. The subnet here does not matter, since the client may have no other connectivity at all. They just need to get through pptp_2 to PPTP_1. Clients in the Mikrotik's local network (192.168.88.0/24) also each go into their own tunnel.
I hope I understood your question correctly and clarified the necessary details. Thanks in advance for your patience).
PS The connection for client_A is marked. The route is also marked. A rule was created yesterday per your description. Packets go correctly. The snag is with the local clients. A separate rule was created for them. Traceroute and pings to PPTP_1's servers are fine. BUT without add check-gateway=ping distance=50 dst-address=10.0.0.0/8 type=prohibit the dialer service (Oktell, in my case) does not work. - Margarete.Kautzer46 commented on June 26th 19 at 14:41
PPTP_1 does not give more than 20 Mbps on a single tunnel.

What is the total width of the channel to PPTP_1? Are you saying you have 100 Mbit (1 Gbit, 10 Gbit) and the guys on the other end throttle incoming traffic into the tunnel at 20 Mbps?

In the morning user1 needs to start the work VPN, launch the dialer with the CRM, and work

and immediately
Also, I can't bring up a single tunnel to the enterprise on my Mikrotik (which would be much easier and more logical), because in that case only one account would be logged in on PPTP_1, which again raises questions

The rules and limitations are not clear - Shakira.Cruickshank commented on June 26th 19 at 14:44
So, you pretend to be the clients, turning them towards yourself, and then log in to PPTP_1 as each of those clients? - Shakira.Cruickshank commented on June 26th 19 at 14:47
: Right. I pretend to be the clients.
The rules and limitations are not clear

You can't work from the ATO zone. - Margarete.Kautzer46 commented on June 26th 19 at 14:50
: So it turns out that the PPTP_1 connections come from one address; I don't get the trick) If the guys on the other end, as you say, monitor the IP the connections come from, they are not doing a good job: all the connections come from PPTP_2's external address)

Obviously you have overlapping address space and the Mikrotik is getting confused.
I recommend going the way described above: create a default route to 0.0.0.0/0 for each tunnel, and rules to cut off local traffic. All zeros, not just 10.0.0.0/8. - Shakira.Cruickshank commented on June 26th 19 at 14:53
:
all the connections come from PPTP_2's external address

The main thing for them is that the connections come from a specific provider, not from a blacklisted one).

I recommend going the way described above: create a default route to 0.0.0.0/0 for each tunnel, and rules to cut off local traffic. All zeros, not just 10.0.0.0/8

I'm a little confused here. Mark connections? Everything essentially the same, only with 0.0.0.0/0? - Margarete.Kautzer46 commented on June 26th 19 at 14:56
I'm a little confused here. Mark connections? Everything essentially the same, only with 0.0.0.0/0?

Strictly speaking, yes. ALL traffic, EXCEPT local, goes into the tunnels - Shakira.Cruickshank commented on June 26th 19 at 14:59
: you don't need to mark anything with mangle; routing rules handle everything perfectly well. It's simple and clear. - Shakira.Cruickshank commented on June 26th 19 at 15:02
: Thank you very much. It worked. It really is simple. The only thing is that I didn't write the routes with zeros, because there is no Internet in the work tunnel. And I haven't yet figured out how to send the router's own traffic into one of the tunnels. After adding the rules, pings only succeed from the local machine. That is, without a default route the Mikrotik says "no route to host". The rest, I think, I have understood with your help. Thanks again. - Margarete.Kautzer46 commented on June 26th 19 at 15:05
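The following is an added worked configuration, not something posted in the thread, pulling together the scheme the answerer describes (one routing table per tunnel, a route rule per client source address, local destinations exempted) in the form the asker settled on (routes for the work prefix only, no default route in the tunnels). Everything named here is an assumption for the example: the client interfaces pptp-out-A/B/C, 1.1.1.1 as the PPTP_1 address, 10.3.5.0/24 as the work subnet, 192.168.0.0/24 as the pool PPTP_2 hands to remote clients, and the placeholder passwords. RouterOS v6 syntax is used, matching the thread. Two points the thread only touches on are made explicit. First, with action=lookup a marked table that has no matching route falls back to main in v6, so a client whose own tunnel is down could be sent out whichever tunnel main happens to know; action=lookup-only-in-table makes that traffic unreachable instead, which is what you want when each tunnel is logged in under one person's account. Second, PPTP's MS-CHAPv2 authentication and MPPE encryption are cryptographically broken; the routing part carries over unchanged to l2tp-client or ovpn-client interfaces if the office side ever offers them.

```routeros
# Added example (not from the thread). Assumed names: pptp-out-A/B/C, 1.1.1.1 as PPTP_1,
# 10.3.5.0/24 as the work subnet, 192.168.0.0/24 as the pool PPTP_2 hands to remote clients.

# 1. One PPTP client per employee account. No default route from the tunnel:
#    it carries only work traffic (the thread: PPTP_1 gives no Internet).
/interface pptp-client
add name=pptp-out-A connect-to=1.1.1.1 user=clientA password=changeme-A \
    add-default-route=no disabled=no
add name=pptp-out-B connect-to=1.1.1.1 user=clientB password=changeme-B \
    add-default-route=no disabled=no
add name=pptp-out-C connect-to=1.1.1.1 user=clientC password=changeme-C \
    add-default-route=no disabled=no

# 2. One routing table per tunnel, holding only the work prefix.
#    check-gateway=ping marks the route unusable when the far side stops answering.
/ip route
add dst-address=10.3.5.0/24 gateway=pptp-out-A routing-mark=tunA check-gateway=ping
add dst-address=10.3.5.0/24 gateway=pptp-out-B routing-mark=tunB check-gateway=ping
add dst-address=10.3.5.0/24 gateway=pptp-out-C routing-mark=tunC check-gateway=ping
# Nothing in main reaches 10.3.5.0/24, so unmarked traffic cannot leak into a tunnel.

# 3. Rules are evaluated top to bottom. Local destinations are looked up in main first;
#    everything else from a given client is looked up ONLY in that client's table, so a
#    client whose tunnel is down gets "unreachable" rather than someone else's tunnel.
/ip route rule
add dst-address=192.168.88.0/24 action=lookup table=main comment="LAN stays local"
add dst-address=192.168.0.0/24 action=lookup table=main comment="remote PPTP clients stay local"
add src-address=192.168.88.60/32 action=lookup-only-in-table table=tunA comment="employee A (LAN)"
add src-address=192.168.88.61/32 action=lookup-only-in-table table=tunB comment="employee B (LAN)"
add src-address=192.168.0.122/32 action=lookup-only-in-table table=tunC comment="employee C (PPTP)"
# No mangle marks are needed for forwarded traffic; the rules do the table selection.

# 4. Masquerade per tunnel so PPTP_1 sees the address it issued to that account.
/ip firewall nat
add chain=srcnat out-interface=pptp-out-A action=masquerade
add chain=srcnat out-interface=pptp-out-B action=masquerade
add chain=srcnat out-interface=pptp-out-C action=masquerade

# 5. The router's own traffic (the asker's open point): the usual approach is a
#    routing mark set in the mangle output chain, which route rules do not cover.
/ip firewall mangle
add chain=output dst-address=10.3.5.0/24 action=mark-routing new-routing-mark=tunA

# 6. Checks: what each table would use, that a test packet follows it, and what
#    connections actually exist towards the work subnet.
/ip route print where routing-mark=tunA
/ip route rule print
/ping 10.3.5.128 routing-table=tunA count=3
/ip firewall connection print where dst-address~"^10.3.5."
```

To confirm the isolation, disable one tunnel (/interface pptp-client disable pptp-out-B) and ping 10.3.5.128 from 192.168.88.61: it should fail with an unreachable, and /ip firewall connection print should show no new entries towards 10.3.5.0/24 leaving via pptp-out-A or pptp-out-C for that source. Replacing lookup-only-in-table with lookup and repeating the test shows the fallback behaviour the rule is there to prevent.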
