In Mikrotik, how to send all traffic through a VPN except certain addresses?

Hello!
The task is to route all connections through the VPN.
However, some clients are already working over a VPN of their own, so wrapping their traffic a second time makes no sense.

How to handle the following situations:
1. Route all traffic through the VPN except certain IPs
2. Route all traffic through the VPN except certain domains *.host.com or their subdomains *
3. Route all traffic through the VPN except certain IPs, and also excluding certain devices (clients)

Thank you.
March 23rd 20 at 19:35
3 answers
March 23rd 20 at 19:37
Mark the traffic.
For example, take the wiki or the article on Habr about setting up 2-3 providers on a Mikrotik.
Do the same by analogy: imagine that the VPN is the second provider in the path.
It's all done in 30 minutes.
Only when you do it in Winbox, click this button: [image: 5cfb4e07235fe534993131.png]
March 23rd 20 at 19:39
First you need to mark the traffic you are interested in, according to the tasks you listed.
Then write a route for the marked traffic.
March 23rd 20 at 19:41
Initial data:
WAN - ether1, access to the provider
172.20.10.2/24 - address obtained from the provider
172.20.10.1 - its gateway
LAN - 192.168.1.0/24
VPN - ovpn_client
10.10.10.2/32 - address obtained from the VPN server
10.10.10.1 - its gateway
with the option add-default-route=yes, all traffic should go through the VPN by default

The theory is this: right now all traffic goes through the VPN by default.
You need to mark the desired traffic and send it along the desired route.

1. Route all traffic through the VPN except certain IPs
# create a list of addresses that should not go through the VPN
ip firewall address-list add list=exclude_list address=192.168.1.10
ip firewall address-list add list=exclude_list address=192.168.1.11

# mark packets
ip firewall mangle add chain=prerouting action=mark-routing dst-address-list=exclude_list new-routing-mark=ether1_route_mangle passthrough=no src-address=192.168.1.0/24

# route the marked traffic via the ISP instead of the VPN
ip route add dst-address=0.0.0.0/0 gateway=172.20.10.1 distance=1 routing-mark=ether1_route_mangle


2. Route all traffic through the VPN except certain domains *.host.com or their subdomains *
Same as in option 1, only enter a domain instead of an IP
ip firewall address-list add list=exclude_list address=host.com
ip firewall address-list add list=exclude_list address=test.host.com


3. Route all traffic through the VPN except certain IPs, and also excluding certain devices (clients)
Isn't that the same as the first option?
"certain devices" have an IP/domain, just add them to the list
# mark packets
ip firewall mangle add chain=prerouting action=mark-routing dst-address-list=exclude_list new-routing-mark=ether1_route_mangle passthrough=no src-address=192.168.1.0/24

Then it should not be dst-address-list=exclude_list but src-address-list=exclude_list, and src-address=192.168.1.0/24 should be removed altogether. Otherwise you get nonsense. Plus, it is unknown what the default routes are and whether all traffic really goes to the VPN initially. - Verlie.Zemlak9 commented on March 23rd 20 at 19:44
@Weston.Zemlak9, can you elaborate? Maybe I don't understand, but right now I think everything is correct.

As I see it, for example:

There is a list of addresses that I want to go via the default route.
ip firewall address-list add list=exclude_list address=google.com


I send a packet with the destination address google.com; when the packet arrives in the prerouting chain,
it gets marked, because the destination address is in the list dst-address-list=exclude_list
ip firewall mangle add chain=prerouting action=mark-routing dst-address-list=exclude_list new-routing-mark=ether1_route_mangle passthrough=no src-address=192.168.1.0/24


And if you replace it with src-address-list=exclude_list, then mangle will look for google.com in the source address, i.e. it simply will not mark the packet.

src-address=192.168.1.0/24 is needed so that mangle marks only packets with a source address from the network 192.168.1.0/24. And if you don't specify it, then you really do get nonsense: what if there are other subnets on the router? And if the packet comes in on the VPN interface (let me remind you, this is mangle prerouting), it will also be marked, and then you get garbage or something like it.

In short, I need specific criticism; maybe I am doing it all wrong. - dolores.Bayer commented on March 23rd 20 at 19:47
@dolores.Bayer, with names it's all right, I'm talking about what you wrote in example 1. There you add to the exclude list the addresses that should not go through the default route:
# create a list of addresses that should not go through the VPN
ip firewall address-list add list=exclude_list address=192.168.1.10
ip firewall address-list add list=exclude_list address=192.168.1.11

And then the marking:
# mark packets
ip firewall mangle add chain=prerouting action=mark-routing dst-address-list=exclude_list new-routing-mark=ether1_route_mangle passthrough=no src-address=192.168.1.0/24

and it turns out "everything going to 192.168.1.10 or 192.168.1.11 from the network 192.168.1.0/24, then...." - Verlie.Zemlak9 commented on March 23rd 20 at 19:50
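The two commenters are talking past each other: dolores.Bayer's rule excludes *destinations* (dst-address-list), while Verlie.Zemlak9 reads the list as LAN *clients* to exclude (src-address-list), which is what task 3 actually asks for. Below is an added, complete configuration that is not part of any answer above; it keeps the answer's addresses and uses two separate lists and two mangle rules so both cases are covered. The LAN interface name `bridge`, the list names `exclude_dst`/`exclude_src`, and the addresses 203.0.113.10 and 192.168.1.10 are assumptions, and the syntax is RouterOS 6 (`routing-mark`).

```routeros
# --- address lists (constructed sample entries) ---
/ip firewall address-list
# destinations that must bypass the VPN (task 1 / task 2)
add list=exclude_dst address=203.0.113.10 comment="constructed: reach this host directly via ISP"
add list=exclude_dst address=host.com comment="DNS name: the router resolves it itself, no wildcard"
add list=exclude_dst address=test.host.com comment="subdomains must be listed one by one"
# LAN clients that already run their own VPN (task 3)
add list=exclude_src address=192.168.1.10 comment="constructed: client with its own VPN"

# --- routing marks ---
# Both rules restrict in-interface to the LAN so that packets arriving on
# ovpn_client (which also traverse prerouting) are never marked, which is the
# "garbage" case raised in the comments. Unmarked traffic keeps following the
# VPN default route installed by add-default-route=yes.
/ip firewall mangle
add chain=prerouting in-interface=bridge src-address=192.168.1.0/24 \
    dst-address-list=exclude_dst action=mark-routing \
    new-routing-mark=ether1_route_mangle passthrough=no \
    comment="task 1/2: excluded destinations go via ISP"
add chain=prerouting in-interface=bridge src-address-list=exclude_src \
    action=mark-routing new-routing-mark=ether1_route_mangle passthrough=no \
    comment="task 3: excluded clients go via ISP for everything"

# --- route for marked traffic (from the answer above) ---
/ip route
add dst-address=0.0.0.0/0 gateway=172.20.10.1 distance=1 \
    routing-mark=ether1_route_mangle

# --- NAT: marked traffic leaves ether1 with the provider address,
#     everything else leaves ovpn_client with the VPN address ---
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ovpn_client action=masquerade

# --- checks ---
# generate traffic from a LAN client (not from the router: router-originated
# packets go through the output chain, not prerouting) and watch the counters
/ip firewall mangle print stats
# confirm the marked route exists and is active
/ip route print where routing-mark=ether1_route_mangle
# confirm the DNS-name entries were resolved to addresses
/ip firewall address-list print where list=exclude_dst
```

Two caveats worth knowing. First, an address-list entry with a DNS name is resolved by the router, so if a client resolves `host.com` to a different address (round-robin or CDN), that client's packets will not match; pointing clients at the router's own DNS keeps both views consistent, and there is still no `*.host.com` wildcard matching in address-lists. Second, the bypass only works if the unmarked default route through ovpn_client really wins over the provider's default route (lower distance), which is the unknown Verlie.Zemlak9 points out; on RouterOS 7 the parameter is `routing-table` instead of `routing-mark`, and the table has to be created first with `/routing table add name=ether1_route_mangle fib`.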
