Unblock Internet with Mikrotik and VPN: detailed tutorial

In this step-by-step guide I will explain how to set up a Mikrotik router so that blocked sites automatically open through a VPN, with no ritual dancing every time: set it up once and everything works.

I chose SoftEther as the VPN server: it is as easy to set up as RRAS and just as fast. On the server side I only enabled Secure NAT; no other settings were changed.

I considered RRAS as an alternative, but Mikrotik does not work well with it: the connection is established and the VPN works, but Mikrotik cannot keep the tunnel up without constant reconnects and errors in the log.

The configuration was done on an RB3011UiAS-RM running RouterOS 6.46.11.
Now, in order, what to do and why.

1. Set up a VPN connection

As the VPN solution, SoftEther with L2TP/IPsec and a pre-shared key was chosen. This level of security is sufficient here, because only the router and its owner know the key.

Go to the Interfaces section. First add a new L2TP client interface, then enter the server IP, login, password and the IPsec pre-shared key. Press OK.

Same command:

/interface l2tp-client
# LD8 is the interface name used throughout this tutorial; connect-to is the VPN server address.
# ipsec-secret is the IPsec pre-shared key; "vpn" is only an example value, use a long random secret.
add name="LD8" connect-to=45.134.254.112 user="Administrator" password="PASSWORD" profile=default-encryption use-ipsec=yes ipsec-secret="vpn"

SoftEther works with the default IPsec proposals and IPsec profiles, so their configuration is not covered here (the original article included screenshots of the author's profiles for reference).

For RRAS, in IPsec Proposals just change the PFS Group to none.

Now outbound traffic must be NATed behind the VPN connection. To do this, go to IP > Firewall > NAT.

Here we enable masquerade for a specific PPP interface, or for all of them. The author's router is connected to three VPNs at once, so the rule matches all PPP interfaces:

Same command:

/ip firewall nat
# Source NAT everything that leaves through any PPP (VPN) interface.
add chain=srcnat action=masquerade out-interface=all-ppp

2. Add Rules to Mangle

The first thing you want, of course, is to protect what is most valuable and most defenceless, namely DNS and HTTP traffic. Let's start with HTTP.

Go to IP > Firewall > Mangle and create a new rule.

In the rule, set Chain to prerouting.

If there is a Smart SFP or another router in front of your router and you want to reach its web interface, enter its IP address or subnet in Dst. Address and negate it (the ! sign), so that the mangle rule is not applied to that address or subnet. The author has an SFP GPON ONU in bridge mode, and this exception keeps its web interface reachable.

By default the mangle rule would apply to connections in every NAT state, which would make port forwarding to your public IP impossible, so in Connection NAT State select dstnat and negate it. This lets us send outbound traffic through the VPN while still forwarding ports through our public IP.

Next, on the Action tab, select mark routing and give New Routing Mark a name that will be clear to us later.

Same command:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no connection-nat-state=!dstnat protocol=tcp dst-address=!192.168.1.1 dst-port=80

Now let's move on to securing DNS. Here two rules are needed: one for the router itself, the other for devices connected to the router.

If you use the DNS resolver built into the router, as the author does, it must be protected as well. So for the first rule, as above, we select chain prerouting; for the second we select output.

Output is the chain used by the router's own traffic, generated by its own services. Everything else is similar to HTTP: protocol UDP, port 53.

The same commands:

/ip firewall mangle
# DNS from LAN clients: UDP port 53 only, as described above (without dst-port=53 all UDP would be marked).
add chain=prerouting action=mark-routing new-routing-mark=DNS passthrough=no protocol=udp dst-port=53
# DNS from the router's own resolver.
add chain=output action=mark-routing new-routing-mark=DNS-Router passthrough=no protocol=udp dst-port=53

3. Building a route through VPN

Go to IP > Routes and create new routes.

The route for HTTP traffic over the VPN: specify our VPN interface as the gateway and select the routing mark HTTP.


At this stage you should already notice that your ISP has stopped injecting ads into your HTTP traffic.

Same command:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=HTTP distance=2 comment=HTTP

The routes for DNS protection look exactly the same; just select the matching routing mark:

Here your DNS queries have stopped being eavesdropped on. The same commands:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS distance=1 comment=DNS
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS-Router distance=1 comment=DNS-Router

Finally, unblock Rutracker. The whole subnet belongs to it, so the subnet is specified as the destination.

That's how easy it was to get the Internet back. Same command:

/ip route
add dst-address=195.82.146.0/24 gateway=LD8 distance=1 comment=Rutracker.Org
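As an added example (not part of the original article or RouterOS itself), here is a small Python model of the mangle and route logic from sections 2 and 3, so you can check which path a given flow takes before the config goes on a live router. The interface name ISP, the ISP default route and the addresses in the sample flows are assumptions; the prerouting DNS rule is modeled as matching UDP port 53, as the text describes.

```python
# Added example, not RouterOS code: a model of this tutorial's mangle and route
# semantics, so a flow can be checked before the config goes on a live router.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_IF = "LD8"  # VPN interface name from the tutorial
ISP_IF = "ISP"  # assumed name for the plain ISP uplink (not in the original)

@dataclass
class Flow:
    chain: str            # "prerouting" (LAN clients) or "output" (router itself)
    proto: str            # "tcp" or "udp"
    dst: str              # destination IPv4 address
    dport: int            # destination port
    dstnat: bool = False  # True for inbound port-forwarded connections

# Mangle rules in the tutorial's order; "!" becomes a negated condition.
# The prerouting DNS rule matches UDP/53 as the text describes.
MANGLE = [
    ("HTTP", lambda f: f.chain == "prerouting" and f.proto == "tcp"
             and f.dport == 80 and not f.dstnat
             and ip_address(f.dst) != ip_address("192.168.1.1")),
    ("DNS", lambda f: f.chain == "prerouting" and f.proto == "udp" and f.dport == 53),
    ("DNS-Router", lambda f: f.chain == "output" and f.proto == "udp" and f.dport == 53),
]

# Routes as (prefix, gateway, routing-mark); None means the main table.
ROUTES = [
    ("0.0.0.0/0", VPN_IF, "HTTP"),
    ("0.0.0.0/0", VPN_IF, "DNS"),
    ("0.0.0.0/0", VPN_IF, "DNS-Router"),
    ("195.82.146.0/24", VPN_IF, None),  # Rutracker, main table
    ("0.0.0.0/0", ISP_IF, None),        # assumed ISP default route
]

def routing_mark(flow):
    """First matching mangle rule wins (passthrough=no stops further marking)."""
    for mark, match in MANGLE:
        if match(flow):
            return mark
    return None

def egress(flow):
    """Gateway chosen: marked table first, then main table, longest prefix wins."""
    for table in (routing_mark(flow), None):
        hits = [(ip_network(p).prefixlen, gw) for p, gw, m in ROUTES
                if m == table and ip_address(flow.dst) in ip_network(p)]
        if hits:
            return max(hits)[1]
    return None
```

Flows that are port-forwarded (dstnat) or aimed at the upstream device's 192.168.1.1 stay on the ISP path, while marked HTTP/DNS and the Rutracker /24 leave through LD8.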

In exactly the same way as with Rutracker, you can route corporate resources and other blocked sites.

The author hopes you will appreciate the convenience of reaching Rutracker and the corporate portal at the same time, without taking off your sweater.


Source: habr.com
