Making certain clients on LAN use a particular VPN connection with Mikrotik
Today, I received my RB-750GL from kablosuzmarket.com within 24h of my purchase; kudos for the excellent service. I rushed home to use this beast.
I had this idea for some time: to make certain devices on the LAN (e.g. an Apple TV) use a VPN connection so they appear to be in the US (or wherever the VPN server is). With Mikrotik it took just about half an hour to figure out how to do this.
1. Add your VPN connection as an interface. In my case, I needed a PPTP Client. Make sure it connects successfully.
```
[admin@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                 TYPE       MTU   L2MTU
 0  R  ether1-gateway       ether      1500  1598
 1  R  ether2-local-master  ether      1500  1598
 2  R  ether3-local-slave   ether      1500  1598
 3     ether4-local-slave   ether      1500  1598
 4     ether5-local-slave   ether      1500  1598
 5  R  pppoe-out1           pppoe-out  1480
 6  R  pptp-out1            pptp-out   1404
```
The last one (pptp-out1) is my VPN connection.
2. Prepare the address list of the devices you want to use this new VPN connection.
```
[admin@MikroTik] /ip firewall address-list> print
Flags: X - disabled, D - dynamic
 #   LIST            ADDRESS
 0   usvpn-addrlist  192.168.1.104
 1   usvpn-addrlist  192.168.1.254
```
3. Add a firewall mangle rule that sets a routing mark on packets from this address list. I’ve marked them as “usvpn”.
```
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-routing new-routing-mark=usvpn passthrough=yes src-address-list=usvpn-addrlist
```
4. Now route packets carrying the “usvpn” routing mark via the pptp-out1 interface.
```
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pptp-out1                 1
 1 ADS  0.0.0.0/0                          78.171.192.1              1
 2 ADC  10.10.0.1/32       10.10.0.2       pptp-out1                 0
 3 ADC  10.10.2.1/32       10.10.43.56     pppoe-out1                0
 4 ADC  192.168.1.0/24     192.168.1.1     ether2-local-ma...        0
```
The details are not visible in this print. When adding the new route, just select the Gateway (pptp-out1) and Routing Mark (usvpn).
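The four steps above as RouterOS CLI commands, in the v6-era syntax that matches the printouts; this is an added example, not the author's own commands. The server address and credentials are placeholders, and the blackhole route and the masquerade rule are assumptions not found in the original post: the first stops marked traffic from falling back to the main routing table (and out through the ISP link) when the tunnel is down, the second is only needed if the existing srcnat rule is limited to the WAN interface.

```routeros
# Added example, not from the original post. RouterOS v6-era syntax.

# 1. PPTP client interface (server and credentials are placeholders)
/interface pptp-client
add name=pptp-out1 connect-to=VPN_SERVER_PLACEHOLDER user=VPN_USER_PLACEHOLDER password=VPN_PASSWORD_PLACEHOLDER disabled=no

# 2. Address list of the LAN devices that should use the VPN
/ip firewall address-list
add list=usvpn-addrlist address=192.168.1.104
add list=usvpn-addrlist address=192.168.1.254

# 3. Set the routing mark "usvpn" on packets coming from those devices
/ip firewall mangle
add chain=prerouting src-address-list=usvpn-addrlist action=mark-routing new-routing-mark=usvpn passthrough=yes

# 4. Default route for marked packets via the VPN interface
/ip route
add dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=usvpn distance=1

# Assumption (not in the post): when pptp-out1 is down the route above goes
# inactive and marked packets would be looked up in the main table instead.
# A higher-distance blackhole route in the same table drops them instead.
add dst-address=0.0.0.0/0 type=blackhole routing-mark=usvpn distance=2

# Assumption (not in the post): source NAT for traffic leaving through the tunnel
/ip firewall nat
add chain=srcnat out-interface=pptp-out1 action=masquerade

# Show the fields the plain "print" hides, including routing-mark
/ip route print detail where routing-mark=usvpn
```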
Now test if your devices are out in the US :)