Iptables – Site-to-site VPN with local internet gateways on Mikrotik

Tags: iptables, mikrotik, networking, pptp, routing

We have a corporate network in office 1 with Forefront TMG as a gateway. Internal office 1 network IP range is 192.168.0.0/24.

We have a branch office 2 with Mikrotik router (you can think of it as iptables powered Linux firewall if you are not aware of Mikrotik stuff in particular). IP range in office 2 is 192.168.88.0/24. 192.168.88.1 is an IP of the gateway.

I've set up a site-to-site VPN connection, where only the Mikrotik utilizes its PPTP Client to connect to the office 1 VPN gateway on TMG.

TMG uses route relationship to communicate with computers in office 2 range.

If "Add Default Route" is checked on PPTP Client config on Mikrotik, all the traffic flows via TMG to both internet and office 1 network. Office 1 computers can access office 2 network as well, all works great.

But there is an overhead, where we don't want all the internet traffic from office 2 to flow through the TMG in office 1. We only need the office 1 IPs routed through the VPN, while everything else goes through the Internet uplink in office 2.

So I've disabled the "Add default route" checkmark in the PPTP Client config and used a Mangle setup in Firewall on Mikrotik to add a routing mark to all the traffic that targets the office 1 network. In the Routes table on Mikrotik I've basically added a route that says: all the traffic with the office 1 mark goes through the VPN gateway.

This almost gives me what I want. Office 2 connects to office 1 IPs over the VPN gateway, other requests go through the local Internet uplink. But the only thing that doesn't work in this setup, with "Add Default Route" unchecked, is that office 1 computers can't get either to the VPN'ed Mikrotik IP or to any IP in the office 2 network. Mikrotik basically doesn't route traffic that is coming from Office 1. I've tried several approaches (routes) based on routing marks as well, but none allowed me to have office 1 access office 2. Only if "Add default route" is checked can I connect both ways.

Please assist in giving a hint of what's so special behind this "Add default route" in my setup, since I'm basically manually adding the same, which enables only half of the communication setup to work.

Best Answer

You need to create static routes on each router so that they know how to reach each office's network.

On Office 1 router:
Create a route for destination network 192.168.88.0/24 with the gateway being the IP or interface of your VPN. (I don't know what TMG is and how it might refer to static routes, but the concept is the same regardless of the router vendor.)
Since you mention some 'route relationship' (I guess this is vendor-specific terminology) you might not need to add any routes on the TMG router.

On Office 2 router:
You create a static route either via Winbox (IP > Router > Add) or via the CLI.

/ip route add dst-address=192.168.0.0/24 gateway=pptp-interface

Now the Office 2 router knows how to reach 192.168.0.0/24 (via the VPN) and likewise, the Office 1 router should know how to reach 192.168.88.0/24.

Also I don't think you need any mangle rules. This can all be done without any iptables (IP>Firewall in MikroTik terminology) since it's just static routing between two networks.
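As an added example that is not part of the original answer, here is the office 2 (MikroTik) side of the static-route setup in RouterOS CLI form, with the checks you would run afterwards. The interface name pptp-office1, the TMG address, the credentials and the forward-chain filter rules are assumptions for illustration; the two LAN prefixes are the ones from the question.

```routeros
# Added example, not from the original answer. Office 2 MikroTik side only.
# Assumed: interface name pptp-office1; TMG address and credentials are placeholders.

# 1. PPTP client to the office 1 TMG gateway WITHOUT the default route, so
#    ordinary internet traffic keeps using the local office 2 uplink.
/interface pptp-client add name=pptp-office1 connect-to=TMG_PUBLIC_IP_PLACEHOLDER \
    user=VPN_USER_PLACEHOLDER password=VPN_PASSWORD_PLACEHOLDER \
    add-default-route=no disabled=no

# 2. Static route: only the office 1 LAN goes over the tunnel. No routing mark
#    (mangle) is needed; the destination prefix alone selects the tunnel, so the
#    earlier mangle mark rule can be removed once this route works.
/ip route add dst-address=192.168.0.0/24 gateway=pptp-office1 \
    comment="office 1 LAN via site-to-site PPTP"

# 3. Assumed forward-chain rules: permit traffic between the two LANs across the
#    tunnel in both directions and drop anything else arriving from the tunnel.
#    Place them above any existing catch-all drop in the forward chain.
/ip firewall filter add chain=forward in-interface=pptp-office1 \
    src-address=192.168.0.0/24 dst-address=192.168.88.0/24 action=accept \
    comment="office 1 -> office 2 over VPN"
/ip firewall filter add chain=forward out-interface=pptp-office1 \
    src-address=192.168.88.0/24 dst-address=192.168.0.0/24 action=accept \
    comment="office 2 -> office 1 over VPN"
/ip firewall filter add chain=forward in-interface=pptp-office1 action=drop \
    comment="drop anything else arriving from the tunnel"

# 4. Checks: the route must show as active (flag A) once the tunnel is up, and
#    an office 1 host should be reached through the tunnel, not the internet uplink.
/ip route print where dst-address=192.168.0.0/24
/ping 192.168.0.1 count=3
/tool traceroute 192.168.0.1
```

If the traceroute's first hop is the office 2 internet uplink rather than the tunnel, the static route is not active (tunnel down or wrong gateway name), which is the first thing to fix before touching any firewall rule.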