How to Config Mikrotik for 2 Wan 2 Network isolated? - mikrotik

I want to create an isolated network on MikroTik without load balancing.
Ex:
Wan1 : 88.88.88.88
Wan2 : 99.99.99.99
Lan1 : 192.168.1.0/24
Lan2 : 192.168.2.0/24
Lan1 goes to the internet via Wan1 and Lan2 goes to the internet via Wan2. The MikroTik mangle and route config is as follows. When I use this config I never see Wan2 on whatismyip; I see the Wan1 IP on both Lan1 and Lan2. (packet-mark is for queue)
/ip firewall mangle
add action=mark-routing chain=prerouting comment=Wan1_Routing hotspot=auth \
new-routing-mark=Wan1 passthrough=no src-address=172.1.0.0/20 \
src-address-list=Wan1
add action=mark-routing chain=prerouting comment=Wan2_Routing hotspot=auth \
new-routing-mark=Wan2 passthrough=no src-address=172.5.0.0/21 \
src-address-list=Wan2
add action=mark-packet chain=prerouting comment=Wan1_Up in-interface=Wan1 \
new-packet-mark=Wan1_Up passthrough=no src-address-list=Wan1
add action=mark-packet chain=postrouting comment=Wan1_Dwn dst-address-list=\
Wan1 new-packet-mark=Wan1_Dwn out-interface=Wan1 passthrough=no
add action=mark-packet chain=prerouting comment=Wan2_Up in-interface=Wan2 \
new-packet-mark=Wan2_Up passthrough=no src-address-list=Wan2
add action=mark-packet chain=postrouting comment=Wan2_Dwn dst-address-list=Wan2 \
new-packet-mark=Wan2_Dwn out-interface=Wan2 passthrough=no
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=Wan1
add distance=1 gateway=192.168.2.1 routing-mark=Wan2
add distance=1 gateway=192.168.1.1
add distance=1 gateway=192.168.2.1

Use the Per Connection Classifier to achieve this, in three steps.
step 1: mark connections with firewall/mangle feature; i.e. 192.168.1.0/24 clients will get "LAN1" connection mark
step 2: mark packets with correct route using firewall/mangle; i.e. "LAN1" connections will get "route_WAN1" route mark.
step 3: create two routes in ip/route to handle "route_WAN1" and "route_WAN2" packets and forward them to the corresponding gateway.
And that's all. Detailed implementation can be found here:
http://wiki.mikrotik.com/wiki/Manual:PCC

Related

No IPV6 internet connectivity on client side of OpenVPN AWS EC2 server

I have an OpenVPN server I've set up on an AWS EC2 instance that is pulling an IPV6 address, and can traceroute6 and ping6 ipv6.google.com. The client can do neither and does not return an address when using online tests like ipleak, or testipv6. The server and client can ping6 and traceroute6 each other.
The client appears to pull the correct address locally, and via ip -6 route. IPV4 has always worked fine without issue. Everything appears good on the AWS side per their instructions here so the instance does have ipv6 enabled with the proper routing on the aws/vpc side. Security groups are pretty wide open for ipv6 as well.
I am assuming it's my routing, but I'm not really sure at this point as I'm no ipv6 or routing expert. Please help!
Relevant config info:
ipv6 addr of AWS instance:
aaaa:bbbb:cccc:dddd::/64
server.conf
local 172.31.44.1
port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
server-ipv6 aaaa:bbbb:cccc:dddd:80::/112
push "redirect-gateway-ipv6 def1 bypass-dhcp-ipv6"
push "route-ipv6 aaaa:bbbb:cccc:dddd::/64"
push "route-ipv6 2000::/3"
push "route 172.31.44.1 255.255.255.255 net_gateway"
push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2001:4860:4860::8844"
/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
ip6tables:
-A INPUT -p udp --dport 443 -j ACCEPT
-A FORWARD -m state --state NEW -i tun0 -o eth0 -s aaaa:bbbb:cccc:dddd::/64 -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o tun0 -d aaaa:bbbb:cccc:dddd::/64 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Don't use proxy NDP. It's a mess.
What you need is to delegate (=route) a prefix to the EC2 instance, then configure this prefix in the OpenVPN config (server-ipv6 keyword with the assigned prefix and mask, e.g. 2001:db8:dead:beef:1::/80), then assign connected users addresses from the prefix.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/work-with-prefixes.html
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

Unable to NAT IP with Iptables and Strongswan in AWS

I've just configured Strongswan and can successfully bring the VPN tunnel up on an AWS EC2 instance, but I'm having issues with the traffic because we need to NAT the private IP address of my EC2 instance so that all traffic going through the VPN comes from a specific IP.
But currently if I ping the [DESTINATION_IP] address my traffic still originates from my private IP. I have tried several PREROUTING and POSTROUTING rules in iptables but nothing seems to work. Can anyone explain what the problem might be?
Current Settings
In AWS Source/destination checks disabled.
strongswan statusall
Listening IP addresses:
[PRIVATE_IP]
Connections:
vpn: %any...[VPN_FIREWALL_IP] IKEv2, dpddelay=10s
vpn: local: [[ELASTIC_PUBLIC_IP]] uses pre-shared key authentication
vpn: remote: [[VPN_FIREWALL_IP]] uses pre-shared key authentication
vpn: child: 0.0.0.0/0 === [DESTINATION_IP]/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
vpn[1]: ESTABLISHED 5 seconds ago, [PRIVATE_IP][[ELASTIC_PUBLIC_IP]]...[VPN_FIREWALL_IP][[VPN_FIREWALL_IP]]
vpn[1]: IKEv2 SPIs: 6055db442ef8607c_i* 3d2ec0bb945e9a2c_r, pre-shared key reauthentication in 7 hours
vpn[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA1/MODP_2048
vpn{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca9d2ca0_i df70a539_o
vpn{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 46 minutes
vpn{1}: [NAT_SOURCE_IP]/31 === [DESTINATION_IP]/32
ipsec.conf
config setup
charondebug="all"
uniqueids=no
conn %default
ikelifetime=28800s
keyexchange=ikev2
keylife=3600s
keyingtries=%forever
mobike=no
conn vpn
authby=psk
auto=start
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
ike=aes128-sha256-prfsha1-modp2048!
esp=aes128-sha256-modp2048,aes128-sha1-modp2048!
left=%defaultroute
leftid=[ELASTIC_PUBLIC_IP]
leftsubnet=0.0.0.0/0
leftfirewall=yes
rightsubnet=[DESTINATION_IP]/32
right=[VPN_FIREWALL_IP]
rightid=[VPN_FIREWALL_IP]
type=tunnel
mark=100
iptables-save
*nat
:PREROUTING ACCEPT [9728:543855]
:INPUT ACCEPT [7882:388791]
:OUTPUT ACCEPT [20219:1527154]
:POSTROUTING ACCEPT [20725:1569658]
COMMIT
*filter
:INPUT ACCEPT [142:30437]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188:34735]
-A FORWARD -s [DESTINATION_IP]/32 -d [NAT_SOURCE_IP]/31 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s [NAT_SOURCE_IP]/31 -d [DESTINATION_IP]/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
If I correctly understand your question, you are asking how to set up source NAT on an EC2 instance with Strongswan. I run the same setup and in my case the following iptables rules from [1] provide the requested functionality:
iptables -t nat -A POSTROUTING -s <NAT_SOURCE_IP>/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s <NAT_SOURCE_IP>/24 -o eth0 -j MASQUERADE
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Restrict access to router VPN client to a single IP address

I have set up an OpenVPN client on an Asus router running Padavan firmware, which is similar to Tomato and others.
The VPN client works, but I would like to limit its use to one or two IPs on my LAN (i.e. an Apple TV) and have all other clients bypass the VPN connection.
The Padavan VPN client has a custom script that is executed when the interface (tun0) goes up and down.
I have attempted to route the IP address of the client that I want to use, but it does not prevent access via all of the other clients:
#!/bin/sh
### Custom user script
### Called after internal VPN client connected/disconnected to remote VPN server
### $1 - action (up/down)
### $IFNAME - tunnel interface name (e.g. ppp5 or tun0)
### $IPLOCAL - tunnel local IP address
### $IPREMOTE - tunnel remote IP address
### $DNS1 - peer DNS1
### $DNS2 - peer DNS2
# private LAN subnet behind a remote server (example)
peer_lan="192.168.0.130"
peer_msk="255.255.255.253"
### example: add static route to private LAN subnet behind a remote server
func_ipup()
{
# route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
# route add -net $peer_lan gw $IPREMOTE dev $IFNAME
# policy routing needs the iproute2 "ip" tool: net-tools "route" has no
# "table" option and "rule" is not a command on its own
# table 200: everything via the tunnel
ip route add default dev tun0 table 200
# only packets from this one host consult table 200; all others use the main table
ip rule add from 192.168.0.130 table 200
return 0
}
func_ipdown()
{
# route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
return 0
}
logger -t vpnc-script "$IFNAME $1"
case "$1" in
up)
func_ipup
;;
down)
func_ipdown
;;
esac
I realise that this is very specific to the Padavan firmware, but I think that the commands executed when it goes up should be universal, and my routing skills are very limited!
Maybe I need to block / allow using iptables instead?
Any suggestions or help gratefully appreciated!
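As an added example, not from the original post or from the Padavan firmware, here is the same up/down hook written with iproute2 policy routing so that only the hosts listed in VPN_CLIENTS use the tunnel and every other LAN client stays on the WAN. It also inserts a FORWARD reject rule for those hosts so they cannot fall back to the WAN when the tunnel drops. The client addresses, table number 200, the LAN bridge name br0 and the LAN subnet are placeholders, and it assumes the VPN client does not install the pushed default route into the main table (for OpenVPN, route-nopull or pull-filter ignore "redirect-gateway" in the client config); otherwise the tunnel captures every client regardless of the rules.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Padavan firmware:
# a vpnc up/down hook that sends ONLY the hosts in VPN_CLIENTS through the
# tunnel and leaves every other LAN client on the WAN.
#
# Assumptions (placeholders, adjust to your LAN):
#   - the tunnel interface is $IFNAME (tun0), as the firmware exports it
#   - routing table 200 is otherwise unused on the router
#   - the LAN bridge is br0 and the LAN subnet is 192.168.0.0/24
#   - the VPN client does NOT put the pushed default route into the main
#     table (OpenVPN: route-nopull), or everyone ends up in the tunnel
#
# DRY_RUN=1 (the default) only prints the commands; run with DRY_RUN=0
# on the router to apply them.

IFNAME="${IFNAME:-tun0}"
VPN_CLIENTS="${VPN_CLIENTS:-192.168.0.130 192.168.0.131}"   # hosts that must use the VPN
VPN_TABLE="${VPN_TABLE:-200}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_IF="${LAN_IF:-br0}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Kill switch: a VPN-only host may only be forwarded into the tunnel or to
# the local LAN. Inserted once and deliberately NOT removed on "down", so
# the host cannot leak to the WAN while the tunnel is gone.
add_killswitch() {
    if [ "$DRY_RUN" = 1 ] || ! iptables -C FORWARD -s "$1" ! -d "$LAN_NET" ! -o "$IFNAME" -j REJECT 2>/dev/null; then
        run iptables -I FORWARD -s "$1" ! -d "$LAN_NET" ! -o "$IFNAME" -j REJECT
    fi
}

vpn_up() {
    # Table 200: the LAN stays reachable directly, everything else via the tunnel.
    run ip route add default dev "$IFNAME" table "$VPN_TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$VPN_TABLE"
    for host in $VPN_CLIENTS; do
        # Policy rule: packets FROM this host consult table 200 instead of main.
        run ip rule add from "$host" table "$VPN_TABLE"
        add_killswitch "$host"
    done
    run ip route flush cache
}

vpn_down() {
    for host in $VPN_CLIENTS; do
        run ip rule del from "$host" table "$VPN_TABLE"
    done
    run ip route flush table "$VPN_TABLE"
    run ip route flush cache
}

case "$1" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Run it once with the default DRY_RUN=1 to read the exact ip and iptables commands it would issue, then set DRY_RUN=0 in the firmware's hook. Because the reject rule survives the "down" event, a VPN-only host loses internet access rather than silently leaving the tunnel when the VPN is unavailable.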

How can I simulate packet loss using tc netem?

I am trying to simulate a 5% packet loss using the tc tool at server port 1234. Here are my steps -
sudo tc qdisc del dev eth0 root
sudo tc qdisc add dev eth0 root handle 1: prio
sudo tc filter add dev eth0 parent 1: protocol ip prio 1 u32 flowid 1:1 match ip dport 1234 0xffff
sudo tc qdisc add dev eth0 parent 1:1 handle 1: netem loss 5%
There are no errors during the above commands. But when I send any TCP traffic to that port, there is no packet loss observed.
What am I doing wrong in the above commands?
Any help is appreciated.
See https://serverfault.com/a/841865/342799 for similar case.
Commands I have in my testing rig to drop 5.5% of packets:
# tc qdisc add dev eth0 root handle 1: prio priomap 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
# tc qdisc add dev eth0 parent 1:1 handle 10: netem loss 5.5% 25%
# DST_IP=1.2.3.4/32
# tc filter add \
dev eth0 \
parent 1: \
protocol ip \
prio 1 \
u32 \
match ip dst $DST_IP \
flowid 1:1
To confirm, run:
# ping -f -c 1000 $DST_IP
before and after this setup.
Note: Almost all hosting providers start throttling your traffic if you do a lot of flood pings.
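Added example, not from the answer above or from the linked one: a script that emits the tc commands for the port-based loss so they can be reviewed before being piped to a root shell, plus a parser for tc -s qdisc show that reports the netem qdisc's own dropped-packet counter. That counter is a direct measure of the configured loss, unlike a flood ping on a host whose provider throttles ICMP. eth0 and port 1234 are taken from the question; the child handle 10: is chosen here so it does not collide with the root's 1:, and the statistics sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original answer: emit the tc commands for a
# port-based netem loss (review them, then pipe to a root shell) and read
# the resulting drop count back from the qdisc statistics.
#
# Assumptions: DEV eth0 and PORT 1234 from the question; the root prio
# qdisc is handle 1:, the netem child is handle 10: (chosen here).

DEV="${DEV:-eth0}"
PORT="${PORT:-1234}"
LOSS="${LOSS:-5%}"

# Print the setup commands. The priomap puts every TOS value in the third
# band (class 1:3), so only packets picked by the u32 filter reach class
# 1:1 where the netem qdisc sits; everything else is untouched.
netem_commands() {
    cat <<EOF
tc qdisc del dev $DEV root 2>/dev/null || true
tc qdisc add dev $DEV root handle 1: prio priomap 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
tc qdisc add dev $DEV parent 1:1 handle 10: netem loss $LOSS
tc filter add dev $DEV parent 1: protocol ip prio 1 u32 match ip dport $PORT 0xffff flowid 1:1
EOF
}

# Read "tc -s qdisc show dev eth0" output on stdin and print the
# dropped-packet counter of the netem qdisc (its own, not the root's).
netem_dropped() {
    awk '
        /^qdisc/ { in_netem = ($2 == "netem") }
        in_netem && /dropped/ {
            sub(/.*dropped /, ""); sub(/,.*/, ""); print; exit
        }'
}

# Constructed sample of "tc -s qdisc show dev eth0" after about 1000
# packets went through the filtered class (not a real capture).
sample_tc_stats() {
    cat <<'EOF'
qdisc prio 1: root refcnt 2 bands 3 priomap 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
 Sent 15376 bytes 112 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc netem 10: parent 1:1 limit 1000 loss 5%
 Sent 1446000 bytes 1000 pkt (dropped 48, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
EOF
}

# On the real host:   netem_commands | sudo sh
# after sending traffic:   tc -s qdisc show dev eth0 | netem_dropped
```

The drop counter grows only for packets that actually reached the netem child, so a counter that stays at zero while traffic flows tells you the filter is not classifying the flow into 1:1, which is a different failure from netem simply not dropping.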

IPTables configuration for Transparent Proxy

I am confused why my iptables rule does not work on the router. What I'm trying to do is redirect any packets from a source IP destined to port 80 and 443 to 192.168.1.110:3128. However, when I try this:
iptables -t nat -A PREROUTING -s 192.168.1.5 -p tcp --dport 80:443 -j DNAT --to-destination 192.168.1.110:3128
it does not work. However, when I add this,
iptables -t nat -A POSTROUTING -j MASQUERADE
it works. But the problem with masquerade is that I do not get the real IP but instead the IP of the router. I need to get the source IP so my proxy server can record all IPs connected to it. Can someone tell me how to make it work without making POSTROUTING jump to MASQUERADE?
For real transparent proxying you need to use the TPROXY target (in the mangle table, PREROUTING chain). All other iptables-mechanisms like any NAT, MASQUERADE, REDIRECT rewrite the IP addresses of the packet, which makes it impossible to find out where the packet originally was intended to.
The proxy program has to bind() and listen() on a socket like any other server, but needs some specific socket flags (which requires some Linux capabilities (type of permission) or root). – Once connected, there is some way to get the “intended server” from the OS.
Sorry, I’m a little lazy about the details, but searching for “TPROXY” as keyword will get you going quickly!
If I am not wrong, the correct syntax of the rule would be:
iptables -t nat -A PREROUTING -s 192.168.1.5 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.110:3128
--dport 80:443 will forward all ports from 80 to 443
--dports 80,443 will forward port 80 and 443 only.
If you want traffic hitting 192.168.1.5 on port 80 and 443 to be forwarded to 192.168.1.110's 3128 port then you should use the below rule:
iptables -t nat -A PREROUTING -d 192.168.1.5 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.110:3128
You should also make sure the gateway on 192.168.1.110 is pointed to your router ip.
Finally you can use the masquerade rule as below.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
eth1 should be your outgoing interface.
I had the same issue and the solution was to tell the transparent proxy to forward the source ip in the right header fields.
In case of my nginx proxy the rules were close to:
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://name_of_proxy;
proxy_redirect off;
}
I used:
iptables -t nat -A PREROUTING -p tcp -s <foreign IP to your device> --dport 80:443 -j DNAT --to-destination <your application or local IP:port>
I think you did the prerouting of the packet in your device out, which never connects to port 80 or 443; this is for a web server connecting to the device. 192.168.1.5 is like my local address.
And remember to configure: echo 1 > /proc/sys/net/ipv4/ip_forward
I think you are doing NAT in both directions by not specifying an interface. Try adding -o eth0 to your -j MASQUERADE line. (Substitute whatever your "external" interface is, instead of eth0, depending on your setup.)
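Added example, not from any of the answers in this thread: the DNAT and masquerade rules discussed above assembled into one iptables-restore ruleset, so they load atomically and can be checked with iptables-restore --test before touching the live tables. It assumes a topology in which the proxy sits behind its own router interface (eth2 and 192.168.2.110 are made up here) rather than on the clients' LAN: the proxy's replies then pass back through the router, conntrack reverses the DNAT, and masquerading only on the WAN interface (eth1) means the proxy still sees the client's real source address. With the proxy on the same subnet as the client, its replies go straight to the client and skip the router, which is why a LAN-side masquerade was needed in the question. The FORWARD chain must still allow client to proxy port 3128; only the nat table is replaced here.

```shell
#!/bin/sh
# Added example, not from any answer in this thread: the DNAT + masquerade
# rules as one iptables-restore ruleset (atomic load, reviewable with
# "iptables-restore --test" first). Only the nat table is replaced.
#
# Assumed topology (all placeholders):
#   clients  192.168.1.0/24 on LAN_IF eth0, intercepted host 192.168.1.5
#   proxy    192.168.2.110:3128 behind its own interface PROXY_IF eth2
#   WAN_IF   eth1
# Because the proxy is behind a separate router interface, its replies
# return through the router, conntrack reverses the DNAT, and no LAN-side
# masquerade is needed: the proxy logs the client's real address.

CLIENT="${CLIENT:-192.168.1.5}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
PROXY="${PROXY:-192.168.2.110}"
PROXY_PORT="${PROXY_PORT:-3128}"
WAN_IF="${WAN_IF:-eth1}"

# Emit the nat table in iptables-save format.
proxy_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# only the intercepted client, only TCP 80 and 443 (not the 80:443 range)
-A PREROUTING -i $LAN_IF -s $CLIENT -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $PROXY:$PROXY_PORT
# masquerade only what leaves on the WAN; LAN-to-proxy traffic keeps its source address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
# the proxy's own upstream fetches also need WAN NAT
-A POSTROUTING -s $PROXY -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Parse only, without committing anything; exit status tells you if the
# ruleset is syntactically acceptable to this iptables build.
check_rules() {
    proxy_nat_rules | iptables-restore --test
}

# Apply on the router:   proxy_nat_rules | iptables-restore
```

Keeping the masquerade bound to -o eth1 is the same point as the last answer above: an unrestricted MASQUERADE rewrites the hairpinned LAN connection as well, and that rewrite is exactly what hides the client's address from the proxy.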
