hawk767
just joined
Topic Author
Posts: 4
Joined: Thu Feb 15, 2024 5:07 am

Routing traffic of NAS through VPN, targeting specific device/IP on network

Thu Feb 15, 2024 6:36 am

Made the mistake of learning to set up my new NAS (TrueNAS) and integrating a MikroTik hEX into my network as my primary router and attempting to learn the ins and outs of networking. Thoroughly fried my brain in the past couple days. I've still got a bunch of questions and am still trying to find hints towards best practices and other things to try.

For now I have a specific question regarding VPN routing. Following a few guides and looking into threads on here I was able to get all of my internet traffic routed through WireGuard (Proton VPN). The minor performance hit and the ping impact lead me to prefer not having the VPN active for my PC's traffic outside of specific cases, and then I can just run the VPN on my system. What I would like to do is retain the VPN on my NAS and perhaps my daughter's devices to protect those. I tried some initial tinkering with the originally working simple routing setup but to no avail. I'm definitely in over my head so far and definitely a networking novice, but willing to learn. I have further plans of continuing fighting to get IPv6 working with Starlink as my ISP, learning to set up VLANs for my IoT devices, and figuring out what method will work best for me to have my network/NAS/server accessible outside of my LAN, for starters accessing HomeAssistant from my phone when away.

My setup was done following the setup guide on the wiki and piecing together bits here and there, plus the incomplete IPv6 efforts. I've already wiped the config once and started over, so hopefully not again. :roll:

My focus is the VPN to cover NAS traffic for now though!
ISP: Starlink

# 2024-02-14 20:20:20 by RouterOS 7.14rc1
# software id = **ELIDED**
#
# model = RB760iGS
# serial number = **ELIDED**
/interface bridge
add name=local
/interface ethernet
set [ find default-name=ether1 ] name="ether1[internet]"
set [ find default-name=ether2 ] name="ether2[MainPC]"
set [ find default-name=ether3 ] name="ether3[Linksys]"
set [ find default-name=ether4 ] name="ether4[NAS]"
/interface wireguard
add listen-port=13231 mtu=1420 name=protonWG
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local lease-time=12h name=dhcp1
/ip smb users
set [ find default=yes ] read-only=yes
/routing table
add fib name=USEproton
/interface bridge port
add bridge=local interface="ether2[MainPC]"
add bridge=local interface="ether3[Linksys]"
add bridge=local interface="ether4[NAS]"
add bridge=local interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes \
    max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=local list=listBridge
/interface sstp-server server
set ciphers=aes256-sha
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=**ELIDED** endpoint-port=\
    51820 interface=protonWG persistent-keepalive=25s public-key=**ELIDED**
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=10.2.0.2/30 interface=protonWG network=10.2.0.0
/ip dhcp-client
add interface="ether1[internet]" use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.240 mac-address=**ELIDED** server=dhcp1
add address=192.168.88.238 client-id=**ELIDED** mac-address=**ELIDED** server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=\
    "ether1[internet]" protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=\
    "ether1[internet]" port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=\
    "ether1[internet]" port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    "ether1[internet]"
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface="ether1[internet]"
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    "ether1[internet]" log=yes log-prefix=!public src-address-list=\
    not_in_internet
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1[internet]"
add action=masquerade chain=srcnat out-interface=protonWG src-address=\
    192.168.88.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 firewall address-list
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=::/48 list=allowed
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/10 list=prefix_delegation
add address=2406:2d40:4100:7990::1/128 list=prefix_delegation
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=\
    yes log-prefix=ipv6,invalid
add action=drop chain=forward log-prefix=IPV6
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address-list=prefix_delegation
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address-list=prefix_delegation
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface="ether1[internet]"
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=no hop-limit=\
    64 managed-address-configuration=yes mtu=1280 other-configuration=yes \
    ra-interval=3m20s-8m20s
/ipv6 nd prefix default
set preferred-lifetime=10m valid-lifetime=15m
/routing rule
add action=lookup disabled=no src-address=local table=main
add action=lookup-only-in-table disabled=no dst-address=/0 table=main
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
Last edited by tangent on Thu Feb 15, 2024 7:50 am, edited 1 time in total.
Reason: elided PII
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Routing traffic of NAS through VPN, targeting specific device/IP on network

Fri Feb 16, 2024 12:17 am

1. DANGER! - UNPLUG YOUR ROUTER - Please DO NOT allow direct access to WINBOX from the internet!! It is meant for internal access!! Also bad is using the default winbox port...

add action=accept chain=input comment="allow Winbox" in-interface=\
"ether1[internet]" port=8291 protocol=tcp

The only people with access should be LAN users, and even better just a source-address-list of ADMIN devices' IP addresses (fixed DHCP leases etc.).
The in-interface list should at a minimum be in-interface-list=LAN
or better
src-address-list=Authorized

where Authorized is
add address=IP1 list=Authorized comment=admin desktop
add address=IP2 list=Authorized comment=admin laptop
add address=IP3 list=Authorized comment=admin smartphone


2. SAME with SSH port 22, meant for internal secure access to the router interface, not from the internet!!

3. This rule is excellent
add action=drop chain=input comment="block everything else" in-interface=\
"ether1[internet]"

But before this rule you need to add access to router services such as DNS for LAN users...
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp


4. Organize your chain rules: all input chain rules together, all forward chain rules together; you will quickly see that you have duplicates.

5. Don't understand your routing rules' purpose?
 
hawk767
just joined
Topic Author
Posts: 4
Joined: Thu Feb 15, 2024 5:07 am

Re: Routing traffic of NAS through VPN, targeting specific device/IP on network

Fri Feb 16, 2024 8:05 am

Thanks a lot for taking the time to reply.

1. Sorted! I recall seeing the suggestions regarding tying access just to local static IPs; I just haven't set that up yet. The 'allow' rules for both Winbox and SSH were both straight from the "First Time Config" portion of the RouterOS doc. I did make the mistake of not setting the admin user allowed address as is recommended just above though. So, taken care of, access limited to my local connections and specifically my now static main device IPs. Easy enough to understand the importance there.

2. Same here. Curious though, the instructions do keep those ports the same. I had seen it recommended elsewhere to change the SSH port of 22 to something else, but no mention of the 8291, so I'll get those changed as well.

3. Appreciate this one! Still working on my understanding of DNS as far as its usefulness on the LAN and also for my own access from outside the network/others' access in, if I'm understanding that use case right.

4. Done. I knew there were some duplicates as I worked through the firewall info in the doc and pulled what seemed sensible, but I am still a little unsure of the proper ordering of operations in the rules, so I hadn't sorted and picked through them yet.

5. Already removed right after I'd posted my config actually. I was working on an attempt at getting my NAS routed through a VPN per the title of this post; those were suggested in another post, but I realized the suggestions were pointed towards changes to a different guide the post author was following from the one I was following, so those rules were irrelevant to what I was trying.
 
hawk767
just joined
Topic Author
Posts: 4
Joined: Thu Feb 15, 2024 5:07 am

Re: Routing traffic of NAS through VPN, targeting specific device/IP on network

Sat Feb 17, 2024 9:23 am

So I've been piecing together a few threads on here and read through the policy routing doc page. I've been working at it, testing with the static IP assigned to my phone.

Created a route with the WireGuard interface as the gateway, VPN routing table assigned.
Rule built with the src address assigned as my phone, assigned to the VPN table, lookup only in table. I wasn't clear if I was supposed to assign a routing mark here as well; not clear on its purpose.
Created a NAT rule, chain srcnat, with a src address list that will contain the phone and NAS once I know it's working properly with my phone first. Assigned the out interface to the WireGuard interface, and again I've seen mention of a routing mark using the VPN routing table but am not clear on its purpose.

Trying this I'm not seeing a change on my phone; IP tests are all reporting normal.
I do notice that when I enable or disable the WireGuard interface it creates a different route, separate from the one I create with the assigned table. So I'm curious if that is the issue.

Thanks in advance.
# 2024-02-16 23:03:22 by RouterOS 7.14rc1
# software id = 
#
# model = RB760iGS
# serial number = 
/interface bridge
add name=local
/interface ethernet
set [ find default-name=ether1 ] name="ether1[internet]"
set [ find default-name=ether2 ] name="ether2[MainPC]"
set [ find default-name=ether3 ] name="ether3[Linksys]"
set [ find default-name=ether4 ] name="ether4[NAS]"
/interface wireguard
add listen-port=13231 mtu=1420 name=protonWG
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local lease-time=12h name=dhcp1
/ip smb users
set [ find default=yes ] read-only=yes
/routing table
add fib name=USEproton
/interface bridge port
add bridge=local interface="ether2[MainPC]"
add bridge=local interface="ether3[Linksys]"
add bridge=local interface="ether4[NAS]"
add bridge=local interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes \
    max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=local list=listBridge
/interface sstp-server server
set ciphers=aes256-sha
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx endpoint-port=\
    51820 interface=protonWG persistent-keepalive=25s public-key=\
    
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=10.2.0.2/30 interface=protonWG network=10.2.0.0
/ip dhcp-client
add interface="ether1[internet]" use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.254 address-lists=Authorized client-id=\
    xxx mac-address=xxx server=dhcp1
add address=192.168.88.242 address-lists=Authorized client-id=\
    xxx mac-address=xxx server=dhcp1
add address=192.168.88.240 mac-address=xxx server=dhcp1
add address=192.168.88.238 client-id=xxx mac-address=\
    xxx server=dhcp1
add address=192.168.88.241 address-lists=Authorized client-id=\
    xxx mac-address=xxx server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.88.242 comment=tdesktop list=Authorized
add address=192.168.88.241 comment=phone list=Authorized
add address=192.168.88.254 comment=wifirouter list=Authorized
add address=192.168.88.241 comment=phone list=VPNsecure
add address=192.168.88.240 comment=NAS disabled=yes list=VPNsecure
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=input comment="allow ICMP" in-interface=\
    "ether1[internet]" protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=local \
    in-interface-list=static port=8291 protocol=tcp src-address-list=\
    Authorized
add action=accept chain=input comment="allow SSH" in-interface=local port=\
    2200 protocol=tcp src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=listBridge protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=listBridge protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    "ether1[internet]"
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface="ether1[internet]"
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    "ether1[internet]" log=yes log-prefix=!public src-address-list=\
    not_in_internet
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1[internet]"
add action=masquerade chain=srcnat out-interface=protonWG routing-mark=\
    USEproton src-address-list=VPNsecure
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=protonWG pref-src="" \
    routing-table=USEproton scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 firewall address-list
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=::/48 list=allowed
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/10 list=prefix_delegation
add address=2406:2d40:4100:7990::1/128 list=prefix_delegation
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=\
    yes log-prefix=ipv6,invalid
add action=drop chain=forward log-prefix=IPV6
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address-list=prefix_delegation
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address-list=prefix_delegation
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface="ether1[internet]"
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=no hop-limit=\
    64 managed-address-configuration=yes mtu=1280 other-configuration=yes \
    ra-interval=3m20s-8m20s
/ipv6 nd prefix default
set preferred-lifetime=10m valid-lifetime=15m
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=USEproton \
    src-address=192.168.88.241/32 table=USEproton
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Routing traffic of NAS through VPN, targetting specific device/IP on network  [SOLVED]

Sun Feb 18, 2024 3:41 pm

To be clear, you are attempting to connect to a third-party VPN provider?
Not sure what that has to do with your phone, as either:

a. you are connecting to Proton with your router and ISP connection and then selecting which users use the tunnel
OR
b. you are connecting your phone via cellular and the WireGuard app to the Proton WireGuard

I will assume we are talking about a. (mainly because your router is not WiFi, so not sure how it could get a LAN IP, unless you have a WiFi device attached to the router, in which case a. still applies).

The other thing is you are using IPv6, which I know diddly about, so all my advice is based on a normal IPv4-based network.
Therefore I am confused as to why you have DHCP servers, why you have NAT etc. I thought that all goes out the window with IPv6...
Thus I will assume you don't actually use IPv6.

Observations:

1. It is probably not a good idea to use 10.2.0.1 for an external DNS server in your settings. That DNS is specific to Proton and will potentially screw up the rest of your LAN.
Suggest
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
etc.....

2. I do agree for traffic entering the tunnel that traffic should be using 10.2.0.1, so how to make that happen?

3. Missing one default rule that normally should be there, which the router uses itself, so add it in.
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input


4. Placing any rules after the drop rule in the input chain makes zero sense. No traffic goes past this rule; it's ALL DROPPED.
So change the order (if you noted, I already slightly modified your order above: default rules first, then admin rules, then drop).

What this reveals is a mess in the input chain, duplicates etc. It needs to be cleaned up!

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="allow Winbox" in-interface=local \
in-interface-list=static port=8291 protocol=tcp src-address-list=\
Authorized
add action=accept chain=input comment="allow SSH" in-interface=local port=\
2200 protocol=tcp src-address-list=Authorized
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input


However, even this is not quite right, but close. The problem is you think you are limiting Winbox to a select few, which you are not,
because you have the allowed_to_router rule, basically your entire subnet, so the entire subnet has access to Winbox.
The idea is to only allow the entire subnet for distinct services, typically DNS, so let's do this instead. Keep all the default rules above, and for the last four rules:

add action=accept chain=input comment="allow Winbox" in-interface=local \
in-interface-list=static port=8291 protocol=tcp src-address-list=\
Authorized
add action=accept chain=input comment="allow SSH" in-interface=local port=\
2200 protocol=tcp src-address-list=Authorized
add action=accept chain=input src-address-list=allowed_to_router dst-port=53 protocol=udp
add action=accept chain=input src-address-list=allowed_to_router dst-port=53 protocol=tcp
add action=drop chain=input



Thus only those on the Authorized list can access Winbox and port 2200, and the LAN users can only access DNS services.
Now, for authorized users aka the ADMIN you could simplify the two rules to this:
add action=accept chain=input comment="Admin Access" in-interface=local src-address-list=Authorized

5. Wireguard settings seem fine!

6. Table seems fine

7. wireguard IP address is fine , although I typically use /24 for all addresses.

8. Yikes, just got to the forward chain. It would seem you are more concerned with ICMP than actually needed traffic, and I recommend you simply remove all that nonsense.
Also, I made the WAN NAT rule much clearer to read by splitting it into two rules.

/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# the WAN interface is named "ether1[internet]" in the posted export, so match that name
add action=accept chain=forward comment="internet traffic" in-interface=local out-interface="ether1[internet]"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat

add action=drop chain=forward comment="Drop All Else"


Thus basically stating: keep the needed default rules, allow LAN-to-WAN traffic, allow port forwarding (disable it if not using), and then drop the rest of any possible traffic. Similar to the input chain rule.
Now what's missing?

Answer: Allowing traffic to enter the WireGuard tunnel:

/ip firewall filter
add action=accept chain=forward comment="internet traffic" in-interface=local out-interface="ether1[internet]"
add action=accept chain=forward comment="permission to enter tunnel" in-interface=local out-interface=protonWG
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop All Else"


You could refine the bridge entry by replacing it with a source-address list of IPs that need to enter the tunnel, but
remember only the IPs you ROUTE to the tunnel can reach the tunnel anyway. The firewall doesn't tell traffic where to go; it simply blocks it or doesn't.

add action=accept chain=forward comment="permission to enter tunnel" src-address-list=VPNsecure out-interface=protonWG

9. IP router for proton wireguard looks fine, matches up with the Table created.

10. THE SOURCENAT RULE is WRONG. I am not sure how you came up with that? The idea is simply to give every local user going into the tunnel the (source) IP address of WireGuard on your router, so that the Proton server at the other end won't reject the traffic.
from:
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1[internet]"
add action=masquerade chain=srcnat out-interface=protonWG routing-mark=\
USEproton src-address-list=VPNsecure


TO:
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1[internet]"
add action=masquerade chain=srcnat out-interface=protonWG


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

11. Now comes the time that we glue together the config above in terms of forcing traffic out the tunnel.
In this case, with one or two devices, the easiest path is routing rules.
You will need a rule per user.

/routing rule add src-address=IPaddressofNAS action=lookup table=USEproton
/routing rule add src-address=IPaddressofPhone action=lookup table=USEproton


Note: Use action=lookup-only-in-table IF you do not want the phone or NAS to fall back to using the local WAN, in case the tunnel stops working.

12. You should add one mangle rule to ensure smooth traffic flow, no bumps due to MTU mismatching:

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" \
new-mss=clamp-to-pmtu out-interface=protonWG passthrough=yes protocol=tcp tcp-flags=syn


13. Finally we still have the issue of the DNS for proton, suggesting the following to force that traffic as well.

/ip firewall nat
# NAT chains are named srcnat and dstnat; "dst-nat" is the action, not a chain name
add chain=dstnat action=dst-nat in-interface-list=VPNsecure dst-port=53 protocol=tcp out-interface=protonWG to-address=10.2.0.1


This states that for any users on the list that are going out the WG tunnel, their traffic requests for DNS will be sent to 10.2.0.1 and not to the local router.
I am not 100% sure this is necessary, but it should work.

Please confirm that 10.2.0.1 is what Proton gave you to use for DNS (and you didn't make it up on your own).
 
hawk767
just joined
Topic Author
Posts: 4
Joined: Thu Feb 15, 2024 5:07 am

Re: Routing traffic of NAS through VPN, targetting specific device/IP on network

Sun Feb 18, 2024 10:58 pm

This did it, thank you so much!
Yes, the goal was to route traffic through a third-party VPN, not to create VPN access to my network from outside via phone; I can see why that might have introduced some confusion. I was simply testing getting the routing working on the static IP assigned to my phone on my network because at the time I was actively transferring data between my PC and the NAS, so I didn't want to inadvertently cut off that connection. The ability to just add individual rules for individual IPs now is super convenient.

All of the IPv6 info in the router was largely me trying to get IPv6 working; I found difficulty getting it configured with Starlink as my ISP. Of the projects with this whole deal, that is one I put aside until I finished getting the VPN routing figured out. One issue at a time for now, ha.

After I'd reposted my new config I had gone back in, toying some more, and ended up re-enabling use-peer-dns=yes for the DHCP client, so 8.8.8.8 and 1.1.1.1 were back in the dynamic DNS list. 10.2.0.1 is the DNS provided in the Proton config file with the other info for the WireGuard setup, and their guide instructs to point towards their DNS, but the NAT config you provided would make that redundant.

I believe one of the discussions I found somewhere regarding the NAT had mentioned the routing-mark implementation; I'd tried with and without, without change, so I hadn't gone through and removed that yet. I think I have a better understanding of how the NAT rules operate now.

There was definitely a lack of firewall discussion in the posts of similar topics that I sifted through. One post had mentioned a lack of need for mangle at all, so I had steered clear of that and other firewall rules relating to this routing, besides port forwarding the proper port. It makes much more sense now though.
The ICMP rules were again pulled from the MikroTik docs. This was where some of my duplicates came from: putting in rules from the first-time config article, then adding some of these in as well. So thanks for helping me realize that mistake.

Again, I appreciate the time and help. Writing out the goal/problem felt like easy logic (route traffic from individual IPs attempting to access the internet via the VPN); I'm just coming to terms with the networking language needed to accomplish such a goal.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Routing traffic of NAS through VPN, targetting specific device/IP on network

Sun Feb 18, 2024 11:16 pm

I did have two errors on my dstnat rule: since routing is done after dstnat, the out-interface is not yet known, so that needs to be removed, and I needed a source address list, not an in-interface list!

Thus these should be the dstnat rules:
/ip firewall nat
add chain=dstnat action=dst-nat src-address-list=VPNsecure dst-port=53 protocol=tcp to-address=10.2.0.1
add chain=dstnat action=dst-nat src-address-list=VPNsecure dst-port=53 protocol=udp to-address=10.2.0.1
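As an added example (assembled for this page; it is not the OP's export and not Mesquite's exact text): the pieces from the accepted answer glued into one ordered config, using the names from the export (bridge local, WAN "ether1[internet]", WireGuard interface protonWG, table USEproton, address list VPNsecure, Proton resolver 10.2.0.1) and the corrected dstnat rules from the follow-up post. The NAS address 192.168.88.50 is an assumption; 192.168.88.241 is the phone address from the export. The protonWG interface and its peer (allowed-address=0.0.0.0/0) are assumed to already exist, since the thread says the WireGuard settings are fine.

```routeros
# Added example, not from the OP's export or Mesquite's post. Assumes the names from
# the export (local, "ether1[internet]", protonWG, USEproton, VPNsecure, Proton DNS
# 10.2.0.1) and that the protonWG interface/peer (allowed-address=0.0.0.0/0) exist.
# 192.168.88.50 is an ASSUMED address for the NAS; 192.168.88.241 is the phone from the export.

# 1. The set of hosts that must use the tunnel. The firewall rules below match this
#    list, so adding a device later is one address-list line plus one routing rule.
/ip firewall address-list
add list=VPNsecure address=192.168.88.50 comment="NAS (assumed address)"
add list=VPNsecure address=192.168.88.241 comment="phone"

# 2. A separate routing table whose only route is a default via the tunnel.
/routing table
add name=USEproton fib
/ip route
add dst-address=0.0.0.0/0 gateway=protonWG routing-table=USEproton comment="default via Proton"

# 3. Policy routing. /routing rule has no address-list matcher, hence one rule per host.
#    The first rule keeps LAN destinations in the main table (that is where the
#    connected routes are). lookup-only-in-table is the kill switch: if the tunnel
#    drops, these hosts get no internet instead of silently leaking out the ISP;
#    use action=lookup instead if fallback to Starlink is wanted.
/routing rule
add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=lookup table=main comment="LAN stays local"
add src-address=192.168.88.50/32 action=lookup-only-in-table table=USEproton comment="NAS -> Proton"
add src-address=192.168.88.241/32 action=lookup-only-in-table table=USEproton comment="phone -> Proton"

# 4. Forward chain: permission to enter the tunnel. Keep this ABOVE the final
#    "Drop All Else" rule (print the chain and use place-before=<n> if needed).
/ip firewall filter
add chain=forward action=accept src-address-list=VPNsecure out-interface=protonWG comment="permission to enter tunnel"

# 5. NAT. Masquerade to the tunnel address (Proton rejects RFC1918 sources). No
#    routing-mark matcher: routing rules do not mark packets, only mangle does, so a
#    routing-mark=USEproton condition here would never match.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=protonWG comment="NAT into tunnel"
# DNS from tunnel hosts goes to Proton's resolver; everyone else keeps the router's.
# dstnat runs before routing, so out-interface cannot be matched in these rules.
add chain=dstnat action=dst-nat src-address-list=VPNsecure protocol=udp dst-port=53 to-addresses=10.2.0.1 comment="VPN hosts DNS -> Proton"
add chain=dstnat action=dst-nat src-address-list=VPNsecure protocol=tcp dst-port=53 to-addresses=10.2.0.1 comment="VPN hosts DNS -> Proton"

# 6. MSS clamp on SYNs entering the tunnel (WireGuard overhead lowers the path MTU).
#    SYNs are connection-state=new, so the fasttrack rule does not bypass this.
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn out-interface=protonWG passthrough=yes comment="clamp MSS into tunnel"

# 7. Checks. Rule/route state on the router, then compare the public IP seen from the
#    NAS (must be Proton's) with the one seen from a non-listed host (must be Starlink's).
/routing rule print
/ip route print where routing-table=USEproton
/ip firewall nat print stats
```

Two caveats a practitioner will want. First, the original srcnat rule matched routing-mark=USEproton, but nothing in this setup sets a routing mark (only a mangle mark-routing rule does; routing rules just choose the table), which is why that matcher never fired and the plain out-interface masquerade is the right one. Second, all of this is /ip: the export also enables IPv6 on the bridge (managed-address-configuration=yes), so if the NAS ever obtains a global IPv6 address its IPv6 traffic goes straight out Starlink, not through Proton, until equivalent /ipv6 rules exist or IPv6 is turned off on the LAN.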
