For now I have a specific question regarding VPN routing. Following a few guides and looking into threads on here I was able to get all of my internet traffic routed through Wireguard (Proton VPN). The minor performance hit and the ping impact leads me to prefer not having the VPN active for my PCs traffic outside of specific cases, and then I can just run the VPN on my system. What I would like to do is retain the VPN on my NAS and perhaps my daughters devices to protect those. I tried some initial tinkering with the originally working simple routing setup but to no avail. I'm definitely in over my head so far and definitely a networking novice, but willing to learn. I have further plans of continuing fighting to get ipv6 working with Starlink as my ISP, learning to setup VLANs for my IoT devices, and figuring out what method will work best for me to have my network/NAS/server accessible outside of my LAN, for starters accessing HomeAssistant from my phone when away.
My setup was done following the setup guide on the wiki and piecing together bits here and there. Plus the incomplete ipv6 efforts. I've already wiped the config once and started over so hopefully not again.
My focus is the VPN to cover NAS traffic for now though!
ISP Starlink
Code: Select all
# 2024-02-14 20:20:20 by RouterOS 7.14rc1
# software id = **ELIDED**
#
# model = RB760iGS
# serial number = **ELIDED**
/interface bridge
add name=local
/interface ethernet
set [ find default-name=ether1 ] name="ether1[internet]"
set [ find default-name=ether2 ] name="ether2[MainPC]"
set [ find default-name=ether3 ] name="ether3[Linksys]"
set [ find default-name=ether4 ] name="ether4[NAS]"
/interface wireguard
add listen-port=13231 mtu=1420 name=protonWG
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local lease-time=12h name=dhcp1
/ip smb users
set [ find default=yes ] read-only=yes
/routing table
add fib name=USEproton
/interface bridge port
add bridge=local interface="ether2[MainPC]"
add bridge=local interface="ether3[Linksys]"
add bridge=local interface="ether4[NAS]"
add bridge=local interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes \
max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=local list=listBridge
/interface sstp-server server
set ciphers=aes256-sha
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=**ELIDED** endpoint-port=\
51820 interface=protonWG persistent-keepalive=25s public-key=**ELIDED**
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=10.2.0.2/30 interface=protonWG network=10.2.0.0
/ip dhcp-client
add interface="ether1[internet]" use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.240 mac-address=**ELIDED** server=dhcp1
add address=192.168.88.238 client-id=**ELIDED** mac-address=**ELIDED** server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=\
"ether1[internet]" protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=\
"ether1[internet]" port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=\
"ether1[internet]" port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
"ether1[internet]"
add action=fasttrack-connection chain=forward comment=\
"fast-track for established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
"drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
connection-state=new in-interface="ether1[internet]"
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=\
"ether1[internet]" log=yes log-prefix=!public src-address-list=\
not_in_internet
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1[internet]"
add action=masquerade chain=srcnat out-interface=protonWG src-address=\
192.168.88.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 firewall address-list
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=::/48 list=allowed
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/10 list=prefix_delegation
add address=2406:2d40:4100:7990::1/128 list=prefix_delegation
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" \
connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
src-address=fe80::/10
add action=accept chain=input comment="allow allowed addresses" \
src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=\
established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=\
yes log-prefix=ipv6,invalid
add action=drop chain=forward log-prefix=IPV6
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address-list=prefix_delegation
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address-list=prefix_delegation
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface="ether1[internet]"
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=no hop-limit=\
64 managed-address-configuration=yes mtu=1280 other-configuration=yes \
ra-interval=3m20s-8m20s
/ipv6 nd prefix default
set preferred-lifetime=10m valid-lifetime=15m
/routing rule
add action=lookup disabled=no src-address=local table=main
add action=lookup-only-in-table disabled=no dst-address=/0 table=main
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge