I'm trying to set up IKEv2 for Surfshark. Everything is working, except that on the clients, websites are not loading.
I thought it was an MTU problem, so I added a change-MSS rule, but no luck.
Does anyone know the solution?
Here is my export:
# RouterOS 7.10.2
# model = RB5009UG+S+
# Review notes: statements are kept in export order, which the router depends
# on (interfaces before addresses, lists before the rules that reference them).
# Only comments were added below; no values were changed.
/interface bridge
# One bridge with VLAN filtering on. ingress-filtering=no means untagged frames
# arriving on member ports are accepted and placed into the port's default VLAN.
add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes
/interface vlan
# NOTE(review): "GEUST_VLAN" is a misspelling of GUEST_VLAN. It is used
# consistently (dhcp-server, interface list member, ip address), so renaming it
# must touch all of those. The interface *list* named GUEST_VLAN further down is
# a different object and is not the same thing.
add interface=LAN-BRIDGE name=GEUST_VLAN vlan-id=30
add interface=LAN-BRIDGE name=TEST_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
# No member is ever added to this list (see /interface list member) and no
# firewall rule refers to it, so it appears unused.
add name=GUEST_VLAN
/interface wifiwave2 channel
# Both channel profiles declare the same 2300-7300 range; which band an
# interface actually uses appears to come from supported-bands in the
# provisioning rules below (5ghz-ax vs 2ghz-n).
add disabled=no frequency=2300-7300 name=5GHz width=20/40/80mhz
add disabled=no frequency=2300-7300 name=2GHz width=20/40mhz
/interface wifiwave2 datapath
# Guest Wi-Fi clients are tagged into VLAN 30 on the bridge.
add bridge=LAN-BRIDGE disabled=no name=GUEST vlan-id=30
/interface wifiwave2 security
# WPA3-PSK for the 5 GHz home SSID, WPA2-PSK for the 2.4 GHz home SSID and for
# the guest SSID; WPS is disabled on all three.
add authentication-types=wpa3-psk disabled=no name=WPA3 wps=disable
add authentication-types=wpa2-psk disabled=no name=WPA2 wps=disable
add authentication-types=wpa2-psk disabled=no name=GUEST wps=disable
/interface wifiwave2 configuration
add country="United States" disabled=no name=HOME-5GHz security=WPA3 ssid=\
HOME-5GHz
add country="United States" disabled=no name=HOME-2GHz security=WPA2 ssid=\
HOME-2GHz
# The GUEST configuration is the only one bound to the GUEST datapath, so only
# this SSID lands in VLAN 30.
add country="United States" datapath=GUEST disabled=no name=GUEST security=\
GUEST ssid=GUEST
/ip ipsec mode-config
# Initiator-side mode-config (responder=no). Only sources in the
# GUEST-VLAN-TRAFFIC address list (192.168.30.0/24, defined under
# /ip firewall address-list) are steered into the tunnel; RouterOS builds
# dynamic src-nat rules for that list using the address the peer assigns.
add name=SURFSHARK responder=no src-address-list=GUEST-VLAN-TRAFFIC
/ip ipsec policy group
add name=SURFSHARK
/ip ipsec profile
# Phase 1 profile with RouterOS defaults; nothing is overridden in the export.
add name=SURFSHARK
/ip ipsec peer
# IKEv2 peer addressed by hostname; the profile above is applied to it.
add address=us-nyc.prod.surfshark.com exchange-mode=ike2 name=SURFSHARK \
profile=SURFSHARK
/ip ipsec proposal
# Phase 2 proposal with PFS disabled; ciphers are left at their defaults (not
# shown in the export).
add name=SURFSHARK pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
# One DHCP server per segment: untagged bridge (dhcp1), VLAN 20 (dhcp2),
# VLAN 30 (dhcp3).
add address-pool=dhcp_pool0 interface=LAN-BRIDGE name=dhcp1
add address-pool=dhcp_pool1 interface=TEST_VLAN name=dhcp2
add address-pool=dhcp_pool2 interface=GEUST_VLAN name=dhcp3
/interface bridge port
# ether1 is deliberately not a bridge port (it is the WAN, see the WAN list
# member below). No port sets a pvid, so untagged frames on these ports use the
# bridge's default VLAN.
add bridge=LAN-BRIDGE interface=sfp-sfpplus1
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
add bridge=LAN-BRIDGE interface=ether8
/interface bridge vlan
# VLAN 20 is tagged toward the CPU (LAN-BRIDGE) and ether3; VLAN 30 toward the
# CPU, ether3 and ether8. ether8 therefore only sees guest traffic tagged.
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 vlan-ids=30
/interface list member
# The VLAN list holds the guest VLAN, the untagged bridge and the test VLAN
# together; every firewall rule that matches on VLAN treats them identically.
add interface=ether1 list=WAN
add interface=GEUST_VLAN list=VLAN
add interface=LAN-BRIDGE list=VLAN
add interface=TEST_VLAN list=VLAN
/interface wifiwave2 capsman
# CAPsMAN is on with an auto-generated CA. require-peer-certificate=no means a
# CAP is not required to present a certificate when it connects.
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
no upgrade-policy=none
/interface wifiwave2 provisioning
# 5 GHz radios get only the HOME-5GHz SSID; 2.4 GHz radios get HOME-2GHz with
# GUEST as a slave SSID, so the guest network exists on 2.4 GHz only.
add action=create-dynamic-enabled disabled=no master-configuration=HOME-5GHz \
supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=HOME-2GHz \
slave-configurations=GUEST supported-bands=2ghz-n
/ip address
# Router is .1 in each segment; these are the gateways handed out by DHCP.
add address=192.168.1.1/24 interface=LAN-BRIDGE network=192.168.1.0
add address=192.168.20.1/24 interface=TEST_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GEUST_VLAN network=192.168.30.0
/ip dhcp-client
# WAN address from the upstream DHCP server. Nothing is overridden, so the
# RouterOS defaults presumably apply (default route and peer DNS accepted).
add interface=ether1
/ip dhcp-server network
# Only the 192.168.1.0/24 network hands out an explicit dns-server; the two
# VLAN networks do not. NOTE(review): with the reported "websites do not load"
# symptom on guest (VLAN 30) clients, check which resolver those clients
# actually receive and whether it is reachable through the tunnel - name
# resolution failing while the tunnel is up would look exactly like this.
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
# The router answers DNS for clients. The input chain below only accepts
# VLAN-list interfaces and established/related, then drops, so this resolver
# is not reachable from ether1.
set allow-remote-requests=yes
/ip firewall address-list
# Source selector consumed by the mode-config entry above.
add address=192.168.30.0/24 list=GUEST-VLAN-TRAFFIC
/ip firewall filter
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED" \
connection-state=established,related
# The VLAN list includes GEUST_VLAN, so guest clients get the same unrestricted
# access to router services (management ports included) as the main LAN. For a
# guest segment, consider accepting only what it needs (DHCP, DNS) and letting
# the rest fall to the drop rule.
add action=accept chain=input comment="ALLOW VLAN ACCESS ROUTER SERVICES" \
in-interface-list=VLAN
add action=drop chain=input comment=DROP
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED" \
connection-state=established,related
# New connections from any VLAN are accepted only toward the WAN list (ether1);
# inter-VLAN traffic falls through to the final drop.
add action=accept chain=forward comment="ALL VLANS INTERNET ACCESS ONLY" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
# 192.168.9.0/24 is not configured anywhere in this export, so this rule does
# not match any local segment and looks stale. If it is kept on purpose, note
# that it has no in-/out-interface restriction and accepts any packet that
# merely claims that source address.
add action=accept chain=forward src-address=192.168.9.0/24
add action=drop chain=forward comment=DROP
/ip firewall mangle
# Clamps MSS on every forwarded TCP SYN, not just tunnelled ones, so plain
# LAN->WAN traffic is rewritten too. If the intent is the IPsec path only,
# restrict the rule with ipsec-policy=out,ipsec, and consider a fixed new-mss
# instead of clamp-to-pmtu, since PMTU discovery through the tunnel may be the
# very thing that is failing. This export alone does not show that MSS is the
# cause of the symptom.
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
/ip firewall nat
# Masquerades everything leaving ether1. Src-nat runs before IPsec policy
# matching, so tunnel-bound guest traffic relies on the mode-config dynamic
# src-nat rule being hit first; if that rule is not present or not hit, add
# ipsec-policy=out,none here so policy-matched traffic is left un-NATed.
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
# EAP-MSCHAPv2 client identity; the server is verified against
# surfshark_ikev2.crt_0 and the live policy is generated from the template
# below (generate-policy=port-strict). NOTE(review): the username on the last
# line is a real account identifier and has been published along with this
# export; the password is not exported, but consider rotating the account
# credentials anyway.
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=\
eap-mschapv2 generate-policy=port-strict mode-config=SURFSHARK peer=\
SURFSHARK policy-template-group=SURFSHARK username=\
3yV8q4wLtRf3uRsXsJmghq26
/ip ipsec policy
# Catch-all template (0.0.0.0/0 -> 0.0.0.0/0) in group SURFSHARK; the active
# policy is instantiated from it when the identity above negotiates.
add dst-address=0.0.0.0/0 group=SURFSHARK proposal=SURFSHARK src-address=\
0.0.0.0/0 template=yes