block traffic which did not get encrypted by ipsec

Hey all together, I’m not really new to RouterOS, but right now I am struggling with a special firewall requirement that I have:

In order to stay private on the internet I subscribed to NordVPN, and I have successfully set up the IPsec config for it (as shown here). With this config, all traffic from devices that are on the address-list “local” is encrypted and sent to NordVPN by the dynamic IPsec policy. This works perfectly fine.

Now to my problem: in the event that the IPsec tunnel can’t be established (e.g. because of maintenance by NordVPN or whatever), the NordVPN IPsec policy disappears, and therefore the traffic coming from the devices on the address-list is routed directly to the internet without any IPsec encryption. I probably won’t notice when this happens, so I am looking for a way to drop packets that match these criteria:

  • source-address-list=local
  • destination-address-list!=private (I have a list “private” with those entries: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8)
  • now for the important part: NOT encrypted by ipsec

I already tried different things, including mangle with packet-marks or the “IPsec Policy” option in firewall filter, but nothing seems to work the way I want it to… I don’t even know whether it is possible at all, because there is no firewall filter chain after the IPsec policies in the packet flow diagram.

Do you have any idea how to solve this?

Thank you very much for helping,
Max